Risk Level: High (Requires DedeCMS administrator privileges; full RCE can be achieved)
Exploitability: Confirmed to be exploitable
Prerequisites: Requires administrator privileges
Affected Scope: <=V5.7 118 UTF-8 versions
Vulnerability Discovery
Analysis of the regular expression revealed two key flaws in the DedeCMS blacklist detection regex:
Defect 1: Spelling error
Source: /dede/tpl.php, line 35 contains 'array_filert' (misspelled; it should be array_filter), so the blacklist entry never matches the real function name.
Defect 2: Incomplete character class at the end of the regular expression
Detailed Explanation of the Bypass Principle
The regular expression ends with the character class [([{'], which matches only ( [ { and '. It does not match " (double quotes).
Therefore, when the callback name is enclosed in double quotes, the regular expression does not detect it.
Example:
Content written to the PHP file: array_filter(["id"],"system") → because the callback "system" is enclosed in double quotes, and the trailing character class does not include a double quote, the regular expression cannot match it, so the detection is bypassed.
Python PoC for the regular expression
Full payload
Steps
1. Log on to the admin portal.
2. Go to Core Module → Attachment Management → File Manager.
3. Create a new file (e.g., shell.php), insert the following content, and save it:
4. Save the file (it bypasses the blacklist).
5. Access the PHP file and pass in a parameter, such as ?c=whoami, to obtain a shell.
Relevant Screenshots
Source Code Fix Recommendation
It is recommended to fix the following two issues in the source code:
In dede/tpl.php, on line 38, fix the regular expression by adding " to the end of the character class:
In dede/tpl.php, on line 35, fix the spelling error:
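The following Python snippet is an added illustration of the two defects and of the recommended fix; it is not DedeCMS source code or the actual patch. The pattern is a simplified stand-in (an assumption) that only models what the page describes: a misspelled function name and a trailing character class [([{'] that lacks the double quote. It shows which of the constructed sample contents each stage of the fix blocks.

```python
import re

# Simplified stand-in for the DedeCMS tpl.php blacklist check (assumption:
# the real pattern is not reproduced on the page; this only models the two
# defects it describes). All patterns and samples below are constructed.

# Defect 1 + Defect 2: name misspelled as "array_filert", class lacks ".
ORIGINAL_PATTERN = re.compile(r"\barray_filert\s*\(.*,\s*[([{']", re.I)
# Only the spelling fixed (line 35): still blind to a double-quoted callback.
SPELLING_FIXED_PATTERN = re.compile(r"\barray_filter\s*\(.*,\s*[([{']", re.I)
# Both fixes applied (lines 35 and 38): spelling corrected, " added to the class.
FIXED_PATTERN = re.compile(r"\barray_filter\s*\(.*,\s*[([{'\"]", re.I)

# Constructed sample file contents.
SINGLE_QUOTED = "<?php array_filter(['id'],'system');"
DOUBLE_QUOTED = '<?php array_filter(["id"],"system");'  # the bypass on the page
BENIGN = '<?php echo "hello world";'


def is_blocked(pattern, content):
    """Return True when the blacklist regex rejects the file content."""
    return pattern.search(content) is not None


def evaluate(content):
    """Map each stage of the fix to whether it blocks the given content."""
    return {
        "original": is_blocked(ORIGINAL_PATTERN, content),
        "spelling_fixed": is_blocked(SPELLING_FIXED_PATTERN, content),
        "fixed": is_blocked(FIXED_PATTERN, content),
    }


if __name__ == "__main__":
    for label, content in [("single-quoted", SINGLE_QUOTED),
                           ("double-quoted", DOUBLE_QUOTED),
                           ("benign", BENIGN)]:
        print(label, evaluate(content))
```

Note that with both defects present the check blocks nothing at all, since the misspelled name never matches; fixing only the spelling still leaves the double-quoted form undetected.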