客服电话
APP下载
迪恩网络APP
随时随地掌握行业动态
官方微信
扫描二维码
关注迪恩网络微信公众号
漏洞版本:DEDECMS 5.1 漏洞描述:同样是在magic_quotes_gpc=off的情况下可用
此漏洞可拿到后台管理员的帐号和加密HASH,漏洞存在文件plus/feedback_js.php,未过滤参数为$arcurl
......
$urlindex = 0;
if(empty($arcID))
{
$row = $dlist->dsql->GetOne("Select id From `#@__cache_feedbackurl` where url='$arcurl' ");
//此处$arcurl没有过滤
if(is_array($row)) $urlindex = $row['id'];
//存在结果则把$urlindex赋值为查询到的$row['id'],我们可以构造SQL语句带入下面的操作中了
}
if(empty($arcID) && empty($urlindex)) exit();
//如果$arcID为空或$urlindex为空则退出
......
if(empty($arcID)) $wq = " urlindex = '$urlindex' ";
//我们让$arcID为空,刚才上面执行的结果就会被赋值给$wq带入下面的操作中执行了.
else $wq = " aid='$arcID' ";
$querystring = "select * from `#@__feedback` where $wq and ischeck='1' order by dtime desc";
$dlist->Init();
$dlist->SetSource($querystring);
......
看一下利用方法吧,嘿,为了闭合我用了两次union
<* 参考
http://www.st0p.org/blog/archives/dedecms-5-1-feedback_js-php-0day.html*> 测试方法: |
2022-07-18
2022-08-17
2022-11-06
2022-08-17
2022-08-15
theindianappguy/machine_learning_flutter_app: Learn how to build a tensorflow mo
挨打的读音是什么?很多人在拼音的时候导致错误,这是因为挨为多音字,读i,还有读音ā
b1scoito/clicker: Advanced Minecraft auto-clicker made in C++
hiroyuki-kasai/ClassifierToolbox: A MATLAB toolbox for classifier: Version 1.0.7
jacksonhvisuals/quicksilver: A free, (mostly) material-design template for the w
fragglet/c-algorithms: A library of common data structures and algorithms writte
Use after free in storage in Google Chrome prior to 100.0.4896.88 allowed an att
An issue was discovered in Veritas NetBackup 8.1.x through 8.1.2, 8.2, 8.3.x thr
doka-guide/content: Контент Доки: статьи, картинки, д
amp;amp;lt;scroll-viewscroll-y:scroll-top=amp;quot;scrollTopamp;quot;style=amp;q
请发表评论