此漏洞最先由toby57牛在http://hi.baidu.com/toby57/blog/item/074f6b592d1dac272834f0c7.html公布出来,本人只是将漏洞跟了下,希望toby57别见怪啊!利用地方不一样,但问题出在同一地方!
caicai.php
...............................................................................
if($tid!=0) { $arr = $dsql->GetOne("Select * From `dede_arctype` where id='$tid' And corank=0 "); if($cfg_list_son=='Y') { $CrossID = GetSonIds($tid,$arr['channeltype']); //注意 } else { $CrossID = $tid; } ......................... $typequery = " arc.typeid in($CrossID) And "; } $query = "Select arc.*,m.userid,m.face, tp.typedir,tp.typename,tp.isdefault,tp.defaultname,tp.namerule,tp.namerule2,tp.ispart,tp.moresite,tp.siteurl,tp.sitepath From `dede_archives` arc left join `dede_arctype` tp on tp.id=arc.typeid left join `dede_member` m on m.mid=arc.mid where $typequery arc.arcrank>-1 order by arc.`{$sort}` desc limit $maxrc "; $dlist->SetParameter('tid',$tid); $dlist->SetParameter('sort',$sort); $dlist->SetTemplate(DEDEMEMBER.'/templets/caicai.htm'); $dlist->SetSource($query); .............................................................................................
GetSonIds()函数在channelunit.func.php中有定义
function GetSonIds($id,$channel=0,$addthis=true) { global $_Cs; //注意 $GLOBALS['idArray'] = array(); if( !is_array($_Cs) ) { require_once(DEDEROOT."/data/cache/inc_catalog_base.inc"); } GetSonIdsLogic($id,$_Cs,$channel,$addthis); $rquery = join(',',$GLOBALS['idArray']); $rquery = preg_replace("/,$/", '', $rquery); return $rquery; } //递归逻辑 function GetSonIdsLogic($id,$sArr,$channel=0,$addthis=false) { echo $id; if($id!=0 && $addthis) { $GLOBALS['idArray'][$id] = $id; } foreach($sArr as $k=>$v) { if( $v[0]==$id && ($channel==0 || $v[1]==$channel )) { GetSonIdsLogic($k,$sArr,$channel,true);var_dump($GLOBALS['idArray']); //第一个参数为$_Cs下标 } } }
漏洞在于引进函数中的$_Cs没有初始化,我们可以利用它的下标注入
例:caicai.php?tid=1&_Cs[8)'][0]=1&_Cs[8)'][1]=1就会看到报错信息.
2,mtypes.php 注入
elseif ($dopost == 'save') { if(isset($mtypeidarr) && is_array($mtypeidarr)) { $delids = '0'; $mtypeidarr = array_filter($mtypeidarr, 'is_numeric'); foreach($mtypeidarr as $delid) { $delids .= ','.$delid; unset($mtypename[$delid]); } $query = "delete from `dede_mtypes` where mtypeid in ($delids) and mid='$cfg_ml->M_ID';"; $dsql->ExecNoneQuery($query); } foreach ($mtypename as $id => $name) //注意 { echo $name = HtmlReplace($name); echo $id; $query = "update `dede_mtypes` set mtypename='$name' where mtypeid='$id' and mid='$cfg_ml->M_ID'"; $dsql->ExecuteNoneQuery($query); } //ShowMsg('分类修改完成','mtypes.php'); } magic_quotes_gpc=off时,程序没处理$mtypename数组下标的值,可造成注入
现在的dedecms默认开启了内置80sec写的过滤函数,注入语句要特殊构造,上面给的链接里其实牛人己忽破了,感兴趣的同鞋们可以自己看图本地测试:)
0x0F 于2010年7月25日 发自 漏洞发布
