Shulou(Shulou.com)06/01 Report--

This article shows you how to obtain root key from DEDECMS pseudorandom vulnerability analysis. The content is concise and easy to understand, which will definitely brighten your eyes. I hope you can get something through the detailed introduction of this article.

1. User home page

1.1 restrictions (middle)

Request to turn on the membership function.

1.2 Code Analysis

1.3 acquisition method

Request: (view admin home page)

Url+/member/index.php?uid=admin

Response:

Admin

Hash value of last_vid_ckMd5

two。 Custom form

2.1 restrictions (low)

The webmaster needs to define a form for the site.

Downloaded several sets of templates modified by DEDECMS, all retained this feature, and most sites have their own form format. Or most of the dedcms in normal use have forms:)

2.2 Code Analysis

2.3 acquisition method

Request: (view form)

Url+/plus/diy.php?diyid=1

Response:

Dede_fieIds

Dede_fieIdshash, these two values

3. POC

1. Save the following code to dede_funcookie.php

two。 Modify $cpu, $attack_method, $attack_param, $attack_hash

3. If the target website is php7: php7 dede_funcookie.php, if the target website is php5: php5 dede_funcookie.php, if it is not clear, you can run both of them ε = ("▽") ~

4. Under 16-core CPU,8G memory, it takes 4444 seconds to run the whole program. It is recommended not to run both at the same time. Pay attention to your CPU load.

IV. Harm

1. Cookie forgery

two。 Through mailbox authentication

3. Front desk RCE

The only thing you don't know about the mailbox hash algorithm is rootkey. If you run out of rootkey through poc, you can construct it, and then you can access hash to pass mailbox authentication, which is of some help to ⑧ for the use of "any user logging in at the front desk of dedecms".

V. actual combat

TIPS: you can collect all the hash through fingerprints, and then run the script once to get all the results, because the root key of the dedecms of the whole network is in the range of 2 ^ 33:), which is actually covered when the running script traverses this range.

FIND A Luck One:

1. Fingerprint search

two。 Collide with data and hash

3. ATTACK:

Modify the parameters in dede_funcookie.php: * author of this article: reprint please indicate that it comes from FreeBuf.COM.

$cpu = 16

$attack_method = 2

$attack_param = "name,text;tel,text;content,text;hz,text;qq,text"

$attack_hash = "a058f44c032cf2e4da07ebe80fbd52d8"

4. GET ROOT KEY AND ENJOY:

Get some sleep and take a look at the results:

In nohup2.out:

Protection suggestion

You can consider manually adding some values after rootkey, or adding current time, ip, servername, or uuid in the generation algorithm as a means of protection.

The above content is DEDECMS pseudorandom vulnerability analysis of how to obtain root key, have you learned the knowledge or skills? If you want to learn more skills or enrich your knowledge reserve, you are welcome to follow the industry information channel.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.