Directory
1. Vulnerability Description
2. Vulnerability Trigger Condition
3. Vulnerability Impact Range
4. Vulnerability Code Analysis
5. Defense Methods
6. Defensive Thinking
1. Vulnerability description
A brief summary of how this vulnerability is exploited:
1. Exploiting this vulnerability requires being logged in to the back end; more precisely, the request must carry the cookie of a logged-in back-end session.
2. The back-end logo upload has an unfiltered XSS vulnerability: an attacker can inject XSS code into the IMG src.
3. Using that unfiltered XSS, the attacker can launch a CSRF attack that hijacks the target user into sending a malformed POST request to "/dede/file_manage_control.php".
4. "/dede/file_manage_control.php" does not effectively filter externally supplied data and writes it out to a file on disk, resulting in a getshell.
What we need to understand about this vulnerability is that its root cause is the unfiltered XSS vulnerability in the Dede back end. "/dede/file_manage_control.php" itself is not much of a vulnerability, because that file is a native business function of the site system: it lets administrators manage their own disk in an FTP-like way.
Relevant links:
http://www.wooyun.org/bugs/wooyun-2010-025175
http://www.wooyun.org/bugs/wooyun-2010-065561
http://www.2cto.com/Article/201409/335025.html
2. Vulnerability Trigger Condition
1. The hacker has obtained the administrator's back-end account name and password
2.
3. Through the unfiltered back-end XSS vulnerability, the hacker hijacks the administrator and forces an Ajax POST request to a specific file
4. Launching an attack based on XSS+CSRF
   1) SQL injection based on XSS+CSRF
   2) File upload based on XSS+CSRF
0x1: PoC
1. Use XSS to force the hijacked user to initiate a POST request that injects the XSS code
2. POST http://localhost/dedecms5.7/dede/file_manage_control.php
3. Data: fmdo=edit&backurl=&activepath=&filename=csrf.php&str=<?php eval ($_post[op]);? >&b1=
3. Vulnerability Impact Range
1. dedecms-v5.7-utf8-SP1
2. <= dedecms-v5.7-utf8-sp1
4. Vulnerability Code Analysis
In essence, the root cause of this vulnerability is an XSS+CSRF attack that rides on back-end administrator interaction. However, defending against XSS in code involves many logical points and is hard to cover exhaustively, and the XSS exploitation here is tied to the problem of how the module is installed.
A viable (but not the best) defense is to "cut off the business". "\dede\file_manage_control.php" is a business function of the site that provides file editing and upload, so we can insert a function hook into the file-writing path of "\dede\file_manage_control.php" to detect malicious content in "POST file uploads based on XSS+CSRF".
5. Defense Methods
0x1: \dede\file_manage_control.php
<?php
/**
 * File management control
 *
 * @version   $Id: file_manage_control.php 1 8:48 July 13, 2010 Z Tianya $
 * @package   DedeCMS.Administrator
 * @copyright Copyright (c) 2007-2010, Desdev, Inc.
 * @license   http://help.dedecms.com/usersguide/license.html
 * @link      http://www.dedecms.com
 */
require(dirname(__FILE__)."/config.php");

// Hook added for the "business cut-off" defense: refuse (and delete) any
// edited file whose body contains a PHP open tag.
function find_php_payload($body, $file)
{
    $express = "/<\?(php){0,1}(.*)/i";
    if(preg_match($express, $body))
    {
        if(file_exists($file))
        {
            @unlink($file);
        }
        die("Request error!");
    }
    return $body;   // clean content is returned unchanged so the caller can write it
}

CheckPurview('plus_文件管理器');
...
else if($fmdo == "edit")
{
    $filename = str_replace("..", "", $filename);
    $file = "$cfg_basedir$activepath/$filename";
    // unescape the input variable
    $str = stripslashes($str);
    $str = find_php_payload($str, $file);
    $fp = fopen($file, "w");
    fputs($fp, $str);
    fclose($fp);
    if(empty($backurl))
    {
        ShowMsg("Saved the file successfully!", "file_manage_main.php?activepath=$activepath");
    }
    else
    {
        ShowMsg("Saved the file successfully!", $backurl);
    }
    exit();
}
...
0x2: The impact of Defense programs on website business
The defense plan based on the "business cut-off" idea can successfully defend against this XSS+CSRF getshell attack, but it also has a certain impact on the business:
1. The user has a "<?php" tag in the file being edited, so the legitimate save is refused as well
2. Hackers use XSS+CSRF to send an Ajax POST request for a getshell
In the second case the code successfully defends against the hacker's injection attack.
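The following is an added example, not DedeCMS code and not from the original post: a stand-alone harness that re-implements the hook's check and runs it over constructed edit requests, so that the clean edit, the PoC-shaped request and the business-impact case above can be compared without touching the real file_manage_control.php. The function names find_php_payload() and guard_file_edit(), the temporary base directory and every request below are assumptions made for the demo. The reason a content check is used at all, rather than only a CSRF token or Referer check, is worth keeping in mind: the forged POST is issued by script that the XSS injected into the administrator's own back-end pages, so it runs in the site's origin and can read any token the page carries.

```php
<?php
// Added example, not DedeCMS code: a stand-alone harness for the
// "business cut-off" hook shown in section 5. It re-implements the
// hook's check and runs it over constructed edit requests so the two
// cases listed in 0x2 can be seen side by side.
//
// Assumptions (ours, not from the original page): the function names
// find_php_payload() and guard_file_edit(), the temporary base
// directory, and every request below are constructed for the demo.

declare(strict_types=1);

/**
 * Return true if $body contains something PHP would execute when the
 * written file is later requested: "<?php", the short tags "<?" / "<?=",
 * or the legacy "<script language=php>" opener (removed in PHP 7, still
 * worth refusing on older hosts). The first pattern is the one the hook
 * in section 5 uses; the second is our addition.
 */
function find_php_payload(string $body): bool
{
    $patterns = [
        '/<\?(php)?/i',                          // <?php, <?, <?=
        '/<script\s+language\s*=\s*["\']?php/i', // <script language="php">
    ];
    foreach ($patterns as $re) {
        if (preg_match($re, $body) === 1) {
            return true;
        }
    }
    return false;
}

/**
 * Mirror the "edit" branch of file_manage_control.php up to the point
 * where it would write the file, and return 'allow' or 'block'.
 * On block the target is also unlinked, as the hook does, so that a
 * partially written payload never stays on disk.
 */
function guard_file_edit(string $basedir, string $activepath, string $filename, string $str): string
{
    // Same name normalisation the original handler performs.
    $filename = str_replace('..', '', $filename);
    $file = $basedir . $activepath . '/' . $filename;

    // The handler calls stripslashes() before writing, so the check must
    // run on the unescaped text the file would actually contain.
    $str = stripslashes($str);

    if (find_php_payload($str)) {
        if (file_exists($file)) {
            @unlink($file);
        }
        return 'block';
    }
    return 'allow';
}

// --- constructed edit requests (not captured traffic) ---
$basedir = sys_get_temp_dir() . '/dede_guard_demo';
@mkdir($basedir, 0700, true);

$requests = [
    // ordinary text edit: allowed
    ['activepath' => '', 'filename' => 'notes.txt',
     'str' => 'maintenance window: Sunday 02:00'],
    // the PoC-shaped request from section 2 (fmdo=edit, filename=csrf.php): blocked
    ['activepath' => '', 'filename' => 'csrf.php',
     'str' => '<?php eval($_POST[op]); ?>'],
    // short-tag variant: blocked by the same pattern
    ['activepath' => '', 'filename' => 'x.php',
     'str' => '<?= 1 ?>'],
    // the business-impact case from 0x2: a legitimate template that
    // contains "<?php" is refused as well
    ['activepath' => '/templets', 'filename' => 'head.htm',
     'str' => '<?php echo $cfg_webname; ?>'],
];

foreach ($requests as $r) {
    $verdict = guard_file_edit($basedir, $r['activepath'], $r['filename'], $r['str']);
    printf("%-5s %s/%s\n", $verdict, $r['activepath'], $r['filename']);
}
```

Run it with `php guard_demo.php`: the first request is allowed and the remaining three are blocked. The last case is exactly the business cost described in 0x2; if that cost is too high for a site, the check can be narrowed to targets whose extension the web server would execute (.php, .phtml and similar) at the price of no longer catching a payload dropped into a file the server is later told to treat as PHP.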
6. Defensive Thinking
Copyright (c) Littlehann All rights reserved
Dedecms xss+csrf Getshell \dede\file_manage_control.php