In DedeCMS, /plus/advancedsearch.php reads a value directly from $_SESSION[$sqlhash] and uses it as $query in a SQL query. The precondition for exploitation is session.auto_start = 1, that is, sessions are started automatically.
Harm:
1. Hackers can use this vulnerability to redefine a database connection.
2. Through this vulnerability, attackers can carry out various privilege-exceeding operations and construct exploits that write a webshell backdoor directly.
The Cloud Shield team applies a single, unified defense at the DedeCMS variable registration entry point, which refuses incoming _SESSION variables. The fix is as follows:
Open the file /mnt/www/xiaoshuo/include/common.inc.php with a text editor.
First, search for the following string:
    (cfg_|GLOBALS|_GET|_POST|_COOKIE)
and replace it with:
    (cfg_|GLOBALS|_GET|_POST|_COOKIE|_SESSION)
There are two places where this replacement can be made.
Second, search for the following code:
    foreach(Array('_GET','_POST','_COOKIE') as $_request) {
        foreach($$_request as $_k => $_v) {
            if($_k == 'nvarname') ${$_k} = $_v;
            else ${$_k} = _RunMagicQuotes($_v);
        }
    }
Replace it with:
    foreach(Array('_GET','_POST','_COOKIE') as $_request) {
        foreach($$_request as $_k => $_v) {
            // Reject request keys that would overwrite cfg_* settings or GLOBALS
            if(strlen($_k) > 0 && eregi('^(cfg_|GLOBALS)', $_k)) {
                exit('Request var not allow!');
            }
            ${$_k} = _RunMagicQuotes($_v);
        }
    }
With these changes, the SQL injection vulnerability caused by session variable overwrite is resolved!
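The effect of the first replacement, shown as an added example (not DedeCMS source or Cloud Shield's code): the same constructed request is checked against the old and the extended prefix list. The function names and the sample request are hypothetical, and preg_match is used in place of eregi, which was removed in PHP 7.0.

```php
<?php
// Added example: prefix lists are the two strings from the fix above.
const OLD_PREFIXES = '(cfg_|GLOBALS|_GET|_POST|_COOKIE)';
const NEW_PREFIXES = '(cfg_|GLOBALS|_GET|_POST|_COOKIE|_SESSION)';

// True when a request key would overwrite a protected variable.
function is_forbidden_key(string $key, string $prefixes): bool {
    return $key !== '' && preg_match('#^' . $prefixes . '#', $key) === 1;
}

// Walk request data recursively and collect every forbidden key name.
function find_forbidden_keys(array $data, string $prefixes): array {
    $hits = [];
    foreach ($data as $key => $value) {
        if (is_forbidden_key((string)$key, $prefixes)) {
            $hits[] = (string)$key;
        }
        if (is_array($value)) {
            $hits = array_merge($hits, find_forbidden_keys($value, $prefixes));
        }
    }
    return $hits;
}

// Register request variables into an isolated array instead of globals,
// refusing the whole request if any key is forbidden.
function register_request_vars(array $sources, string $prefixes): array {
    $registered = [];
    foreach ($sources as $source) {
        if (find_forbidden_keys($source, $prefixes) !== []) {
            throw new RuntimeException('Request var not allow!');
        }
        $registered = array_replace($registered, $source);
    }
    return $registered;
}

// Constructed sample input: query parameters as PHP exposes them after parsing.
$get = ['keyword' => 'news', '_SESSION' => ['constructed_key' => 'constructed_value']];

foreach (['old' => OLD_PREFIXES, 'new' => NEW_PREFIXES] as $label => $prefixes) {
    try {
        $vars = register_request_vars([$get], $prefixes);
        echo "$label pattern: accepted keys " . implode(',', array_keys($vars)) . "\n";
    } catch (RuntimeException $e) {
        echo "$label pattern: rejected (" . $e->getMessage() . ")\n";
    }
}
```

Registering into a returned array rather than into global scope keeps request data from ever sharing a namespace with $_SESSION or configuration variables.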
DedeCMS session variable overwrite causes SQL injection: vulnerability patching solution