dedecms /member/edit_baseinfo.php SQL Injection Vul

Posted by Andrew.Hann on 2015-05-19

Contents

1. Vulnerability Description
2. Trigger Conditions
3. Affected Scope
4. Code Analysis
5. Remediation
6. Offensive and Defensive Considerations


1. Vulnerability Description

An SQL injection vulnerability in the member (front-end user) module: a value taken from the profile-editing form is spliced into an UPDATE statement without escaping.

Relevant Link:

http://www.grabsun.com/article/2015/1216455.html


2. Trigger Conditions

1. Register a user and log in.
2. Open http://127.0.0.1/dedecms5.5/member/edit_baseinfo.php
3. Fill in the form, enter the captcha, click submit, and capture the request with Burp.
4. In Burp, change the value of newsafequestion to: 1',email=@`'`,uname=(select user()),email='sss
5. Forward the request, then open http://127.0.0.1/dedecms5.5/member/edit_baseinfo.php again.
6. Your own username now shows the result of the injection (the output of user()).

Why the payload is shaped this way: the leading 1' closes the safequestion string literal in the UPDATE, uname=(select user()) overwrites the logged-in member's own username with the result of the subquery, and the trailing email='sss re-opens a literal that the original template's closing quote terminates, so the statement stays syntactically valid. The fragment @`'` is a MySQL user variable whose backtick-quoted name is a single quote character: MySQL parses it as an identifier, whereas a filter that pairs up ' characters to skip over string literals before keyword-matching treats everything from that quote up to email=' as string content and never sees the select.

Relevant Link:

http://www.wooyun.org/bugs/wooyun-2014-048873


3. Affected Scope
4. Code Analysis

/member/edit_baseinfo.php

..
//Change the security question
if($newsafequestion != 0 && $newsafeanswer != '')
{
    if(strlen($newsafeanswer) > 30)
    {
        ShowMsg('Your new security answer is too long; please keep it within 30 bytes!','-1');
        exit();
    }
    else
    {
        //$newsafequestion is not filtered here (only the length of the answer is checked), so an attacker
        //can inject SQL into $addupquery, which is spliced into the UPDATE statement below
        $addupquery .= ",safequestion='$newsafequestion',safeanswer='$newsafeanswer'";
    }
}
..
//Spliced into the SQL statement
$query1 = "Update `#@__member` set pwd='$pwd',sex='$sex'{$addupquery} where mid='".$cfg_ml->M_ID."' ";
$dsql->ExecuteNoneQuery($query1);


5. Remediation

/member/edit_baseinfo.php

..
//Change the security question
if($newsafequestion != 0 && $newsafeanswer != '')
{
    if(strlen($newsafeanswer) > 30)
    {
        ShowMsg('Your new security answer is too long; please keep it within 30 bytes!','-1');
        exit();
    }
    else
    {
        /* Escape both values before they reach the statement */
        $newsafequestion = addslashes($newsafequestion);
        $newsafeanswer = addslashes($newsafeanswer);
        /* */
        $addupquery .= ",safequestion='$newsafequestion',safeanswer='$newsafeanswer'";
    }
}
..
$query1 = "UPDATE `#@__member` SET pwd='$pwd',sex='$sex'{$addupquery} where mid='".$cfg_ml->M_ID."' ";
$dsql->ExecuteNoneQuery($query1);
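As an added example (not code from this write-up or from DedeCMS), the following Python rebuilds the UPDATE from the code analysis the way the PHP does, shows why the payload from the trigger conditions is shaped the way it is, and contrasts the string-spliced statement with a parameterized one. The table name, columns and member row are constructed for the demo; the quote-stripping filter is an illustrative model of a keyword filter, not DedeCMS's own CheckSql; MySQL's user() is stood in by a registered SQLite function; and the @`'` fragment is dropped from the variant that is actually executed, because SQLite has no user variables.

```python
import sqlite3

# Payload from the write-up (step 4). The @`'` user variable and user() are MySQL-specific.
WOOYUN_PAYLOAD = "1',email=@`'`,uname=(select user()),email='sss"

# Same payload minus the @`'` trick, so it also runs under SQLite (user() is defined below).
SQLITE_PAYLOAD = "1',uname=(select user()),email='sss"


def build_update_vulnerable(pwd, sex, newsafequestion, newsafeanswer, mid):
    """Mirror of the original PHP: $newsafequestion and $newsafeanswer are spliced
    into $addupquery and then into $query1 as raw text. Table name and the
    'a question was selected' check are simplified (hypothetical schema)."""
    addupquery = ""
    if newsafequestion != "0" and newsafeanswer != "":
        addupquery += f",safequestion='{newsafequestion}',safeanswer='{newsafeanswer}'"
    return f"UPDATE member SET pwd='{pwd}',sex='{sex}'{addupquery} WHERE mid='{mid}'"


def naive_quote_filter(sql):
    """Model of a keyword filter that first drops everything between paired single
    quotes, then looks for SELECT in what remains. Illustrative only, not
    DedeCMS's own code. Returns (allowed, text_that_was_inspected)."""
    kept, in_string = [], False
    for ch in sql:
        if ch == "'":
            in_string = not in_string   # every quote toggles, regardless of how MySQL parses it
        elif not in_string:
            kept.append(ch)
    inspected = "".join(kept)
    return "select" not in inspected.lower(), inspected


def update_baseinfo_safe(conn, pwd, sex, newsafequestion, newsafeanswer, mid):
    """Hardened version: same statement shape, every user-controlled value bound
    as a parameter so it can only ever be data, never SQL."""
    set_clause, params = "pwd=?,sex=?", [pwd, sex]
    if newsafequestion != "0" and newsafeanswer != "":
        set_clause += ",safequestion=?,safeanswer=?"
        params += [newsafequestion, newsafeanswer]
    params.append(mid)
    conn.execute(f"UPDATE member SET {set_clause} WHERE mid=?", params)


def fresh_db():
    """In-memory stand-in for #@__member with one constructed member row; user() is
    registered so the subquery in the payload resolves, as it would in MySQL."""
    conn = sqlite3.connect(":memory:")
    conn.create_function("user", 0, lambda: "dede@localhost")
    conn.execute("CREATE TABLE member (mid INTEGER PRIMARY KEY, uname TEXT, pwd TEXT,"
                 " sex TEXT, email TEXT, safequestion TEXT, safeanswer TEXT)")
    conn.execute("INSERT INTO member VALUES (7,'alice','oldhash','m','a@example.com','0','')")
    return conn


def demo():
    """Push the payload through both code paths and return what lands in the row."""
    conn = fresh_db()
    conn.execute(build_update_vulnerable("newhash", "m", SQLITE_PAYLOAD, "answer", 7))
    injected = conn.execute("SELECT uname, email, safequestion FROM member WHERE mid=7").fetchone()

    conn = fresh_db()
    update_baseinfo_safe(conn, "newhash", "m", SQLITE_PAYLOAD, "answer", 7)
    bound = conn.execute("SELECT uname, email, safequestion FROM member WHERE mid=7").fetchone()
    return injected, bound


if __name__ == "__main__":
    print(build_update_vulnerable("...", "...", WOOYUN_PAYLOAD, "...", 123))
    for payload in (SQLITE_PAYLOAD, WOOYUN_PAYLOAD):
        allowed, seen = naive_quote_filter(build_update_vulnerable("p", "m", payload, "a", 7))
        print("filter allows" if allowed else "filter blocks", "->", seen)
    print(demo())
```

Run the file directly to print the rendered statement and the filter verdicts: the plain payload is blocked by the model filter because select is visible once literals are removed, while the @`'` variant hides the subquery inside what the filter believes is a string. In the executed variant the vulnerable path ends with uname set to the output of user(), whereas the parameterized path stores the whole payload as the safequestion value and touches nothing else. The addslashes() fix above escapes the quote and stops this particular payload; since the original code already treats $newsafequestion as a numeric question ID (the != 0 check), intval() would be tighter still, and binding parameters removes the string splicing entirely.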


6. Offensive and Defensive Considerations

Copyright (c) 2015 LittleHann All rights reserved

