Dedecms Injection Vulnerability 9

Category: Vulnerability Era

Summary

Test method: 127.0.0.1/dede/plus/guestbook.php?action=save&validate=scuf&msg=1&uname=1&img=111'


Vulnerability author: Matt

[php]
else if($action=='save') {
    if(!empty($_COOKIE['GUEST_BOOK_POS'])) $GUEST_BOOK_POS = $_COOKIE['GUEST_BOOK_POS'];
    else $GUEST_BOOK_POS = 'guestbook.php';

    if(empty($validate)) $validate = '';
    else $validate = strtolower($validate);
    $svali = GetCkVdValue();
    if($validate=='' || $validate!=$svali)
    {
        ShowMsg("验证码不正确!","");
        exit();
    }

    $ip = GetIP();
    $dtime = time();
    // Every field below passes through trimMsg() ... except $img, which is
    // taken from the request untouched.
    $uname = trimMsg($uname);
    $email = trimMsg($email);
    $homepage = trimMsg($homepage);
    $homepage = preg_replace("#http:\/\/#", '', $homepage);
    $qq = trimMsg($qq);
    $msg = trimMsg(cn_substrR($msg, 1024), 1);
    $tid = empty($tid) ? 0 : intval($tid);
    $reid = empty($reid) ? 0 : intval($reid);

    if($msg=='' || $uname=='') {
        showMsg('你的姓名和留言内容不能为空!','-1');
        exit();
    }
    $title = HtmlReplace( cn_substrR($title,60), 1 );
    if($title=='') $title = '无标题';

    if($reid != 0)
    {
        $row = $dsql->GetOne("SELECT msg FROM `#@__guestbook` WHERE id='$reid' ");
        $msg = "<div class=\'rebox\'>".addslashes($row['msg'])."</div>\n".$msg;
    }

    // $img is concatenated straight into the SQL string with no filtering.
    $query = "INSERT INTO `#@__guestbook` (title,tid,mid,uname,email,homepage,qq,face,msg,ip,dtime,ischeck)
              VALUES ('$title','$tid','{$g_mid}','$uname','$email','$homepage','$qq','$img','$msg','$ip','$dtime','$needCheck'); ";
    echo $query; // img is not filtered
    $dsql->ExecuteNoneQuery($query);
    $gid = $dsql->GetLastID();
[/php]
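The root cause in the block above is that `$img` (the avatar "face" picked in the guestbook form) is the one request value that never goes through trimMsg() or any escaping before it is spliced into the INSERT string. The hardened save branch below is an added example written for this page, not DedeCMS code: it restricts `$img` to an allowlisted filename pattern and binds every value as a parameter, so no quote in any field can alter the query. It assumes a mysqli connection with the mysqlnd driver (for `get_result()`), a table named `dede_guestbook` standing in for `#@__guestbook`, and an assumed avatar naming scheme of `faceN.gif`; the helper functions replace DedeCMS's trimMsg/cn_substrR/HtmlReplace with plain PHP equivalents so the snippet stands alone.

```php
<?php
// Added example (not DedeCMS code): guestbook "save" branch with the $img
// injection closed by allowlisting plus parameter binding.
declare(strict_types=1);

// Avatar filenames are assumed to follow "faceN.gif"; anything else falls
// back to a default, so $img can never carry a quote or SQL fragment.
function sanitize_face(string $img): string
{
    return preg_match('/^face\d{1,2}\.gif$/', $img) === 1 ? $img : 'face1.gif';
}

// Stand-in for DedeCMS trimMsg()+cn_substrR(): strip control characters,
// trim whitespace and cap the length.
function trim_msg(string $s, int $max): string
{
    $s = trim(str_replace(["\r", "\n", "\0"], '', $s));
    return mb_substr($s, 0, $max);
}

function save_guestbook_entry(mysqli $db, array $in, int $mid, int $needCheck): int
{
    $title    = htmlspecialchars(trim_msg($in['title'] ?? '', 60), ENT_QUOTES, 'UTF-8');
    if ($title === '') {
        $title = 'Untitled';
    }
    $uname    = trim_msg($in['uname'] ?? '', 60);
    $email    = trim_msg($in['email'] ?? '', 120);
    $homepage = preg_replace('#^https?://#i', '', trim_msg($in['homepage'] ?? '', 120));
    $qq       = trim_msg($in['qq'] ?? '', 20);
    $msg      = trim_msg($in['msg'] ?? '', 1024);
    $img      = sanitize_face((string)($in['img'] ?? ''));
    $tid      = (int)($in['tid'] ?? 0);
    $reid     = (int)($in['reid'] ?? 0);

    if ($msg === '' || $uname === '') {
        throw new InvalidArgumentException('name and message must not be empty');
    }

    // Quoting a parent message: the id is bound as an integer, and the
    // stored text needs no addslashes() because it is bound below, not
    // concatenated into SQL.
    if ($reid !== 0) {
        $stmt = $db->prepare('SELECT msg FROM `dede_guestbook` WHERE id = ?');
        $stmt->bind_param('i', $reid);
        $stmt->execute();
        $row = $stmt->get_result()->fetch_assoc();
        $stmt->close();
        if ($row !== null) {
            $msg = '<div class="rebox">' . $row['msg'] . "</div>\n" . $msg;
        }
    }

    $ip    = $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
    $dtime = time();

    // All twelve columns are placeholders; the original built this string
    // with '$img' inline, which is exactly where the injection lived.
    $stmt = $db->prepare(
        'INSERT INTO `dede_guestbook`
         (title,tid,mid,uname,email,homepage,qq,face,msg,ip,dtime,ischeck)
         VALUES (?,?,?,?,?,?,?,?,?,?,?,?)'
    );
    $stmt->bind_param(
        'siisssssssii',
        $title, $tid, $mid, $uname, $email, $homepage,
        $qq, $img, $msg, $ip, $dtime, $needCheck
    );
    $stmt->execute();
    $gid = (int)$db->insert_id;
    $stmt->close();
    return $gid;
}
```

With this version the advisory's request (`img=111'`) is simply rejected by `sanitize_face()` and stored as the default avatar; even if the allowlist were removed, the bound parameter would store the literal string `111'` rather than terminating the SQL literal. The `echo $query;` debug line from the original has no equivalent here: printing the assembled query to the response leaks table names and column layout to anyone submitting the form.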

Proof of vulnerability:

Test method: 127.0.0.1/dede/plus/guestbook.php?action=save&validate=scuf&msg=1&uname=1&img=111'

Change SCUF to your own captcha value and that's it. I won't write an exp.. I don't have the guestbook module installed~
