dedecms Arbitrary Command Execution Vulnerability
1. Introduction to the vulnerability
There is an arbitrary command execution vulnerability in the dedecms backend (it has been submitted to CNVD and archived; the official patch was released on 2022.1.12 and the new version is fixed; the previous version can be downloaded through the link, extraction code: ikom).
2. The impact of the vulnerability
dedecms 5.7.85
3. The reproduction process
Vulnerability Analysis
Vulnerability location: plus/mytag_js.php
You can see that after the file is written, it can be included directly by a later code path. Here we do not need to care about the file name (it has a fixed .htm suffix); we only need to care about the contents of myvalues passed in when the file is written.
Looking further up, myvalues is obtained from a database query. What is the exact statement of that query? Let's look up.
You can see that the specific query statement is
SELECT * FROM `#@__mytag` WHERE aid='$aid'
Then there should also be a query that inserts into this table, so we search the whole code base for the table name.
We found the specific insert statement, but there is no column named aid, so it must be auto-incremented.
Visit this page to reach the insert interface, and try inserting the following data.
Then print $pv->GetResult() to see the result. Before that, so that the script does not exit early, we need to pass arcID (the specific aid number) and nocache. We can see this as well.
After the input, the echo is f, that is, what is returned is the "normal display content" we passed in when inserting.
Finally, let's sort out the chain.
1. First insert a tag, passing the PHP code we want to execute in the "normal display content" field.
2. The file is written through file_put_contents.
3. The file is included through include.
Exploitation process
1. Visit dede/mytag_main.php to insert a tag.
Remember the corresponding number after saving successfully.
2. Access /plus/mytag_js.php?arcID=6&nocache=1 (6 is the tag number) to generate the file.
3. Visit /plus/mytag_js.php?arcID=6 to include the file.
exec('calc'); was executed successfully.
We can look at the content of the generated file.
It is wrapped in some strings, but that does not affect the parsing of the PHP code when the file is included.
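As an added detection example (not code from the original post or from dedecms), the following script flags the generate-then-include sequence described above in web-server access logs, and separately flags cached .htm files whose body contains a PHP open tag. The log lines, the cache file names and their contents are constructed samples; the real cache path and file naming are not given on this page and are left as assumptions.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed sample access-log lines (common log format); not taken from the original post.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Jan/2022:10:00:01 +0000] "GET /dede/mytag_main.php HTTP/1.1" 200 512
10.0.0.5 - - [12/Jan/2022:10:00:09 +0000] "GET /plus/mytag_js.php?arcID=6&nocache=1 HTTP/1.1" 200 87
10.0.0.5 - - [12/Jan/2022:10:00:15 +0000] "GET /plus/mytag_js.php?arcID=6 HTTP/1.1" 200 87
10.0.0.7 - - [12/Jan/2022:10:02:00 +0000] "GET /plus/mytag_js.php?arcID=3 HTTP/1.1" 200 40
"""

# Constructed cache entries as (file name, contents); the real file name format is an assumption.
SAMPLE_CACHE = [
    ("mytag-3.htm", 'document.write("<a href=\\"/list\\">news</a>");'),
    ("mytag-6.htm", 'document.write("<?php /* placeholder */ ?>");'),
]

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def parse(line):
    """Parse one common-log-format line into its fields, or return None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, method, target, status = m.groups()
    u = urlparse(target)
    return {"ip": ip, "ts": ts, "path": u.path, "qs": parse_qs(u.query), "status": int(status)}

def find_suspicious_sequences(log_text):
    """Return hits where one client first forces regeneration of a tag's cache file
    (nocache=1) and later requests the same arcID without nocache (the include step)."""
    pending = {}  # (ip, arcID) -> timestamp of the nocache=1 request
    hits = []
    for line in log_text.splitlines():
        r = parse(line)
        if not r or not r["path"].endswith("/plus/mytag_js.php"):
            continue
        aid = r["qs"].get("arcID", [None])[0]
        if aid is None:
            continue
        key = (r["ip"], aid)
        if r["qs"].get("nocache", ["0"])[0] == "1":
            pending[key] = r["ts"]
        elif key in pending:
            hits.append({"ip": r["ip"], "arcID": aid, "generated_at": pending[key], "included_at": r["ts"]})
    return hits

def htm_files_with_php(entries):
    """Names of .htm cache entries whose contents carry a PHP open tag (should never happen)."""
    php_tag = re.compile(r"<\?(php\b|=)", re.I)
    return [name for name, text in entries if name.endswith(".htm") and php_tag.search(text)]
```

A single nocache=1 request from an administrator is normal; the pairing with a later plain request for the same arcID from the same client, together with any PHP tag inside the .htm cache, is what merits investigation.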