Catalog
1 . Vulnerability Description 2 . Vulnerability trigger Condition 3 . Vulnerability Impact Range 4 . Vulnerability Code Analysis 5 . Defense Methods 6. Defensive thinking
1. Vulnerability description
DEDECMS Member Center Injection vulnerability
Relevant Link
http://www.yunsec.net/a/security/bugs/script/2012/1220/12127.html
2. Vulnerability Trigger Condition
Because it is an update injection and uses >executenonequery, it is not possible to use benchmark delay injection, but it can be done by a "return state difference" judgment, if the condition succeeds then mtypename= ' $name ' It's going to be an update.
// 127.0.0.1/dedecms5.5/member/mtypes.php 2 . Add a category, remembering the ID (1 ), and the original category name (Fenlei) 3 . Then open: Http:// 127.0.0.1/dedecms5.5/member/ Mtypes.php?dopost=save&mtypename[1 ' or @ ' and 1%3d1 and (select ' R ')%3d ' R ' and ' 1 '%3d ' 1]=4
Relevant Link
http://www.wooyun.org/bugs/wooyun-2010-048880http://www.0x50sec.org/ 0day-exp/2012/12/id/1482/comment-page-1/#comment -57057
3. Vulnerability Impact Range
4. Vulnerability Code Analysis
/member/mtypes.php
ElseIf ($dopost = ='Save'){ if(Isset ($mtypeidarr) &&Is_array ($mtypeidarr)) {$delids='0'; $mtypeidarr= Array_filter ($mtypeidarr,'Is_numeric'); foreach($mtypeidarr as$delid) {$delids.=','. $delid; Unset ($mtypename [$delid]); } $query="Delete from ' #@__mtypes ' where Mtypeid in ($delids) and mid= ' $cfg _ml->m_id ';"; $dsql-execnonequery ($query); } //key injection via $mtypename foreach($mtypename as$id =$name) {$name=Htmlreplace ($name); //No filtering of the key value $id into the query, resulting in an injection$query ="Update ' #@__mtypes ' Set mtypename= ' $name ' where mtypeid= ' $id ' and mid= ' $cfg _ml->m_id '"; $dsql-executenonequery ($query); } showmsg ('Classification Modification Complete','mtypes.php');}
5. Defense Methods
/member/mtypes.php
ElseIf ($dopost = ='Save'){ if(Isset ($mtypeidarr) &&Is_array ($mtypeidarr)) {$delids='0'; $mtypeidarr= Array_filter ($mtypeidarr,'Is_numeric'); foreach($mtypeidarr as$delid) {$delids.=','. $delid; Unset ($mtypename [$delid]); } $query="Delete from ' #@__mtypes ' where Mtypeid in ($delids) and mid= ' $cfg _ml->m_id ';"; $dsql-execnonequery ($query); } //key injection via $mtypename foreach($mtypename as$id =$name) {$name=Htmlreplace ($name); /*normalize the $id of the process*/$id=intval ($id); /* */$query="Update ' #@__mtypes ' Set mtypename= ' $name ' where mtypeid= ' $id ' and mid= ' $cfg _ml->m_id '"; Die (Var_dump ($query)); $dsql-executenonequery ($query); } showmsg ('Classification Modification Complete','mtypes.php');}
Through the INTVAL specification interoperability, so that the hacker injected blind statement invalidation, that no matter at any time, the return result can be successfully modified to 4, that is, the blind two value condition does not exist
6. Defensive Thinking
Copyright (c) Littlehann All rights reserved
dedecms/member/mtypes.php SQL Injection Vul
Start building with 50+ products and up to 12 months usage for Elastic Compute Service
1 on 1 presale consultation
24/7 Technical Support 6 Free Tickets per Quarter Faster Response
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.
A comprehensive suite of global cloud computing services to power your business
Payment Methods We Support
