dedecms支付模块注入漏洞:引起的文件是/include/payment/alipay.php
问题解决:找到:$order_sn = trim($_GET['out_trade_no']);
将其修改为如下代码:$order_sn = trim(addslashes($_GET['out_trade_no']));
-----------------------------------------------------------------------
dedecms media_add.php dedecms后台文件任意上传漏洞:引起的文件是/dede/media_add.php
问题解决:搜索$fullfilename = $cfg_basedir.$filename;(大概在69行左右)
替换成if (preg_match('#\.(php|pl|cgi|asp|aspx|jsp|php5|php4|php3|shtm|shtml)[^a-zA-Z0-9]+$#i', trim($filename))) { ShowMsg("你指定的文件名被系统禁止!",'java script:;'); exit(); } $fullfilename = $cfg_basedir.$filename;
--------------
dedecms 5.7sp1中最新/plus/download.php下载重定向漏洞:引起的文件是/plus/download.php
问题解决:
将/plus/download.php中第67行header("location:$link");
替换为:if(stristr($link,$cfg_basehost))
{
header("location:$link");
}
else
{
header("location:$cfg_basehost");
}
-------------------
common.inc.php漏洞 目标存在全局变量覆盖漏洞:引起的文件 include/common.inc.php
问题解决:
在 /include/common.inc.php 中找到注册变量的代码foreach(Array('_GET','_POST','_COOKIE') as $_request)
{
foreach($$_request as $_k => $_v) ${$_k} = _RunMagicQuotes($_v);
}
修改为:foreach(Array('_GET','_POST','_COOKIE') as $_request)
{
foreach($$_request as $_k => $_v) {
if( strlen($_k)>0 && eregi('^(cfg_|GLOBALS)',$_k) ){
exit('Request var not allow!');
}
${$_k} = _RunMagicQuotes($_v);
}
}
-----------------------------------
dedecms织梦soft_add.php文件暴模版SQL注入漏洞:引起的文件是 /member/soft_add.php
找到下面这句:(第154行)$urls .= “{dede:link islocal=’1′ text='{$servermsg1}’} $softurl1 {/dede:link}\r\n”;
替换成:if (preg_match(“#}(.*?){/dede:link}{dede:#sim”, $servermsg1) != 1) { $urls .= “{dede:link islocal=’1′ text='{$servermsg1}’} $softurl1 {/dede:link}\r\n”; }
----------------DedeCMS 5.7 /include/dialog/config.php 跨站脚本漏洞 引起的文件:include/dialog/config.php
方案一:
首先第一步:定位到include/dialog/config.php文件,在$gurl = “../../{$adminDirHand}/login.php?gotopage=”.urlencode($dedeNowurl);上面添加如下语句:
$adminDirHand = HtmlReplace($adminDirHand, 1);
第二步:plus目录下的bshare.php文件117行 $uuid = isset($uuid)? $uuid : ”;改成 $uuid = isset($uuid)? htmlspecialchars($uuid) : ”;
之后用360的网站漏洞测试过后,就可以发现网站的XXS漏洞消失了.