dedeCMS vulnerability fixes

1. RemoveXSS vulnerability

E:\315\www\include\helpers\filter.helper.php, line 68:
Add: $val = htmlspecialchars($val); // 2019-05-08 fix

Caveat: htmlspecialchars() encodes every tag in $val, so any content that RemoveXSS() was meant to pass through as sanitized HTML (rich-text bodies) will be rendered as literal markup after this change; apply it only where the value is meant to be plain text. Pass ENT_QUOTES as the second argument so that single quotes are encoded too (before PHP 8.1 the default flags leave ' untouched).

2. [To check] /plus/search.php, dedecms SQL injection vulnerability (listed here for review only; no patch is given on this page)

3. /plus/guestbook/edit.inc.php: this is the guestbook injection vulnerability. $msg is not escaped before it is placed into the SQL statement, so arbitrary SQL can be injected.

$msg = HtmlReplace($msg, -1);    =>  $msg = addslashes(HtmlReplace($msg, -1));

HtmlReplace() only rewrites HTML characters; it is addslashes() that escapes the single quote that closes the SQL string literal.

4. /dede/media_add.php: backend arbitrary file upload vulnerability

Open /dede/media_add.php and go to line 69: $fullfilename = $cfg_basedir.$filename;

Add before it:
if (preg_match('#\.(php|pl|cgi|asp|aspx|jsp|php5|php4|php3|shtm|shtml)[^a-zA-Z0-9]+$#i', trim($filename))) {
    ShowMsg("你指定的文件名被系統禁止!", 'javascript:;');  // "The file name you specified is blocked by the system!"
    exit();
}

$fullfilename = $cfg_basedir.$filename;

Caveat: `[^a-zA-Z0-9]+` requires at least one non-alphanumeric character between the extension and the end of the trimmed name, so this pattern rejects `shell.php.` but not `shell.php`. If nothing else on the upload path restricts the extension, also anchor the pattern directly after the extension group (`...|shtml)$#i`), or better, accept only an allowlist of media extensions.
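The following is an added example, not code from DedeCMS or from this page. It runs the blocklist pattern quoted above, a version anchored directly at the extension, and an allowlist over a few constructed file names so the difference between them is visible. The function names, the allowlist contents and the sample names are assumptions for illustration.

```php
<?php
// Added example (not DedeCMS code). Compares three ways of judging an upload name.

// The pattern from the fix above: the extension must be FOLLOWED by one or more
// non-alphanumeric characters before the end of the string.
const DEDE_PATTERN_AS_WRITTEN = '#\.(php|pl|cgi|asp|aspx|jsp|php5|php4|php3|shtm|shtml)[^a-zA-Z0-9]+$#i';

// Same blocklist, but the extension must be the very end of the (trimmed) name.
const DEDE_PATTERN_ANCHORED = '#\.(php|pl|cgi|asp|aspx|jsp|php5|php4|php3|shtm|shtml)$#i';

function blockedAsWritten(string $filename): bool
{
    return preg_match(DEDE_PATTERN_AS_WRITTEN, trim($filename)) === 1;
}

function blockedAnchored(string $filename): bool
{
    $name = trim($filename);
    // Keep the trailing-junk check and add the plain-extension check.
    return preg_match(DEDE_PATTERN_AS_WRITTEN, $name) === 1
        || preg_match(DEDE_PATTERN_ANCHORED, $name) === 1;
}

// Allowlist (assumed list): only names whose final extension is listed are accepted.
function allowedMediaName(string $filename, array $allowed = ['jpg', 'jpeg', 'gif', 'png', 'mp3', 'mp4', 'flv', 'swf', 'zip', 'rar']): bool
{
    $name = trim($filename);
    if (strpos($name, "\0") !== false) {
        return false;                                    // reject embedded NUL
    }
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    return $ext !== '' && in_array($ext, $allowed, true);
}

// Constructed sample names.
$samples = [
    'photo.jpg',
    'shell.php',        // plain .php: passes the pattern as written, caught when anchored
    'shell.php.',       // trailing dot: caught by the pattern as written
    'shell.PhP ',       // trailing space is removed by trim(), so only the anchored check fires
    'shell.php.jpg',    // final extension is jpg: both blocklists pass, allowlist accepts
    'shell.phtml',      // not in the blocklist at all; only the allowlist rejects it
];

printf("%-18s %-10s %-10s %s\n", 'name', 'as-written', 'anchored', 'allowlist');
foreach ($samples as $s) {
    printf("%-18s %-10s %-10s %s\n", json_encode($s),
        blockedAsWritten($s) ? 'BLOCKED' : 'pass',
        blockedAnchored($s)  ? 'BLOCKED' : 'pass',
        allowedMediaName($s) ? 'accept'  : 'REJECT');
}
```

The allowlist still accepts multi-extension names such as `shell.php.jpg`, so it relies on the web server mapping handlers by the final extension only; that has to be checked in the server configuration, not in PHP.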

5. /include/common.inc.php: SESSION variable overwrite leading to SQL injection

Open /include/common.inc.php and go to line 101:

foreach(Array('_GET','_POST','_COOKIE') as $_request)
{
    foreach($$_request as $_k => $_v)
    {
        if($_k == 'nvarname') ${$_k} = $_v;
        else ${$_k} = _RunMagicQuotes($_v);
    }
}

Fix as =>

foreach(Array('_GET','_POST','_COOKIE') as $_request)
{
    foreach($$_request as $_k => $_v)
    {
        if( strlen($_k)>0 && eregi('^(cfg_|GLOBALS)',$_k) )
        {
            exit('Request var not allow!');
        }
        ${$_k} = _RunMagicQuotes($_v);
    }
}

This loop registers every request key as a global variable, so without the check a request parameter named cfg_... or GLOBALS overwrites site configuration. Two caveats: eregi() was deprecated in PHP 5.3 and removed in PHP 7.0, so use preg_match('/^(cfg_|GLOBALS)/i', $_k) instead; and the fixed loop drops the nvarname exception, so that variable is now passed through _RunMagicQuotes() as well. Since every key becomes a global, it is also worth rejecting keys that name the superglobal arrays themselves (_GET, _POST, _COOKIE, _SESSION, _SERVER, _FILES, _REQUEST).
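The following is an added example, not DedeCMS code. It models the registration loop from the fix above as a stand-alone function with the deprecated eregi() replaced by preg_match() and the blocklist widened to the superglobal names, then feeds it a benign request and three constructed overwrite attempts. registerRequestVars(), _RunMagicQuotesDemo() and the sample requests are assumptions for illustration; the real loop registers into the global scope rather than returning an array.

```php
<?php
// Added example (not DedeCMS code): request-variable registration with a name filter.

function _RunMagicQuotesDemo($value)
{
    // Same shape as DedeCMS's _RunMagicQuotes: recurse into arrays, addslashes() scalars.
    if (is_array($value)) {
        foreach ($value as $k => $v) {
            $value[$k] = _RunMagicQuotesDemo($v);
        }
        return $value;
    }
    return addslashes((string)$value);
}

// Names that a request must never be allowed to (re)define. The page's fix
// covers cfg_ and GLOBALS; the superglobal names are added here.
const DENIED_VAR_PATTERN = '/^(cfg_|GLOBALS|_GET|_POST|_COOKIE|_SESSION|_SERVER|_FILES|_REQUEST|_ENV)/i';

/**
 * Returns the variables that would be registered, or throws on a denied name.
 * Later sources win, matching the original order _GET, _POST, _COOKIE.
 */
function registerRequestVars(array $get, array $post, array $cookie): array
{
    $registered = [];
    foreach ([$get, $post, $cookie] as $source) {
        foreach ($source as $k => $v) {
            $k = (string)$k;
            if (strlen($k) > 0 && preg_match(DENIED_VAR_PATTERN, $k)) {
                throw new RuntimeException('Request var not allow!');
            }
            $registered[$k] = _RunMagicQuotesDemo($v);
        }
    }
    return $registered;
}

// Constructed benign request: values are magic-quoted, nothing is rejected.
print_r(registerRequestVars(['id' => "12' OR 1=1", 'page' => '2'], [], []));

// Constructed overwrite attempts: a configuration variable, the GLOBALS array,
// and a session array (the last is blocked only by the widened pattern).
$attempts = [
    ['cfg_dbprefix' => 'x'],
    ['GLOBALS' => ['cfg_basedir' => '/']],
    ['_SESSION' => ['uid' => 1]],
];
foreach ($attempts as $a) {
    try {
        registerRequestVars($a, [], []);
        echo "not blocked: ", key($a), "\n";
    } catch (RuntimeException $e) {
        echo "blocked: ", key($a), " (", $e->getMessage(), ")\n";
    }
}
```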

6. /include/uploadsafe.inc.php: dedecms upload vulnerability

Open /include/uploadsafe.inc.php; this file has two spots that need fixing.

Go to line 42: ${$_key.'_size'} = @filesize($$_key);
After the fix:

    if(empty(${$_key.'_size'}))
    {
        ${$_key.'_size'} = @filesize($$_key);
    }
    $imtypes = array("image/pjpeg", "image/jpeg", "image/gif", "image/png", "image/xpng", "image/wbmp", "image/bmp");
    if(in_array(strtolower(trim(${$_key.'_type'})), $imtypes)) {
        $image_dd = @getimagesize($$_key);
        if($image_dd == false){
            continue;
        }
        if (!is_array($image_dd)) {
            exit('Upload filetype not allow !');
        }
    }

Go to line 53 and find $image_dd = @getimagesize($$_key);
After the fix:

    $image_dd = @getimagesize($$_key);
    if($image_dd == false){
        continue;
    }

The added check compares the client-supplied Content-Type (attacker-controlled) with what the file bytes actually parse as. Caveat: `continue` moves on to the next entry of $_FILES without rejecting the current one, so a file that claims an image type but is not an image is skipped rather than refused, and the following is_array() branch can never fire (getimagesize() returns either an array or false). If the intent is to refuse such files, exit at the `== false` test instead.
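The following is an added example, not DedeCMS code. It expresses the declared-type versus content check from the fix above as a function that returns a verdict instead of using continue/exit inside the $_FILES loop, and runs it over a constructed 1x1 GIF and a constructed PHP file that claims to be a GIF. checkImageUpload(), the verdict strings and the temporary files are assumptions for illustration.

```php
<?php
// Added example (not DedeCMS code): does the uploaded content match the declared image type?

const IMAGE_MIME_TYPES = ["image/pjpeg", "image/jpeg", "image/gif", "image/png",
                          "image/xpng", "image/wbmp", "image/bmp"];

/**
 * @param string $declaredType  Content-Type sent by the client ($_FILES[..]['type']); attacker-controlled.
 * @param string $tmpPath       Uploaded file on disk ($_FILES[..]['tmp_name']).
 * @return string 'not-an-image-type' | 'image-ok' | 'image-mismatch'
 */
function checkImageUpload(string $declaredType, string $tmpPath): string
{
    if (!in_array(strtolower(trim($declaredType)), IMAGE_MIME_TYPES, true)) {
        return 'not-an-image-type';          // left to the extension checks
    }
    $info = @getimagesize($tmpPath);         // false unless the header parses as an image
    if ($info === false) {
        // The fix above does `continue` here; returning a rejecting verdict is the safer choice.
        return 'image-mismatch';
    }
    return 'image-ok';                       // $info[2] holds the detected IMAGETYPE_* constant
}

// Constructed inputs: a 1x1 transparent GIF, and a PHP file declared as image/gif.
$gifBytes = "GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff"
          . "\x21\xf9\x04\x01\x00\x00\x00\x00\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00"
          . "\x02\x02\x44\x01\x00\x3b";
$realGif = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($realGif, $gifBytes);

$fakeGif = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($fakeGif, "<?php echo 'not an image'; ?>");

echo checkImageUpload('image/gif', $realGif), "\n";        // image-ok
echo checkImageUpload('image/gif', $fakeGif), "\n";        // image-mismatch
echo checkImageUpload('application/zip', $fakeGif), "\n";  // not-an-image-type

unlink($realGif);
unlink($fakeGif);
```

getimagesize() only validates the image header, so a real image with PHP code appended after it still returns an array; this check catches lies about the content type, not code hidden inside a valid image, which is why the extension and handler controls in item 4 remain necessary.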

7. /include/payment/alipay.php: dedecms payment module injection vulnerability

Open the file and go to line 137:

$order_sn = trim($_GET['out_trade_no']);
=>
$order_sn = trim(addslashes($_GET['out_trade_no']));

out_trade_no arrives in the query string of the payment callback and is used in an SQL lookup of the order, so it needs the same escaping as any other request value.

8. /member/soft_add.php: SQL injection vulnerability, go to line 154

$urls .= "{dede:link islocal='1' text='{$servermsg1}'} $softurl1 {/dede:link}\r\n";
=>
if (preg_match("#}(.*?){/dede:link}{dede:#sim", $servermsg1) != 1) {
  $urls .= "{dede:link islocal='1' text='{$servermsg1}'} $softurl1 {/dede:link}\r\n";
}

$servermsg1 is user-supplied and is interpolated into a {dede:link} template tag; the check refuses a value that closes the link tag and opens another dede tag of its own.

9. /member/album_add.php: dedecms SQL injection vulnerability fix

Go to line 220:
$description = HtmlReplace($description, -1);

After the fix:
$description = addslashes(HtmlReplace($description, -1));

10. /plus/guestbook/edit.inc.php: dedecms injection vulnerability (guestbook injection)

This is the same spot as item 3, seen from the query. $msg is concatenated unescaped into

$dsql->ExecuteNoneQuery("UPDATE `dede_guestbook` SET `msg`='$msg', posttime='".time()."' WHERE id='$id' ");

so adding the following before that statement filters it and fixes the problem:

$msg = addslashes($msg);
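The following is an added example, not DedeCMS code; it covers the pattern shared by items 3, 7, 9 and 10, where a request value is interpolated into a single-quoted SQL literal. It executes the injection against an in-memory SQLite database through PDO so it runs offline, prints the statement that the addslashes() fix from this page produces, and then does the same update with a prepared statement. The table, the column names and the payload are constructed.

```php
<?php
// Added example (not DedeCMS code): string-built UPDATE vs. addslashes() vs. prepared statement.

function seed(PDO $db): void
{
    $db->exec("DROP TABLE IF EXISTS dede_guestbook");
    $db->exec("CREATE TABLE dede_guestbook (id INTEGER PRIMARY KEY, msg TEXT, posttime INTEGER, ischeck INTEGER DEFAULT 0)");
    $db->exec("INSERT INTO dede_guestbook (id, msg) VALUES (1, 'hello'), (2, 'other')");
}

function dump(PDO $db): string
{
    return json_encode($db->query("SELECT id, msg, ischeck FROM dede_guestbook ORDER BY id")->fetchAll(PDO::FETCH_ASSOC));
}

// The vulnerable shape from edit.inc.php: direct interpolation into the statement text.
function buildUpdate(string $msg, string $id): string
{
    return "UPDATE `dede_guestbook` SET `msg`='$msg', posttime='" . time() . "' WHERE id='$id' ";
}

// The value never becomes part of the SQL text, so no escaping rules are involved.
function updatePrepared(PDO $db, string $msg, string $id): int
{
    $stmt = $db->prepare("UPDATE dede_guestbook SET msg = :msg, posttime = :t WHERE id = :id");
    $stmt->execute([':msg' => $msg, ':t' => time(), ':id' => $id]);
    return $stmt->rowCount();
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed guestbook message: closes the msg literal, rewrites the WHERE
// clause to target row 2, and comments out the rest of the statement.
$payload = "x', ischeck='1' WHERE id='2' -- ";

// 1. Unescaped, as in the original edit.inc.php: row 2 is changed instead of row 1.
seed($db);
$db->exec(buildUpdate($payload, '1'));
echo "unescaped:  ", dump($db), "\n";

// 2. addslashes() as on this page. The quote becomes \' and the statement is
//    printed rather than executed: MySQL (DedeCMS's database) reads \' as an
//    escaped quote, but SQLite does not treat backslash as an escape at all, so
//    the same text would still inject here. addslashes() is also byte-oriented:
//    with a multibyte connection charset such as GBK, a lead byte followed by the
//    inserted backslash can form one character and leave the quote unescaped,
//    which is why the charset-aware mysqli_real_escape_string() or a prepared
//    statement is preferable.
echo "addslashes: ", buildUpdate(addslashes($payload), addslashes('1')), "\n";

// 3. Prepared statement: the payload is stored verbatim in row 1, row 2 untouched.
seed($db);
updatePrepared($db, $payload, '1');
echo "prepared:   ", dump($db), "\n";
```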
