织梦dedecms漏洞修复记
自己用dedecms在阿里云上搭建了套网站,之后阿里云漏洞提示,织梦有多个漏洞需要我修复,发我邮箱,今天整理了下,我遇到的漏洞,及我修复的过程。
- 漏洞描述:dedecms的/member/soft_add.php中,对输入模板参数$servermsg1未进行严格过滤,导致攻击者可构造模版闭合标签,实现模版注入进行GETSHELL。
解决办法:打开根目录下/member/soft_add.php(在154行),
$urls .= "{dede:link islocal='1' text='{$servermsg1}'} $softurl1 {/dede:link}\r\n";
替换成:if (preg_match("#}(.*?){/dede:link}{dede:#sim", $servermsg1) != 1) { $urls .= "{dede:link islocal='1' text='{$servermsg1}'} $softurl1 {/dede:link}\r\n"; }
- 漏洞描述:edecms SESSION变量覆盖导致SQL注入 /include/common.inc.php,dedecms SESSION变量覆盖导致SQL注入dedecms的/plus/advancedsearch.php中,直接从$_SESSION[$sqlhash]获取值作为$query带入SQL查询,这个漏洞的利用前提是session.auto_start = 1即开始了自动SESSION会话,需要在dedemcs的变量注册入口进行了通用统一防御,禁止SESSION变量的传入。解决办法:打开/include/common.inc.php,找到cfg_|GLOBALS|_GET|_POST|_COOKIE,一共有两处68行和90行。找到后,后面再加一个_SESSION,成
- 漏洞描述:dedecms留言板注入漏洞,/plus/guestbook/edit.inc.php
dedecms SESSION变量覆盖导致SQL注入
4,/plus/search.php,dedecms注入漏洞
//引入栏目缓存并看关键字是否有相关栏目内容
require_once($typenameCacheFile);
if(isset($typeArr) && is_array($typeArr))
{
foreach($typeArr as $id=>$typename)
{
$keywordn = str_replace($typename, ‘ ‘, $keyword);
if($keyword != $keywordn)
{
$keyword = $keywordn;
$typeid = $id; //对ID没做任何过滤 导致注入
break;
}
}
}
}
$keyword = addslashes(cn_substr($keyword,30));//引入栏目缓存并看关键字是否有相关栏目内容
require_once($typenameCacheFile);
if(isset($typeArr) && is_array($typeArr))
{
foreach($typeArr as $id=>$typename)
{
//$keywordn = str_replace($typename, ‘ ‘, $keyword);
$keywordn = $keyword;
if($keyword != $keywordn)
{
$keyword = HtmlReplace($keywordn);//防XSS
$typeid = intval($id); //强制转换为数字型
break;
}
}
}
}
$keyword = addslashes(cn_substr($keyword,30));5,/plus/guestbook/edit.inc.phpdedecms注入漏洞,其实就是留言版注入漏洞
没有对$msg过滤,导致可以任意注入,找到
$msg = HtmlReplace($msg, -1);
$dsql->ExecuteNoneQuery("UPDATE `#@__guestbook` SET `msg`='$msg', `posttime`='".time()."' WHERE id='$id' ");
ShowMsg("成功更改或回复一条留言!", $GUEST_BOOK_POS);
exit();$msg = addslashes(HtmlReplace($msg, -1));
$dsql->ExecuteNoneQuery("UPDATE `#@__guestbook` SET `msg`='$msg', `posttime`='".time()."' WHERE id='$id' ");
ShowMsg("成功更改或回复一条留言!", $GUEST_BOOK_POS);
exit();
6,/dede/media_add.php dedecms 后台文件任意上传漏洞
找到文件/dede/media_add.php,定位到69行:$fullfilename = $cfg_basedir.$filename;
找到文件/dede/media_add.php,定位到69行:$fullfilename = $cfg_basedir.$filename;
修复后:
if (preg_match('#\.(php|pl|cgi|asp|aspx|jsp|php5|php4|php3|shtm|shtml)[^a-zA-Z0-9]+$#i', trim($filename))) {
ShowMsg("你指定的文件名被系统禁止!",'java script:;');
exit();
}
$fullfilename = $cfg_basedir.$filename;
找到文件在/include/common.inc.php,定位到101行
foreach(Array('_GET','_POST','_COOKIE') as $_request)
{
foreach($$_request as $_k => $_v)
{
if($_k == 'nvarname') ${$_k} = $_v;
else ${$_k} = _RunMagicQuotes($_v);
}
}
foreach(Array('_GET','_POST','_COOKIE') as $_request)
{
foreach($$_request as $_k => $_v) {
if( strlen($_k)>0 && eregi('^(cfg_|GLOBALS)',$_k) ){
exit('Request var not allow!');
}
${$_k} = _RunMagicQuotes($_v);
}
}
{
foreach($$_request as $_k => $_v) {
if( strlen($_k)>0 && eregi('^(cfg_|GLOBALS)',$_k) ){
exit('Request var not allow!');
}
${$_k} = _RunMagicQuotes($_v);
}
}
8,/include/uploadsafe.inc.phpdedecms上传漏洞
找到文件:文件/include/uploadsafe.inc.php,此文件有两处漏洞
- 定位到42行,${$_key.'_size'} = @filesize($$_key);
if(empty(${$_key.'_size'}))
{
${$_key.'_size'} = @filesize($$_key);
}
$imtypes = array("image/pjpeg", "image/jpeg", "image/gif", "image/png", "image/xpng", "image/wbmp", "image/bmp");
if(in_array(strtolower(trim(${$_key.'_type'})), $imtypes)) {
$image_dd = @getimagesize($$_key);
if($image_dd == false){
continue;
}
if (!is_array($image_dd)) {
exit('Upload filetype not allow !');
}
} - 定位53行,搜索到$image_dd = @getimagesize($$_key);
$image_dd = @getimagesize($$_key);
if($image_dd == false){
continue;
}找到此文件,定位到137行
$order_sn = trim($_GET['out_trade_no']);修复后:$order_sn = trim(addslashes($_GET['out_trade_no']));10,/member/soft_add.php dedecms模版SQL注入漏洞定位到154行
$urls .= "{dede:link islocal='1' text='{$servermsg1}'} $softurl1 {/dede:link}\r\n";if (preg_match("#}(.*?){/dede:link}{dede:#sim", $servermsg1) != 1) {
$urls .= "{dede:link islocal='1' text='{$servermsg1}'} $softurl1 {/dede:link}\r\n";
}
定位到53行
elseif ($dopost == 'save')
{
if(isset($mtypeidarr) && is_array($mtypeidarr))
{
$delids = '0';
$mtypeidarr = array_filter($mtypeidarr, 'is_numeric');
foreach($mtypeidarr as $delid)
{
$delid = HtmlReplace($delid);
$delids .= ','.$delid;
unset($mtypename[$delid]);
}
$query = "DELETE FROM `#@__mtypes` WHERE mtypeid IN ($delids) AND mid='$cfg_ml->M_ID';";
$dsql->ExecNoneQuery($query);
}
foreach ($mtypename as $id => $name)
{
$name = HtmlReplace($name);
$query = "UPDATE `#@__mtypes` SET mtypename='$name' WHERE mtypeid='$id' AND mid='$cfg_ml->M_ID'";
$dsql->ExecuteNoneQuery($query);
}
ShowMsg('分类修改完成','mtypes.php');
}elseif ($dopost == 'save') {
if(isset($mtypeidarr) && is_array($mtypeidarr)) {
$delids = '0';
$mtypeidarr = array_filter($mtypeidarr, 'is_numeric');
foreach($mtypeidarr as $delid) {
$delids .= ','.$delid;
unset($mtypename[$delid]);
}
$query = "delete from `dede_mtypes` where mtypeid in ($delids) and mid='$cfg_ml->M_ID';";
$dsql->ExecNoneQuery($query);
}
//通过$mtypename进行key注入
foreach ($mtypename as $id => $name) {
$name = HtmlReplace($name); /* 对$id进行规范化处理 */
$id = intval($id); /* */
$query = "update `dede_mtypes` set mtypename='$name' where mtypeid='$id' and mid='$cfg_ml->M_ID'";
die(var_dump($query));
$dsql->ExecuteNoneQuery($query);
}
ShowMsg('分类修改完成','mtypes.php');
} 12,/member/inc/inc_archives_functions.php dedecms cookies泄漏导致SQL漏洞
定位到239行
echo "";echo "";
定位到83行
if (empty($dede_fieldshash) || $dede_fieldshash != md5($dede_addonfields.$cfg_cookie_encode))
{
showMsg('数据校验不对,程序返回', '-1');
exit();
}if (empty($dede_fieldshash) || ( $dede_fieldshash != md5($dede_addonfields . $cfg_cookie_encode) && $dede_fieldshash != md5($dede_addonfields . 'anythingelse' . $cfg_cookie_encode)) )
{
showMsg('数据校验不对,程序返回', '-1');
exit();
}定位到56行
else if($dopost=='read')
{
$sql = "SELECT * FROM `#@__member_friends` WHERE mid='{$cfg_ml->M_ID}' AND ftype!='-1' ORDER BY addtime DESC LIMIT 20";
$friends = array();
$dsql->SetQuery($sql);
$dsql->Execute();
while ($row = $dsql->GetArray())
{
$friends[] = $row;
}
//$id注入
$row = $dsql->GetOne("SELECT * FROM `#@__member_pms` WHERE id='$id' AND (fromid='{$cfg_ml->M_ID}' OR toid='{$cfg_ml->M_ID}')");//ID没过滤
if(!is_array($row))
{
ShowMsg('对不起,你指定的消息不存在或你没权限查看!','-1');
exit();
}
//$id注入
$dsql->ExecuteNoneQuery("UPDATE `#@__member_pms` SET hasview=1 WHERE id='$id' AND folder='inbox' AND toid='{$cfg_ml->M_ID}'");
$dsql->ExecuteNoneQuery("UPDATE `#@__member_pms` SET hasview=1 WHERE folder='outbox' AND toid='{$cfg_ml->M_ID}'");
include_once(dirname(__FILE__).'/templets/pm-read.htm');
exit();
}else if($dopost=='read')
{
$sql = "Select * From `#@__member_friends` where mid='{$cfg_ml->M_ID}' And ftype!='-1' order by addtime desc limit 20";
$friends = array();
$dsql->SetQuery($sql);
$dsql->Execute();
while ($row = $dsql->GetArray())
{
$friends[] = $row;
}
/* $id过滤 */
$id = intval($id);
/* */
$row = $dsql->GetOne("Select * From `#@__member_pms` where id='$id' And (fromid='{$cfg_ml->M_ID}' Or toid='{$cfg_ml->M_ID}')");
if(!is_array($row))
{
ShowMsg('对不起,你指定的消息不存在或你没权限查看!','-1');
exit();
}
$dsql->ExecuteNoneQuery("Update `#@__member_pms` set hasview=1 where id='$id' And folder='inbox' And toid='{$cfg_ml->M_ID}'");
$dsql->ExecuteNoneQuery("Update `#@__member_pms` set hasview=1 where folder='outbox' And toid='{$cfg_ml->M_ID}'");
include_once(dirname(__FILE__).'/templets/pm-read.htm');
exit();
}15,/member/album_add.php dedecms SQL注入漏洞解决
定位220行
$description = HtmlReplace($description, -1);
修复后:
$description = addslashes(HtmlReplace($description, -1));
16,/plus/guestbook/edit.inc.php dedecms注入漏洞,留言板注入
所以在
$dsql->ExecuteNoneQuery("UPDATE `dede_guestbook` SET `msg`='$msg', `posttime`='".time()."' WHERE id='$id' ");
之前对$msg进行过滤
加入这个代码进行过滤 可以解决问题:$msg = addslashes($msg);