
织梦DedeCMS常见漏洞处理方法

时间: 2017-09-09 17:27 来源:www.chnuo.com 作者:禅诺科技 点击: 织梦DedeCMS漏洞

禅诺科技的服务器不光是自己在用,也在给客户使用,是阿里云的ECS+cpanel控制面板+CSF防火墙架构的虚拟主机。今天被阿里的云骑士提醒说有DEDECMS漏洞,这个不能忍啊,果断出手处理。本着为新手站长们服务的宗旨,把处理方案写出来,供大家参考使用。

1、/member/soft_add.php  这个是一个dedecms模板SQL注入漏洞,处理方法如下:

打开/member/soft_add.php文件,搜索代码:

$urls .= "{dede:link islocal='1' text='{$servermsg1}'} $softurl1 {/dede:link}\r\n";

修改为:

if (preg_match("#}(.*?){/dede:link}{dede:#sim", $servermsg1) != 1) { $urls .= "{dede:link islocal='1' text='{$servermsg1}'} $softurl1 {/dede:link}\r\n"; }

这个漏洞搞定。下一个。

2、/member/article_add.php  这个是一个dedecms cookies泄漏导致SQL漏洞,处理方案如下:

打开文件:/member/article_add.php,搜索代码:

if (empty($dede_fieldshash) || $dede_fieldshash != md5($dede_addonfields.$cfg_cookie_encode))

修改为:

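// Hash check on the submitted field list. Strict (!==) comparison is used because a loose
// != between two hex digests can fall into PHP's numeric-string comparison rules.
// Both forms of the hash are accepted, presumably so that forms rendered by
// inc_archives_functions.php with either salt still submit successfully.
if (empty($dede_fieldshash) || ( $dede_fieldshash !== md5($dede_addonfields . $cfg_cookie_encode) && $dede_fieldshash !== md5($dede_addonfields . 'anythingelse' . $cfg_cookie_encode) ) )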

搞定,下一个。

3、/include/common.inc.php  这个是dedecms SESSION变量覆盖导致SQL注入漏洞,处理方案如下:

打开文件/include/common.inc.php,搜索代码:

if( strlen($svar)>0 && preg_match('#^(cfg_|GLOBALS|_GET|_POST|_COOKIE)#',$svar) )

修改为:

if( strlen($svar)>0 && preg_match('#^(cfg_|GLOBALS|_GET|_POST|_COOKIE|_SESSION)#',$svar) )

齐活,下一个:

4、/plus/guestbook/edit.inc.php  这个是一个dedecms留言板注入漏洞,因为没有对$msg过滤,导致可以任意注入,处理方案如下:

打开/plus/guestbook/edit.inc.php,搜索代码:

else if($job=='editok')

修改为:

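else if($job=='editok')
{
    // $id is interpolated into two queries below; coerce it to int first so only a
    // numeric row id can reach them (harmless if the caller already did this).
    $id = intval($id);
    $remsg = trim($remsg);
    if($remsg!='')
    {
        // Admin replies are appended without HTML filtering.
        if($g_isadmin)
        {
            $msg = "<div class=\\'rebox\\'>".$msg."</div>\n".$remsg;
        }
        else
        {
            $row = $dsql->GetOne("SELECT msg From `a15_guestbook` WHERE id='$id' ");
            $oldmsg = "<div class=\\'rebox\\'>".addslashes($row['msg'])."</div>\n";
            $remsg = trimMsg(cn_substrR($remsg, 1024), 1);
            $msg = $oldmsg.$remsg;
        }
    }
    // The injection fix: escape the assembled message before it is interpolated into SQL.
    // NOTE(review): the \\'rebox\\' literals are already hand-escaped, and in the non-admin
    // branch $oldmsg went through addslashes() above, so this escapes those parts a second
    // time — confirm the stored text does not accumulate backslashes, or escape only once here.
    $msg = addslashes($msg);
    $dsql->ExecuteNoneQuery("UPDATE `a15_guestbook` SET `msg`='$msg', `posttime`='".time()."' WHERE id='$id' ");
    ShowMsg("成功更改或回复*条留言!", $GUEST_BOOK_POS);
    exit();
}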

齐活,下一个:

5、/include/uploadsafe.inc.php  这个是dedecms上传漏洞,处理方案如下:

打开文件/include/uploadsafe.inc.php,搜索代码:

${$_key.'_size'} = @filesize($$_key);      }

修改为:

${$_key.'_size'} = @filesize($$_key);

       } $imtypes = array("image/pjpeg", "image/jpeg", "image/gif", "image/png", "image/xpng", "image/wbmp", "image/bmp"); if(in_array(strtolower(trim(${$_key.'_type'})), $imtypes)) { $image_dd = @getimagesize($$_key); if($image_dd == false){ continue; } if (!is_array($image_dd)) { exit('Upload filetype not allow !'); } }

继续搜索:

$image_dd = @getimagesize($$_key);

替换成:

$image_dd = @getimagesize($$_key); if($image_dd == false){ continue; }

齐活,下一个:

6、/include/payment/alipay.php  这个是dedecms支付模块注入漏洞,处理方案如下:

打开/include/payment/alipay.php文件,搜索:

$order_sn = trim($_GET['out_trade_no']);

替换为:

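// addslashes() only escapes quotes and backslashes; the value is presumably still
// string-interpolated into SQL downstream (that is the injection this fix targets).
// NOTE(review): if out_trade_no has a fixed format (e.g. digits only), a strict
// whitelist check here would be the stronger fix.
$order_sn = trim(addslashes($_GET['out_trade_no']));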

解决,下一个:

7、/dede/media_add.php 这个是dedecms后台文件任意上传漏洞,危险性多大不用我多说了吧?处理方案如下:

打开/dede/media_add.php(这里的dede替换为你的后台目录),搜索:

$fullfilename = $cfg_basedir.$filename;

替换为:

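// Reject server-executable extensions before the name is joined to $cfg_basedir.
// The original pattern ended in [^a-zA-Z0-9]+$, which only matched when at least one
// non-alphanumeric character followed the extension; * also covers a bare suffix.
// A whitelist of allowed media extensions would be the stronger control.
if (preg_match('#\.(php|pl|cgi|asp|aspx|jsp|php5|php4|php3|shtm|shtml)[^a-zA-Z0-9]*$#i', trim($filename)))
{
    // NOTE(review): the redirect argument reads 'java script:;' in this snippet; confirm the
    // intended value against the other ShowMsg() calls in the surrounding file before applying.
    ShowMsg("你指定的文件名被系统禁止!",'java script:;');
    exit();
}
$fullfilename = $cfg_basedir.$filename;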

解决,下一个:

8、/member/pm.php  这个是dedecms注入漏洞,处理方案如下:

打开/member/pm.php,搜索:

else if($dopost=='read')
{
 $sql = "SELECT * FROM `dede_member_friends` WHERE mid='{$cfg_ml->M_ID}' AND ftype!='-1' ORDER BY addtime DESC LIMIT 20";
 $friends = array();
 $dsql->SetQuery($sql);
 $dsql->Execute();
 while ($row = $dsql->GetArray()) 
 {
 $friends[] = $row;
 }
 //$id注入
 $row = $dsql->GetOne("SELECT * FROM `dede_member_pms` WHERE id='$id' AND (fromid='{$cfg_ml->M_ID}' OR toid='{$cfg_ml->M_ID}')");//ID没过滤
 if(!is_array($row))
 {
 ShowMsg('对不起,你指定的消息不存在或你没权限查看!','-1');
 exit();
 }
 //$id注入
 $dsql->ExecuteNoneQuery("UPDATE `dede_member_pms` SET hasview=1 WHERE id='$id' AND folder='inbox' AND toid='{$cfg_ml->M_ID}'");
 $dsql->ExecuteNoneQuery("UPDATE `dede_member_pms` SET hasview=1 WHERE folder='outbox' AND toid='{$cfg_ml->M_ID}'");
 include_once(dirname(__FILE__).'/templets/pm-read.htm');
 exit();
}

替换为:

else if($dopost=='read')
{
    $sql = "Select * From `dede_member_friends` where  mid='{$cfg_ml->M_ID}' And ftype!='-1'  order by addtime desc limit 20";
    $friends = array();
    $dsql->SetQuery($sql);
    $dsql->Execute();
    while ($row = $dsql->GetArray()) 
    {
        $friends[] = $row;
    }
    /* $id过滤 */
    $id = intval($id);
    /* */ 
    $row = $dsql->GetOne("Select * From `dede_member_pms` where id='$id' And (fromid='{$cfg_ml->M_ID}' Or toid='{$cfg_ml->M_ID}')");
    if(!is_array($row))
    {
        ShowMsg('对不起,你指定的消息不存在或你没权限查看!','-1');
        exit();
    }
    $dsql->ExecuteNoneQuery("Update `dede_member_pms` set hasview=1 where id='$id' And folder='inbox' And toid='{$cfg_ml->M_ID}'");
    $dsql->ExecuteNoneQuery("Update `dede_member_pms` set hasview=1 where folder='outbox' And toid='{$cfg_ml->M_ID}'");
    include_once(dirname(__FILE__).'/templets/pm-read.htm');
    exit();
}

齐活,下一个:

9、/member/inc/inc_archives_functions.php  这个是dedecms cookies泄漏导致SQL漏洞,处理方案如下:

打开/member/inc/inc_archives_functions.php文件,搜索:

echo " \"".md5($dede_addonfields.$cfg_cookie_encode)."\" ";

替换为:

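// Emits the field hash (presumably sent back as $dede_fieldshash); the 'anythingelse'
// component must match the hash form accepted by the check in /member/article_add.php.
echo " \"".md5($dede_addonfields . 'anythingelse' . $cfg_cookie_encode)."\" ";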

搞定,下一个:

10、/member/mtypes.php   这个是织梦的会员中心注入漏洞,处理方案如下:

打开/member/mtypes.php,搜索:

elseif ($dopost == 'save')
{
	if(isset($mtypeidarr) && is_array($mtypeidarr))
	{
		$delids = '0';
		$mtypeidarr = array_filter($mtypeidarr, 'is_numeric');
		foreach($mtypeidarr as $delid)
		{
			$delids .= ','.$delid;
			unset($mtypename[$delid]);
		}
		$query = "delete from `dede_mtypes` where mtypeid in ($delids) and mid='$cfg_ml->M_ID';";
		$dsql->ExecNoneQuery($query);
	} 
	//通过$mtypename进行key注入
	foreach ($mtypename as $id => $name)
	{
		$name = HtmlReplace($name);
		//未对键值$id进行任何过滤就带入查询,导致注入
		$query = "update `dede_mtypes` set mtypename='$name' where mtypeid='$id' and mid='$cfg_ml->M_ID'"; 
		$dsql->ExecuteNoneQuery($query);
	}
	ShowMsg('分类修改完成','mtypes.php');
}

替换为:

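elseif ($dopost == 'save')
{
	if(isset($mtypeidarr) && is_array($mtypeidarr))
	{
		$delids = '0';
		// Drop non-numeric ids before they are joined into the IN (...) list below.
		$mtypeidarr = array_filter($mtypeidarr, 'is_numeric');
		foreach($mtypeidarr as $delid)
		{
			$delids .= ','.$delid;
			unset($mtypename[$delid]);
		}
		$query = "delete from `dede_mtypes` where mtypeid in ($delids) and mid='$cfg_ml->M_ID';";
		$dsql->ExecNoneQuery($query);
	}
	// $mtypename is a request-supplied map whose keys are interpolated into SQL:
	// the value goes through HtmlReplace(), the key is coerced to int (the injection fix).
	foreach ($mtypename as $id => $name)
	{
		$name = HtmlReplace($name);
		$id = intval($id);
		$query = "update `dede_mtypes` set mtypename='$name' where mtypeid='$id' and mid='$cfg_ml->M_ID'";
		$dsql->ExecuteNoneQuery($query);
	}
	ShowMsg('分类修改完成','mtypes.php');
}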

