標籤:
catalog
1. 漏洞描述2. 漏洞觸發條件3. 漏洞影響範圍4. 漏洞程式碼分析5. 防禦方法6. 攻防思考
1. 漏洞描述
會員模組中存在的SQL注入
Relevant Link:
http://www.grabsun.com/article/2015/1216455.html
2. 漏洞觸發條件
1. 註冊使用者並且登陸2. 開啟http://127.0.0.1/dedecms5.5/member/edit_baseinfo.php3. 填寫完畢後,輸入驗證碼,點擊提交,開啟BURP 抓包4. 然後再BURP裡修改newsafequestion 的值改成: 1‘,[email protected]`‘`,uname=(select user()),email=‘sss5. 然後提交 之後再開啟http://127.0.0.1/dedecms5.5/member/edit_baseinfo.php6. 就可以看到自己的、使用者名稱變成了注入之後的結果了
Relevant Link:
http://www.wooyun.org/bugs/wooyun-2014-048873
3. 漏洞影響範圍
4. 漏洞程式碼分析
/member/edit_baseinfo.php
.. //修改安全問題if($newsafequestion != 0 && $newsafeanswer != ‘‘){ if(strlen($newsafeanswer) > 30) { ShowMsg(‘你的新安全問題的答案太長了,請保持在30位元組以內!‘,‘-1‘); exit(); } else { //這裡的newsafequest沒過濾,駭客可以將SQL代碼注入到$addupquery中,用於之後的SQL查詢 $addupquery .= ",safequestion=‘$newsafequestion‘,safeanswer=‘$newsafeanswer‘"; }}..//帶入SQL查詢$query1 = "Update `#@__member` set pwd=‘$pwd‘,sex=‘$sex‘{$addupquery} where mid=‘".$cfg_ml->M_ID."‘ ";$dsql->ExecuteNoneQuery($query1);
5. 防禦方法
/member/edit_baseinfo.php
..//修改安全問題if($newsafequestion != 0 && $newsafeanswer != ‘‘){ if(strlen($newsafeanswer) > 30) { ShowMsg(‘你的新安全問題的答案太長了,請保持在30位元組以內!‘,‘-1‘); exit(); } else { /* 過濾 */ $newsafequestion = HtmlReplace($newsafequestion,1); $newsafeanswer = HtmlReplace($newsafeanswer,1); /* */ $addupquery .= ",safequestion=‘$newsafequestion‘,safeanswer=‘$newsafeanswer‘"; }}..$query1 = "UPDATE `#@__member` SET pwd=‘$pwd‘,sex=‘$sex‘{$addupquery} where mid=‘".$cfg_ml->M_ID."‘ ";$dsql->ExecuteNoneQuery($query1);
6. 攻防思考
Copyright (c) 2015 LittleHann All rights reserved
dedecms /member/edit_baseinfo.php SQL Injection Vul
Start building with 50+ products and up to 12 months usage for Elastic Compute Service
1 on 1 presale consultation
24/7 Technical Support 6 Free Tickets per Quarter Faster Response
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.
A comprehensive suite of global cloud computing services to power your business
Payment Methods We Support
