dedecms /include/helpers/archive.helper.php SQL Injection Vul

catalog

1. 漏洞描述
2. 漏洞觸發條件
3. 漏洞影響範圍
4. 漏洞程式碼分析
5. 防禦方法
6. 攻防思考

 

1. 漏洞描述

Dedecms會員中心注入漏洞

Relevant Link:

http://www.wooyun.org/bugs/wooyun-2010-048892

2. 漏洞觸發條件

1. 開啟http://127.0.0.1/dedecms5.7/member/soft_add.php
2. 新增軟體
3. 開啟BURP抓包
    1) 將picnum改成typeid2
    2) 然後引數寫5',1,1,1,@`'`),('-1','7',user() , '3','1389688643', '1389688643', '8'),(1,2,'

3. 漏洞影響範圍
4. 漏洞程式碼分析

/include/helpers/archive.helper.php

if ( ! function_exists('GetIndexKey')) 
{ 
    function GetIndexKey($arcrank, $typeid, $sortrank=0, $channelid=1, $senddate=0, $mid=1) 
    { 
        //$typeid2來自外部，結合DEDE的本地變數覆蓋漏洞即可修改這個變數值
        global $dsql,$senddate,$typeid2;  
        
        if(empty($typeid2)) $typeid2 = 0; 
        if(empty($senddate)) $senddate = time(); 
        if(empty($sortrank)) $sortrank = $senddate;
        
        //$typeid2、$senddate未進行有效過濾就帶入SQL查詢
        $iquery = "
        INSERT INTO `#@__arctiny` (`arcrank`,`typeid`,`typeid2`,`channel`,`senddate`, `sortrank`, `mid`) 
        VALUES ('$arcrank','$typeid','$typeid2' , '$channelid','$senddate', '$sortrank', '$mid') ";
        
        echo    $iquery;

        $dsql->ExecuteNoneQuery($iquery); 
        $aid = $dsql->GetLastID(); 
        return $aid; 
    } 
}

/archive.helper.php是一個輔助函式庫，是存在漏洞的源頭，真正的漏洞攻擊向量由呼叫這個檔案的GetIndexKey函式觸發
/member/soft_add.php

else if($dopost=='save')
{
    $description = '';
    include(DEDEMEMBER.'/inc/archives_check.php');

    //生成文件ID
    $arcID = GetIndexKey($arcrank,$typeid,$sortrank,$channelid,$senddate,$mid);
..

Relevant Link:

http://www.wooyun.org/bugs/wooyun-2010-048892

5. 防禦方法

/include/helpers/archive.helper.php

if ( ! function_exists('GetIndexKey'))
{
    function GetIndexKey($arcrank, $typeid, $sortrank=0, $channelid=1, $senddate=0, $mid=1)
    {
        //$typeid2來自外部，結合DEDE的本地變數覆蓋漏洞即可修改這個變數值
        global $dsql,$senddate,$typeid2;
        if(empty($typeid2)) $typeid2 = 0;
        if(empty($senddate)) $senddate = time();
        if(empty($sortrank)) $sortrank = $senddate;
        /* 過濾 */
        $typeid2 = intval($typeid2);
        $senddate = intval($senddate);
        /* */
        $iquery = "
          INSERT INTO `#@__arctiny` (`arcrank`,`typeid`,`typeid2`,`channel`,`senddate`, `sortrank`, `mid`)
          VALUES ('$arcrank','$typeid','$typeid2' , '$channelid','$senddate', '$sortrank', '$mid') ";
        $dsql->ExecuteNoneQuery($iquery);
        $aid = $dsql->GetLastID();
        return $aid;
    }
}

6. 攻防思考

Copyright (c) 2015 LittleHann All rights reserved