dedecms /member/flink_main.php SQL Injection Vul

標籤：

catalog

1. 漏洞描述2. 漏洞觸發條件3. 漏洞影響範圍4. 漏洞程式碼分析5. 防禦方法6. 攻防思考

 

1. 漏洞描述

會員模組中存在的SQL注入

Relevant Link

http://www.cnseay.com/1959/

 
2. 漏洞觸發條件

1. 開啟 http://127.0.0.1/dedecms/member/flink_main.php#2. 在串連網址裡面寫入 http://sss2‘),(8,1,@`‘`),(8,(select user()),‘33333/*串連名稱隨意這裡的8 是你的使用者ID 想要查看必須得知道自己的使用者id，通過查看cookie裡面有一個DedeUserID，就是自己的使用者id*/

Relevant Link:

http://www.wooyun.org/bugs/wooyun-2014-048878

3. 漏洞影響範圍
4. 漏洞程式碼分析

/member/flink_main.php

if($dopost=="addnew"){    AjaxHead();    $row = $dsql->GetOne("Select count(*) as dd From `#@__member_flink` where mid=‘".$cfg_ml->M_ID."‘ ");    if($row[‘dd‘]>=50)    {        echo "<font color=‘red‘>增加網址失敗，因為已經達到五十個網址的上限！</font>";        GetLinkList($dsql);        exit();    }    //如果前面有http就不過濾了    if(!eregi("^http://",$url))    {        $url = "http://".HtmlReplace($url, 2);    }    $title = HtmlReplace($title);    //$url未經過過濾就帶入SQL查詢    $inquery = "INSERT INTO `#@__member_flink`(mid,title,url) VALUES(".$cfg_ml->M_ID.",‘$title‘,‘$url‘); ";    $dsql->ExecuteNoneQuery($inquery);    echo "<font color=‘red‘>成功增加一連結！</font>";    GetLinkList($dsql);    exit();}

5. 防禦方法

/member/flink_main.php

if($dopost=="addnew"){    AjaxHead();    $row = $dsql->GetOne("Select count(*) as dd From `#@__member_flink` where mid=‘".$cfg_ml->M_ID."‘ ");    if($row[‘dd‘]>=50)    {        echo "<font color=‘red‘>增加網址失敗，因為已經達到五十個網址的上限！</font>";        GetLinkList($dsql);        exit();    }    //如果前面有http就不過濾了    if(!eregi("^http://",$url))    {        $url = "http://".HtmlReplace($url, 2);    }    $title = HtmlReplace($title);    /* $url過濾 */    $url = HtmlReplace($url);    /**/     $inquery = "INSERT INTO `#@__member_flink`(mid,title,url) VALUES(".$cfg_ml->M_ID.",‘$title‘,‘$url‘); ";    $dsql->ExecuteNoneQuery($inquery);    echo "<font color=‘red‘>成功增加一連結！</font>";    GetLinkList($dsql);    exit();}

6. 攻防思考

Copyright (c) 2015 LittleHann All rights reserved

 

dedecms /member/flink_main.php SQL Injection Vul