pte-实战 dedecms Translation: pte-Practical dedecms

The backend interface of dedecms is as follows:

The content of directory scanning and robots.txt is similar to the following, there is nothing useful to exploit.

The backend attempts to use weak passwords to log in, register a front-end account with the username and password as 0001/111111, do not fill in security questions.

After successful registration, visit http://10.1.10.62/member/index.php?uid=0001, and you will arrive at the following interface.

Press F12 to view webpage elements and copy the value of last_vid__ckMd5.

After copying last_vid__ckMd5, log in to the 0001 account.

Open Cookies Manager and search for the website IP.

Modify the value of DedeUserID__ckMd5 to the content copied earlier. The original value before modification is as follows:

After modification, it becomes as follows:

Change DedeUserID to 0001. After modifying both values, click Refresh and then close.

Refresh, and then it becomes the admin user.

Visit http://10.1.10.62/member/resetpassword.php and send the following package using Burp.

POST /member/resetpassword.php HTTP/1.1
Host: 10.1.10.62
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=7670a8ebb1cda24bd2e5ca30dc7a583d; DedeUserID=0001; DedeUserID__ckMd5=6ce7088fae0207fd; DedeLoginTime=1689920383; DedeLoginTime__ckMd5=41803202759b8e30; last_vtime=1689920439; last_vtime__ckMd5=46f2d368c54edcb0; last_vid=0001; last_vid__ckMd5=6ce7088fae0207fd; ENV_GOBACK_URL=%2Fmember%2Fcontent_list.php%3Fchannelid%3D1
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 53

dopost=safequestion&safequestion=0.0&safeanswer=&id=1

Pay attention to this link in the response package.

Copy it.

http://10.1.10.62/member/resetpassword.php?dopost=getpasswd&amp;id=1&amp;key=H1nWnhNM

Remove amp;

http://10.1.10.62/member/resetpassword.php?dopost=getpasswd&id=1&key=H1nWnhNM

Access it with a browser.

You will directly go to the password change page.

Set the password to 666666.

This is the password for the front-end admin user. Next, you need to change the password for the backend username.

Visit

http://10.1.10.62/member/edit_baseinfo.php

You will be redirected to the profile completion page, simply click on "Complete Registration".

Once again, visit http://10.1.10.62/member/edit_baseinfo.php, and you will arrive at the following page.

The original password is 666666, change the new password to 888888, fill in the captcha and email, and update successfully.

Access the backend, log in with admin/888888, and you will log in successfully.

Next is uploading a shell in the backend.

Go to the file manager and create a new file.

The file is named s.php, write a shell.

The file is as follows:

AntSword base64 encoded connection.

If port 3389 is not open, you can upload the vbs script in the tool package to open the port.

Turn off the firewall.

Change the administrator password.

Remote desktop login.