catalog
. 漏洞描述
. 漏洞触发条件
. 漏洞影响范围
. 漏洞代码分析
. 防御方法
. 攻防思考
1. 漏洞描述
Dedecms会员中心注入漏洞
Relevant Link:
http://www.wooyun.org/bugs/wooyun-2010-048892
2. 漏洞触发条件
. 打开http://127.0.0.1/dedecms5.7/member/soft_add.php
. 添加软件
. 打开BURP抓包
) 将picnum改成typeid2
) 然后参数写5',1,1,1,@`'`),('-1','',user() , '','', '', ''),(,,'
3. 漏洞影响范围
4. 漏洞代码分析
/include/helpers/archive.helper.php
if ( ! function_exists('GetIndexKey'))
{
function GetIndexKey($arcrank, $typeid, $sortrank=, $channelid=, $senddate=, $mid=)
{
//$typeid2来自外部,结合DEDE的本地变量覆盖漏洞即可修改这个变量值
global $dsql,$senddate,$typeid2; if(empty($typeid2)) $typeid2 = ;
if(empty($senddate)) $senddate = time();
if(empty($sortrank)) $sortrank = $senddate; //$typeid2、$senddate未进行有效过滤就带入SQL查询
$iquery = "
INSERT INTO `#@__arctiny` (`arcrank`,`typeid`,`typeid2`,`channel`,`senddate`, `sortrank`, `mid`)
VALUES ('$arcrank','$typeid','$typeid2' , '$channelid','$senddate', '$sortrank', '$mid') "; echo $iquery; $dsql->ExecuteNoneQuery($iquery);
$aid = $dsql->GetLastID();
return $aid;
}
}
/archive.helper.php是一个辅助函数库,是存在漏洞的源头,真正的漏洞攻击向量由调用这个文件的GetIndexKey函数触发
/member/soft_add.php
else if($dopost=='save')
{
$description = '';
include(DEDEMEMBER.'/inc/archives_check.php'); //生成文档ID
$arcID = GetIndexKey($arcrank,$typeid,$sortrank,$channelid,$senddate,$mid);
..
Relevant Link:
http://www.wooyun.org/bugs/wooyun-2010-048892
5. 防御方法
/include/helpers/archive.helper.php
if ( ! function_exists('GetIndexKey'))
{
function GetIndexKey($arcrank, $typeid, $sortrank=, $channelid=, $senddate=, $mid=)
{
//$typeid2来自外部,结合DEDE的本地变量覆盖漏洞即可修改这个变量值
global $dsql,$senddate,$typeid2;
if(empty($typeid2)) $typeid2 = ;
if(empty($senddate)) $senddate = time();
if(empty($sortrank)) $sortrank = $senddate;
/* 过滤 */
$typeid2 = intval($typeid2);
$senddate = intval($senddate);
/* */
$iquery = "
INSERT INTO `#@__arctiny` (`arcrank`,`typeid`,`typeid2`,`channel`,`senddate`, `sortrank`, `mid`)
VALUES ('$arcrank','$typeid','$typeid2' , '$channelid','$senddate', '$sortrank', '$mid') ";
$dsql->ExecuteNoneQuery($iquery);
$aid = $dsql->GetLastID();
return $aid;
}
}
6. 攻防思考
Copyright (c) 2015 LittleHann All rights reserved