dedeCMS /plus/ad

Contents

1. Vulnerability Description
2. Trigger Conditions
3. Affected Versions
4. Vulnerable Code Analysis
5. Defense Methods
6. Attack and Defense Considerations

1. Vulnerability Description

This vulnerability can be summarized briefly as follows:

1. "/plus/download.php" includes the file "/include/common.inc.php".
2. "/include/common.inc.php" performs "local variable registration" of user-supplied variables; if a registered variable is not explicitly initialized, a local variable can be overwritten.
3. "/include/common.inc.php" includes the file "/include/dedesql.class.php".
4. The vulnerable "/include/dedesql.class.php" does "not" initialize the two arrays $arrs1 and $arrs2, so an attacker can overwrite these two variables through external input.
5. By POSTing a specially crafted request to "/plus/download.php", an attacker overwrites the $arrs1 and $arrs2 arrays and ultimately taints the "table prefix variable $cfg_"; this "table prefix variable $cfg_" is carried into the database SQL query statements, resulting in SQL injection.
6. "/plus/ad_js.php" and "/plus/mytag_js.php" query the injected PHP code back out of the database, write it into a cache file, and include() and execute it, ultimately resulting in code execution.

Relevant Link:

http://bbs.safedog.cn/thread-52264-1-1.html
http://www.2cto.com/Article/201205/129974.html
http://www.91ri.org/6462.html
http://phpinfo.me/2013/12/24/111.html

2. Trigger Conditions

1. "/include/dedesql.class.php" does "not" initialize the two arrays $arrs1 and $arrs2.
2. "/plus/ad_js.php" and "/plus/mytag_js.php" do not effectively filter or check the data they query from the database.

0x1: Manual verification

http://localhost/dedecms5.7/plus/ad_js.php?aid=21

3. Affected Versions

1. DedeCMS v5.7
2. <= DedeCMS v5.7

4. Vulnerable Code Analysis

5. Defense Methods

0x1: /include/dedesql.class.php

```php
/* */
$arrs1 = array();
$arrs2 = array();
// special handling
if(isset($GLOBALS['arrs1']))
{
    $v1 = $v2 = '';
    for($i=0;isset($arrs1[$i]);$i++)
    {
        $v1 .= chr($arrs1[$i]);
    }
    for($i=0;isset($arrs2[$i]);$i++)
    {
        $v2 .= chr($arrs2[$i]);
    }
    $GLOBALS[$v1] .= $v2;
}
/* */
```
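To make the chain from section 1 and the fix above concrete, here is an added example (my own code, not DedeCMS's) that models the whole thing in one file: a simplified "local variable registration" step with a prefix filter, the vulnerable $arrs1/$arrs2 handling, and the patched handling that resets both arrays first. The registration loop, the blocked-prefix list, the helper str_to_codes() and the demo variable cfg_demo are assumptions made for the example, not common.inc.php verbatim.

```php
<?php
// Added example, not DedeCMS's own code. It models, in one self-contained file,
// the chain described in section 1: request variables are registered into the
// global scope, and code that runs later trusts $arrs1/$arrs2 without
// initializing them. The registration loop and the blocked-prefix filter are a
// simplified reconstruction (an assumption), not common.inc.php verbatim.

// Helper used only to build the constructed request below.
function str_to_codes(string $s): array
{
    return array_map('ord', str_split($s));
}

// Constructed request standing in for $_POST (values are made up). A direct
// 'cfg_' key is refused by the prefix filter, so the request instead carries
// the two char-code arrays that the "special handling" block reassembles.
$request = [
    'aid'      => '21',
    'cfg_demo' => 'direct',                 // refused by the prefix filter
    'arrs1'    => str_to_codes('cfg_demo'), // name of the global to write, as char codes
    'arrs2'    => str_to_codes('tainted'),  // value appended to it, as char codes
];

// Simplified model of the "local variable registration" step.
function register_request_vars(array $request): void
{
    foreach ($request as $k => $v) {
        // Configuration and superglobal names cannot be set directly.
        if (preg_match('#^(cfg_|GLOBALS|_GET|_POST|_COOKIE)#', $k)) {
            continue;
        }
        $GLOBALS[$k] = $v; // same effect as ${$k} = $v at file scope
    }
}

// Vulnerable shape: uses $arrs1/$arrs2 exactly as found in the global scope.
function special_op_vulnerable(): void
{
    if (isset($GLOBALS['arrs1'])) {
        $v1 = $v2 = '';
        for ($i = 0; isset($GLOBALS['arrs1'][$i]); $i++) {
            $v1 .= chr($GLOBALS['arrs1'][$i]);
        }
        for ($i = 0; isset($GLOBALS['arrs2'][$i]); $i++) {
            $v2 .= chr($GLOBALS['arrs2'][$i]);
        }
        // The target name was built from char codes, so the prefix filter in
        // register_request_vars() never saw it: this is a write to any global.
        $GLOBALS[$v1] = ($GLOBALS[$v1] ?? '') . $v2;
    }
}

// Patched shape, as in the dedesql.class.php fix: both arrays are reset before
// use, so whatever the request registered under those names is discarded.
function special_op_fixed(): void
{
    $GLOBALS['arrs1'] = array();
    $GLOBALS['arrs2'] = array();
    $v1 = $v2 = '';
    for ($i = 0; isset($GLOBALS['arrs1'][$i]); $i++) {
        $v1 .= chr($GLOBALS['arrs1'][$i]);
    }
    for ($i = 0; isset($GLOBALS['arrs2'][$i]); $i++) {
        $v2 .= chr($GLOBALS['arrs2'][$i]);
    }
    if ($v1 !== '') { // guard added in this example; the loops above yield '' now
        $GLOBALS[$v1] = ($GLOBALS[$v1] ?? '') . $v2;
    }
}

// Demo value the application set itself before any request handling.
$GLOBALS['cfg_demo'] = 'clean';
register_request_vars($request);
special_op_vulnerable();
echo "vulnerable: cfg_demo = " . $GLOBALS['cfg_demo'] . "\n";

$GLOBALS['cfg_demo'] = 'clean';
register_request_vars($request);
special_op_fixed();
echo "fixed:      cfg_demo = " . $GLOBALS['cfg_demo'] . "\n";
```

The point to take from running it is that the prefix filter on registration is not a defense on its own: the name written by the "special handling" block never passes through that filter. The only thing that closes the hole is the patched shape, in which every variable the block reads is assigned by the script itself before it is read.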

0x2:/plus/ad_js.php

```php
...
// Patched version: reject an ad body containing PHP code before it reaches the cache file
function find_ad_payload($adbody, $aid)
{
    global $db;
    $express = "/<\?[^><]+(\?>){0,1}|<\%[^><]+(\%>){0,1}|<\%=[^><]+(\%>){0,1}|<script[^>]+language[^>]*=[^>]*php[^>]*>[^><]*<\/script\s*>/iU";
    if (preg_match($express, $adbody))
    {
        $sql = " DELETE from `dede_myad` WHERE aid='$aid' ";
        $rs = $db->ExecuteNoneQuery($sql);
        if( file_exists(DEDEDATA . '/cache/myad-'.$aid.'.htm') )
        {
            @unlink(DEDEDATA.'/cache/myad-'.$aid.'.htm');
        }
        die("Request Error!");
    }
}
if(isset($arcID)) $aid = $arcID;
$arcID = $aid = (isset($aid) && is_numeric($aid)) ? $aid : 0;
if($aid==0) die(' Request Error! ');
$cacheFile = DEDEDATA.'/cache/myad-'.$aid.'.htm';
if( isset($nocache) || !file_exists($cacheFile) || time() - filemtime($cacheFile) > $cfg_puccache_time )
{
    $row = $dsql->GetOne("SELECT * FROM `dede_myad` WHERE aid='$aid' ");
    $adbody = '';
    if($row['timeset']==0)
    {
        $adbody = $row['normbody'];
    }
    else
    {
        $ntime = time();
        if($ntime > $row['endtime'] || $ntime < $row['starttime']) {
            $adbody = $row['expbody'];
        } else {
            $adbody = $row['normbody'];
        }
    }
    // check the body read from the database before it is cached and included
    find_ad_payload($adbody, $aid);
    ...
```

0x3: /plus/mytag_js.php

```php
...
// Patched version: reject a tag body containing PHP code before it reaches the cache file
function find_tag_payload($tagbody, $aid)
{
    global $db;
    $express = "/<\?[^><]+(\?>){0,1}|<\%[^><]+(\%>){0,1}|<\%=[^><]+(\%>){0,1}|<script[^>]+language[^>]*=[^>]*php[^>]*>[^><]*<\/script\s*>/iU";
    if (preg_match($express, $tagbody))
    {
        $sql = " DELETE from `dede_mytag` WHERE aid='$aid' ";
        $rs = $db->ExecuteNoneQuery($sql);
        if( file_exists(DEDEDATA . '/cache/mytag-'.$aid.'.htm') )
        {
            @unlink(DEDEDATA.'/cache/mytag-'.$aid.'.htm');
        }
        die("Request Error!");
    }
}
if(isset($arcID)) $aid = $arcID;
$arcID = $aid = (isset($aid) && is_numeric($aid)) ? $aid : 0;
if($aid==0) die(" document.write('Request Error!'); ");
$cacheFile = DEDEDATA.'/cache/mytag-'.$aid.'.htm';
//die(var_dump($cacheFile));
if( isset($nocache) || !file_exists($cacheFile) || time() - filemtime($cacheFile) > $cfg_puccache_time )
{
    $pv = new PartView();
    $row = $pv->dsql->GetOne(" SELECT * FROM `dede_mytag` WHERE aid='$aid' ");
    if(!is_array($row))
    {
        $myvalues = "<!--\r\ndocument.write('Not found input!');\r\n-->";
    }
    else
    {
        $tagbody = '';
        if($row['timeset']==0)
        {
            $tagbody = $row['normbody'];
        }
        else
        {
            $ntime = time();
            if($ntime>$row['endtime'] || $ntime < $row['starttime']) {
                $tagbody = $row['expbody'];
            }
            else {
                $tagbody = $row['normbody'];
            }
        }
        // check the body read from the database before it is used as a template
        find_tag_payload($tagbody, $aid);
        $pv->SetTemplet($tagbody, 'string');
    ...
```

Note in particular that, for this attack vector (a backdoor stored in the DedeCMS database), the defensive code must take all of the following PHP code forms into account:

1) <?php ... ?>
2) <? ... ?>
3) <script language="php">...</script>
4) <?=expression ... ?>
5) <% ... %>
6) <%=$variable %>
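As an added example (my own code, not the patched DedeCMS code), here is a detector written from the six forms above and run over constructed ad-body samples. The patterns are one per listed form rather than the single find_ad_payload() expression, and the function names php_code_forms() and ad_body_is_safe() and the sample bodies are assumptions made for the example.

```php
<?php
// Added example, not DedeCMS's own code: a detector for the six PHP code forms
// listed above, run over constructed ad-body samples. The patterns are written
// here from that list and are not the find_ad_payload() expression verbatim.

// Returns the labels of every listed form found in $body (empty array = none).
function php_code_forms(string $body): array
{
    // One pattern per form. 'i' = case-insensitive, 's' = '.' spans newlines.
    // Negative lookaheads keep the generic '<?' and '<%' forms from also
    // claiming the '<?php', '<?=' and '<%=' cases. A missing closing tag still
    // matches ('|$'), because PHP accepts an open tag that runs to end of file.
    $forms = [
        '<?php ... ?>'        => '/<\?php\b.*?(\?>|$)/is',
        '<? ... ?>'           => '/<\?(?!php\b|=).*?(\?>|$)/is',
        '<script language="php">...</script>'
            => '/<script[^>]*language\s*=\s*["\']?php["\']?[^>]*>.*?<\/script\s*>/is',
        '<?=expression ... ?>' => '/<\?=.*?(\?>|$)/is',
        '<% ... %>'           => '/<%(?!=).*?(%>|$)/is',
        '<%=$variable %>'     => '/<%=.*?(%>|$)/is',
    ];
    $hits = [];
    foreach ($forms as $label => $pattern) {
        if (preg_match($pattern, $body) === 1) {
            $hits[] = $label;
        }
    }
    return $hits;
}

// Decision helper in the shape of the patched scripts: a body with any hit
// must not be written to the cache file that is later include()d.
function ad_body_is_safe(string $body): bool
{
    return php_code_forms($body) === [];
}

// Constructed samples (not real ad data): one clean body, one per listed form,
// an unterminated open tag, and a plain JavaScript ad that must not trigger
// the PHP script-tag rule.
$samples = [
    'plain html'   => '<a href="http://example.com/">Ad text</a>',
    'full tag'     => '<div><?php echo 1; ?></div>',
    'short tag'    => '<div><? echo 1; ?></div>',
    'script tag'   => '<script language="php">echo 1;</script>',
    'short echo'   => '<div><?= $x ?></div>',
    'asp tag'      => '<div><% echo 1; %></div>',
    'asp echo'     => '<div><%= $x %></div>',
    'unterminated' => '<div><?php echo 1;',
    'javascript'   => '<script type="text/javascript">document.write("ad");</script>',
];

foreach ($samples as $name => $body) {
    $hits = php_code_forms($body);
    printf("%-13s %s\n", $name, ad_body_is_safe($body) ? 'accept' : 'reject: ' . implode(', ', $hits));
}
```

The check belongs exactly where the patched scripts put it: on the row just read from the database, before anything is written to the cache file, because the cache file is what gets include()d. Labelling each hit separately also makes it easy to verify that every one of the six forms is covered, which a single combined expression does not show at a glance.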

6. Attack and Defense Considerations

None yet.

Copyright (c) 2014 LittleHann All rights reserved

What matters should be the scenery along the way and the mood in which one views it.
