• dedecms /include/helpers/archive.helper.php SQL Injection Vul

    catalog

    1. 漏洞描述
2. 漏洞触发条件
3. 漏洞影响范围
4. 漏洞代码分析
5. 防御方法
6. 攻防思考

    1. 漏洞描述

    Dedecms会员中心注入漏洞

    Relevant Link:

    http://www.wooyun.org/bugs/wooyun-2010-048892


    2. 漏洞触发条件

    1. 打开http://127.0.0.1/dedecms5.7/member/soft_add.php
2. 添加软件
3. 打开BURP抓包
    1) 将picnum改成typeid2
    2) 然后参数写5',1,1,1,@`'`),('-1','7',user() , '3','1389688643', '1389688643', '8'),(1,2,'


    3. 漏洞影响范围
    4. 漏洞代码分析

    /include/helpers/archive.helper.php

    if ( ! function_exists('GetIndexKey')) 
{ 
    function GetIndexKey($arcrank, $typeid, $sortrank=0, $channelid=1, $senddate=0, $mid=1) 
    { 
        //$typeid2来自外部,结合DEDE的本地变量覆盖漏洞即可修改这个变量值
        global $dsql,$senddate,$typeid2;  
        
        if(empty($typeid2)) $typeid2 = 0; 
        if(empty($senddate)) $senddate = time(); 
        if(empty($sortrank)) $sortrank = $senddate;
        
        //$typeid2、$senddate未进行有效过滤就带入SQL查询
        $iquery = "
        INSERT INTO `#@__arctiny` (`arcrank`,`typeid`,`typeid2`,`channel`,`senddate`, `sortrank`, `mid`) 
        VALUES ('$arcrank','$typeid','$typeid2' , '$channelid','$senddate', '$sortrank', '$mid') ";
        
        echo    $iquery;

        $dsql->ExecuteNoneQuery($iquery); 
        $aid = $dsql->GetLastID(); 
        return $aid; 
    } 
}

    /archive.helper.php是一个辅助函数库,是存在漏洞的源头,真正的漏洞攻击向量由调用这个文件的GetIndexKey函数触发
    /member/soft_add.php

    else if($dopost=='save')
{
    $description = '';
    include(DEDEMEMBER.'/inc/archives_check.php');

    //生成文档ID
    $arcID = GetIndexKey($arcrank,$typeid,$sortrank,$channelid,$senddate,$mid);
..

    Relevant Link:

    http://www.wooyun.org/bugs/wooyun-2010-048892


    5. 防御方法

    /include/helpers/archive.helper.php

    if ( ! function_exists('GetIndexKey'))
{
    function GetIndexKey($arcrank, $typeid, $sortrank=0, $channelid=1, $senddate=0, $mid=1)
    {
        //$typeid2来自外部,结合DEDE的本地变量覆盖漏洞即可修改这个变量值
        global $dsql,$senddate,$typeid2;
        if(empty($typeid2)) $typeid2 = 0;
        if(empty($senddate)) $senddate = time();
        if(empty($sortrank)) $sortrank = $senddate;
        /* 过滤 */
        $typeid2 = intval($typeid2);
        $senddate = intval($senddate);
        /* */
        $iquery = "
          INSERT INTO `#@__arctiny` (`arcrank`,`typeid`,`typeid2`,`channel`,`senddate`, `sortrank`, `mid`)
          VALUES ('$arcrank','$typeid','$typeid2' , '$channelid','$senddate', '$sortrank', '$mid') ";
        $dsql->ExecuteNoneQuery($iquery);
        $aid = $dsql->GetLastID();
        return $aid;
    }
}


    6. 攻防思考

    Copyright (c) 2015 LittleHann All rights reserved
  • 相关阅读:
    docker 目录移动到其他磁盘的操作
    linux -- 查看磁盘空间的大小 查看文件夹占用磁盘空间大小
    python flask 反向代理
    shell 脚本换行符的问题
    uniapp使用web-view跳转vue单页面通信,互发消息
    java基础(多线程---lambda)
    SpringBoot开发详解(五)--Controller接收参数以及参数校验
    使用 TypeScript 来开发 React 的注意事项
    video标签通过js实现增加倍速播放功能
    zblog调取置顶文章
  • 原文地址:https://www.cnblogs.com/LittleHann/p/4514777.html
Copyright © 2020-2023  润新知