catalog
1. 漏洞描述 2. 漏洞触发条件 3. 漏洞影响范围 4. 漏洞代码分析 5. 防御方法 6. 攻防思考
1. 漏洞描述
会员模块中存在的SQL注入
Relevant Link:
http://www.grabsun.com/article/2015/1216455.html
2. 漏洞触发条件
1. 注册用户并且登陆 2. 打开http://127.0.0.1/dedecms5.5/member/edit_baseinfo.php 3. 填写完毕后,输入验证码,点击提交,打开BURP 抓包 4. 然后再BURP里修改newsafequestion 的值改成: 1',email=@`'`,uname=(select user()),email='sss 5. 然后提交 之后再打开http://127.0.0.1/dedecms5.5/member/edit_baseinfo.php 6. 就可以看到自己的、用户名变成了注入之后的结果了
Relevant Link:
http://www.wooyun.org/bugs/wooyun-2014-048873
3. 漏洞影响范围
4. 漏洞代码分析
/member/edit_baseinfo.php
.. //修改安全问题 if($newsafequestion != 0 && $newsafeanswer != '') { if(strlen($newsafeanswer) > 30) { ShowMsg('你的新安全问题的答案太长了,请保持在30字节以内!','-1'); exit(); } else { //这里的newsafequest没过滤,黑客可以将SQL代码注入到$addupquery中,用于之后的SQL查询 $addupquery .= ",safequestion='$newsafequestion',safeanswer='$newsafeanswer'"; } } .. //带入SQL查询 $query1 = "Update `#@__member` set pwd='$pwd',sex='$sex'{$addupquery} where mid='".$cfg_ml->M_ID."' "; $dsql->ExecuteNoneQuery($query1);
5. 防御方法
/member/edit_baseinfo.php
.. //修改安全问题 if($newsafequestion != 0 && $newsafeanswer != '') { if(strlen($newsafeanswer) > 30) { ShowMsg('你的新安全问题的答案太长了,请保持在30字节以内!','-1'); exit(); } else { /* 过滤 */ $newsafequestion = addslashes($newsafequestion); $newsafeanswer = addslashes($newsafeanswer); /* */ $addupquery .= ",safequestion='$newsafequestion',safeanswer='$newsafeanswer'"; } } .. $query1 = "UPDATE `#@__member` SET pwd='$pwd',sex='$sex'{$addupquery} where mid='".$cfg_ml->M_ID."' "; $dsql->ExecuteNoneQuery($query1);
6. 攻防思考
Copyright (c) 2015 LittleHann All rights reserved