
DedeCMS Vulnerability Fix Summary

1. file_class.php arbitrary file upload

Approximate location: /dede/file_class.php, around line 161

else if(preg_match("/\.(".$fileexp.")/i",$filename))

Change to:

else if(substr($filename, -strlen($fileexp))===$fileexp)

The original pattern is not anchored to the end of the string, so it accepts the allowed extension anywhere in the name and lets a name such as shell.jpg.php through. The replacement compares only the trailing characters of the name. Note that it is case-sensitive, whereas the original used the /i flag: photo.JPG no longer matches jpg.

2. DedeCMS guestbook injection

File: /plus/guestbook/edit.inc.php

Find the following code:

$dsql->ExecuteNoneQuery("UPDATE `#@__guestbook` SET `msg`='$msg', `posttime`='".time()."' WHERE id='$id' ");

Replace with:

$msg = addslashes($msg);
$dsql->ExecuteNoneQuery("UPDATE `#@__guestbook` SET `msg`='$msg', `posttime`='".time()."' WHERE id='$id' ");

Keep the `#@__` placeholder in the table name: $dsql expands it to the table prefix configured for the install. The original post hard-coded `dede_guestbook`, which only works when the prefix is the default `dede_`.

3. dede/media_add.php

    $fullfilename = $cfg_basedir.$filename;

Replace with:

if (preg_match('#\.(php|pl|cgi|asp|aspx|jsp|php5|php4|php3|shtm|shtml)[^a-zA-Z0-9]+$#i', trim($filename)))
{
    ShowMsg("你指定的文件名被系统禁止!",'javascript:;');   // "The file name you specified is blocked by the system!"
    exit();
}
$fullfilename = $cfg_basedir.$filename;

Note the `+` in `[^a-zA-Z0-9]+$`: the pattern only fires when at least one non-alphanumeric character follows the script extension (x.php. or x.php followed by a space), which is the truncation case it was written for. A plain x.php does not match it, so this check must sit behind the media-type allowlist rather than replace it.
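The name checks from fixes 1 and 3 side by side, as an added example that is not code from the original post or from DedeCMS. It runs the unanchored regex from fix 1, its suffix replacement, a case-insensitive variant of that replacement, and the deny-list regex from fix 3 over constructed file names; `$fileexp` and the extension list follow the page, the function names are mine.

```php
<?php
// Added example (not DedeCMS code): the three file-name checks from fixes 1
// and 3 on constructed names. Helper names are mine.

// Fix 1, before: unanchored regex, matches the extension anywhere in the name.
function ext_check_regex_unanchored(string $filename, string $fileexp): bool
{
    return (bool) preg_match("/\.(" . preg_quote($fileexp, '/') . ")/i", $filename);
}

// Fix 1, after: compare only the trailing characters (case-sensitive).
function ext_check_suffix(string $filename, string $fileexp): bool
{
    return substr($filename, -strlen($fileexp)) === $fileexp;
}

// Case-insensitive variant of the suffix check (my addition): keeps the old
// /i behaviour while still anchoring the comparison to the end of the name.
function ext_check_suffix_ci(string $filename, string $fileexp): bool
{
    return strcasecmp(substr($filename, -strlen($fileexp)), $fileexp) === 0;
}

// Fix 3: the deny-list regex from media_add.php, exactly as quoted above.
function blocked_by_media_add(string $filename): bool
{
    return (bool) preg_match('#\.(php|pl|cgi|asp|aspx|jsp|php5|php4|php3|shtm|shtml)[^a-zA-Z0-9]+$#i', trim($filename));
}

$fileexp = 'jpg';
// Constructed names: a normal photo, upper-case extension, double extension,
// a script name with a trailing dot, and a bare script name.
$names = ['photo.jpg', 'photo.JPG', 'shell.jpg.php', 'shell.php.', 'shell.php'];

printf("%-16s %-10s %-8s %-10s %s\n", 'name', 'unanchored', 'suffix', 'suffix_ci', 'fix3-blocks');
foreach ($names as $n) {
    printf("%-16s %-10s %-8s %-10s %s\n", $n,
        ext_check_regex_unanchored($n, $fileexp) ? 'pass' : 'reject',
        ext_check_suffix($n, $fileexp) ? 'pass' : 'reject',
        ext_check_suffix_ci($n, $fileexp) ? 'pass' : 'reject',
        blocked_by_media_add($n) ? 'yes' : 'no');
}
```

Running it shows shell.jpg.php passing only the unanchored check, photo.JPG failing the case-sensitive suffix check but passing the strcasecmp variant, and shell.php. but not shell.php being caught by the fix-3 regex, because `[^a-zA-Z0-9]+$` needs at least one trailing non-alphanumeric character. If that regex were the only thing between a member and a .php file name, change `+` to `*`.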

4. /member/article_add.php

Vulnerability name: DedeCMS cookie leak leading to SQL injection

Patch file: /member/article_add.php

if (empty($dede_fieldshash) || $dede_fieldshash != md5($dede_addonfields.$cfg_cookie_encode))

Change to:

if (empty($dede_fieldshash)
    || ( $dede_fieldshash != md5($dede_addonfields . $cfg_cookie_encode)
      && $dede_fieldshash != md5($dede_addonfields . 'anythingelse' . $cfg_cookie_encode)) )

This accepts both the old hash and the new one emitted by the change in item 6 below, so forms rendered before the patch keep working.


5. /member/soft_add.php

In /member/soft_add.php the template parameter $servermsg1 is not strictly filtered, so an attacker can supply template closing tags in it, inject template code and get a shell. Open /member/soft_add.php and search for (around line 154):

$urls .= "{dede:link islocal='1' text='{$servermsg1}'} $softurl1 {/dede:link}\r\n";

Replace with:

if (preg_match("#}(.*?){/dede:link}{dede:#sim", $servermsg1) != 1)
{
    $urls .= "{dede:link islocal='1' text='{$servermsg1}'} $softurl1 {/dede:link}\r\n";
}

The check skips the line only when $servermsg1 contains the specific closing-and-reopening pattern; it is a deny-list for one shape of payload, not a filter on the template delimiters themselves.
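The soft_add.php check above as a function, as an added example that is not code from the original post or from DedeCMS. It runs the page's pattern and a stricter alternative of mine (reject any `{` or `}` in the free-text field) over constructed values of `$servermsg1`; the function names and the sample strings are mine, the template line is the one quoted above.

```php
<?php
// Added example (not DedeCMS code): the fix-5 guard in isolation.

// The page's fix: drop the line when the text would close {dede:link}
// and open another template tag.
function build_link_line(string $servermsg1, string $softurl1): ?string
{
    if (preg_match("#}(.*?){/dede:link}{dede:#sim", $servermsg1) == 1) {
        return null;
    }
    return "{dede:link islocal='1' text='{$servermsg1}'} $softurl1 {/dede:link}\r\n";
}

// Stricter alternative (my addition, not from the page): a download label
// never needs template delimiters, so refuse them outright.
function build_link_line_strict(string $servermsg1, string $softurl1): ?string
{
    if (strpbrk($servermsg1, '{}') !== false) {
        return null;
    }
    return "{dede:link islocal='1' text='{$servermsg1}'} $softurl1 {/dede:link}\r\n";
}

// Constructed inputs: a normal label, a closure string of the shape the
// page describes (harmless field tag used as the re-opened tag), and a
// single stray closing tag that the page's pattern does not cover.
$cases = [
    'Mirror 1',
    "x'} {/dede:link}{dede:field name='title'/}",
    'half {/dede:link}',
];
$softurl1 = 'http://example.invalid/a.zip';   // constructed download URL

foreach ($cases as $c) {
    printf("%-48s page-fix=%-8s strict=%s\n", json_encode($c),
        build_link_line($c, $softurl1) === null ? 'dropped' : 'kept',
        build_link_line_strict($c, $softurl1) === null ? 'dropped' : 'kept');
}
```

The second case is dropped by both functions; the third is kept by the page's pattern and dropped by the strict one. Which behaviour you want depends on whether a lone `{/dede:link}` in that field can do anything on your template engine version; the strict form needs no such analysis.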

6. DedeCMS cookie leak leading to SQL injection

Vulnerability name: DedeCMS cookie leak leading to SQL injection

Patch file: /member/inc/inc_archives_functions.php

Description: the article-submission form leaks the core cookie value used for CSRF protection, and the core payment system verifies with the same cookie; an attacker can use the leaked value to pass the back-end check and perform back-end injection.

Fix:

echo "<input type=\"hidden\" name=\"dede_fieldshash\" value=\"".md5($dede_addonfields.$cfg_cookie_encode)."\" />";

Replace with:

echo "<input type=\"hidden\" name=\"dede_fieldshash\" value=\"".md5($dede_addonfields."anythingelse".$cfg_cookie_encode)."\" />";

(The original post had the string literal broken across a line break; "anythingelse" must be one contiguous literal, otherwise the hash never matches the check in item 4.)

(This step is tentative.) Search the whole directory tree for the code

$formfields.$cfg_cookie_encode

and replace it with:

$formfields."anythingelse".$cfg_cookie_encode
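How items 4 and 6 fit together, as an added example that is not code from the original post or from DedeCMS. `$cfg_cookie_encode` and `$dede_addonfields` are the DedeCMS variable names used above; the secret value, the field list and the helper names are constructed for this example. `hash_equals()` is my addition in place of the page's `!=`.

```php
<?php
// Added example (not DedeCMS code): hidden-field hash before and after fix 6,
// and the dual-acceptance check from fix 4.

$cfg_cookie_encode = 'Z9kQ2demoSecret';      // constructed, not a real key
$dede_addonfields  = 'title,typeid,body';    // constructed field list

// Before: the hidden field exposed exactly the value that other checks
// (md5($formfields.$cfg_cookie_encode)) trust.
function fieldshash_old(string $fields, string $secret): string
{
    return md5($fields . $secret);
}

// After (fix 6): a constant is mixed in, so the emitted value no longer
// equals the plain md5($fields.$secret) used elsewhere.
function fieldshash_new(string $fields, string $secret): string
{
    return md5($fields . 'anythingelse' . $secret);
}

// Fix 4: article_add.php accepts either form. hash_equals() does a
// constant-time comparison; the page's != is fine functionally but leaks
// timing on long hex strings.
function verify_fieldshash(string $given, string $fields, string $secret): bool
{
    return hash_equals(fieldshash_old($fields, $secret), $given)
        || hash_equals(fieldshash_new($fields, $secret), $given);
}

$emitted = fieldshash_new($dede_addonfields, $cfg_cookie_encode);
$legacy  = fieldshash_old($dede_addonfields, $cfg_cookie_encode);

var_dump($emitted !== $legacy);                                                  // leaked field != old token
var_dump(verify_fieldshash($emitted, $dede_addonfields, $cfg_cookie_encode));    // new form accepted
var_dump(verify_fieldshash($legacy,  $dede_addonfields, $cfg_cookie_encode));    // old form still accepted
var_dump(verify_fieldshash($emitted, 'title,typeid',   $cfg_cookie_encode));     // tampered field list rejected
```

The protection rests on the hidden field being the only place the plain `md5(... . $cfg_cookie_encode)` value was visible to a member. Any consumer that keeps expecting the plain form is unaffected by the change; a consumer switched to the "anythingelse" form (the tentative step above) will again accept the value that the article form emits, so apply that step only where that is what you intend.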

7. Arbitrary file deletion by registered users

Alibaba Cloud advisory: DedeCMS v5.7 registered-user arbitrary file deletion in archives_check_edit.php, and how to fix it

Vulnerability name: DedeCMS v5.7 registered-user arbitrary file deletion

Vulnerable file: /member/inc/archives_check_edit.php

Description: a registered member can use this flaw to delete arbitrary files on the site.

Fix:

Open /member/inc/archives_check_edit.php, go to line 92 and change:

$litpic =$oldlitpic;

to:

$litpic = $oldlitpic;
if (strpos($litpic, '..') !== false || strpos($litpic, $cfg_user_dir."/{$userid}/") === false) exit('not allowed path!');

Back up the file before editing it, then upload the new archives_check_edit.php to the Alibaba Cloud server to replace the old one.
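The path guard from item 7 as a function, as an added example that is not code from the original post or from DedeCMS, next to a prefix-based variant of mine. `$cfg_user_dir` and `$userid` are the DedeCMS names from the page; their values, the sample paths and the function names are constructed.

```php
<?php
// Added example (not DedeCMS code): the fix-7 check and a stricter variant
// on constructed paths.

$cfg_user_dir = '/uploads/userup';   // constructed value
$userid       = 5;                   // constructed member id

// The page's check: reject '..' anywhere, and require the member's own
// directory to appear somewhere in the path.
function litpic_allowed_page(string $litpic, string $cfg_user_dir, int $userid): bool
{
    if (strpos($litpic, '..') !== false) return false;
    if (strpos($litpic, $cfg_user_dir . "/{$userid}/") === false) return false;
    return true;
}

// Stricter variant (my addition): the member directory must be the prefix of
// the path, not merely a substring, and backslashes and NUL bytes are refused.
function litpic_allowed_prefix(string $litpic, string $cfg_user_dir, int $userid): bool
{
    if (strpos($litpic, '..') !== false) return false;
    if (strpos($litpic, '\\') !== false || strpos($litpic, "\0") !== false) return false;
    $base = $cfg_user_dir . "/{$userid}/";
    return strncmp($litpic, $base, strlen($base)) === 0;
}

// Constructed paths: own file, another member's directory, traversal, and a
// foreign path that merely contains the member directory later on.
$paths = [
    '/uploads/userup/5/1.jpg',
    '/uploads/userup/55/1.jpg',
    '/uploads/userup/5/../../index.php',
    '/data/common.inc.php/uploads/userup/5/',
];
foreach ($paths as $p) {
    printf("%-42s page=%-5s prefix=%s\n", $p,
        litpic_allowed_page($p, $cfg_user_dir, $userid) ? 'allow' : 'deny',
        litpic_allowed_prefix($p, $cfg_user_dir, $userid) ? 'allow' : 'deny');
}
```

The first three paths get the same verdict from both functions; the fourth is allowed by the page's substring test and denied by the prefix test. Whether such a path can reach a deletable file depends on what the caller does with `$litpic` afterwards, which is exactly the question a prefix check removes.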

8. SQL injection

In /member/album_add.php (under the DedeCMS root) the mtypesid parameter is not cast to an integer, which allows SQL injection.

Fix: open member/album_add.php and find the following code (around line 220):

$description = HtmlReplace($description, -1);  // 2011.06.30 added HTML filtering (by: 织梦的鱼)

Replace it with:

$description = HtmlReplace($description, -1);  // 2011.06.30 added HTML filtering (by: 织梦的鱼)
$mtypesid = intval($mtypesid);

9. DedeCMS member centre injection

Vulnerable file: /member/mtypes.php

Edit mtypes.php and find the following code:

elseif ($dopost == 'save')
{
    if(isset($mtypeidarr) && is_array($mtypeidarr))
    {
        $delids = '0';
        $mtypeidarr = array_filter($mtypeidarr, 'is_numeric');
        foreach($mtypeidarr as $delid)
        {
            $delid = HtmlReplace($delid);
            $delids .= ','.$delid;
            unset($mtypename[$delid]);
        }
        $query = "DELETE FROM `#@__mtypes` WHERE mtypeid IN ($delids) AND mid='$cfg_ml->M_ID';";
        $dsql->ExecNoneQuery($query);
    }
    foreach ($mtypename as $id => $name)
    {
        $name = HtmlReplace($name);
        $query = "UPDATE `#@__mtypes` SET mtypename='$name' WHERE mtypeid='$id' AND mid='$cfg_ml->M_ID'";
        $dsql->ExecuteNoneQuery($query);
    }
    ShowMsg('分类修改完成','mtypes.php');
}

Change to:

elseif ($dopost == 'save')
{
    if(isset($mtypeidarr) && is_array($mtypeidarr))
    {
        $delids = '0';
        $mtypeidarr = array_filter($mtypeidarr, 'is_numeric');
        foreach($mtypeidarr as $delid)
        {
            $delids .= ','.$delid;
            unset($mtypename[$delid]);
        }
        $query = "delete from `#@__mtypes` where mtypeid in ($delids) and mid='$cfg_ml->M_ID';";
        $dsql->ExecNoneQuery($query);
    }
    // $mtypename allowed injection through its array keys
    foreach ($mtypename as $id => $name)
    {
        $name = HtmlReplace($name);
        /* normalise $id: the key is attacker-controlled and HtmlReplace() only sees the value */
        $id = intval($id);
        $query = "update `#@__mtypes` set mtypename='$name' where mtypeid='$id' and mid='$cfg_ml->M_ID'";
        $dsql->ExecuteNoneQuery($query);
    }
    ShowMsg('分类修改完成','mtypes.php');
}

10. SQL injection

Vulnerable file: /member/pm.php

/member/pm.php has a DedeCMS injection flaw; fix it as follows.

Open /member/pm.php and search for:

else if($dopost=='read')
{
    $sql = "SELECT * FROM `#@__member_friends` WHERE  mid='{$cfg_ml->M_ID}' AND ftype!='-1'  ORDER BY addtime DESC LIMIT 20";
    $friends = array();
    $dsql->SetQuery($sql);
    $dsql->Execute();
    while ($row = $dsql->GetArray())
    {
        $friends[] = $row;
    }
    // $id injection
    $row = $dsql->GetOne("SELECT * FROM `#@__member_pms` WHERE id='$id' AND (fromid='{$cfg_ml->M_ID}' OR toid='{$cfg_ml->M_ID}')");  // id is not filtered
    if(!is_array($row))
    {
        ShowMsg('对不起,你指定的消息不存在或你没权限查看!','-1');
        exit();
    }
    // $id injection
    $dsql->ExecuteNoneQuery("UPDATE `#@__member_pms` SET hasview=1 WHERE id='$id' AND folder='inbox' AND toid='{$cfg_ml->M_ID}'");
    $dsql->ExecuteNoneQuery("UPDATE `#@__member_pms` SET hasview=1 WHERE folder='outbox' AND toid='{$cfg_ml->M_ID}'");
    include_once(dirname(__FILE__).'/templets/pm-read.htm');
    exit();
}

Replace with:

else if($dopost=='read')
{
    $sql = "Select * From `#@__member_friends` where  mid='{$cfg_ml->M_ID}' And ftype!='-1'  order by addtime desc limit 20";
    $friends = array();
    $dsql->SetQuery($sql);
    $dsql->Execute();
    while ($row = $dsql->GetArray())
    {
        $friends[] = $row;
    }
    /* filter $id */
    $id = intval($id);
    $row = $dsql->GetOne("Select * From `#@__member_pms` where id='$id' And (fromid='{$cfg_ml->M_ID}' Or toid='{$cfg_ml->M_ID}')");
    if(!is_array($row))
    {
        ShowMsg('对不起,你指定的消息不存在或你没权限查看!','-1');
        exit();
    }
    $dsql->ExecuteNoneQuery("Update `#@__member_pms` set hasview=1 where id='$id' And folder='inbox' And toid='{$cfg_ml->M_ID}'");
    $dsql->ExecuteNoneQuery("Update `#@__member_pms` set hasview=1 where folder='outbox' And toid='{$cfg_ml->M_ID}'");
    include_once(dirname(__FILE__).'/templets/pm-read.htm');
    exit();
}
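The id and array-key injection pattern behind items 8, 9 and 10, as an added example that is not code from the original post or from DedeCMS. It builds the queries as strings only (nothing is executed) from constructed input; the table names and the role of `$cfg_ml->M_ID` follow the page, the helper names are mine, and `htmlspecialchars()` stands in for DedeCMS's `HtmlReplace()`.

```php
<?php
// Added example (not DedeCMS code): query strings before and after the
// intval() fixes, on constructed attacker input. Nothing touches a database.

$member_id = 7;   // stands in for $cfg_ml->M_ID

// Fix 10, before: $id interpolated as received from the request.
function pm_read_query_unsafe(string $id, int $mid): string
{
    return "SELECT * FROM `#@__member_pms` WHERE id='$id' AND (fromid='{$mid}' OR toid='{$mid}')";
}

// Fix 10, after: intval() leaves only an integer, whatever was sent.
function pm_read_query_safe(string $id, int $mid): string
{
    $id = intval($id);
    return "SELECT * FROM `#@__member_pms` WHERE id='$id' AND (fromid='{$mid}' OR toid='{$mid}')";
}

// Fix 9: the payload rides in the array *key* of $mtypename, which the
// HtmlReplace() call on the value never sees. $fixed toggles the intval().
function mtypes_update_queries(array $mtypename, int $mid, bool $fixed): array
{
    $out = [];
    foreach ($mtypename as $id => $name) {
        $name = htmlspecialchars($name, ENT_QUOTES);   // stand-in for HtmlReplace()
        if ($fixed) {
            $id = intval($id);
        }
        $out[] = "UPDATE `#@__mtypes` SET mtypename='$name' WHERE mtypeid='$id' AND mid='$mid'";
    }
    return $out;
}

$evil_id = "1' OR fromid='1";                 // constructed injection attempt on ?id=
echo pm_read_query_unsafe($evil_id, $member_id), "\n";
echo pm_read_query_safe($evil_id, $member_id), "\n";

$evil_keys = ["3' OR mid='1" => 'Friends'];   // constructed: the key carries the payload
echo implode("\n", mtypes_update_queries($evil_keys, $member_id, false)), "\n";
echo implode("\n", mtypes_update_queries($evil_keys, $member_id, true)), "\n";
```

For the string fields in items 2 and 12 the page uses `addslashes()`. On the GBK build of DedeCMS that is not a complete answer: a wide-byte sequence can swallow the inserted backslash, so the escaping function tied to the connection charset (`mysqli_real_escape_string()` after `set_charset()`) is the safer choice there. Integer parameters such as the ids above are best handled with `intval()` regardless.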

11. Global variable overwrite

File: /include/common.inc.php

Find:

foreach(Array('_GET','_POST','_COOKIE') as $_request)
{
    foreach($$_request as $_k => $_v) ${$_k} = _RunMagicQuotes($_v);
}

Replace with:

foreach(Array('_GET','_POST','_COOKIE') as $_request)
{
    foreach($$_request as $_k => $_v)
    {
        // Refuse request keys that would shadow configuration ($cfg_*) or $GLOBALS.
        // The original patch used eregi(), which was removed in PHP 7; preg_match with /i is equivalent.
        if( strlen($_k)>0 && preg_match('/^(cfg_|GLOBALS)/i', $_k) )
        {
            exit('Request var not allow!');
        }
        ${$_k} = _RunMagicQuotes($_v);
    }
}
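The request-variable loop from item 11 in isolation, as an added example that is not code from the original post or from DedeCMS. The request array is constructed, and `_RunMagicQuotes()` is a small stand-in for the DedeCMS helper so the script runs outside the CMS; the function names are mine.

```php
<?php
// Added example (not DedeCMS code): why registering every request key as a
// global is dangerous, and what the fix-11 guard refuses.

// Stand-in for the DedeCMS helper of the same name.
function _RunMagicQuotes($var)
{
    return is_array($var) ? array_map('_RunMagicQuotes', $var) : addslashes($var);
}

// Before: every key becomes a variable, so ?cfg_basedir=... (or a GLOBALS[...]
// parameter) from the query string overwrites configuration loaded earlier.
// Returned as an array here instead of writing real globals.
function register_request_vars_unsafe(array $request): array
{
    $vars = [];
    foreach ($request as $_k => $_v) {
        $vars[$_k] = _RunMagicQuotes($_v);
    }
    return $vars;
}

// After: refuse keys that could shadow $cfg_* or $GLOBALS. preg_match
// replaces the original eregi(), which no longer exists in PHP 7+.
function register_request_vars_safe(array $request): array
{
    $vars = [];
    foreach ($request as $_k => $_v) {
        if (strlen($_k) > 0 && preg_match('/^(cfg_|GLOBALS)/i', $_k)) {
            throw new RuntimeException('Request var not allow!');
        }
        $vars[$_k] = _RunMagicQuotes($_v);
    }
    return $vars;
}

// Constructed request: one legitimate parameter and one that targets a config variable.
$request = ['dopost' => 'save', 'cfg_basedir' => '/tmp/evil'];

print_r(register_request_vars_unsafe($request));   // cfg_basedir silently taken over
try {
    register_request_vars_safe($request);
} catch (RuntimeException $e) {
    echo "blocked: ", $e->getMessage(), "\n";
}
```

The guard is a prefix deny-list. It protects the names DedeCMS itself uses for configuration; any other global that the including script sets before this loop runs is still overwritable by a request parameter of the same name, which is why later DedeCMS releases extended the list.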

12. Alipay payment (out_trade_no used unescaped)

File path: /include/payment/alipay.php

$order_sn = trim($_GET['out_trade_no']);

Change to:

$order_sn = trim(addslashes($_GET['out_trade_no']));

13. DedeCMS upload vulnerability

File path: include/uploadsafe.inc.php

$image_dd = @getimagesize($$_key);

Change to:

$image_dd = @getimagesize($$_key);
if($image_dd == false)
{
    continue;
}

The `continue` skips the rest of the per-file processing for a file whose header getimagesize() cannot parse, rather than reporting an error; if you would rather fail the request outright, replace it with an explicit rejection.
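What the getimagesize() guard from item 13 does and does not catch, as an added example that is not code from the original post or from DedeCMS. It constructs two temporary files, PHP source stored under an image name and a minimal GIF header, and runs the same call on each; no real upload is involved and the helper name is mine.

```php
<?php
// Added example (not DedeCMS code): content check from fix 13 on constructed files.

// Same call as in uploadsafe.inc.php: false means no recognisable image header.
function looks_like_image(string $path): bool
{
    $image_dd = @getimagesize($path);
    return $image_dd !== false;
}

$dir = sys_get_temp_dir();

// Constructed: a file that is really PHP source, whatever its name says.
$fake = tempnam($dir, 'up');
file_put_contents($fake, "<?php echo 'x'; ?>");

// Constructed: a minimal GIF header (signature, 1x1 logical screen, flags),
// enough for getimagesize() to return a result.
$gif = tempnam($dir, 'up');
file_put_contents($gif, "GIF89a\x01\x00\x01\x00\x00\x00\x00");

// Constructed: the same GIF header with PHP source appended (a polyglot).
$poly = tempnam($dir, 'up');
file_put_contents($poly, "GIF89a\x01\x00\x01\x00\x00\x00\x00<?php echo 'x'; ?>");

foreach (['php-as-jpg' => $fake, 'gif-header' => $gif, 'gif+php' => $poly] as $label => $path) {
    printf("%-11s %s\n", $label, looks_like_image($path) ? 'image header found' : 'rejected');
}

unlink($fake);
unlink($gif);
unlink($poly);
```

The first file is rejected and the other two pass, which is the point of keeping the name checks from items 1 and 3 in place: a parseable image header says nothing about what follows it, so the content check and the extension check each cover a case the other misses.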

CaijiXia (采集侠) scheduled collection task

https://your-domain/Plugins/run.php?action=robot&kw_g=1&kw_make=1&kw_slink=1&kw_seobody=1&kw_tforbid=1&kw_confu=1&kw_rant=1&donow=1
