Release date: 2010-07-20 Author: xhm1n9 Official site: www.dedecms.com Vulnerability description:
1. This vulnerability was first published by toby57 at http://hi.baidu.com/toby57/blog/item/074f6b592d1dac272834f0c7.html; I only traced through it, so I hope toby57 doesn't mind! The exploitation point is different, but the problem lies in the same place! caicai.php
...
if($tid!=0)
{
    $arr = $dsql->GetOne("Select * From `dede_arctype` where id='$tid' And corank=0 ");
    if($cfg_list_son=='Y')
    {
        $CrossID = GetSonIds($tid,$arr['channeltype']); // note
    }
    else
    {
        $CrossID = $tid;
    }
    ...
    $typequery = " arc.typeid in($CrossID) And ";
}

$query = "Select arc.*,m.userid,m.face,
tp.typedir,tp.typename,tp.isdefault,tp.defaultname,tp.namerule,tp.namerule2,tp.ispart,tp.moresite,tp.siteurl,tp.sitepath
From `dede_archives` arc left join `dede_arctype` tp on tp.id=arc.typeid left join `dede_member` m on m.mid=arc.mid
where $typequery arc.arcrank>-1
order by arc.`{$sort}` desc limit $maxrc ";
$dlist->SetParameter('tid',$tid);
$dlist->SetParameter('sort',$sort);
$dlist->SetTemplate(DEDEMEMBER.'/templets/caicai.htm');
$dlist->SetSource($query);
...
The GetSonIds() function is defined in channelunit.func.php:
function GetSonIds($id,$channel=0,$addthis=true)
{
    global $_Cs; // note
    $GLOBALS['idArray'] = array();
    if( !is_array($_Cs) )
    {
        require_once(DEDEROOT."/data/cache/inc_catalog_base.inc");
    }
    GetSonIdsLogic($id,$_Cs,$channel,$addthis);
    $rquery = join(',',$GLOBALS['idArray']);
    $rquery = preg_replace("/,$/", '', $rquery);

    return $rquery;
}

// recursive logic
function GetSonIdsLogic($id,$sArr,$channel=0,$addthis=false)
{
    echo $id; // debug trace added while following the code
    if($id!=0 && $addthis)
    {
        $GLOBALS['idArray'][$id] = $id;
    }
    foreach($sArr as $k=>$v)
    {
        if( $v[0]==$id && ($channel==0 || $v[1]==$channel ))
        {
            GetSonIdsLogic($k,$sArr,$channel,true); // the first argument is the $_Cs array key
            var_dump($GLOBALS['idArray']); // debug trace added while following the code
        }
    }
}
The vulnerability is that $_Cs, pulled into the function as a global, is never initialized, so its array keys can be used for injection.
Example: caicai.php?tid=1&_Cs[8)'][0]=1&_Cs[8)'][1]=1 will produce an error message.
2. mtypes.php injection
elseif ($dopost == 'save')
{
    if(isset($mtypeidarr) && is_array($mtypeidarr))
    {
        $delids = '0';
        $mtypeidarr = array_filter($mtypeidarr, 'is_numeric');
        foreach($mtypeidarr as $delid)
        {
            $delids .= ','.$delid;
            unset($mtypename[$delid]);
        }
        $query = "delete from `dede_mtypes` where mtypeid in ($delids) and mid='$cfg_ml->M_ID';";
        $dsql->ExecNoneQuery($query);
    }
    foreach ($mtypename as $id => $name) // note
    {
        echo $name = HtmlReplace($name); // debug trace added while following the code
        echo $id; // debug trace added while following the code
        $query = "update `dede_mtypes` set mtypename='$name' where mtypeid='$id' and mid='$cfg_ml->M_ID'";
        $dsql->ExecuteNoneQuery($query);
    }
    //ShowMsg('分类修改完成','mtypes.php');
}
When magic_quotes_gpc=off, the program does not sanitize the keys of the $mtypename array, so they can be used for injection.
Current DedeCMS versions enable the built-in filter function written by 80sec by default, so the injection statement has to be specially constructed; the expert behind the link above has in fact already bypassed it, and interested readers can look at the screenshots there and test locally :)
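Both issues above share one root cause: array keys that the request controls are interpolated into SQL as if they were integer IDs. The following is an added example, not DedeCMS code; it shows the defensive shape of both spots (the IN-list built from keys, and the $mtypename key loop), using PDO prepared statements instead of $dsql and hypothetical function names (safeIdList, renameMemberTypes).

```php
<?php
// Added example, not part of DedeCMS. Hardens the two patterns in the write-up:
// (1) an "id IN (...)" list built from array keys, (2) array keys used as row ids.

// Build a safe IN(...) list: keep only values that are plain decimal integers.
// A request-supplied key such as "8)'" is dropped instead of being stringified into SQL.
function safeIdList(array $ids): string
{
    $clean = [];
    foreach ($ids as $id) {
        if (is_int($id) || (is_string($id) && ctype_digit($id))) {
            $clean[(int) $id] = (int) $id;   // force integer, dedupe by key
        }
    }
    return $clean ? implode(',', $clean) : '0';   // '0' keeps the IN() syntactically valid
}

// Hardened version of the mtypes rename loop: validate the key, bind the value.
// PHP stores numeric-string keys as int, so any remaining string key came from hostile input.
function renameMemberTypes(PDO $db, array $mtypename, int $memberId): int
{
    $stmt = $db->prepare(
        'UPDATE `dede_mtypes` SET mtypename = :name WHERE mtypeid = :id AND mid = :mid'
    );
    $updated = 0;
    foreach ($mtypename as $id => $name) {
        if (!is_int($id)) {
            continue;   // reject keys like "8)'" rather than interpolating them
        }
        $stmt->execute([
            ':name' => htmlspecialchars((string) $name, ENT_QUOTES, 'UTF-8'),
            ':id'   => $id,
            ':mid'  => $memberId,
        ]);
        $updated += $stmt->rowCount();
    }
    return $updated;
}

// Constructed demo input mirroring the key shapes from the write-up: one hostile, two numeric.
function demoIdList(): string
{
    $hostileKeys = array_keys(["8)'" => 1, '12' => 1, 5 => 1]);
    return safeIdList($hostileKeys);   // the "8)'" key is dropped, 12 and 5 survive
}

echo demoIdList(), "\n";
```

The same rule applies to GetSonIds(): load the category cache unconditionally instead of trusting a pre-existing $_Cs, and pass the collected keys through an integer filter before joining them.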
From:http://www.hackline.net/a/news/ldfb/web/2010/0721/4824.html