DedeCMS latest front-end SQL injection and fix
Still a SQL injection: a small oversight that is repeated in several places. DedeCMS imposes strict restrictions on the username (userid) and the email address during registration, but imposes no restriction at all on the member's pen name (uname). Single quotes and similar characters are accepted, so the injection fires later, as a second-order injection, wherever the stored pen name is used again.

1. /member/reg_new.php, around line 194:
$inQuery = "INSERT INTO `dede_member` (`mtype`, `userid`, `pwd`, `uname`, `sex`, `rank`, `money`, `email`, `scores`, `matt`, `space`, `face`, `safequestion`, `safeanswer`, `jointime`, `joinip`, `logintime`, `loginip`)
            VALUES ('$mtype', '$userid', '$pwd', '$uname', '$sex', '10', '$dfmoney', '$email', '$dfscores', '0', '$spaceSta', '', '$safequestion', '$safeanswer', '$jointime', '$joinip', '$logintime', '$loginip'); ";
// no check of $uname is performed before this point; the raw pen name is written into the database
if ($dsql->ExecuteNoneQuery($inQuery))
2. Do a global search for M_UserName, username and getUserName(), and find the points where the pen name is written back into the database, for example /include/memberlogin.class.php, around line 567:
function RecordFeeds($type, $title, $note, $aid)
{
    global $dsql, $pai_mb_feedcheck;
    // decide whether this action should be recorded at all
    if (in_array($type, array('add', 'addsoft', 'feedback', 'addfriends', 'stow')))
    {
        $ntime = time();
        $title = htmlspecialchars(cn_substrR($title, 255));
        if (in_array($type, array('add', 'addsoft', 'feedback', 'stow')))
        {
            $rcdtype = array('add' => 'released successfully ', 'addsoft' => 'Software released successfully ', 'feedback' => 'commented on the topic ', 'stow' => 'added to favorites ');
            // content-related processing: link to the article
            $arcrul = "<a href='/plus/view.php?aid=".$aid."'>".$title."</a>";
            $title  = htmlspecialchars($rcdtype[$type].$arcrul, ENT_QUOTES);
        }
        else if ($type == 'addfriends')
        {
            // add-friend processing: link to the friend's member page
            $arcrul = "<a href='/member/index.php?uid=".$aid."'>".$aid."</a>";
            $title  = htmlspecialchars('and '.$arcrul." became friends", ENT_QUOTES);
        }
        $note    = Html2Text($note);
        $aid     = (isset($aid) && is_numeric($aid)) ? $aid : 0;
        $ischeck = ($pai_mb_feedcheck == 'y') ? 0 : 1;
        $query = "INSERT INTO `dede_member_feed` (`mid`, `userid`, `uname`, `type`, `aid`, `dtime`, `title`, `note`, `ischeck`)
                  VALUES ('$this->M_ID', '$this->M_LoginID', '$this->M_UserName', '$type', '$aid', '$ntime', '$title', '$note', '$ischeck'); ";
        // insert the member feed record; this is the key point: the stored pen name
        // $this->M_UserName is interpolated directly into the query without any escaping
        $rs = $dsql->ExecuteNoneQuery($query);
        return $rs;
    }
    else
    {
        return FALSE;
    }
}
3. The injection can be triggered by any operation that records a feed, such as posting an article or adding a friend. Trigger steps: (1) register a new user and put the SQL statement in the pen name (build it as you like; it is best to end it with \ and then find a controllable adjacent field); (2) add a friend to trigger the member feed record; (3) go to the personal centre.
Solution: the simplest fix is to restrict the format of the pen name during registration.
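As an added example (not DedeCMS code, and not the patch the author applied), the two checks a maintainer would want: a pen-name format restriction at the registration entry point, and a version of the member feed insert that binds the stored pen name as a parameter, because a second-order injection is only closed for good when the value is treated as data at the point of reuse, not just filtered at the point of entry. The mysqli connection, the PenNameIsValid() and InsertMemberFeed() names and the character set allowed for pen names are assumptions.

```php
<?php
// Added example, not DedeCMS code. Assumes a mysqli connection $db and the
// dede_member_feed table from the write-up; PenNameIsValid() is hypothetical.

// 1. Entry-point check for reg_new.php: allow only letters, digits, CJK
//    characters and underscore, 2..20 characters. Quotes, backslashes and
//    comment sequences are rejected, so dede_member.uname never stores them.
function PenNameIsValid($uname)
{
    return preg_match('/^[A-Za-z0-9_\x{4e00}-\x{9fa5}]{2,20}$/u', $uname) === 1;
}

// 2. Reuse-point fix for RecordFeeds(): bind every value, including the pen
//    name that was read back from the database, as a parameter. The stored
//    value then cannot change the shape of the query whatever it contains.
function InsertMemberFeed(mysqli $db, $mid, $loginId, $userName, $type, $aid, $title, $note, $ischeck)
{
    $stmt = $db->prepare(
        'INSERT INTO dede_member_feed (mid, userid, uname, type, aid, dtime, title, note, ischeck)'
        . ' VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)'
    );
    if ($stmt === false) {
        return false;
    }
    $dtime = time();
    $aid   = is_numeric($aid) ? (int)$aid : 0;
    // types: mid int, userid/uname/type strings, aid int, dtime int, title/note strings, ischeck int
    $stmt->bind_param('isssiissi', $mid, $loginId, $userName, $type, $aid, $dtime, $title, $note, $ischeck);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Constructed inputs: a plain pen name passes, one carrying a quote and a
// trailing backslash (the pattern the write-up describes) is refused.
var_dump(PenNameIsValid("alice"));
var_dump(PenNameIsValid("bob' or 1=1\\"));
```

Registration still reports a format error to the user; the prepared statement in the second function is the part that protects every other place the stored pen name is written back, which the global search in step 2 is meant to enumerate.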