Dedecms tag. php injection vulnerability analysis and exploitation tools

Author: toby57 [www.toby57.cn]
Date: 2008-08-18

Dedecms is a widely used PHP whole-site system, and the security of the system is also concerned. In the past, dedecms also experienced many vulnerabilities, and the official website quickly launched patches. A few days ago, 80 sec announced the injection vulnerability.
Bytes. However, the vulnerability mentioned today has nothing to do with multi-byte encoding, but it is related to URL encoding and decoding,

Haha. Only dedecms2007 (dedecms v5.1 [SP1]) is tested.
The tag. php file in the directory does not properly handle the variable $ tag, resulting in the formation of Injection Vulnerabilities. If not, paste the Code:

If (isset ($ _ server ["QUERY_STRING"]) {
$ Tag = trim ($ _ server ["QUERY_STRING"]); // get the get parameter.
$ Tags = explode ('/', $ tag); // an array separated by "/" $ tags
$ Tag = $ tags [1]; // retrieves the second element of the array $ tags
If (count ($ tags)> 3) $ pageno = intval ($ tags [2]);
} Else {
$ Tag = "";
}
$ Tag = urldecode ($ tag); // perform URL Decoding on the variable $ tag. % 27 is decoded and becomes "'".
// If no tag exists or the tag is invalid, all tags are displayed.
If ($ tag = "" | $ tag! = Addslashes ($ tag) {// If $ tag is empty or contains ', ", \, and other characters, execute
$ Dlist = new taglist(tagtag,'tag.htm'); // create an instance of the taglist class and send $ tag to its constructor. In this case, $ tag may contain "'"
}
// If a tag exists, the document list is displayed.
Else {
$ Dlist = new taglist(tagtag,'taglist.htm ');
}

Code related to taglist: (./include/inc_taglist_view.php)

Class taglist
{
..
VaR $ tag;
..
// PhP5 Constructor
Function _ construct ($ keyword, $ templet) // $ keyword = $ tag
{
..
$ This-> tag = $ keyword; // $ this-> tag = $ tag
..
If ($ this-> tag! = '')
{
$ This-> taginfos = $ this-> dsql-> getone ("select * from '# tag_index' Where tagname like '{$ this-> tag }'"); // query execution, vulnerability generated!
}

The above is the code analysis, which may not be clear. because such a vulnerability can use "'", you can directly into file the shell if the conditions are correct.
In terms of utilization, everyone can make full use of it. In order to do this, I wrote a exploitation Program (http://files.cnblogs.com/allyesno/dedeExp.rar) myself)

When file_priv is yes and the physical path is obtained, you can directly get the shell. The physical path is obtained by exploiting the./include/htmledit/index. php vulnerability.

Submit./include/htmledit/index. php? Modetype = Basic & height [] = toby57.

If this is not possible, you can also use the reinstall vulnerability to submit./install/index. php? Step = 2 You can reinstall the system, or you can obtain the physical path.

Because Union queries are not supported, only get the hash and then crack the shell in the background.