dedeCMS /plus/ad_js.php、/plus/mytag_js.php Vul Via Injecting PHP Code By /plus/download.php Into DB && /include/dedesql.class.php

Source: Internet
Uploader: User


Contents

1. Vulnerability description
2. Trigger conditions
3. Affected versions
4. Vulnerable code analysis
5. Defense methods
6. Offense and defense considerations


1. Vulnerability description

This vulnerability can be summarised briefly as follows:

1. "/plus/download.php" includes the file "/include/common.inc.php"
2. "/include/common.inc.php" performs "local variable registration" on user-supplied input; if a registered variable is never explicitly initialised, a local variable overwrite results
3. "/include/common.inc.php" includes the file "/include/dedesql.class.php"
4. The vulnerable "/include/dedesql.class.php" does "not" initialise the two arrays $arrs1 and $arrs2, so an attacker can overwrite both of them through external input
5. By POSTing a specially constructed request to "/plus/download.php", the attacker overwrites $arrs1 and $arrs2 and ultimately pollutes the "table prefix variable $cfg_"; this prefix variable is interpolated into the database's SQL query, which results in SQL injection
6. "/plus/ad_js.php" and "/plus/mytag_js.php" read the injected PHP code back out of the database, write it into a cache file and include() that file, which ultimately results in code execution

Relevant Link:

http://bbs.safedog.cn/thread-52264-1-1.html
http://www.2cto.com/Article/201205/129974.html
http://www.91ri.org/6462.html
http://phpinfo.me/2013/12/24/111.html


2. Trigger conditions

1. "/include/dedesql.class.php" does "not" initialise the two arrays $arrs1 and $arrs2
2. "/plus/ad_js.php" and "/plus/mytag_js.php" do not effectively filter or check the data read back from the database

0x1: Manual verification

http://localhost/dedecms5.7/plus/ad_js.php?aid=21


3. Affected versions

1. DedeCMS v5.7
2. <= DedeCMS v5.7


4. Vulnerable code analysis
5. Defense methods

0x1: /include/dedesql.class.php

/* */
// The fix: explicitly initialise both arrays so that values registered
// from the request by common.inc.php are discarded before the block below runs.
$arrs1 = array();
$arrs2 = array();
//special handling
if(isset($GLOBALS['arrs1']))
{
    $v1 = $v2 = '';
    // $arrs1 spells a variable name as byte values, $arrs2 the bytes to append to it
    for($i=0;isset($arrs1[$i]);$i++)
    {
        $v1 .= chr($arrs1[$i]);
    }
    for($i=0;isset($arrs2[$i]);$i++)
    {
        $v2 .= chr($arrs2[$i]);
    }
    $GLOBALS[$v1] .= $v2;
}
/* */
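To make the effect of the two initialisation lines concrete, the following is an added example (not DedeCMS code) that models the chain from section 1: request variables are registered into scope the way common.inc.php does it, then the "special handling" block above runs, once without and once with the re-initialisation of $arrs1 and $arrs2. The function run_special_block, the $globals array standing in for $GLOBALS, the request body and the marker string TAMPERED are all constructed for this example.

```php
<?php
// Added example, not DedeCMS code: models common.inc.php's request-variable
// registration followed by the "special handling" block of dedesql.class.php.
// $globals stands in for $GLOBALS; the request and the marker are constructed.

function run_special_block(array $request, $initialise)
{
    // Baseline config: the table prefix that later becomes `#@__` in SQL.
    $globals = array('cfg_dbprefix' => 'dede_');

    // Step 1: "local variable registration" as common.inc.php does it:
    // every request key becomes a variable in scope, with no allowlist.
    foreach ($request as $k => $v) {
        $globals[$k] = $v;
    }

    // Step 2 (the fix): re-initialise both arrays AFTER registration,
    // so anything the request supplied for them is discarded.
    if ($initialise) {
        $globals['arrs1'] = array();
        $globals['arrs2'] = array();
    }

    // Step 3: the block from dedesql.class.php. With the arrays empty the
    // loops never run, $v1 stays '' and no configuration variable is touched.
    if (isset($globals['arrs1'])) {
        $v1 = $v2 = '';
        for ($i = 0; isset($globals['arrs1'][$i]); $i++) {
            $v1 .= chr($globals['arrs1'][$i]);
        }
        for ($i = 0; isset($globals['arrs2'][$i]); $i++) {
            $v2 .= chr($globals['arrs2'][$i]);
        }
        $globals[$v1] = (isset($globals[$v1]) ? $globals[$v1] : '') . $v2;
    }
    return $globals;
}

// Helper: string -> list of byte values, the form the block expects.
function to_codes($s) { return array_map('ord', str_split($s)); }

// Constructed request: arrs1 spells the variable name, arrs2 the bytes appended to it.
$request = array('arrs1' => to_codes('cfg_dbprefix'), 'arrs2' => to_codes('TAMPERED'));
$unpatched = run_special_block($request, false);
$patched   = run_special_block($request, true);
echo "without init: cfg_dbprefix = " . $unpatched['cfg_dbprefix'] . "\n";
echo "with init:    cfg_dbprefix = " . $patched['cfg_dbprefix'] . "\n";
```

Running it shows the prefix variable being extended only in the uninitialised run; a regression check for a patched install is simply that the second line still reports the configured prefix unchanged.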

0x2: /plus/ad_js.php

...
// Reject ad bodies that contain PHP tags: delete the row and its cache file
// so the content can never be written to the cache and included.
function find_ad_payload($adbody, $aid)
{
    global $db;
    $express = "/<\?(php){0,1}(.*)/i";
    if (preg_match($express, $adbody))
    {
        $sql = " DELETE from `#@__myad` WHERE aid='$aid' ";
        $rs = $db->ExecuteNoneQuery($sql);
        if( file_exists(DEDEDATA . '/cache/myad-'.$aid.'.htm') )
        {
            @unlink(DEDEDATA.'/cache/myad-'.$aid.'.htm');
        }
        die("Request Error!");
    }
}
if(isset($arcID)) $aid = $arcID;
$arcID = $aid = (isset($aid) && is_numeric($aid)) ? $aid : 0;
if($aid==0) die(' Request Error! ');
$cacheFile = DEDEDATA.'/cache/myad-'.$aid.'.htm';
if( isset($nocache) || !file_exists($cacheFile) || time() - filemtime($cacheFile) > $cfg_puccache_time )
{
    $row = $dsql->GetOne("SELECT * FROM `#@__myad` WHERE aid='$aid' ");
    $adbody = '';
    if($row['timeset']==0)
    {
        $adbody = $row['normbody'];
    }
    else
    {
        $ntime = time();
        if($ntime > $row['endtime'] || $ntime < $row['starttime']) {
            $adbody = $row['expbody'];
        } else {
            $adbody = $row['normbody'];
        }
    }
    // Check the body read from the database before it reaches the cache file
    find_ad_payload($adbody, $aid);
    ...

0x3: /plus/mytag_js.php

...
// Same check for custom tags: reject tag bodies that contain PHP tags,
// delete the row and its cache file.
function find_tag_payload($tagbody, $aid)
{
    global $db;
    $express = "/<\?(php){0,1}(.*)/i";
    if (preg_match($express, $tagbody))
    {
        $sql = " DELETE from `#@__mytag` WHERE aid='$aid' ";
        $rs = $db->ExecuteNoneQuery($sql);
        if( file_exists(DEDEDATA . '/cache/mytag-'.$aid.'.htm') )
        {
            @unlink(DEDEDATA.'/cache/mytag-'.$aid.'.htm');
        }
        die("Request Error!");
    }
}
if(isset($arcID)) $aid = $arcID;
$arcID = $aid = (isset($aid) && is_numeric($aid)) ? $aid : 0;
if($aid==0) die(" document.write('Request Error!'); ");
$cacheFile = DEDEDATA.'/cache/mytag-'.$aid.'.htm';
//die(var_dump($cacheFile));
if( isset($nocache) || !file_exists($cacheFile) || time() - filemtime($cacheFile) > $cfg_puccache_time )
{
    $pv = new PartView();
    $row = $pv->dsql->GetOne(" SELECT * FROM `#@__mytag` WHERE aid='$aid' ");
    if(!is_array($row))
    {
        $myvalues = "<!--\r\ndocument.write('Not found input!');\r\n-->";
    }
    else
    {
        $tagbody = '';
        if($row['timeset']==0)
        {
            $tagbody = $row['normbody'];
        }
        else
        {
            $ntime = time();
            if($ntime>$row['endtime'] || $ntime < $row['starttime']) {
                $tagbody = $row['expbody'];
            }
            else {
                $tagbody = $row['normbody'];
            }
        }
        // Check the body read from the database before it is parsed as a template
        find_tag_payload($tagbody, $aid);
        $pv->SetTemplet($tagbody, 'string');
    ...


6. Offense and defense considerations

None yet

Copyright (c) 2014 LittleHann All rights reserved
