码迷,mamicode.com
首页 > 数据库 > 详细

dedecms /include/helpers/archive.helper.php SQL Injection Vul

时间:2015-05-19 16:17:48      阅读:261      评论:0      收藏:0      [点我收藏+]

标签:

catalog

1. 漏洞描述
2. 漏洞触发条件
3. 漏洞影响范围
4. 漏洞代码分析
5. 防御方法
6. 攻防思考

 

1. 漏洞描述

Dedecms会员中心注入漏洞

Relevant Link:

http://www.wooyun.org/bugs/wooyun-2010-048892


2. 漏洞触发条件

1. 打开http://127.0.0.1/dedecms5.7/member/soft_add.php
2. 添加软件
3. 打开BURP抓包
    1) 将picnum改成typeid2
    2) 然后参数写5,1,1,1,@``),(-1,7,user() , 3,1389688643, 1389688643, 8),(1,2,


3. 漏洞影响范围
4. 漏洞代码分析

/include/helpers/archive.helper.php

if ( ! function_exists(GetIndexKey)) 
{ 
    function GetIndexKey($arcrank, $typeid, $sortrank=0, $channelid=1, $senddate=0, $mid=1) 
    { 
        //$typeid2来自外部,结合DEDE的本地变量覆盖漏洞即可修改这个变量值
        global $dsql,$senddate,$typeid2;  
        
        if(empty($typeid2)) $typeid2 = 0; 
        if(empty($senddate)) $senddate = time(); 
        if(empty($sortrank)) $sortrank = $senddate;
        
        //$typeid2、$senddate未进行有效过滤就带入SQL查询
        $iquery = "
        INSERT INTO `#@__arctiny` (`arcrank`,`typeid`,`typeid2`,`channel`,`senddate`, `sortrank`, `mid`) 
        VALUES ($arcrank,$typeid,$typeid2 , $channelid,$senddate, $sortrank, $mid) ";
        
        echo    $iquery;

        $dsql->ExecuteNoneQuery($iquery); 
        $aid = $dsql->GetLastID(); 
        return $aid; 
    } 
}

/archive.helper.php是一个辅助函数库,是存在漏洞的源头,真正的漏洞攻击向量由调用这个文件的GetIndexKey函数触发
/member/soft_add.php

else if($dopost==save)
{
    $description = ‘‘;
    include(DEDEMEMBER./inc/archives_check.php);

    //生成文档ID
    $arcID = GetIndexKey($arcrank,$typeid,$sortrank,$channelid,$senddate,$mid);
..

Relevant Link:

http://www.wooyun.org/bugs/wooyun-2010-048892


5. 防御方法

/include/helpers/archive.helper.php

if ( ! function_exists(GetIndexKey))
{
    function GetIndexKey($arcrank, $typeid, $sortrank=0, $channelid=1, $senddate=0, $mid=1)
    {
        //$typeid2来自外部,结合DEDE的本地变量覆盖漏洞即可修改这个变量值
        global $dsql,$senddate,$typeid2;
        if(empty($typeid2)) $typeid2 = 0;
        if(empty($senddate)) $senddate = time();
        if(empty($sortrank)) $sortrank = $senddate;
        /* 过滤 */
        $typeid2 = intval($typeid2);
        $senddate = intval($senddate);
        /* */
        $iquery = "
          INSERT INTO `#@__arctiny` (`arcrank`,`typeid`,`typeid2`,`channel`,`senddate`, `sortrank`, `mid`)
          VALUES ($arcrank,$typeid,$typeid2 , $channelid,$senddate, $sortrank, $mid) ";
        $dsql->ExecuteNoneQuery($iquery);
        $aid = $dsql->GetLastID();
        return $aid;
    }
}


6. 攻防思考

Copyright (c) 2015 LittleHann All rights reserved

 

dedecms /include/helpers/archive.helper.php SQL Injection Vul

标签:

原文地址:http://www.cnblogs.com/LittleHann/p/4514777.html

(0)
(0)
   
举报
评论 一句话评论(0
登录后才能评论!
© 2014 mamicode.com 版权所有  联系我们:gaon5@hotmail.com
迷上了代码!