保哥笔记
一个SEO从业者的分享博客

dedecms会员中心mtypes.php注入漏洞修复方法

路径:/member/mtypes.php编辑mtypes.php,找到如下代码:

elseif ($dopost == 'save')
{
    if(isset($mtypeidarr) && is_array($mtypeidarr))
    {
        $delids = '0';
        $mtypeidarr = array_filter($mtypeidarr, 'is_numeric');
        foreach($mtypeidarr as $delid)
        {
			$delid = HtmlReplace($delid);
            $delids .= ','.$delid;
            unset($mtypename[$delid]);
        }
        $query = "DELETE FROM `#@__mtypes` WHERE mtypeid IN ($delids) AND mid='$cfg_ml->M_ID';";
        $dsql->ExecNoneQuery($query);
    }
    foreach ($mtypename as $id => $name)
    {
        $name = HtmlReplace($name);
        $query = "UPDATE `#@__mtypes` SET mtypename='$name' WHERE mtypeid='$id' AND mid='$cfg_ml->M_ID'";
        $dsql->ExecuteNoneQuery($query);
    }
    ShowMsg('分类修改完成','mtypes.php');
}

用以下代码替换:

elseif ($dopost == 'save')
{
    if(isset($mtypeidarr) && is_array($mtypeidarr))
    {
        $delids = '0';
        $mtypeidarr = array_filter($mtypeidarr, 'is_numeric');
        foreach($mtypeidarr as $delid)
        {
            $delids .= ','.$delid;
            unset($mtypename[$delid]);
        }
        $query = "delete from `#@__mtypes` where mtypeid in ($delids) and mid='$cfg_ml->M_ID';";
        $dsql->ExecNoneQuery($query);
    } 
    //通过$mtypename进行key注入
    foreach ($mtypename as $id => $name)
    {
        $name = HtmlReplace($name);
        /* 对$id进行规范化处理 */
        $id = intval($id);
        /* */
        $query = "update `#@__mtypes` set mtypename='$name' where mtypeid='$id' and mid='$cfg_ml->M_ID'";  
        $dsql->ExecuteNoneQuery($query);
    }
    ShowMsg('分类修改完成','mtypes.php');
}

 

 

标签:
上一篇:
下一篇:

发表回复

您的E-mail地址不会被公开,*号为必填

*
*