小说系统漏洞修复


697小说系统使用织梦(dedecms)模板,存在多个需要我们自己修复的漏洞。今天整理一下我遇到的漏洞及修复过程。

1.漏洞描述:dedecms的/member/soft_add.php中,对输入模板参数$servermsg1未进行严格过滤,导致攻击者可构造模板闭合标签,实现模板注入进行GETSHELL。
解决办法:打开根目录下/member/soft_add.php(在154行),

// $servermsg1 is placed inside the text='…' attribute of the {dede:link} tag exactly as
// received; nothing on this line escapes or validates it before it reaches the template.
$urls .= "{dede:link islocal='1' text='{$servermsg1}'} $softurl1 {/dede:link}\r\n";

替换成:

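// $servermsg1 is user-supplied link text that is interpolated into a template tag, so any
// template delimiter in it is refused outright. Rejecting '{' and '}' subsumes the narrower
// "}…{/dede:link}{dede:" pattern check: without a brace no tag can be closed or opened.
if (strpbrk($servermsg1, '{}') === false) {
    $urls .= "{dede:link islocal='1' text='{$servermsg1}'} $softurl1 {/dede:link}\r\n";
}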

2.漏洞描述:dedecms SESSION变量覆盖导致SQL注入,/include/common.inc.php。dedecms的/plus/advancedsearch.php中,直接从$_SESSION[$sqlhash]获取值作为$query带入SQL查询。这个漏洞的利用前提是session.auto_start = 1,即开启了自动SESSION会话,因此需要在dedecms的变量注册入口做通用统一防御,禁止SESSION变量的传入。解决办法:打开/include/common.inc.php,找到cfg_|GLOBALS|_GET|_POST|_COOKIE,一共有两处(68行和90行)。找到后,在其后面再加一个_SESSION,即改成cfg_|GLOBALS|_GET|_POST|_COOKIE|_SESSION。

3.漏洞描述:dedecms留言板注入漏洞,/plus/guestbook/edit.inc.php
dedecms SESSION变量覆盖导致SQL注入

4./plus/search.php,dedecms注入漏洞

// Load the category cache and check whether the keyword refers to a category.
require_once($typenameCacheFile);
if(isset($typeArr) && is_array($typeArr))
{
    foreach($typeArr as $id=>$typename)
    {
        // NOTE: the quotes around the space on the next line are typographic (‘ ‘) in this
        // listing; they must be plain ASCII single quotes for the line to be valid PHP.
        $keywordn = str_replace($typename, ‘ ‘, $keyword);
        if($keyword != $keywordn)
        {
            $keyword = $keywordn;
            $typeid = $id; // $id is the cache key and is used without any filtering, which leads to injection
            break;
        }
    }
}
}  
  
// The keyword is cut to 30 characters and quote-escaped here, but $typeid set above is not touched.
$keyword = addslashes(cn_substr($keyword,30));

修复后:

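// Load the category cache and check whether the keyword refers to a category.
require_once($typenameCacheFile);
if(isset($typeArr) && is_array($typeArr))
{
    foreach($typeArr as $id=>$typename)
    {
        // The replacement has to stay: with "$keywordn = $keyword" the comparison below
        // can never be true, the branch is dead and category matching silently stops working.
        $keywordn = str_replace($typename, ' ', $keyword);
        if($keyword != $keywordn)
        {
            $keyword = HtmlReplace($keywordn); // guard against XSS when the keyword is echoed back
            $typeid = intval($id);             // force the cache key to an integer before it reaches SQL
            break;
        }
    }
}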
}  
// Limit the keyword to 30 characters, then escape quotes and backslashes for the query.
$keyword = cn_substr($keyword, 30);
$keyword = addslashes($keyword);

5./plus/guestbook/edit.inc.php dedecms注入漏洞,其实就是留言板注入漏洞
没有对$msg过滤,导致可以任意注入,找到

// In this excerpt HtmlReplace() is the only processing $msg receives before it is
// interpolated into the UPDATE below; $id is interpolated unescaped as well.
$msg = HtmlReplace($msg, -1);
    $dsql->ExecuteNoneQuery("UPDATE `#@__guestbook` SET `msg`='$msg', `posttime`='".time()."' WHERE id='$id' ");
    ShowMsg("成功更改或回复一条留言!", $GUEST_BOOK_POS);
    exit();

修复后:

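// Escape the message text for the SQL string; HtmlReplace() alone only neutralises HTML.
$msg = addslashes(HtmlReplace($msg, -1));
// The row id is interpolated into the same statement, so it is forced to an integer too.
// (If the file already does this earlier, repeating it here is harmless.)
$id = intval($id);
$dsql->ExecuteNoneQuery("UPDATE `#@__guestbook` SET `msg`='$msg', `posttime`='".time()."' WHERE id='$id' ");
ShowMsg("成功更改或回复一条留言!", $GUEST_BOOK_POS);
exit();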

加入: addslashes进行过滤

6./dede/media_add.php dedecms 后台文件任意上传漏洞
找到文件/dede/media_add.php,定位到69行:$fullfilename = $cfg_basedir.$filename;
修复后:

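// Refuse target names with a server-executable extension. The extension must be followed
// by a non-alphanumeric character or the end of the name: the earlier form
// "[^a-zA-Z0-9]+$" required at least one trailing character, so a plain "name.php" was
// not matched. Names such as "name.php.jpg" are refused as well, because some web
// servers execute them. An allowlist of the media extensions this form actually accepts
// would be the stronger check.
if (preg_match('#\.(php|pl|cgi|asp|aspx|jsp|php5|php4|php3|shtm|shtml)(?![a-zA-Z0-9])#i', trim($filename))) {
    // NOTE(review): the second argument reads 'java script:;' in this listing — confirm it
    // is not a garbled 'javascript:;'.
    ShowMsg("你指定的文件名被系统禁止!",'java script:;');
    exit();
}
$fullfilename = $cfg_basedir.$filename;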

7./include/common.inc.php dedecms SESSION变量覆盖导致SQL注入
找到文件在/include/common.inc.php,定位到101行

 // Every key of $_GET, $_POST and $_COOKIE becomes a global variable of the same name
 // (variable-variable assignment); the key itself is not restricted in any way, so a
 // request parameter can overwrite any existing global. Only 'nvarname' skips escaping.
 foreach(Array('_GET','_POST','_COOKIE') as $_request)
  {
      foreach($$_request as $_k => $_v)
{
    if($_k == 'nvarname') ${$_k} = $_v;
    else ${$_k} = _RunMagicQuotes($_v);
}
  }

修复后:

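// Register request parameters as globals, refusing any key that could overwrite the
// configuration ($cfg_*), $GLOBALS or one of the superglobal-named arrays — including
// _SESSION, the vector of the session-overwrite SQL injection.
// preg_match() replaces eregi(), which was removed in PHP 7; the 'i' flag keeps the
// case-insensitive match eregi() provided.
// NOTE(review): the original loop exempted 'nvarname' from _RunMagicQuotes(); this version
// escapes it like every other key — confirm nothing depends on the raw value.
foreach(Array('_GET','_POST','_COOKIE') as $_request)
{
    foreach($$_request as $_k => $_v)
    {
        if(strlen($_k) > 0 && preg_match('#^(cfg_|GLOBALS|_GET|_POST|_COOKIE|_SESSION)#i', $_k))
        {
            exit('Request var not allow!');
        }
        ${$_k} = _RunMagicQuotes($_v);
    }
}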

8./include/uploadsafe.inc.php dedecms上传漏洞
找到文件:文件/include/uploadsafe.inc.php,此文件有两处漏洞

定位到42行,${$_key.'_size'} = @filesize($$_key);

修复后:

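// $_key names the current upload entry and comes from the enclosing loop (outside this excerpt).
// Fill in the size only when the request did not supply one.
if(empty(${$_key.'_size'}))
{
    ${$_key.'_size'} = @filesize($$_key);
}
// Uploads declared with one of these MIME types must actually parse as an image; the
// client-supplied type string alone is not trusted.
$imtypes = array("image/pjpeg", "image/jpeg", "image/gif", "image/png", "image/xpng", "image/wbmp", "image/bmp");
if(in_array(strtolower(trim(${$_key.'_type'})), $imtypes, true))
{
    $image_dd = @getimagesize($$_key);
    // Strict comparison: getimagesize() returns false on failure, never an empty array.
    if($image_dd === false)
    {
        // NOTE(review): this skips the remaining checks for the entry rather than rejecting
        // it — confirm the file is not still processed by the calling script.
        continue;
    }
    if(!is_array($image_dd))
    {
        exit('Upload filetype not allow !');
    }
}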
定位到53行,找到$image_dd = @getimagesize($$_key);

修复后:

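// Probe the uploaded file's content; $_key comes from the enclosing loop (outside this excerpt).
$image_dd = @getimagesize($$_key);
// Strict comparison: getimagesize() returns false on failure, never an empty array.
if($image_dd === false)
{
    // NOTE(review): this skips the rest of the checks for the entry instead of rejecting
    // it — confirm the caller does not still use the file.
    continue;
}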

9./include/payment/alipay.php dedecms支付模块注入漏洞,找到此文件,定位到137行

// The order number is taken straight from the query string; trim() is the only processing
// it gets before use.
$order_sn = trim($_GET['out_trade_no']);

修复后:

// Escape quotes and backslashes in the query-string order number, then trim surrounding whitespace.
$order_sn = addslashes($_GET['out_trade_no']);
$order_sn = trim($order_sn);

10./member/soft_add.php dedecms模板SQL注入漏洞,定位到154行(与第1条为同一处修复)

// $servermsg1 is placed inside the text='…' attribute of the {dede:link} tag exactly as
// received; nothing on this line escapes or validates it before it reaches the template.
$urls .= "{dede:link islocal='1' text='{$servermsg1}'} $softurl1 {/dede:link}\r\n";

修复后:

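// $servermsg1 is user-supplied link text that is interpolated into a template tag, so any
// template delimiter in it is refused outright. Rejecting '{' and '}' subsumes the narrower
// "}…{/dede:link}{dede:" pattern check: without a brace no tag can be closed or opened.
if (strpbrk($servermsg1, '{}') === false) {
    $urls .= "{dede:link islocal='1' text='{$servermsg1}'} $softurl1 {/dede:link}\r\n";
}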

11./member/mtypes.php dedecms注入漏洞,定位到53行

elseif ($dopost == 'save')
{
    if(isset($mtypeidarr) && is_array($mtypeidarr))
    {
        $delids = '0';
        // Non-numeric ids are dropped before the IN (...) list is built.
        $mtypeidarr = array_filter($mtypeidarr, 'is_numeric');
        foreach($mtypeidarr as $delid)
        {
            $delid = HtmlReplace($delid);
            $delids .= ','.$delid;
            unset($mtypename[$delid]);
        }
        $query = "DELETE FROM `#@__mtypes` WHERE mtypeid IN ($delids) AND mid='$cfg_ml->M_ID';";
        $dsql->ExecNoneQuery($query);
    }
    // $id is the array key of the submitted $mtypename map: only the value goes through
    // HtmlReplace(), the key is interpolated into the UPDATE as-is.
    foreach ($mtypename as $id => $name)
    {
        $name = HtmlReplace($name);
        $query = "UPDATE `#@__mtypes` SET mtypename='$name' WHERE mtypeid='$id' AND mid='$cfg_ml->M_ID'";
        $dsql->ExecuteNoneQuery($query);
    }
    ShowMsg('分类修改完成','mtypes.php');
}

修复后:

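elseif ($dopost == 'save')
{
    if(isset($mtypeidarr) && is_array($mtypeidarr))
    {
        $delids = '0';
        $mtypeidarr = array_filter($mtypeidarr, 'is_numeric');
        foreach($mtypeidarr as $delid)
        {
            // intval() is stricter than is_numeric() (which also accepts forms such as
            // '1e3' or leading whitespace) and yields a plain integer for the IN list.
            $delid = intval($delid);
            $delids .= ','.$delid;
            unset($mtypename[$delid]);
        }
        // Keep the `#@__` prefix placeholder: a hard-coded `dede_` breaks installs that use
        // another table prefix.
        $query = "DELETE FROM `#@__mtypes` WHERE mtypeid IN ($delids) AND mid='$cfg_ml->M_ID';";
        $dsql->ExecNoneQuery($query);
    }
    // The array key of $mtypename comes from the request; force it to an integer before it
    // is interpolated into the UPDATE (the value is HTML-escaped by HtmlReplace()).
    foreach ($mtypename as $id => $name)
    {
        $name = HtmlReplace($name);
        $id = intval($id);
        $query = "UPDATE `#@__mtypes` SET mtypename='$name' WHERE mtypeid='$id' AND mid='$cfg_ml->M_ID'";
        // No debug output here: a die(var_dump($query)) would abort the save and disclose the statement.
        $dsql->ExecuteNoneQuery($query);
    }
    ShowMsg('分类修改完成','mtypes.php');
}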

12./member/inc/inc_archives_functions.php dedecms cookies泄漏导致SQL漏洞,定位到239行

// The hidden field is a plain md5 of the add-on field list and $cfg_cookie_encode; anyone who
// knows $cfg_cookie_encode can compute a valid value for an arbitrary field list.
echo "<input type=\"hidden\" name=\"dede_fieldshash\" value=\"".md5($dede_addonfields.$cfg_cookie_encode)."\" />";

修复后:

// The literal salt inserted into the md5 must be the same string that the dede_fieldshash
// check in /member/article_add.php uses; with different strings no submitted form validates.
echo "<input type=\"hidden\" name=\"dede_fieldshash\" value=\"".md5($dede_addonfields."jigumisdfs".$cfg_cookie_encode)."\" />";

13./member/article_add.php dedecms cookies泄漏导致SQL漏洞,定位到83行

// Verifies the hidden dede_fieldshash field against md5(fields . $cfg_cookie_encode).
// Note that != is a loose comparison: two numeric-looking strings are compared as numbers.
if (empty($dede_fieldshash) || $dede_fieldshash != md5($dede_addonfields.$cfg_cookie_encode))
    {
        showMsg('数据校验不对,程序返回', '-1');
        exit();
    }

修复后:

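// Accept only the salted hash. The salt literal must be the same string that
// /member/inc/inc_archives_functions.php uses when it emits dede_fieldshash; still
// accepting the unsalted md5($dede_addonfields . $cfg_cookie_encode) as an alternative would
// leave the original, forgeable value valid. !== avoids PHP's loose string comparison
// (hash_equals() is preferable where the PHP version provides it).
if (empty($dede_fieldshash) || $dede_fieldshash !== md5($dede_addonfields . 'jigumisdfs' . $cfg_cookie_encode))
{
    showMsg('数据校验不对,程序返回', '-1');
    exit();
}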

14./member/pm.php dedecms注入漏洞(会员中心漏洞),定位到56行

else if($dopost=='read')
{
    // Friend list of the current member, newest 20 entries.
    $sql = "SELECT * FROM `#@__member_friends` WHERE  mid='{$cfg_ml->M_ID}' AND ftype!='-1'  ORDER BY addtime DESC LIMIT 20";
    $friends = array();
    $dsql->SetQuery($sql);
    $dsql->Execute();
    while ($row = $dsql->GetArray())
    {
        $friends[] = $row;
    }
    // $id injection point: the message id is interpolated into the query without filtering
    $row = $dsql->GetOne("SELECT * FROM `#@__member_pms` WHERE id='$id' AND (fromid='{$cfg_ml->M_ID}' OR toid='{$cfg_ml->M_ID}')");// id not filtered
    if(!is_array($row))
    {
        ShowMsg('对不起,你指定的消息不存在或你没权限查看!','-1');
        exit();
    }
    // $id injection point
    $dsql->ExecuteNoneQuery("UPDATE `#@__member_pms` SET hasview=1 WHERE id='$id' AND folder='inbox' AND toid='{$cfg_ml->M_ID}'");
    $dsql->ExecuteNoneQuery("UPDATE `#@__member_pms` SET hasview=1 WHERE folder='outbox' AND toid='{$cfg_ml->M_ID}'");
    include_once(dirname(__FILE__).'/templets/pm-read.htm');
    exit();
}

修复后:

else if($dopost=='read')
{
    // Force the message id to an integer before it reaches any query.
    $id = intval($id);

    // Friend list of the current member, newest 20 entries.
    $friends = array();
    $sql = "Select * From `#@__member_friends` where  mid='{$cfg_ml->M_ID}' And ftype!='-1'  order by addtime desc limit 20";
    $dsql->SetQuery($sql);
    $dsql->Execute();
    while ($row = $dsql->GetArray())
    {
        $friends[] = $row;
    }

    // The message must exist and have the current member as sender or receiver.
    $row = $dsql->GetOne("Select * From `#@__member_pms` where id='$id' And (fromid='{$cfg_ml->M_ID}' Or toid='{$cfg_ml->M_ID}')");
    if(!is_array($row))
    {
        ShowMsg('对不起,你指定的消息不存在或你没权限查看!','-1');
        exit();
    }

    // Mark as viewed: this message in the inbox, and every outbox row addressed to this member.
    $dsql->ExecuteNoneQuery("Update `#@__member_pms` set hasview=1 where id='$id' And folder='inbox' And toid='{$cfg_ml->M_ID}'");
    $dsql->ExecuteNoneQuery("Update `#@__member_pms` set hasview=1 where folder='outbox' And toid='{$cfg_ml->M_ID}'");
    include_once(dirname(__FILE__).'/templets/pm-read.htm');
    exit();
}

15./member/album_add.php dedecms SQL注入漏洞解决,定位220行

// HtmlReplace() only neutralises HTML; the value is not escaped for the SQL string it ends up in.
$description = HtmlReplace($description, -1);

修复后:

// First neutralise HTML, then escape quotes and backslashes for the SQL string.
$description = HtmlReplace($description, -1);
$description = addslashes($description);

16./plus/guestbook/edit.inc.php dedecms注入漏洞,留言板注入(与第5条为同一文件)
位置在:

// $msg and $id are interpolated into the statement as-is; any escaping has to happen before this line.
$dsql->ExecuteNoneQuery("UPDATE `dede_guestbook` SET `msg`='$msg', `posttime`='".time()."' WHERE id='$id' ");

在这一行之前对$msg进行过滤,加入这行代码即可解决问题:$msg = addslashes($msg);
 
