catalog
1. 漏洞描述 2. 漏洞触发条件 3. 漏洞影响范围 4. 漏洞代码分析 5. 防御方法 6. 攻防思考
1. 漏洞描述
Dedecms会员中心注入漏洞
Relevant Link
http://www.yunsec.net/a/security/bugs/script/2012/1220/12127.html
2. 漏洞触发条件
因为是update注入,并且用了>ExecuteNoneQuery所以不能采用benchmark延时注入,但是可以通过一个"返回状态差异"判断来进行忙注,如果条件成功那么mtypename='$name'就会被update了
1. 首先打开: http://127.0.0.1/dedecms5.5/member/mtypes.php 2. 添加一个分类,记住ID(1),和原来的分类名称(fenlei) 3. 然后打开: http://127.0.0.1/dedecms5.5/member/mtypes.php?dopost=save&mtypename[1' or @`'` AND 1%3D1 and (select 'r')%3D'r' and '1'%3D'1]=4 //将其中的1改成你的分类ID 4. 结束之后打开之后返回: http://127.0.0.1/dedecms5.5/member/mtypes.php //如果(select 'r')='r'的话 那么分类名称就被改成了4! 这样我们就能来判断是否满足条件了,二值判断注入
Relevant Link
http://www.wooyun.org/bugs/wooyun-2010-048880 http://www.0x50sec.org/0day-exp/2012/12/id/1482/comment-page-1/#comment-57057
3. 漏洞影响范围
4. 漏洞代码分析
/member/mtypes.php
elseif ($dopost == 'save') { if(isset($mtypeidarr) && is_array($mtypeidarr)) { $delids = '0'; $mtypeidarr = array_filter($mtypeidarr, 'is_numeric'); foreach($mtypeidarr as $delid) { $delids .= ','.$delid; unset($mtypename[$delid]); } $query = "delete from `#@__mtypes` where mtypeid in ($delids) and mid='$cfg_ml->M_ID';"; $dsql->ExecNoneQuery($query); } //通过$mtypename进行key注入 foreach ($mtypename as $id => $name) { $name = HtmlReplace($name); //未对键值$id进行任何过滤就带入查询,导致注入 $query = "update `#@__mtypes` set mtypename='$name' where mtypeid='$id' and mid='$cfg_ml->M_ID'"; $dsql->ExecuteNoneQuery($query); } ShowMsg('分类修改完成','mtypes.php'); }
5. 防御方法
/member/mtypes.php
elseif ($dopost == 'save') { if(isset($mtypeidarr) && is_array($mtypeidarr)) { $delids = '0'; $mtypeidarr = array_filter($mtypeidarr, 'is_numeric'); foreach($mtypeidarr as $delid) { $delids .= ','.$delid; unset($mtypename[$delid]); } $query = "delete from `#@__mtypes` where mtypeid in ($delids) and mid='$cfg_ml->M_ID';"; $dsql->ExecNoneQuery($query); } //通过$mtypename进行key注入 foreach ($mtypename as $id => $name) { $name = HtmlReplace($name); /* 对$id进行规范化处理 */ $id = intval($id); /* */ $query = "update `#@__mtypes` set mtypename='$name' where mtypeid='$id' and mid='$cfg_ml->M_ID'"; $dsql->ExecuteNoneQuery($query); } ShowMsg('分类修改完成','mtypes.php'); }
通过intval规范互处理,使得黑客注入的盲注语句失效,即不管任何时候,返回结果都是能成功修改为4,即盲注的二值条件不存在了
6. 攻防思考
Copyright (c) 2015 LittleHann All rights reserved