• 

  • <ul id="cgeq2"></ul>
    

    • 




    

    

    
	
    
		歡迎您光臨深圳塔燈網絡科技有限公司!
		
    
		  電話圖標 余先生:13699882642 
		
    
	
    

    

    


    

    









 


    
	
    
		
	
    


	
    
		
    
			
    
				
    
					
    織夢member/reg_new.php SQL注入漏洞修復
    
					
    發表日期:2018-08    文章編輯:小燈    瀏覽次數:1969
    
				
    
				
    
					
    1. 漏洞描述
    Dedecms會員中心注入漏洞
    2. 漏洞觸發條件
    /member/reg_new.php?dopost=regbase&step=1&mtype=%B8%F6%C8%CB&mtype=%B8%F6%C8%CB&userid=123asd123&uname=12asd13123&userpwd=123123&userpwdok=123123&email=1213asd123%40QQ.COM&safequestion=1','1111111111111','1389701121','127.0.0.1','1389701121','127.0.0.1'),('個人',user(),'4297f44b13955235245b2497399d7a93','12as11111111111111111d13123','','10','0','[email protected]','100', '0','-10','','1&safeanswer=1111111111111&sex=&vdcode=slum&agree=
    //把vdcode=slum改成當前的驗證碼
    3. 漏洞影響范圍
    4. 漏洞代碼分析
    /member/reg_new.php
    ..
    $jointime = time();
    $logintime = time();
    $joinip = GetIP();
    $loginip = GetIP();
    $pwd = md5($userpwd);
    $spaceSta = ($cfg_mb_spacesta < 0 ? $cfg_mb_spacesta : 0);
    //未對$mtype、$safeanswer、$safequestion進行有效過濾就帶入SQL查詢
    $inQuery = "INSERT INTO `dede_member` (`mtype` ,`userid` ,`pwd` ,`uname` ,`sex` ,`rank` ,`money` ,`email` ,`scores` ,
    `matt`, `spacesta` ,`face`,`safequestion`,`safeanswer` ,`jointime` ,`joinip` ,`logintime` ,`loginip` )
    VALUES ('$mtype','$userid','$pwd','$uname','$sex','10','$dfmoney','$email','$dfscores',
    '0','$spaceSta','','$safequestion','$safeanswer','$jointime','$joinip','$logintime','$loginip'); ";
    if($dsql->ExecuteNoneQuery($inQuery))
    ..
    5. 防御方法
    /member/reg_new.php
    ..
    $jointime = time();
    $logintime = time();
    $joinip = GetIP();
    $loginip = GetIP();
    $pwd = md5($userpwd);
    /* 對$mtype、$safeanswer、$safequestion進行有效過濾 */$mtype = HtmlReplace($mtype,1);$safeanswer = HtmlReplace($safeanswer);$safequestion = HtmlReplace($safequestion);/* */
    $spaceSta = ($cfg_mb_spacesta < 0 ? $cfg_mb_spacesta : 0);
    $inQuery = "INSERT INTO `dede_member` (`mtype` ,`userid` ,`pwd` ,`uname` ,`sex` ,`rank` ,`money` ,`email` ,`scores` ,
    `matt`, `spacesta` ,`face`,`safequestion`,`safeanswer` ,`jointime` ,`joinip` ,`logintime` ,`loginip` )
    VALUES ('$mtype','$userid','$pwd','$uname','$sex','10','$dfmoney','$email','$dfscores',
    '0','$spaceSta','','$safequestion','$safeanswer','$jointime','$joinip','$logintime','$loginip'); ";
    if($dsql->ExecuteNoneQuery($inQuery))
    {
    ..
    黃色部分是添加的代碼

    					
    
本頁內容由塔燈網絡科技有限公司通過網絡收集編輯所得,所有資料僅供用戶參考了本站不擁有所有權,如您認為本網頁中由涉嫌抄襲的內容,請及時與我們聯系,并提供相關證據,工作人員會在5工作日內聯系您,一經查實,本站立刻刪除侵權內容。本文鏈接:http://www.juherenli.com/6337.html
    



				
				
    
				
					 
				
					
				
			
    
			
			
    
				
    
										
     
    
					
    相關cms文章