dedecms /include/helpers/archive.helper.php SQL Injection Vul
catalogphp
1. 漏洞描述 2. 漏洞觸發條件 3. 漏洞影響範圍 4. 漏洞代碼分析 5. 防護方法 6. 攻防思考
1. 漏洞描述sql
Dedecms會員中心注入漏洞函數
Relevant Link:post
http://www.wooyun.org/bugs/wooyun-2010-048892
2. 漏洞觸發條件spa
1. 打開http://127.0.0.1/dedecms5.7/member/soft_add.php 2. 添加軟件 3. 打開BURP抓包 1) 將picnum改爲typeid2 2) 而後參數寫5',1,1,1,@`'`),('-1','7',user() , '3','1389688643', '1389688643', '8'),(1,2,'
3. 漏洞影響範圍
4. 漏洞代碼分析code
/include/helpers/archive.helper.phpblog
if ( ! function_exists('GetIndexKey')) { function GetIndexKey($arcrank, $typeid, $sortrank=0, $channelid=1, $senddate=0, $mid=1) { //$typeid2來自外部,結合DEDE的本地變量覆蓋漏洞便可修改這個變量值 global $dsql,$senddate,$typeid2; if(empty($typeid2)) $typeid2 = 0; if(empty($senddate)) $senddate = time(); if(empty($sortrank)) $sortrank = $senddate; //$typeid二、$senddate未進行有效過濾就帶入SQL查詢 $iquery = " INSERT INTO `#@__arctiny` (`arcrank`,`typeid`,`typeid2`,`channel`,`senddate`, `sortrank`, `mid`) VALUES ('$arcrank','$typeid','$typeid2' , '$channelid','$senddate', '$sortrank', '$mid') "; echo $iquery; $dsql->ExecuteNoneQuery($iquery); $aid = $dsql->GetLastID(); return $aid; } }
/archive.helper.php是一個輔助函數庫,是存在漏洞的源頭,真正的漏洞攻擊向量由調用這個文件的GetIndexKey函數觸發
/member/soft_add.php
ip
else if($dopost=='save') { $description = ''; include(DEDEMEMBER.'/inc/archives_check.php'); //生成文檔ID $arcID = GetIndexKey($arcrank,$typeid,$sortrank,$channelid,$senddate,$mid); ..
Relevant Link:文檔
http://www.wooyun.org/bugs/wooyun-2010-048892
5. 防護方法it
/include/helpers/archive.helper.php
if ( ! function_exists('GetIndexKey')) { function GetIndexKey($arcrank, $typeid, $sortrank=0, $channelid=1, $senddate=0, $mid=1) { //$typeid2來自外部,結合DEDE的本地變量覆蓋漏洞便可修改這個變量值 global $dsql,$senddate,$typeid2; if(empty($typeid2)) $typeid2 = 0; if(empty($senddate)) $senddate = time(); if(empty($sortrank)) $sortrank = $senddate; /* 過濾 */ $typeid2 = intval($typeid2); $senddate = intval($senddate); /* */ $iquery = " INSERT INTO `#@__arctiny` (`arcrank`,`typeid`,`typeid2`,`channel`,`senddate`, `sortrank`, `mid`) VALUES ('$arcrank','$typeid','$typeid2' , '$channelid','$senddate', '$sortrank', '$mid') "; $dsql->ExecuteNoneQuery($iquery); $aid = $dsql->GetLastID(); return $aid; } }
6. 攻防思考
Copyright (c) 2015 LittleHann All rights reserved
相關文章
- 1. dedecms /include/uploadsafe.inc.php SQL Injection Via Local Variable Overriding Vul
- 2. ecshop /category.php SQL Injection Vul
- 3. ecshop /flow.php SQL Injection Vul
- 4. discuz /faq.php SQL Injection Vul
- 5. ecshop /includes/modules/payment/alipay.php SQL Injection Vul
- 6. sql injection
- 7. DVWA-sql injection(Blind)
- 8. DVWA SQL Injection High
- 9. SQL Injection with MySQL
- 10. SQL Injection(注入)
- 更多相關文章...
- • SQL WHERE 子句 - SQL 教程
- • SQL UNIQUE 約束 - SQL 教程
- • Composer 安裝與使用
- • 三篇文章瞭解 TiDB 技術內幕 —— 說計算
相關標籤/搜索
每日一句
-
每一个你不满意的现在,都有一个你没有努力的曾经。
歡迎關注本站公眾號,獲取更多信息
相關文章
- 1. dedecms /include/uploadsafe.inc.php SQL Injection Via Local Variable Overriding Vul
- 2. ecshop /category.php SQL Injection Vul
- 3. ecshop /flow.php SQL Injection Vul
- 4. discuz /faq.php SQL Injection Vul
- 5. ecshop /includes/modules/payment/alipay.php SQL Injection Vul
- 6. sql injection
- 7. DVWA-sql injection(Blind)
- 8. DVWA SQL Injection High
- 9. SQL Injection with MySQL
- 10. SQL Injection(注入)