dedecms /include/helpers/archive.helper.php SQL Injection Vul


Contents

1. Vulnerability Description
2. Trigger Conditions
3. Affected Scope
4. Vulnerable Code Analysis
5. Mitigation
6. Offence and Defence Reflections

 

1. Vulnerability Description

DedeCMS member area SQL injection vulnerability

Relevant Link:

http://www.wooyun.org/bugs/wooyun-2010-048892


2. Trigger Conditions

1. Open http://127.0.0.1/dedecms5.7/member/soft_add.php
2. Add a piece of software
3. Capture the request with Burp
    1) Rename the picnum parameter to typeid2
    2) Set its value to 5',1,1,1,@`'`),('-1','7',user() , '3','1389688643', '1389688643', '8'),(1,2,'


3. Affected Scope

4. Vulnerable Code Analysis

/include/helpers/archive.helper.php

if ( ! function_exists('GetIndexKey')) {
    function GetIndexKey($arcrank, $typeid, $sortrank=0, $channelid=1, $senddate=0, $mid=1)
    {
        // $typeid2 comes from outside; combined with DedeCMS's local variable overwrite flaw, its value can be changed
        global $dsql,$senddate,$typeid2;

        if(empty($typeid2)) $typeid2 = 0;
        if(empty($senddate)) $senddate = time();
        if(empty($sortrank)) $sortrank = $senddate;

        // $typeid2 and $senddate are placed into the SQL query without any effective filtering
        $iquery = "
        INSERT INTO `#@__arctiny` (`arcrank`,`typeid`,`typeid2`,`channel`,`senddate`, `sortrank`, `mid`)
        VALUES ('$arcrank','$typeid','$typeid2' , '$channelid','$senddate', '$sortrank', '$mid') ";

        echo    $iquery;
        $dsql->ExecuteNoneQuery($iquery);
        $aid = $dsql->GetLastID();
        return $aid;
    }
}

archive.helper.php is a helper function library and is where the vulnerability originates; the actual attack vector is triggered by the callers of its GetIndexKey function, such as the one below.
/member/soft_add.php

else if($dopost=='save')
{
    $description = '';
    include(DEDEMEMBER.'/inc/archives_check.php');
    // generate the document ID
    $arcID = GetIndexKey($arcrank,$typeid,$sortrank,$channelid,$senddate,$mid);
    ..

Relevant Link:

http://www.wooyun.org/bugs/wooyun-2010-048892


5. Mitigation

/include/helpers/archive.helper.php

if ( ! function_exists('GetIndexKey')) {
    function GetIndexKey($arcrank, $typeid, $sortrank=0, $channelid=1, $senddate=0, $mid=1)
    {
        // $typeid2 comes from outside; combined with DedeCMS's local variable overwrite flaw, its value can be changed
        global $dsql,$senddate,$typeid2;

        if(empty($typeid2)) $typeid2 = 0;
        if(empty($senddate)) $senddate = time();
        if(empty($sortrank)) $sortrank = $senddate;

        /* filter */
        $typeid2 = intval($typeid2);
        $senddate = intval($senddate);
        /* */

        $iquery = "
        INSERT INTO `#@__arctiny` (`arcrank`,`typeid`,`typeid2`,`channel`,`senddate`, `sortrank`, `mid`)
        VALUES ('$arcrank','$typeid','$typeid2' , '$channelid','$senddate', '$sortrank', '$mid') ";

        $dsql->ExecuteNoneQuery($iquery);
        $aid = $dsql->GetLastID();
        return $aid;
    }
}
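As an added example (not DedeCMS's own code), a stricter variant of the fix above: every column of `#@__arctiny` is numeric, so instead of intval(), which silently turns the typeid2 payload from section 2 into 5 and lets the request succeed, each value is validated as an integer and the request is rejected on tampering. buildArctinyInsert() and the sample inputs are constructed for this example.

```php
<?php
// Added example, not DedeCMS code. buildArctinyInsert() is a hypothetical
// replacement for the query construction inside GetIndexKey(): all seven
// columns of `#@__arctiny` are integers, so each value is validated before it
// is placed into the SQL string, and tampering is reported rather than truncated.

function buildArctinyInsert(array $f): string
{
    $cols = ['arcrank', 'typeid', 'typeid2', 'channel', 'senddate', 'sortrank', 'mid'];
    $vals = [];
    foreach ($cols as $c) {
        // Reject anything that is not a plain integer string. A non-numeric
        // typeid2 can only come from a tampered request, so it is worth logging.
        if (!isset($f[$c]) || !preg_match('/^-?\d{1,11}\z/', (string) $f[$c])) {
            throw new InvalidArgumentException("non-integer value for column $c");
        }
        $vals[] = (int) $f[$c];
    }
    // Integers need no quoting; there is no string context left to break out of.
    return sprintf(
        "INSERT INTO `#@__arctiny` (`%s`) VALUES (%s)",
        implode('`,`', $cols),
        implode(',', $vals)
    );
}

// Constructed inputs: a benign submission, and the typeid2 value from section 2.
$benign  = ['arcrank' => 0, 'typeid' => 7, 'typeid2' => 0, 'channel' => 3,
            'senddate' => 1389688643, 'sortrank' => 1389688643, 'mid' => 8];
$payload = "5',1,1,1,@`'`),('-1','7',user() , '3','1389688643', '1389688643', '8'),(1,2,'";

echo buildArctinyInsert($benign), "\n";
try {
    // Array union keeps the left-hand key, so typeid2 carries the payload here.
    buildArctinyInsert(['typeid2' => $payload] + $benign);
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";   // the payload never reaches SQL
}
```

With intval() the second call would instead produce a valid INSERT with typeid2 = 5, which is why a reject-and-log policy gives the defender a detection signal that silent casting does not.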


6. Offence and Defence Reflections

Copyright (c) 2015 LittleHann All rights reserved
