dedecms /member/uploads_edit.php SQL Injection Vul


catalog

1. Vulnerability description
2. Trigger conditions
3. Affected versions
4. Code analysis
5. Fix
6. Offense and defense notes

 

1. Vulnerability description

The unrestricted file upload vulnerability in member/uploads_edit.php in DedeCMS 5.3 allows remote attackers to execute arbitrary code by uploading a file whose name carries two extensions and then accessing that file via unspecified vectors, as demonstrated with a .jpg.php file name. That is the CVE-2009-2270 wording. The POC and the code analysis below concern a different weakness in the same script (the POC targets a 5.5 install): the oldurl request parameter is never filtered, is turned into $filename by MemberUploads(), and is then concatenated into SQL inside SaveUploadInfo(), so a single quote in oldurl changes the structure of the query.

Relevant Link:

http://cve.scap.org.cn/CVE-2009-2270.html
http://www.cnnvd.org.cn/vulnerability/show/cv_id/2009070008


2. Trigger conditions

0x1: POC

The form below is submitted from a logged-in member session (the script keys everything on $cfg_ml->M_ID). The oldurl query-string value carries the single quote that breaks out of the SQL string.

<form id="frmUpload" enctype="multipart/form-data"
      action="http://127.0.0.1/dedecms5.5/member/uploads_edit.php?dopost=save&title=ss&oldurl=1'.php"
      method="post"><!-- oldurl is the injection point -->
    <input type="file" name="addonfile" id="addonfile" size="50"><br>
    <input name="mode" type="hidden" value="2">
    <input id="btnUpload" type="submit" value="Upload">
</form>

Relevant Link:

http://www.wooyun.org/bug.php?action=view&id=48894
http://www.2cto.com/Article/201012/80026.html


3. Affected versions

4. Code analysis

/member/uploads_edit.php

else if($dopost=='save')
{
    $title = HtmlReplace($title,2);
    if($mediatype==1) $utype = 'image';
    else if($mediatype==2)
    {
        $utype = 'flash';
    }
    else if($mediatype==3)
    {
        $utype = 'media';
    }
    else
    {
        $utype = 'addon';
    }
    $title = HtmlReplace($title,2);
    // strip the directory part of $oldurl, keeping only the file name
    $exname = ereg_replace("(.*)/","",$oldurl);
    // strip the extension, keeping the name before the first "."
    $exname = ereg_replace("\.(.*)$","",$exname);
    // returns the stored file name; $oldurl itself is passed through unfiltered
    $filename = MemberUploads('addonfile',$oldurl,$cfg_ml->M_ID,$utype,$exname,-1,-1,true);
    // $filename is handed to SaveUploadInfo(), which concatenates it into SQL
    SaveUploadInfo($title,$filename,$mediatype);
    ShowMsg("成功修改檔案!","uploads_edit.php?aid=$aid");
}

/member/inc/inc_archives_functions.php

function SaveUploadInfo($title,$filename,$medaitype=1,$addinfos='')
{
    global $dsql,$cfg_ml,$cfg_basedir;
    if($filename=='')
    {
        return false;
    }
    if(!is_array($addinfos))
    {
        $addinfos[0] = $addinfos[1] = $addinfos[2] = 0;
    }
    if($medaitype==1)
    {
        $info = '';
        $addinfos = GetImageSize($cfg_basedir.$filename,$info);
    }
    $addinfos[2] = @filesize($cfg_basedir.$filename);
    // first use of the unescaped $filename: interpolated into the LIKE clause
    $row = $dsql->GetOne("Select aid,title,url From `#@__uploads` where url like '$filename' And mid='".$cfg_ml->M_ID."'; ");
    $uptime = time();
    if(is_array($row))
    {
        $query = "Update `#@__uploads` set title='$title',mediatype='$medaitype',
                     width='{$addinfos[0]}',height='{$addinfos[1]}',filesize='{$addinfos[2]}',uptime='$uptime'
                     where aid='{$row['aid']}'; ";
        $dsql->ExecuteNoneQuery($query);
    }
    else
    {
        // $filename is concatenated into the INSERT without any filtering: SQL injection
        $inquery = "INSERT INTO `#@__uploads`(title,url,mediatype,width,height,playtime,filesize,uptime,mid)
           VALUES ('$title','$filename','$medaitype','".$addinfos[0]."','".$addinfos[1]."','0','".$addinfos[2]."','$uptime','".$cfg_ml->M_ID."'); ";
        $dsql->ExecuteNoneQuery($inquery);
    }
    return true;
}


5. Fix

/member/uploads_edit.php

else if($dopost=='save')
{
    $title = HtmlReplace($title,2);
    if($mediatype==1) $utype = 'image';
    else if($mediatype==2)
    {
        $utype = 'flash';
    }
    else if($mediatype==3)
    {
        $utype = 'media';
    }
    else
    {
        $utype = 'addon';
    }
    $title = HtmlReplace($title, 2);
    /* filter $oldurl before it is used */
    $oldurl = HtmlReplace($oldurl);
    /* ereg_replace() is deprecated; the equivalent preg_replace() calls are used instead */
    $exname = preg_replace("#(.*)/#", "", $oldurl);
    $exname = preg_replace("#\.(.*)$#", "", $exname);
    $filename = MemberUploads('addonfile', $oldurl, $cfg_ml->M_ID, $utype,$exname, -1, -1, TRUE);
    SaveUploadInfo($title, $filename, $mediatype);
    ShowMsg("成功修改檔案!", "uploads_edit.php?aid=$aid");
}

This patch neutralises the request parameter by HTML-encoding it with HtmlReplace() before it reaches MemberUploads(); note that the fix calls HtmlReplace() with its default mode, whereas $title is escaped with mode 2, so whether the single quote is actually encoded depends on that mode. HTML encoding is not SQL escaping. Since the root cause is that SaveUploadInfo() builds its SELECT and INSERT by string concatenation, the durable fix is to escape or bind $filename at the query itself and to reject any $oldurl that is not a plain relative path inside the member's own upload directory.
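The following is an added example, not dedecms code, covering both the code analysis in section 4 and the fix in section 5. It models SaveUploadInfo() in Python against an in-memory SQLite table (dede_uploads stands in for `#@__uploads`), runs the same single-quote break-out the POC uses through the string-built version and through a parameterised version, and adds an allow-list check on oldurl. The payload, the member id, the upload directory layout (uploads/userup/<mid>/) and the assumption that a failing query is recorded rather than raised (as dedecms's $dsql does) are all constructed for the example.

```python
import re
import sqlite3

SCHEMA = """
CREATE TABLE dede_uploads (
    aid INTEGER PRIMARY KEY AUTOINCREMENT,
    title TEXT, url TEXT, mediatype INTEGER, width INTEGER, height INTEGER,
    playtime INTEGER, filesize INTEGER, uptime INTEGER, mid INTEGER
);
"""

# Constructed payload for oldurl: the same single-quote break-out as the page's
# POC (1'.php), extended to close the INSERT's VALUES list with an attacker-chosen
# mid and comment out the remainder of the statement.
EVIL_OLDURL = "x','1','0','0','0','0','0','999')-- "

# Assumed allow-list for oldurl: relative path made of [A-Za-z0-9_./-] only.
OLDURL_RE = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_./-]*$")


def fresh_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def exname_from_oldurl(oldurl):
    """The two ereg_replace() calls from uploads_edit.php: drop the directory,
    then drop everything from the first '.', so 'a/b/c.jpg.php' -> 'c'."""
    exname = re.sub(r"(.*)/", "", oldurl)
    return re.sub(r"\.(.*)$", "", exname)


def _run(conn, sql, errors):
    """Assumption: like dedecms's $dsql, a failing query is recorded, not raised,
    and execution continues with the next statement."""
    try:
        return conn.execute(sql).fetchone()
    except sqlite3.Error as exc:
        errors.append(str(exc))
        return None


def save_upload_info_vulnerable(conn, title, filename, mediatype, mid, uptime=0):
    """Mirror of SaveUploadInfo(): $filename goes into the SELECT and then the
    INSERT by string interpolation. Returns the SQL errors seen on the way."""
    errors = []
    row = _run(conn, "SELECT aid,title,url FROM dede_uploads "
                     f"WHERE url LIKE '{filename}' AND mid='{mid}';", errors)
    if row is not None:
        _run(conn, f"UPDATE dede_uploads SET title='{title}',mediatype='{mediatype}',"
                   f"uptime='{uptime}' WHERE aid='{row[0]}';", errors)
    else:
        _run(conn, "INSERT INTO dede_uploads(title,url,mediatype,width,height,"
                   "playtime,filesize,uptime,mid) "
                   f"VALUES ('{title}','{filename}','{mediatype}','0','0','0','0',"
                   f"'{uptime}','{mid}');", errors)
    conn.commit()
    return errors


def save_upload_info_safe(conn, title, filename, mediatype, mid, uptime=0):
    """Same logic with bound parameters: values travel separately from the
    statement, so a quote inside $filename is data. '=' replaces the page's
    LIKE so that '%' or '_' in a file name cannot match other rows either."""
    row = conn.execute("SELECT aid FROM dede_uploads WHERE url = ? AND mid = ?",
                       (filename, mid)).fetchone()
    if row is not None:
        conn.execute("UPDATE dede_uploads SET title=?,mediatype=?,uptime=? WHERE aid=?",
                     (title, mediatype, uptime, row[0]))
    else:
        conn.execute("INSERT INTO dede_uploads(title,url,mediatype,width,height,"
                     "playtime,filesize,uptime,mid) VALUES (?,?,?,0,0,0,0,?,?)",
                     (title, filename, mediatype, uptime, mid))
    conn.commit()


def validate_oldurl(oldurl, mid):
    """Allow-list check on the request parameter (an addition, not the page's
    HtmlReplace() fix): OLDURL_RE charset, no '..' segment, and located under
    the requesting member's own directory (assumed uploads/userup/<mid>/)."""
    if not OLDURL_RE.match(oldurl) or ".." in oldurl.split("/"):
        return False
    return oldurl.startswith(f"uploads/userup/{mid}/")


def demo(mid=7):
    """Run the payload through both versions and return what each one stored."""
    vuln = fresh_db()
    save_upload_info_vulnerable(vuln, "t", "uploads/userup/7/123.jpg", 1, mid)
    errors = save_upload_info_vulnerable(vuln, "t", EVIL_OLDURL, 1, mid)
    hijacked = vuln.execute("SELECT url, mid FROM dede_uploads WHERE mid = 999").fetchall()
    safe = fresh_db()
    save_upload_info_safe(safe, "t", EVIL_OLDURL, 1, mid)
    stored = safe.execute("SELECT url, mid FROM dede_uploads").fetchall()
    return errors, hijacked, stored


if __name__ == "__main__":
    errors, hijacked, stored = demo()
    print("vulnerable: SQL errors =", errors)
    print("vulnerable: rows now owned by mid 999 =", hijacked)
    print("parameterised: stored literally =", stored)
    print("validate_oldurl(payload) =", validate_oldurl(EVIL_OLDURL, 7))
```

In the string-built version the SELECT fails with a syntax error on the payload, but (because the database layer swallows the error) execution continues into the INSERT, which now carries a mid chosen by the attacker: the upload record ends up attached to another member. The parameterised version stores the payload as an ordinary string under the caller's own mid, and validate_oldurl() rejects it before any query runs.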


6. Offense and defense notes

Copyright (c) 2015 LittleHann All rights reserved
