DedeCMS 5.7 edit.inc.php file SQL injection

Source: Internet
Author: User

Code of the vulnerable file edit.inc.php (the `editok` branch is the problem; see the comments):

```php
<?php
if(!defined('DEDEINC')) exit('Request Error!');
if(!empty($_COOKIE['GUEST_BOOK_POS'])) $GUEST_BOOK_POS = $_COOKIE['GUEST_BOOK_POS'];
else $GUEST_BOOK_POS = "guestbook.php";
$id = intval($id);
if(empty($job)) $job = 'view';
if($job == 'del' && $g_isadmin)
{
    $dsql->ExecuteNoneQuery("DELETE FROM `dede_guestbook` WHERE id='$id' ");
    showMsg("A message is deleted successfully!", $GUEST_BOOK_POS);
    exit();
}
else if($job == 'check' && $g_isadmin)
{
    $dsql->ExecuteNoneQuery("UPDATE `dede_guestbook` SET ischeck=1 WHERE id='$id' ");
    ShowMsg("A message is successfully reviewed!", $GUEST_BOOK_POS);
    exit();
}
else if($job == 'editok')
{
    $remsg = trim($remsg);
    if($remsg != '')
    {
        // Administrator replies are not HTML-filtered
        if($g_isadmin)
        {
            $msg = "<div class=\'rebox\'>".$msg."</div>\n".$remsg;
            //$remsg<br><font color=red>admin reply:</font>
        }
        else
        {
            $row = $dsql->GetOne("SELECT msg FROM `dede_guestbook` WHERE id='$id' ");
            $oldmsg = "<div class=\'rebox\'>".addslashes($row['msg'])."</div>\n";
            $remsg = trimMsg(cn_substrR($remsg, 1024), 1);
            $msg = $oldmsg.$remsg;
        }
    }
    // $msg is not filtered here (when $remsg is empty it is the raw request value), resulting in arbitrary SQL injection
    $dsql->ExecuteNoneQuery("UPDATE `dede_guestbook` SET `msg`='$msg', `posttime`='".time()."' WHERE id='$id' ");
    ShowMsg("A message is successfully changed or replied!", $GUEST_BOOK_POS);
    exit();
}
if($g_isadmin)
{
    $row = $dsql->GetOne("SELECT * FROM `dede_guestbook` WHERE id='$id'");
    require_once(DEDETEMPLATE.'/plus/guestbook-admin.htm');
}
else
{
    $row = $dsql->GetOne("SELECT id,title FROM `dede_guestbook` WHERE id='$id'");
    require_once(DEDETEMPLATE.'/plus/guestbook-user.htm');
}
```

Conditions required for successful exploitation:
1. PHP magic_quotes_gpc = off
2. The vulnerable file plus/guestbook.php is present and the dede_guestbook table exists
How to determine whether the vulnerability exists: first open www.2cto.com/plus/guestbook.php to view other users' messages, then hover the cursor over [reply/edit] to see the message IDs. Note down an ID and request: www.xxx.com/plus/guestbook.php?action=admin&job=editok&msg=90sec'&id=<existing message ID>. On DedeCMS 5.7 this displays "A message is successfully changed or replied!", which only indicates that the edit branch was reached. Go back to www.xxx.com/plus/guestbook.php and check whether that message's content has changed to 90sec'. If it has changed, the quote was escaped on the way in and the vulnerability cannot be exploited. If magic_quotes_gpc = off, the unescaped quote breaks the query, so the message content is still the previous one; that proves the vulnerability can be used. Then visit www.xxx.com/plus/guestbook.php?action=admin&job=editok&id=<existing message ID>&msg=', msg=user(), email=' and go back: the content of that message has been replaced with the MySQL user(). That is roughly it; those interested can research further. Finally, someone will probably ask how to dump the administrator account password. You will know after your own research. It can be dumped anyway (I wouldn't post this if it couldn't)!!
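As an added example, not DedeCMS code and not from the original author, here is a hardened rewrite of the `editok` branch that removes the injection by binding the message body with PDO prepared statements instead of interpolating it into the UPDATE. It assumes an in-memory SQLite database with a constructed `dede_guestbook` table so it runs stand-alone; the function names `makeGuestbookDb` and `editokHardened`, the `$pdo` handle and the `$isAdmin` flag are assumptions standing in for DedeCMS's `$dsql` and `$g_isadmin`.

```php
<?php
// Added example (not DedeCMS code): hardened replacement for the `editok`
// branch of edit.inc.php. Uses PDO prepared statements so request data is
// never part of the SQL text, and refuses the empty-reply case that the
// original let fall through to a raw UPDATE with the request's `msg` value.

function makeGuestbookDb(): PDO
{
    // Constructed in-memory database with a minimal `dede_guestbook` schema:
    // only the columns this handler touches.
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec("CREATE TABLE dede_guestbook (
        id INTEGER PRIMARY KEY, title TEXT, msg TEXT, email TEXT,
        posttime INTEGER, ischeck INTEGER DEFAULT 0)");
    $pdo->exec("INSERT INTO dede_guestbook (id, title, msg, email, posttime)
                VALUES (1, 'hello', 'original message', 'a@example.com', 0)");
    return $pdo;
}

/**
 * Hardened editok handler (assumed signature; DedeCMS passes these as globals).
 *
 * @param PDO    $pdo     database handle
 * @param int    $id      message id, already an integer (never SQL text)
 * @param string $remsg   reply text from the request
 * @param string $msg     edited message body from the request (admin only)
 * @param bool   $isAdmin result of the CMS's administrator check
 * @return bool  true if exactly one row was updated
 */
function editokHardened(PDO $pdo, int $id, string $remsg, string $msg, bool $isAdmin): bool
{
    $remsg = trim($remsg);
    if ($remsg === '') {
        // The original skipped its whole if-block here and wrote the raw
        // request `msg` into the UPDATE. An empty reply means nothing to
        // change, so refuse instead of touching the row.
        return false;
    }

    if ($isAdmin) {
        // Administrator replies keep HTML, as in the original design.
        $newMsg = '<div class="rebox">' . $msg . '</div>' . "\n" . $remsg;
    } else {
        $stmt = $pdo->prepare('SELECT msg FROM dede_guestbook WHERE id = :id');
        $stmt->execute([':id' => $id]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        if ($row === false) {
            return false;   // unknown id: nothing to reply to
        }
        // Non-admin reply: cap at 1024 characters (the original's cn_substrR
        // limit) and HTML-escape for output. addslashes() is gone because the
        // value is bound, not interpolated.
        $reply  = htmlspecialchars(mb_substr($remsg, 0, 1024), ENT_QUOTES, 'UTF-8');
        $newMsg = '<div class="rebox">' . $row['msg'] . '</div>' . "\n" . $reply;
    }

    // Bound parameters: a quote inside $newMsg is data, not SQL syntax,
    // regardless of magic_quotes_gpc (removed in PHP 5.4 in any case).
    $stmt = $pdo->prepare(
        'UPDATE dede_guestbook SET msg = :msg, posttime = :t WHERE id = :id'
    );
    $stmt->execute([':msg' => $newMsg, ':t' => time(), ':id' => $id]);
    return $stmt->rowCount() === 1;
}

// Demonstration using the payload shape from the write-up (constructed input).
$pdo     = makeGuestbookDb();
$payload = "', msg=user(), email='";

// 1. Raw `msg` with an empty reply: the hardened handler refuses the update.
var_dump(editokHardened($pdo, 1, '', $payload, false));

// 2. The same text sent as a non-admin reply is stored as a literal string.
var_dump(editokHardened($pdo, 1, $payload, '', false));
$row = $pdo->query('SELECT msg, email FROM dede_guestbook WHERE id = 1')
           ->fetch(PDO::FETCH_ASSOC);
echo $row['msg'], "\n";
echo $row['email'], "\n";
```

Run with `php`: the first call returns false because an empty reply no longer lets the request's `msg` reach the UPDATE, and the second stores the quoted payload inside `msg` as text while `email` is left untouched. The design point is that the fix does not depend on any input escaping (magic_quotes_gpc, addslashes): the parameters are bound, so the query's structure is fixed before any user data is seen.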
