对最近dedecms注入的解析
发布时间:2022-04-30 10:40:29 所属栏目:安全 来源:互联网
导读:漏洞文件: plusfeedback.php。 存在问题的代码: ...if($comtype == comments) { $arctitle = addslashes($title); if($msg!=) {//$typeid变量未做初始化 $inquery = INSERT INTO `dede_feedback`(`aid`,`typeid`,`username`,`arctitle`,`ip`,`ischeck`,`dti
漏洞文件: plusfeedback.php。 存在问题的代码: ...if($comtype == 'comments') { $arctitle = addslashes($title); if($msg!='') {//$typeid变量未做初始化 $inquery = "INSERT INTO `dede_feedback`(`aid`,`typeid`,`username`,`arctitle`,`ip`,`ischeck`,`dtime`, `mid`,`bad`,`good`,`ftype`,`face`,`msg`) VALUES ('$aid','$typeid','$username','$arctitle','$ip','$ischeck','$dtime', '{$cfg_ml->M_ID}','0','0','$feedbacktype','$face','$msg'); "; echo $inquery;//调试,输出查询语句 $rs = $dsql->ExecuteNoneQuery($inquery); if(!$rs) { ShowMsg(' 发表评论错误! ', '-1'); //echo $dsql->GetError(); exit(); } } } //引用回复 elseif ($comtype == 'reply') { $row = $dsql->GetOne("SELECT * FROM `dede_feedback` WHERE id ='$fid'"); $arctitle = $row['arctitle']; $aid =$row['aid']; $msg = $quotemsg.$msg; $msg = HtmlReplace($msg, 2); $inquery = "INSERT INTO `dede_feedback`(`aid`,`typeid`,`username`,`arctitle`,`ip`,`ischeck`,`dtime`,`mid`,`bad`,`good`,`ftype`,`face`,`msg`) VALUES ('$aid','$typeid','$username','$arctitle','$ip','$ischeck','$dtime','{$cfg_ml->M_ID}','0','0','$feedbacktype','$face','$msg')"; $dsql->ExecuteNoneQuery($inquery); } 完整的输入语句,第二个参数 typeid可控。 INSERT INTO `dede_feedback`(`aid`,`typeid`,`username`,`arctitle`,`ip`,`ischeck`,`dtime`, `mid`,`bad`,`good`,`ftype`,`face`,`msg`) VALUES ('108','2','游客','paxmac','127.0.0.1','1','1351774092', '0','0','0','feedback','0','nsfocus&&paxmac team'); common.inc.php文件 会把所有的request进行处理。 function _RunMagicQuotes(&$svar) { if(!get_magic_quotes_gpc()) { if( is_array($svar) ) { foreach($svar as $_k => $_v) $svar[$_k] = _RunMagicQuotes($_v); } else { if( strlen($svar)>0 && preg_match('#^(cfg_|GLOBALS|_GET|_POST|_COOKIE)#',$svar) ) { exit('Request var not allow!'); foreach(Array('_GET','_POST','_COOKIE') as $_request) { foreach($$_request as $_k => $_v) { if($_k == 'nvarname') ${$_k} = $_v; else ${$_k} = _RunMagicQuotes($_v); foreach($svar as $_k => $_v) { $svar[$_k] = _FilterAll($fk,$_v); (编辑:东莞站长网) 【声明】本站内容均来自网络,其相关言论仅代表作者个人观点,不代表本站立场。若无意侵犯到您的权利,请及时与联系站长删除相关内容! |
站长推荐