本帖最后由 made 于 2012-11-15 16:09 编辑
dedecms最新注入
与6月份dede修补的漏洞是同一个原理
plus/guestbook.inc.php
// Load common.inc.php from the include/ directory, then filter.inc.php from the
// directory named by the DEDEINC constant.
// NOTE(review): DEDEINC is presumably defined by common.inc.php — confirm.
// NOTE(review): the '/../../include/' path implies this file sits two directories
// below the directory that holds include/ — check this against the file name given in the post.
require(dirname(__FILE__).'/../../include/common.inc.php');
require_once(DEDEINC."/filter.inc.php");
plus/guestbook.inc.php
// Include guestbook.inc.php from the guestbook/ subdirectory next to this script.
require_once(dirname(__FILE__).'/guestbook/guestbook.inc.php');
// ............ (code omitted in the original post)
// The INSERT statement is assembled by interpolating PHP variables directly into the SQL text.
// No escaping or type casting of these variables is visible in this excerpt.
// NOTE(review): whether they are sanitised in the omitted code or in the included files
// cannot be told from here — verify before relying on it.
// Binding the values as parameters, or casting the ones expected to be numeric to int,
// removes the dependency on escaping done elsewhere.
$query = "INSERT INTO `#@__guestbook`(title,tid,mid,uname,email,homepage,qq,face,msg,ip,dtime,ischeck) VALUES ('$title','$tid','{$g_mid}','$uname','$email','$homepage','$qq','$img','$msg','$ip','$dtime','$needCheck'); ";
$catid 变量以及 $typeid 变量未初始化，并在下面 plus/bookfeedback.php 的代码中被直接拼接进 INSERT 语句。
plus/bookfeedback.php.
// Load common.inc.php, then the filter helpers and the channel-unit functions from DEDEINC.
require_once(dirname(__FILE__)."/../include/common.inc.php");
require_once(DEDEINC."/filter.inc.php");
require_once(DEDEINC."/channelunit.func.php");
// .............. (code omitted in the original post)
// Save the comment content
if($comtype == 'comments') {
    // NOTE(review): the escaped title is overwritten on the next line by the raw value,
    // so the addslashes() call has no effect on $arctitle.
    $arctitle = addslashes($arcRow['arctitle']);
    $arctitle = $arcRow['arctitle'];
    if($msg!='') {
        // $catid is interpolated into the SQL text, and nothing in this excerpt assigns,
        // casts or validates it beforehand.
        // NOTE(review): how request data reaches global variables is decided in common.inc.php,
        // which is not shown — confirm; if catid is a numeric id, an int cast before this
        // statement closes the gap.
        // The arctitle column receives $bookname here, not the $arctitle set above.
        $inquery = "INSERT INTO `#@__bookfeedback`(`aid`,`catid`,`username`,`arctitle`,`ip`,`ischeck`,`dtime`, `mid`,`bad`,`good`,`ftype`,`face`,`msg`) VALUES ('$aid','$catid','$username','$bookname','$ip','$ischeck','$dtime', '{$cfg_ml->M_ID}','0','0','$feedbacktype','$face','$msg'); ";
        $rs = $dsql->ExecuteNoneQuery($inquery);
        if(!$rs) {
            // On failure the database error text is echoed to the client before exiting.
            echo $dsql->GetError();
            exit();
        }
    }
}
// Quoted reply
elseif ($comtype == 'reply') {
    // $fid is interpolated into the WHERE clause; no cast or check is visible in this excerpt.
    $row = $dsql->GetOne("Select * from `#@__bookfeedback` where id ='$fid'");
    // $arctitle is read back from the stored row and reused in the INSERT below without being
    // re-escaped, so stored content is trusted as SQL-safe.
    $arctitle = $row['arctitle'];
    $aid =$row['aid'];
    $msg = $quotemsg.$msg;
    // NOTE(review): HtmlReplace is defined elsewhere; what it escapes is not shown here.
    $msg = HtmlReplace($msg,2);
    // $typeid is interpolated into the SQL text with no assignment or validation visible
    // in this excerpt; the same int-cast remedy applies if it is a numeric id.
    $inquery = "INSERT INTO `#@__bookfeedback`(`aid`,`typeid`,`username`,`arctitle`,`ip`,`ischeck`,`dtime`,`mid`,`bad`,`good`,`ftype`,`face`,`msg`) VALUES ('$aid','$typeid','$username','$arctitle','$ip','$ischeck','$dtime','{$cfg_ml->M_ID}','0','0','$feedbacktype','$face','$msg')";
    // Unlike the comments branch, the result of this query is not checked.
    $dsql->ExecuteNoneQuery($inquery);
}