dedecms /member/mtypes.php SQL Injection Vul

catalog

. 漏洞描述
. 漏洞触发条件
. 漏洞影响范围
. 漏洞代码分析
. 防御方法
. 攻防思考

1. 漏洞描述

Dedecms会员中心注入漏洞

Relevant Link

http://www.yunsec.net/a/security/bugs/script/2012/1220/12127.html

2. 漏洞触发条件

因为是update注入，并且用了>ExecuteNoneQuery所以不能采用benchmark延时注入，但是可以通过一个"返回状态差异"判断来进行忙注，如果条件成功那么mtypename='$name'就会被update了

. 首先打开: http://127.0.0.1/dedecms5.5/member/mtypes.php
. 添加一个分类，记住ID()，和原来的分类名称(fenlei)
. 然后打开: http://127.0.0.1/dedecms5.5/member/mtypes.php?dopost=save&mtypename[1' or @`'` AND 1%3D1 and (select 'r')%3D'r' and '1'%3D'1]=4
//将其中的1改成你的分类ID
. 结束之后打开之后返回: http://127.0.0.1/dedecms5.5/member/mtypes.php
//如果(select 'r')='r'的话 那么分类名称就被改成了4！ 这样我们就能来判断是否满足条件了，二值判断注入

aaarticlea/png;base64,iVBORw0KGgoAAAANSUhEUgAAA1sAAAB/CAIAAACWi0/vAAANOUlEQVR4nO3dUWgc950HcPepR16alz6EPoS2L7k8dAltKJc8mJQ+uVxK7jhCGkqOHBIhLrlC0pbWpFyjJvY16T20deDOF0ootoRJTB27qkVydxQiqZBETnLYbWnXchvZyl3sRA8B4/PD3MO4o93/zs7MSrP6SzOfD1/MarWzKy2//8zXsytpVwIAQLvtiv0FAAAQmUYIANB2GiEAQNtphAAAbacRAgC0nUYIANB2GiEAQNtphAAAbacRAgC0nUYIANB2GiEAQNtphAAAbacRAgC0nUYIANB2GiEAQNtphAAAbacRAgC0nUYIANB2GiEAQNuFjXAVAICWyWmESZKsXevWnvHds+y4GAaRIBaFiMSNRigRYhhEglgUIhI3GqFEiGEQCWJRiEjcaIQSIYZBJIhFISJxoxFKhBgGkSAWhYjEjUYoEWIYRIJYFCISNxqhRIhhEAliUYhI3GiEEiGGQSSIRSEicaMRSoQYBpEgFoWIxI1GKBFiGESCWBQiEjcaoUSIYRAJYlGISNxsvhHOTnU6nc6++bJbNnR/1/vtFz8Vs1OdTuehQ934X3P8NHQYIqbKMqy4VDcwqFV3AlIQi0KqpcaDTunKzW5gjbciVRphOgqdTqcztbR+eeLY6z2f3Tf//uyh7z07v/r2O79/du/dE1O/WgweqaH7u9LF2b+iHjrU7b9Z99gDnR5TS31PeKfTufPurzx+7JV34n+ndaahwxAxBbNXLNukZFBz7y3dIfx5t+BosalYFFItmz3oDLmrwet7dxHWeCtStRH27vrTfyeOHeo7GCzt23vy7bVr3bVrr08/1Ol09hz6fd8jNXF/N7hIhq7P60/UQw9MDN5g9VD/lemdPDC92l279vZrMw/c3unc+cjzTTq52MRh2PoUF77e/9bnHkLyp7doUHO21Qhri0UhFVLTQWd9wyr/S8y9sfXewNTYCI//14fdtWvdtQ9f+Nb18wd9j9TE/V3x4qx8hqaoEXbXri0+f3+n0/nc47/+Tezvt7Y0cRi2PsNOFeSe2xtWELsjDKpGOM5YFFIhNR10Sk4uBh8Ouz76syE1p75GeP3Giy/u29PpdDp3/9P8h32P1Lj9XfXz8D1HzQP7crYqaYTdt2a+3Ol0bv+X2djfcm1p3DBEScVGuH7jsupWMKj5RxqvGtcYi0LKUtdBJ3fZlp4RLD7jKE3IaO8jHHZIyMbon2/vdDp79j5/fPAlzmbt73pX1IC+NdP/36wDszmrt6wRXn+v4QGNUHoTjNa+vg9zylywry98RTh3UJ0jHGcsCilMrQed/PuscMrQD0c2OqOdI+w7L3hg38DBoOjA0Nz93cAzsL5mqv2XzjlC2Ujy9/s9S3LYjr47pCYWD2qVF6ajPyc7OBaFVM6mDzp9VxbvIvpfCnCOsNGptxEWpbn7u4LFOexm/an0PsIvTi15H6H0pvdswfr4DXkxaFDhb6woOVuQ+2U4SGwqFoVUzqYPOlV/Li178SFrhAU/uSw7PrU2wuvNZv3kVm8aur8rOK9e+U2+FX7W+K8PzP5P/G+2tjR0GLY4FU8GFL8VvTvCoJY/tGw8FoVUyyYPOg9/vbfh5S/th7++fqDvf/FBI2x0NtMIZ7PPaoRl77QY+narst9H+Lm7/m5i6qTfRyiDqasRhtsWHioqVkYZORaFVMtmDzpD7mfwyrw3KGuEjU6tjbAwTdzfDTnW9i3Oiu/rb1eaOAxbn5EaYWmHG2lQHRLqj0UhFVLjQafg/3i9jXB2+ANJ01Lxr9hdH52JY6+vj9H6TzC1sxEOvtE+eCqqv6+/dWncMETJsJN/uXNY5VXjgkG9/kpToZYOc12xKKQs9R50Kp4jnO3bXCNsdDb/d42rxv5OshgGkSAWhYjEjUYoEWIYRIJYFCISNxqhRIhhEAliUYhI3GiEEiGGQSSIRSEicaMRSoQYBpEgFoWIxI1GKBFiGESCWBQiEjcaoUSIYRAJYlGISNxohBIhhkEkiEUhInGjEUqEGAaRIBaFiMSNRigRYhhEglgUIhI3+Y3whd89U3vGd8+y42IYRIJYFCISNzmNEACAVsk/RzgO47tndhzDAAGLAohLIyQCwwABiwKISyMkAsMAAYsCiEsjJALDAAGLAohLIyQCwwABiwKISyMkAsMAAYsCiEsjJALDAAGLAohLIyQCwwCB0kUxfeSoyHbO1qwUxkcjJALDAIEqjbAL25VG2AAaIREYBghUaYTnz59fWVm5CNuPRtgAGiERGAYIVGmEKysra2trV2D70QgbQCMkAsMAgSqN8OLFi1euXNmarwdGohE2wMiN8OrVqwsLCydOnPj5gBMnTiwsLFy9ejV3QyWAjGGo0WcPfHzYh9nlzx74eJAqd1XxEamFRsiOphE2wMiNcGFhYX5+/vIQ8/PzCwsLuRsqAUmS/N/a/MF/fPyXrX8mDEMtBnveYOcbVhAL7nPUx6rvG2o1jZAdTSNsgJEb4fHjxy9duvTee+8N+/ell17K3VAJOH1wcnJycnJSIzQMNatS9bIbDJ5TrNIsB+9fF6zXBhrhlcX9n9+1a//imL8yqEAjbICRG+HRo0dXVlYuXLgw7N+jR/PHQglIkiRJTh/UCA1DfdJaFjTCwa42UtUbvGak1sjGjNwIl6fv3f15jZBtQiNsgJEb4eHDh5eXl8+dOzfs3yNHjuRuqAQkSaIRpgxDjYLXiAebXJJ3EnGkRlj9GjZstEZ4ZXH/7nunlxf3a4RsDxphA2ykEZ4rdPjw4dwNlYAkSTTClGHYvIrn7bJGWHpir/QVYWcHx2qURrg8fe/u/YtXkkQjZLvQCBtAI9xiGmGSGIYtVPEcYVKtEZZew4ZVboQfnN6/+97p5SRJNEK2D42wATTCLaYRJolhqE/pG/uqnyNMBupjlccaz7fVRpUb4fL0l3cFlEKi0wgbQCPcYhphkhiG+pSezKt+jrD4+lFvw6g29NtnnCNku9AIG2DkRjgzM1PcCGdmZnI3VAL+/NtnJicnJycPno795cRkGOpS/Rxh8OFI5wj9rPEW0AjZ0TTCBhi5Ec7NzZ06dWpYHTx16tTc3FzuhkoAGcNQl4rnCKvcT+4PKVd/UDZJI2RH0wgbYORGuLq6Ojc3NzMzc3jAzMzM3Nzcu+++O2zDer5kdj7DUJcN/6Bx7y+mKX7jYO71Y/uG2svfLGFH0wgbYCN/1/j999//3yEuX77s7xpTyjBAQCNkR9MIG2DkRrhhSgAZwwABjZAdTSNsAI2QCAwDBDRCdjSNsAE0QiIwDBCo0ghFtnO2ZqUwPhohERgGCFgUQFwaIREYBghYFEBcGiERGAYIWBRAXBohERgGCFgUQFwaIREYBghYFEBcGiERGAYIWBRAXBohERgGCFgUQFw5jRAAgFbJaYQv/O4ZEREREWlPchrhNQAA2kQjBABoO40QAKDtNEIAgLYraYQ//u/7Rs3Tb95TnCfe2D2Y7y7e0ZvH5m/tzd6FT6aJ9TQBADRYSSN8+s17zn3wxtIHP9lAFi//oCDzl6aG5eUL317P6iNpzqz97LH5W2M9TQAADVbeCJc++MmL79xTPYfP7xmac3dl+ffuXw3Lj/7w6cG8vPqIRggAMA7ljXDx8g+OLP/NsFQpf2meW76esP/95jN9yauDP/rDp2cvfk0jBAAYh0qNsOi0X3+e634pa37DKmBOC+wpgk+dvTk3GiEAwJhUaoTPdb8UZqD2JUmSXeh18Ld3psnKX5IkQR0c1gI1QgCALVDeCOcvTf34t3eVJit/6YUfnr3th2dvS5IkvZDlyTO3PHnmliRJnjxzy2Dte+LNT6UZ/NSL5x/WCAEAxqGkET7xxu6XL3x7sP89feaOIEmSPH3mjrQF9soqYLF9SzcVRyMEABiTSo1wsP899fZtWQbr3dSbt6TJLn9n6ZNpSpufRggAsMXKG+HJP32jt/8FeXzpL9MkSZJd6JUWwcfeuClNkiS5l0ujEQIAjElJI/zu4h0n//SNrPbl5tHXbn70tZuTJEkvZPna4k1BkiTZ++qNvRm8ZliePfMPGiEAwDiUN8Lp7qPZX5MLOl9v80s3zy70mnj1xolXb0wvZB/mXlMQjRAAYEwqNcLszwpnefBXn8iSbfv3/3ljluDDwU8V3CA3GiEAwJiUNMLH5m/9t7Pf7O1/abKidt9/fCxNkiT3v3LD/a/ckF7I7jD9bPqpLNmNs81LoxECAIxJeSP817OP9Da/NH/7yg1BkiTpvZB9OOyWBTfIzTNvfVUjBAAYh0qNMLcCjtAIf/nRNOlD9G5SvRdqhAAAY1LeCJ85PbFn9i+Kk26bXsg+zPTeoGDb4jx1+j6NEABgHCo0wre++sVffCRIaYHbfIJH1AgBAMakvBF+f+nBL5z8aJqsn2XXbFk0QgCAMSlvhKf++NPvLz0YPaf++FONEABgHEoa4eBvIoybWE8TAECDlTRCAAAaTyMEAGg7jRAAoO00QgCAtstphAAAtErYCAEAaBuNEACg7TRCAIC20wgBANru/wE4++hhBLybyAAAAABJRU5ErkJggg==" alt="" />

Relevant Link

http://www.wooyun.org/bugs/wooyun-2010-048880
http://www.0x50sec.org/0day-exp/2012/12/id/1482/comment-page-1/#comment-57057

3. 漏洞影响范围
4. 漏洞代码分析

/member/mtypes.php

elseif ($dopost == 'save')
{
    if(isset($mtypeidarr) && is_array($mtypeidarr))
    {
        $delids = '';
        $mtypeidarr = array_filter($mtypeidarr, 'is_numeric');
        foreach($mtypeidarr as $delid)
        {
            $delids .= ','.$delid;
            unset($mtypename[$delid]);
        }
        $query = "delete from `#@__mtypes` where mtypeid in ($delids) and mid='$cfg_ml->M_ID';";
        $dsql->ExecNoneQuery($query);
    }
    //通过$mtypename进行key注入
    foreach ($mtypename as $id => $name)
    {
        $name = HtmlReplace($name);
        //未对键值$id进行任何过滤就带入查询，导致注入
        $query = "update `#@__mtypes` set mtypename='$name' where mtypeid='$id' and mid='$cfg_ml->M_ID'";
        $dsql->ExecuteNoneQuery($query);
    }
    ShowMsg('分类修改完成','mtypes.php');
} 

5. 防御方法

/member/mtypes.php

elseif ($dopost == 'save')
{
    if(isset($mtypeidarr) && is_array($mtypeidarr))
    {
        $delids = '';
        $mtypeidarr = array_filter($mtypeidarr, 'is_numeric');
        foreach($mtypeidarr as $delid)
        {
            $delids .= ','.$delid;
            unset($mtypename[$delid]);
        }
        $query = "delete from `#@__mtypes` where mtypeid in ($delids) and mid='$cfg_ml->M_ID';";
        $dsql->ExecNoneQuery($query);
    }
    //通过$mtypename进行key注入
    foreach ($mtypename as $id => $name)
    {
        $name = HtmlReplace($name);
        /* 对$id进行规范化处理 */
        $id = intval($id);
        /* */
        $query = "update `#@__mtypes` set mtypename='$name' where mtypeid='$id' and mid='$cfg_ml->M_ID'";
        $dsql->ExecuteNoneQuery($query);
    }
    ShowMsg('分类修改完成','mtypes.php');
} 

通过intval规范互处理，使得黑客注入的盲注语句失效，即不管任何时候，返回结果都是能成功修改为4，即盲注的二值条件不存在了

6. 攻防思考

Copyright (c) 2015 LittleHann All rights reserved