DEDECMS v5.7.106 has a command execution vulnerability
In the uploads/dede/config.php file, we find that the file written by the UpDateMemberModCache() function is an .inc file, but the content written to it is obtained from the database, and the database content is under our control.
The failure of config.php to include the global filter function is the key to the vulnerability.
The file is written to config_passport.php. We can add the content we want through the membership model management function point. After adding it, the content in the database is as follows
Let's take a look at the member_model.inc file
We successfully escape our content by escaping the single quotation mark with the \ backslash, closing it with the following single quotation mark, and then closing all the preceding content with parentheses.
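The root cause described above, as an added example that is not DedeCMS code: a cache writer that pastes a database value between single quotes, beside one that emits the value with var_export(). The function names, the `$models` variable and the sample values are hypothetical; the checker only tokenizes the generated line and never executes it.

```php
<?php
// Added illustration, not DedeCMS source. All names are hypothetical.

// Fragile pattern: database values are pasted between single quotes.
function render_unsafe(int $id, string $name, string $table): string
{
    return "\$models[$id] = array('$name', '$table');\n";
}

// Hardened pattern: var_export() produces a valid PHP literal for any
// string, escaping backslashes and single quotes itself.
function render_safe(int $id, string $name, string $table): string
{
    return sprintf("\$models[%d] = %s;\n", $id, var_export([$name, $table], true));
}

// Sanity check before a generated line is written to an includable file:
// it must parse, and it must contain no bare identifiers (function or
// constant names). The code is tokenized only, never run.
function is_data_only(string $line): bool
{
    try {
        $tokens = token_get_all("<?php\n" . $line, TOKEN_PARSE);
    } catch (ParseError $e) {
        return false; // a quote boundary moved and the literal broke
    }
    foreach ($tokens as $token) {
        if (is_array($token) && $token[0] === T_STRING) {
            return false; // something escaped the string literal
        }
    }
    return true;
}

// Constructed sample: a model name that ends in a backslash.
$name  = 'team\\';
$table = 'member_team';

foreach (['render_unsafe', 'render_safe'] as $renderer) {
    $line = $renderer(1, $name, $table);
    echo $renderer, ': ', is_data_only($line) ? 'data only' : 'REJECTED', "\n";
}
```

Storing the cache as JSON and reading it with json_decode() removes the includable file altogether, which also closes the later include step.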
View the call to UpDateMemberModCache
This function is used in dede/member_model_add.php. After testing, it is found that if a new member template is added through member model management, the content will be written to the member_model.inc file
The .inc file cannot be used on its own, so we go to the system function point to find a place where we can edit a file, and then include member_model.inc to successfully getshell.
Create a new file through the file manager, and then include the .inc file we just wrote, so that we can successfully bypass the malicious function detection of dede, and finally getshell.
Access the 1.php file