我们来自五湖四海,不为别的,只因有共同的爱好,为中国互联网发展出一分力!

dedecms5.7最新sql注射漏洞利用

2014年03月15日05:01 阅读: 37397 次

标签: dedecms5.7最新sql注射漏洞利

影响版本为5.7

漏洞文件edit.inc.php具体代码:

< ?php  

if(!defined('DEDEINC')) exit('Request Error!');  

if(!empty($_COOKIE['GUEST_BOOK_POS'])) $GUEST_BOOK_POS = $_COOKIE['GUEST_BOOK_POS'];  

else $GUEST_BOOK_POS = "guestbook.php";  

$id = intval($id);  

if(empty($job)) $job='view';  

if($job=='del' && $g_isadmin)  

{  

$dsql->ExecuteNoneQuery(" DELETE FROM `#@__guestbook` WHERE id='$id' ");  

ShowMsg("成功删除一条留言!", $GUEST_BOOK_POS);  

exit();  

}  

else if($job=='check' && $g_isadmin)  

{  

$dsql->ExecuteNoneQuery(" UPDATE `#@__guestbook` SET ischeck=1 WHERE id='$id' ");  

ShowMsg("成功审核一条留言!", $GUEST_BOOK_POS);  

exit();  

}  

else if($job=='editok')  

{  

$remsg = trim($remsg);  

if($remsg!='')  

{  

//管理员回复不过滤HTML By:Errorera blog:errs.cc  

if($g_isadmin)  

{  

$msg = "
".$msg."
\n".$remsg; //$remsg
管理员回复: } else { $row = $dsql->GetOne("SELECT msg From `#@__guestbook` WHERE id='$id' "); $oldmsg = "
".addslashes($row['msg'])."
\n"; $remsg = trimMsg(cn_substrR($remsg, 1024), 1); $msg = $oldmsg.$remsg; } } //这里没有对$msg过滤,导致可以任意注入了By:Errorera home:www.errs.cc $dsql->ExecuteNoneQuery("UPDATE `#@__guestbook` SET `msg`='$msg', `posttime`='".time()."' WHERE id='$id' "); ShowMsg("成功更改或回复一条留言!", $GUEST_BOOK_POS); exit(); } //home:www.errs.cc if($g_isadmin) { $row = $dsql->GetOne("SELECT * FROM `#@__guestbook` WHERE id='$id'"); require_once(DEDETEMPLATE.'/plus/guestbook-admin.htm'); } else { $row = $dsql->GetOne("SELECT id,title FROM `#@__guestbook` WHERE id='$id'"); require_once(DEDETEMPLATE.'/plus/guestbook-user.htm'); }
分享到: 更多
?2019 安全焦点 版权所有.