转载

dedecms /member/myfriend_group.php SQL Injection Vul

catalog

1. 漏洞描述 2. 漏洞触发条件 3. 漏洞影响范围 4. 漏洞代码分析 5. 防御方法 6. 攻防思考

1. 漏洞描述

Dedecms会员中心注入漏洞

Relevant Link

http://exp.03sec.com/dedecms-%E4%BC%9A%E5%91%98%E4%B8%AD%E5%BF%83%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E10.shtml

2. 漏洞触发条件

1. 先打开: http://127.0.0.1/dedecms5.7/member/myfriend_group.php 2. 随便添加一个分组: group //查看源码里groupname[]中的值,可以发现,这是一个基于键值key的盲注,因为没有返回,那么判断是否满足条件就看是否update了原来的数据 3. http://127.0.0.1/dedecms5.7/member/myfriend_group.php?dopost=save&groupname[2' or @`'` and (select 1)%3D1 and '1]=12222 //如果(select 1)=1的话 那个groupname就会被改成12222,上面的2改成你的groupname的ID

3. 漏洞影响范围

4. 漏洞代码分析

/member/myfriend_group.php

elseif ($dopost == 'save') {   if(isset($mtypeidarr) && is_array($mtypeidarr))   {    $delids = '0';    $mtypeidarr = array_filter($mtypeidarr, 'is_numeric');    foreach($mtypeidarr as $delid)    {     delids .= ','.$delid;     unset($groupname[$delid]);    }    $query = "DELETE FROM `#@__member_group` WHERE id in ($delids) AND      mid='$cfg_ml->M_ID'";    $dsql->ExecNoneQuery($query);    $sql="SELECT id FROM `#@__member_friends` WHERE groupid in      ($delids) AND mid='$cfg_ml->M_ID'";    $db->SetQuery($sql);    $db->Execute();    while($row = $db->GetArray())    {     $query2 = "UPDATE `#@__member_friends` SET groupid='1' WHERE id='{$row['id']}' AND mid='$cfg_ml->M_ID'";     $dsql->ExecNoneQuery($query2);    }   }   //键值$key注入  foreach ($groupname as $id => $name)  {    $name = HtmlReplace($name);    $query = "UPDATE `#@__member_group` SET groupname='$name' WHERE id='$id' AND mid='$cfg_ml->M_ID'";    echo $query;    $dsql->ExecuteNoneQuery($query);   }   ShowMsg('分组修改完成(删除分组中的会员会转移到默认分组中)','myfriend_group.php'); } 

Relevant Link

http://www.wooyun.org/bugs/wooyun-2014-048923

5. 防御方法

/member/myfriend_group.php

foreach ($groupname as $id => $name) {  $name = HtmlReplace($name);  /* 对$id进行过滤 */  $id = HtmlReplace($id);  /* */  $query = "UPDATE `#@__member_group` SET groupname='$name' WHERE id='$id' AND mid='$cfg_ml->M_ID'";  $dsql->ExecuteNoneQuery($query); } 

6. 攻防思考

Copyright (c) 2015 LittleHann All rights reserved

正文到此结束
Loading...