
dedecms /include/helpers/archive.helper.php SQL Injection Vul

1. Vulnerability Description
2. Trigger Conditions
3. Affected Scope
4. Vulnerable Code Analysis
5. Defense Methods
6. Offense and Defense Reflections


1. Vulnerability Description

SQL injection in the DedeCMS member center.

Relevant Link:

http://www.wooyun.org/bugs/wooyun-2010-048892


2. Trigger Conditions

1. Open http://127.0.0.1/dedecms5.7/member/soft_add.php
2. Add a piece of software
3. Capture the request with Burp
   1) Rename the picnum parameter to typeid2
   2) Set its value to 5',1,1,1,@`'`),('-1','7',user(),'3','1389688643','1389688643','8'),(1,2,'


3. Affected Scope

4. Vulnerable Code Analysis

/include/helpers/archive.helper.php

if (!function_exists('GetIndexKey'))
{
    function GetIndexKey($arcrank, $typeid, $sortrank = 0, $channelid = 1, $senddate = 0, $mid = 1)
    {
        // $typeid2 comes from outside; combined with DedeCMS's local variable
        // overwrite bug, the request can set this variable to any value
        global $dsql, $senddate, $typeid2;

        if (empty($typeid2)) $typeid2 = 0;
        if (empty($senddate)) $senddate = time();
        if (empty($sortrank)) $sortrank = $senddate;

        // $typeid2 and $senddate are interpolated into the SQL without effective filtering
        $iquery = "
        INSERT INTO `#@__arctiny` (`arcrank`,`typeid`,`typeid2`,`channel`,`senddate`, `sortrank`, `mid`)
        VALUES ('$arcrank','$typeid','$typeid2','$channelid','$senddate','$sortrank','$mid') ";

        echo $iquery;   // prints the assembled query (debug output)

        $dsql->ExecuteNoneQuery($iquery);
        $aid = $dsql->GetLastID();
        return $aid;
    }
}

/archive.helper.php is a helper function library and is where the vulnerability originates; the actual attack vector is triggered by the files that call its GetIndexKey function, such as:

/member/soft_add.php

else if ($dopost == 'save')
{
    $description = '';
    include(DEDEMEMBER.'/inc/archives_check.php');

    // generate the document ID
    $arcID = GetIndexKey($arcrank, $typeid, $sortrank, $channelid, $senddate, $mid);
...

Relevant Link:

http://www.wooyun.org/bugs/wooyun-2010-048892


5. Defense Methods

/include/helpers/archive.helper.php

if (!function_exists('GetIndexKey'))
{
    function GetIndexKey($arcrank, $typeid, $sortrank = 0, $channelid = 1, $senddate = 0, $mid = 1)
    {
        // $typeid2 comes from outside; combined with DedeCMS's local variable
        // overwrite bug, the request can set this variable to any value
        global $dsql, $senddate, $typeid2;
        if (empty($typeid2)) $typeid2 = 0;
        if (empty($senddate)) $senddate = time();
        if (empty($sortrank)) $sortrank = $senddate;
        /* filter: force both externally reachable values to integers */
        $typeid2  = intval($typeid2);
        $senddate = intval($senddate);
        /* */
        $iquery = "
            INSERT INTO `#@__arctiny` (`arcrank`,`typeid`,`typeid2`,`channel`,`senddate`, `sortrank`, `mid`)
            VALUES ('$arcrank','$typeid','$typeid2','$channelid','$senddate','$sortrank','$mid') ";
        $dsql->ExecuteNoneQuery($iquery);
        $aid = $dsql->GetLastID();
        return $aid;
    }
}
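The patch above casts only $typeid2 and $senddate; $arcrank, $typeid, $sortrank, $channelid and $mid are still interpolated into the query string and rely on whatever validation happens before the call. As an added example (not DedeCMS code), here is a variant that takes $typeid2 as an explicit argument instead of a global and binds every column as an integer parameter through PDO; the $db handle, the `dede_` table prefix and the integer column types are assumptions.

```php
<?php
// Added example, not DedeCMS code. Assumes a PDO handle $db, that the
// `#@__` prefix expands to the default `dede_`, and that all seven
// arctiny columns are integers.

function GetIndexKeySafe(PDO $db, $arcrank, $typeid, $sortrank = 0,
                         $channelid = 1, $senddate = 0, $mid = 1, $typeid2 = 0)
{
    // typeid2 is a normal argument rather than a global, so a variable
    // overwrite elsewhere in the request cannot change it behind the caller's back.
    $senddate = (int)$senddate ?: time();
    $sortrank = (int)$sortrank ?: $senddate;

    $values = [
        'arcrank'  => (int)$arcrank,
        'typeid'   => (int)$typeid,
        'typeid2'  => (int)$typeid2,
        'channel'  => (int)$channelid,
        'senddate' => $senddate,
        'sortrank' => $sortrank,
        'mid'      => (int)$mid,
    ];

    // Column names are fixed in the code; only values are bound, and they are
    // bound as integers, so no request-controlled text ever reaches the SQL.
    $stmt = $db->prepare(
        'INSERT INTO `dede_arctiny` (`arcrank`,`typeid`,`typeid2`,`channel`,`senddate`,`sortrank`,`mid`)'
        . ' VALUES (:arcrank, :typeid, :typeid2, :channel, :senddate, :sortrank, :mid)'
    );
    foreach ($values as $name => $value) {
        $stmt->bindValue(':' . $name, $value, PDO::PARAM_INT);
    }
    $stmt->execute();
    return (int)$db->lastInsertId();
}

// Why the intval() fix in section 5 neutralises the value from section 2:
// PHP's integer cast keeps only the leading numeric prefix of a string, so
// everything after the first digit group is discarded before the query is built.
function castTypeid2($raw)
{
    return (int)$raw;
}

// Constructed copy of the section 2 value, for demonstration only.
$raw = "5',1,1,1,@`'`),('-1','7',user(),'3','1389688643','1389688643','8'),(1,2,'";
var_dump(castTypeid2($raw));
```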


6. Offense and Defense Reflections

Copyright (c) 2015 LittleHann All rights reserved

 
