Search...

About Dedecms variable coverage exploits-vulnerability warning-the black bar safety net

2011-08-12T00:00:00

ID MYHACK58:62201131560
Type myhack58
Reporter 佚名
Modified 2011-08-12T00:00:00

Description

Someone recently broke the dedecms variable coverage holes,it is also a quite interesting vulnerability, and in some cases dedecms this variable vulnerability to exist for so long in some people are many years,about six months ago I also independently discovered by

本文 c4rp3nt3r@0x50sec.org

Write in 2 0 1 1 year 5 month

DedeCMS arbitrary variable overwrite vulnerability of the use of

Dedecms variable coverage holes summary

On magic_quotes_gpc=Off

common. inc. php for the original one-dimensional array of the$_GET of the original data is not addslashes, but for a one-dimensional array of$the$key for the addslashes, the result filter. inc. php cover again when that _RunMagicQuotes function became a paper Tiger.

2.common.inc.php

//To check and register the external submission of the variables, here only examine a one-dimensional array of key, can be bypassed to create does not allow the system configuration variables

We can use the following variable override vulnerability using the GET submit way to create a$_POST array of data, create is in check after also bypasses the check, created after the program and register into variables.

3.filter.inc.php

This file in the system configuration file, inside the foreach Loop, create a variable, so you can override the system variables.

On magic_quotes_gpc=off when you can bypass the _RunMagicQuotes of filtering!

xxx. php? site=c4rp3nt3r’s blog

经过 common.inc.php

$c4rp3nt3r=c4rp3nt3r\’s blog

经过 filter.inc.php

$c4rp3nt3r=c4rp3nt3r’s blog

Create a system variable

The program does not allow to create cfg_ at the beginning of the variable, relying on such a defense system variables not initialized vulnerability.

common. inc. php file of the vulnerability we created system variables can trigger this vulnerability.

But some system variables have been initialized, and is in common. inc. php file foreach Loop register variables after a, that is we can create, but can not cover to

But the fun is filter. inc. php this file and conducted a foreach loop which is the secondary creation. So if you include the filter. inc. php file we can override the system variables.

在 /member 目录的大部分文件都包含这么一个文件 /member/config.php

This file is the first two sentences is

require_once(dirname(FILE).’/../ include/common.inc.php’);

require_once(DEDEINC.’/ filter.inc.php’);

That is/member directory most of the files are affected by this vulnerability can overwrite system variables.

Other directory of file is not necessarily safe, can trigger the system variable is not initialized vulnerability.

There are two kinds of use methods

Depends on common. inc. php variable is created and the filter. inc. php variable coverage

//magic_quote_gpc=Off

We submitted

xxx. php? _GET[cfg_xx]=c4rp3nt3r’s blog

经过 common.inc.php

$_GET[cfg_xx]=c4rp3nt3r\’s blog

经过 filter.inc.php

$cfg_xx=c4rp3nt3r’s blog

Depends on common. inc. php variables creation

Submitted

xxx. php? _POST[cfg_xx]=c4rp3nt3r’s blog

//Check and registration outside the submitted variables

foreach($_REQUEST as $_k= > $_v) //here check only one-dimensional array of key, can be bypassed to create does not allow the system configuration variables

{

if( strlen($k)>0 && eregi(‘^(cfg|GLOBALS)’,$_k) ) //$_k=’_POST[cfg_xx]‘;bypassing the regular

{

exit(‘Request var not allow!’);

}

}

function _RunMagicQuotes(&$svar)

{

if(! get_magic_quotes_gpc())

{

if( is_array($svar) )

{

foreach($svar as $_k = > $_v) $svar[$_k] = _RunMagicQuotes($_v);

}

else

{

$svar = addslashes($svar);

}

}

return $svar;

}

foreach(Array(‘_GET’,'_POST’,'_COOKIE’) as $_request)

{

foreach($$_request as $_k = > $_v) ${$_k} = _RunMagicQuotes($_v);

//If submitted xxx. php? _GET[cfg_xx]=c4rp3nt3r’s blog

//Only create the$_GET[cfg_xx]but the first loop the$_GET has been performed done,only the use of the filter. inc. php foreach Loop variables to cover to create a

//If we submitted xxx. php? _POST[cfg_xx]=c4rp3nt3r’s blog

//First execution$_GET circulation only after creating a$_POST[cfg_xx],will not enter the above regular checks

//But next to the$_POST loop just in time to register for our variables$cfg_xx=c4rp3nt3r\’s blog

JSON Vulners Source

Initial Source

{"id": "MYHACK58:62201131560", "hash": "7577a467ee80affc9acb991deadf4fbdbcbaa892d535c01a490a54079bfa8d9a", "history": [], "published": "2011-08-12T00:00:00", "hashmap": [{"hash": "caf9b6b99962bf5c2264824231d7a40c", "key": "bulletinFamily"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "d4be9c4fc84262b4f39f89565918568f", "key": "cvss"}, {"hash": "ba85cc83534bc798464d905bb29c199f", "key": "description"}, {"hash": "282e650f3afe3c07047efec840035428", "key": "href"}, {"hash": "44ab3dcc00fb35c0e0325511299d1aaf", "key": "modified"}, {"hash": "56765472680401499c79732468ba4340", "key": "objectVersion"}, {"hash": "44ab3dcc00fb35c0e0325511299d1aaf", "key": "published"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "645396391020478112635e14b34a0f8b", "key": "reporter"}, {"hash": "92e215fdec6faf609a3b3f0cab55f961", "key": "title"}, {"hash": "0665a8b0792e65b50ab13aef58a018dc", "key": "type"}], "type": "myhack58", "objectVersion": "1.2", "references": [], "edition": 1, "enchantments": {"score": {"value": 0.7, "vector": "NONE", "modified": "2016-11-12T18:13:01"}, "dependencies": {"references": [], "modified": "2016-11-12T18:13:01"}, "vulnersScore": 0.7}, "cvelist": [], "modified": "2011-08-12T00:00:00", "title": "About Dedecms variable coverage exploits-vulnerability warning-the black bar safety net", "viewCount": 0, "description": "Someone recently broke the dedecms variable coverage holes,it is also a quite interesting vulnerability, and in some cases dedecms this variable vulnerability to exist for so long in some people are many years,about six months ago I also independently discovered by\n\n\u672c\u6587 c4rp3nt3r@0x50sec.org\n\nWrite in 2 0 1 1 year 5 month\n\nDedeCMS arbitrary variable overwrite vulnerability of the use of\n\nDedecms variable coverage holes summary\n\n1. On magic_quotes_gpc=Off\n\ncommon. inc. php for the original one-dimensional array of the$_GET of the original data is not addslashes, but for a one-dimensional array of$the$key for the addslashes, the result filter. inc. php cover again when that _RunMagicQuotes function became a paper Tiger.\n\n2.common.inc.php\n\n//To check and register the external submission of the variables, here only examine a one-dimensional array of key, can be bypassed to create does not allow the system configuration variables\n\nWe can use the following variable override vulnerability using the GET submit way to create a$_POST array of data, create is in check after also bypasses the check, created after the program and register into variables.\n\n3.filter.inc.php\n\nThis file in the system configuration file, inside the foreach Loop, create a variable, so you can override the system variables.\n\n1. On magic_quotes_gpc=off when you can bypass the _RunMagicQuotes of filtering!\n\nxxx. php? site=c4rp3nt3r\u2019s blog\n\n\u7ecf\u8fc7 common.inc.php\n\n$c4rp3nt3r=c4rp3nt3r\\\u2019s blog\n\n\u7ecf\u8fc7 filter.inc.php\n\n$c4rp3nt3r=c4rp3nt3r\u2019s blog\n\n2. Create a system variable\n\nThe program does not allow to create cfg_ at the beginning of the variable, relying on such a defense system variables not initialized vulnerability.\n\ncommon. inc. php file of the vulnerability we created system variables can trigger this vulnerability.\n\nBut some system variables have been initialized, and is in common. inc. php file foreach Loop register variables after a, that is we can create, but can not cover to\n\nBut the fun is filter. inc. php this file and conducted a foreach loop which is the secondary creation. So if you include the filter. inc. php file we can override the system variables.\n\n\u5728 /member \u76ee\u5f55 \u7684 \u5927\u90e8\u5206 \u6587\u4ef6 \u90fd \u5305\u542b \u8fd9\u4e48 \u4e00 \u4e2a \u6587\u4ef6 /member/config.php\n\nThis file is the first two sentences is\n\nrequire_once(dirname(__FILE__).\u2019/../ include/common.inc.php\u2019);\n\nrequire_once(DEDEINC.\u2019/ filter.inc.php\u2019);\n\nThat is/member directory most of the files are affected by this vulnerability can overwrite system variables.\n\nOther directory of file is not necessarily safe, can trigger the system variable is not initialized vulnerability.\n\nThere are two kinds of use methods\n\n1. Depends on common. inc. php variable is created and the filter. inc. php variable coverage\n\n//magic_quote_gpc=Off\n\nWe submitted\n\nxxx. php? _GET[cfg_xx]=c4rp3nt3r\u2019s blog\n\n\u7ecf\u8fc7 common.inc.php\n\n$_GET[cfg_xx]=c4rp3nt3r\\\u2019s blog\n\n\u7ecf\u8fc7 filter.inc.php\n\n$cfg_xx=c4rp3nt3r\u2019s blog\n\n2. Depends on common. inc. php variables creation\n\nSubmitted\n\nxxx. php? _POST[cfg_xx]=c4rp3nt3r\u2019s blog\n\n//Check and registration outside the submitted variables\n\nforeach($_REQUEST as $_k= > $_v) //here check only one-dimensional array of key, can be bypassed to create does not allow the system configuration variables\n\n{\n\nif( strlen($_k)>0 && eregi(\u2018^(cfg_|GLOBALS)\u2019,$_k) ) //$_k=\u2019_POST[cfg_xx]\u2018;bypassing the regular\n\n{\n\nexit(\u2018Request var not allow!\u2019);\n\n}\n\n}\n\nfunction _RunMagicQuotes(&$svar)\n\n{\n\nif(! get_magic_quotes_gpc())\n\n{\n\nif( is_array($svar) )\n\n{\n\nforeach($svar as $_k = > $_v) $svar[$_k] = _RunMagicQuotes($_v);\n\n}\n\nelse\n\n{\n\n$svar = addslashes($svar);\n\n}\n\n}\n\nreturn $svar;\n\n}\n\nforeach(Array(\u2018_GET\u2019,'_POST\u2019,'_COOKIE\u2019) as $_request)\n\n{\n\nforeach($$_request as $_k = > $_v) ${$_k} = _RunMagicQuotes($_v);\n\n//If submitted xxx. php? _GET[cfg_xx]=c4rp3nt3r\u2019s blog\n\n//Only create the$_GET[cfg_xx]but the first loop the$_GET has been performed done,only the use of the filter. inc. php foreach Loop variables to cover to create a\n\n//If we submitted xxx. php? _POST[cfg_xx]=c4rp3nt3r\u2019s blog\n\n//First execution$_GET circulation only after creating a$_POST[cfg_xx],will not enter the above regular checks\n\n//But next to the$_POST loop just in time to register for our variables$cfg_xx=c4rp3nt3r\\\u2019s blog\n", "href": "http://www.myhack58.com/Article/html/3/62/2011/31560.htm", "bulletinFamily": "info", "reporter": "\u4f5a\u540d", "cvss": {"vector": "NONE", "score": 0.0}, "lastseen": "2016-11-12T18:13:01"}