1. RemoveXSS漏洞
E:\315\www\include\helpers\filter.helper.php 68行:
增加:
$val = htmlspecialchars($val); //2019-05-08 修复
(注: 在 PHP 8.1 之前 htmlspecialchars 默认 (ENT_COMPAT) 只转义 &、<、> 和双引号, 不转义单引号; 若过滤后的值可能输出到单引号包裹的 HTML 属性中, 建议写成 htmlspecialchars($val, ENT_QUOTES, 'UTF-8'))
2. 【检查】 /plus/search.php, dedecms注入漏洞 (本页未给出该文件的修复代码, 需自行核对)
3 /plus/guestbook/edit.inc.php 其实就是留言板注入漏洞, 没有对 $msg 过滤, 导致可以任意注入
$msg = HtmlReplace($msg, -1); => $msg = addslashes(HtmlReplace($msg, -1));
4 /dede/media_add.php 后台文件任意上传漏洞
找到文件/dede/media_add.php, 定位到69行: $fullfilename = $cfg_basedir.$filename; 在这一行之前
增加:
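// Reject a target filename that carries a server-side script extension.
// NOTE(review): the pattern as published on this page ended in
// `[^a-zA-Z0-9]+$`, which only matches when at least one non-alphanumeric
// character FOLLOWS the extension (e.g. "x.php." or "x.php\t"); a plain
// "x.php" was not caught at all.  The trailing group is now optional so both
// shapes are refused.  `!== 0` (rather than a truthy test) also treats a PCRE
// error (preg_match() returning false) as a rejection -- fail closed.
if (preg_match('#\.(php|pl|cgi|asp|aspx|jsp|php5|php4|php3|shtm|shtml)(?:[^a-zA-Z0-9]+)?$#i', trim($filename)) !== 0) {
    // ShowMsg() is a DedeCMS helper defined elsewhere.  Its second argument
    // reads 'java script:;' on this page (presumably 'javascript:;' mangled by
    // the site's own output filter); it is kept exactly as found.
    ShowMsg("你指定的文件名被系统禁止!",'java script:;');
    exit();
}
// Build the absolute path only after the name has passed the check above.
$fullfilename = $cfg_basedir.$filename;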
5 /include/common.inc.php SESSION变量覆盖导致SQL注入
找到文件在/include/common.inc.php,定位到101行
// Original (vulnerable) code: emulates register_globals by copying every
// GET/POST/COOKIE key into a same-named variable in the current scope.
foreach(Array('_GET','_POST','_COOKIE') as $_request)
{
    foreach($$_request as $_k => $_v)
    {
        // Nothing restricts $_k, so any request parameter can overwrite any
        // variable reachable from here (for instance a cfg_* setting such as
        // $cfg_basedir, or a superglobal name like the ones this loop reads).
        // Only 'nvarname' is copied raw; every other value passes through
        // _RunMagicQuotes(), a DedeCMS helper defined elsewhere.
        if($_k == 'nvarname') ${$_k} = $_v;
        else ${$_k} = _RunMagicQuotes($_v);
    }
}
修复为 =>
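// Patched version: still copies GET/POST/COOKIE keys into same-named
// variables, but refuses keys that would clobber protected names.
foreach(Array('_GET','_POST','_COOKIE') as $_request)
{
    foreach($$_request as $_k => $_v) {
        // The page's version used eregi(), which is deprecated since PHP 5.3
        // and removed in PHP 7, so a site on PHP 7+ would fatal on the first
        // request; preg_match() with the `i` flag is the drop-in replacement.
        // The denylist now also covers the superglobals this very loop reads
        // and $_SESSION -- this section is about a SESSION variable overwrite,
        // yet the published pattern only matched cfg_|GLOBALS.
        if( strlen($_k)>0 && preg_match('/^(cfg_|GLOBALS|_GET|_POST|_COOKIE|_SESSION)/i', $_k) ){
            exit('Request var not allow!');
        }
        // Unlike the vulnerable version, no key ('nvarname' included) is
        // exempt from _RunMagicQuotes(), a DedeCMS helper defined elsewhere.
        ${$_k} = _RunMagicQuotes($_v);
    }
}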
6 /include/uploadsafe.inc.php dedecms上传漏洞
找到文件:文件/include/uploadsafe.inc.php,此文件有两处漏洞
定位到42行, ${$_key.'_size'} = @filesize($$_key);
修复后:
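// Fall back to the on-disk size when the declared upload size is missing or 0.
// NOTE(review): $$_key is presumably the upload's temp path -- the enclosing
// per-file loop is outside this excerpt, so confirm against the file.
if(empty(${$_key.'_size'}))
{
    ${$_key.'_size'} = @filesize($$_key);
}
// Declared MIME types that must be backed by a file getimagesize() can parse.
$imtypes = array("image/pjpeg", "image/jpeg", "image/gif", "image/png", "image/xpng", "image/wbmp", "image/bmp");
// Strict in_array: both sides are strings, so no loose-comparison surprises.
if(in_array(strtolower(trim(${$_key.'_type'})), $imtypes, true)) {
    // getimagesize() returns an array for a parsable image and false otherwise.
    // The page's version did `if($image_dd == false) continue;` BEFORE the
    // is_array() test, which made the exit() below unreachable: an upload that
    // merely claims an image MIME type was skipped, never rejected.  Anything
    // that is not a parsable image is now refused here; if some legitimate
    // non-image must pass this point, handle it explicitly rather than with a
    // blanket continue.
    $image_dd = @getimagesize($$_key);
    if (!is_array($image_dd)) {
        exit('Upload filetype not allow !');
    }
}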
定位53行, 搜索到 $image_dd = @getimagesize($_key); (注意这里传给 getimagesize 的是字段名 $_key, 而不是上传临时文件路径 $$_key)
修复后:
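// getimagesize() must be given the uploaded temp path ($$_key), not the field
// name ($_key) that the original line 53 passed.  It returns an array for a
// parsable image and false otherwise.  The page's version `continue`d on
// false, which (assuming this sits inside the per-upload loop, not visible
// here) skips the rest of that upload's checks instead of rejecting it; a
// declared-image upload that is not an image is now refused, matching the
// exit() used in the line-42 fix above.
$image_dd = @getimagesize($$_key);
if (!is_array($image_dd)) {
    exit('Upload filetype not allow !');
}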
7 /include/payment/alipay.php dedecms支付模块注入漏洞
找到此文件,定位到137行
// Before (vulnerable): the order number is taken straight from the query
// string and, per this section's heading, ends up in SQL unescaped.
$order_sn = trim($_GET['out_trade_no']);
// After: addslashes() escapes quotes/backslashes before the value is used.
// NOTE(review): addslashes is DedeCMS's convention, not a substitute for a
// parameterised query or the driver's own escaping; also note that a missing
// out_trade_no parameter still raises an undefined-index notice here.
$order_sn = trim(addslashes($_GET['out_trade_no']));
8 /member/soft_add.php SQL注入漏洞, 定位到154行
// Before: $servermsg1 is interpolated into the text='...' attribute of a
// {dede:link} template tag with no check on its contents.
$urls .= "{dede:link islocal='1' text='{$servermsg1}'} $softurl1 {/dede:link}\r\n";
修复为 =>
// After: only append the tag when $servermsg1 does NOT contain a
// "}...{/dede:link}{dede:" sequence, i.e. (presumably) an attempt to close the
// text attribute and open another template tag.
// NOTE(review): this is a denylist on one specific pattern; it does not escape
// quotes or braces in $servermsg1, so other tag-injection shapes are not
// covered by this line alone -- verify what the template parser accepts.
// `!= 1` also treats a preg_match() error (false) as "no match", which appends.
if (preg_match("#}(.*?){/dede:link}{dede:#sim", $servermsg1) != 1) {
    $urls .= "{dede:link islocal='1' text='{$servermsg1}'} $softurl1 {/dede:link}\r\n";
}
9 /member/album_add.php dedecms SQL注入漏洞解决
定位220行, $description = HtmlReplace($description, -1);
修复后:
$description = addslashes(HtmlReplace($description, -1));
10 /plus/guestbook/edit.inc.php dedecms注入漏洞, 留言板注入 (与第3条为同一文件、同一处修复, 只需加一次)
所以在 $dsql->ExecuteNoneQuery("UPDATE `dede_guestbook` SET `msg`='$msg', posttime='".time()."' WHERE id='$id' "); 之前对 $msg 进行过滤, 加入这个代码进行过滤, 可以解决问题:
$msg = addslashes($msg);