Monthly archive: June 2013

DEDECMS v5.7 (2013-06-07) XSS + CSRF 0day

The bookmark (friend link) management page has both XSS and CSRF

http://localhost/dedecms/member/flink_main.php

XSS: http://localhost/dedecms/member/flink_main.php?dopost=addnew&title=test' onmouseover=alert(1);'&url=test' onmouseover=alert(1);'

CSRF: <img src="http://localhost/dedecms/member/flink_main.php?dopost=addnew&title=test&url=test">

Temporary fix:

function GetLinkList(&$dsql)
{
    global $cfg_ml;
    $dsql->SetQuery("SELECT * FROM `#@__member_flink` WHERE mid='".$cfg_ml->M_ID."' ORDER BY aid DESC");
    $dsql->Execute();
    $j=0;
    while($row = $dsql->GetArray())
    {
        $j++;
        // Why use single quotes around the value? Put double quotes on the
        // outside (escaped inside this PHP string) and it is fine, e.g. the
        // value=\"{$row['title']}\" on the title line below.
        $line = "
<div class='item flink'>
  <div class='itemHead' >
    <div class='fRight'>
      <span class='itemDigg'><a href='#' onclick='UpdateType({$row['aid']})'>[更新]</a></span>
      <span class='itemManage'><a href='#' onclick='DelType({$row['aid']})'>[删除]</a></span>
    </div>
    <span class='itemTitle'>名称:<input name='title{$row['aid']}' type='text' id='title{$row['aid']}' value=\"{$row['title']}\" class='intxt' /></span>
    <div class='mt5'>网址:<input name='url{$row['aid']}' type='text' id='url{$row['aid']}' value=\"{$row['url']}\" class='intxt' /></div>
  </div>
</div>
<hr class='dotted' />";
        echo $line;
    }
    if($j==0)
    {
        echo "尚无任何链接";
    }
}
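Switching the attribute to double quotes, as in the temporary fix above, only stops payloads that rely on a single quote: in the function as shown, $row['title'] and $row['url'] are still interpolated raw, so a stored value containing a double quote would close the attribute just the same. The added example below is not DedeCMS code; it shows the two changes a reviewer would ask for, escaping every user-controlled field for an attribute context and gating the state-changing addnew action behind a per-session token. The helper names (attr, RenderLinkItem, CsrfToken, CsrfCheck, HandleAddNew), the hidden field name token and the PHP 7+ random_bytes() call are assumptions made for this illustration; the row layout mirrors the post's GetLinkList() markup.

```php
<?php
// Added example, not DedeCMS code: attribute escaping plus a CSRF token
// for the flink_main.php addnew action. Names are assumed for illustration.
session_start();

// Escape a value for a quoted HTML attribute. ENT_QUOTES converts both
// ' and ", so the value cannot terminate the attribute whichever quote
// style the template uses.
function attr($value)
{
    return htmlspecialchars((string)$value, ENT_QUOTES, 'UTF-8');
}

// Render one stored link with every user-controlled field escaped and the
// numeric id cast, instead of interpolating $row[...] raw into the markup.
function RenderLinkItem(array $row)
{
    $aid   = (int)$row['aid'];
    $title = attr($row['title']);
    $url   = attr($row['url']);
    return "<div class='item flink'>\n"
         . "  <span class='itemTitle'>名称:<input name='title{$aid}' type='text' id='title{$aid}' value=\"{$title}\" class='intxt' /></span>\n"
         . "  <div class='mt5'>网址:<input name='url{$aid}' type='text' id='url{$aid}' value=\"{$url}\" class='intxt' /></div>\n"
         . "</div>\n";
}

// CSRF defence: one random token per session, echoed into the form as a
// hidden field and required on every request that changes data.
function CsrfToken()
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(16)); // PHP 7+
    }
    return $_SESSION['csrf_token'];
}

function CsrfCheck($submitted)
{
    return isset($_SESSION['csrf_token'])
        && is_string($submitted)
        && hash_equals($_SESSION['csrf_token'], $submitted);
}

// Handler for dopost=addnew: reject anything that is not a POST carrying a
// valid token. The <img src=...> vector from the post is a GET with no
// token, so it is refused before any insert happens.
function HandleAddNew()
{
    if ($_SERVER['REQUEST_METHOD'] !== 'POST'
        || !CsrfCheck(isset($_POST['token']) ? $_POST['token'] : null)) {
        header('HTTP/1.1 403 Forbidden');
        exit('invalid request');
    }
    // ... validated insert goes here
}

// Constructed sample row holding the post's own payload, as it would come
// back from the database.
$row = array(
    'aid'   => 7,
    'title' => "test' onmouseover=alert(1);'",
    'url'   => 'test" onmouseover=alert(1);"',
);
echo RenderLinkItem($row);
// Both fields come out with the quotes as entities (&#039; and &quot;),
// so neither value can close the attribute early.
echo "<input type='hidden' name='token' value='" . attr(CsrfToken()) . "' />\n";

if (isset($_REQUEST['dopost']) && $_REQUEST['dopost'] === 'addnew') {
    HandleAddNew();
}
```

Run it from the command line to see the escaped markup; in the real page the hidden token field goes inside the form that submits addnew, and every other data-changing dopost value gets the same check.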

On filtering for SQL injection

(This is for beginners; experts please skip.) First, a simple example so everyone can follow.
My database and table contents are as follows:

mysql> use test
Database changed
mysql> select * from test;
+----+------+-----------------------+-------+
| id | type | description           | price |
+----+------+-----------------------+-------+
|  0 | book | sql injection attacks |    50 |
|  1 | test | sql test              |    33 |
+----+------+-----------------------+-------+

Next, create a page 1.php with the following code:

<?php
$conn=mysql_connect('localhost','root','');
if(!$conn){
	echo 'error:'.mysql_error();
}
mysql_select_db('test');
$id=isset($_GET['id'])?$_GET['id']:0;  // $id goes into the query unfiltered, which causes SQL injection
$sql="select * from `test` where id=".$id;
echo $sql.'<br>';  // print the SQL statement for testing
$result=mysql_query($sql);
while($row=mysql_fetch_array($result)){
	echo $row['price']; // output
}
?>

Visiting 1.php outputs:
select * from `test` where id=0
50
Then visiting 1.php?id=1 union select 1,2,3,description from test outputs:
select * from `test` where id=1 union select 1,2,3,description from test // note this SQL statement
33sql injection attackssql test

Next, let's add filtering to the code above:

<?php
$conn=mysql_connect('localhost','root','');
if(!$conn){
	echo 'error:'.mysql_error();
}
mysql_select_db('test');
$id=isset($_GET['id'])?addslashes($_GET['id']):0; // escape single and double quotes

$sql="select * from `test` where id='".$id."'"; // wrap the condition in single quotes; as long as the single and double quotes in $id are escaped, $id stays inside the id='' condition and no other SQL can run
echo $sql.'<br>';
$result=mysql_query($sql);
while($row=mysql_fetch_array($result)){
	echo $row['price'];
}
?>

Now visit 1.php?id=1%20union%20select%201,2,3,description%20from%20test again; it outputs:
select * from `test` where id='1 union select 1,2,3,description from test' // the SQL built from this parameter stays inside the id='' condition; now you get it
33
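The quote-and-escape approach above works here because the value is kept inside id='...', but it leans on addslashes(), which is not charset-aware and only helps when the developer remembers the quotes. For a numeric column the simpler fix is to cast the input, and the general fix is a prepared statement, where the value never becomes part of the SQL text. The added example below is not from the post; it runs the post's query three ways against an in-memory SQLite copy of the `test` table so it needs no MySQL server (it assumes the pdo_sqlite extension), and the function names are chosen for this illustration.

```php
<?php
// Added example, not from the post: the post's query written three ways
// against an in-memory SQLite copy of its `test` table, so it runs with
// no MySQL server (assumes the pdo_sqlite extension). Function names are
// chosen for this illustration.

// Build the post's table: (0,'book','sql injection attacks',50) and
// (1,'test','sql test',33).
function makeDb()
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE test (id INTEGER, type TEXT, description TEXT, price INTEGER)');
    $db->exec("INSERT INTO test VALUES (0,'book','sql injection attacks',50)");
    $db->exec("INSERT INTO test VALUES (1,'test','sql test',33)");
    return $db;
}

// Collect the `price` column of every row the statement yields, which is
// what the post's while loop echoes.
function prices(PDOStatement $stmt)
{
    return array_column($stmt->fetchAll(PDO::FETCH_ASSOC), 'price');
}

// 1) The post's first version: raw concatenation. Anything in $id becomes
//    part of the SQL text.
function priceUnsafe(PDO $db, $id)
{
    return prices($db->query('SELECT * FROM test WHERE id=' . $id));
}

// 2) For a numeric column, cast before the value reaches SQL. No quoting or
//    escaping is involved, so there are no charset or quote edge cases.
function priceIntval(PDO $db, $id)
{
    return prices($db->query('SELECT * FROM test WHERE id=' . intval($id)));
}

// 3) Prepared statement: the value travels separately from the SQL text, so
//    it is treated as data in every context, numeric column or not.
function pricePrepared(PDO $db, $id)
{
    $stmt = $db->prepare('SELECT * FROM test WHERE id = :id');
    $stmt->execute(array(':id' => $id));
    return prices($stmt);
}

$db = makeDb();
$payload = '1 union select 1,2,3,description from test'; // the post's input

print_r(priceUnsafe($db, $payload));
// three values: 33 plus the two injected description strings, as in the post
print_r(priceIntval($db, $payload));
// one value, 33: intval('1 union ...') is 1 and the UNION never reaches SQL
print_r(pricePrepared($db, $payload));
// empty: SQLite compares the whole string with the integer column and finds
// no match. MySQL, as in the post's second run, would cast the string to 1
// and return 33. Either way only the intended SELECT executes.
```

The same three variants apply to the old mysql_* extension: intval() for numeric ids, mysql_real_escape_string() rather than addslashes() where a quoted string is unavoidable, and mysqli or PDO prepared statements as the default.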