分析DEDECMS 5.5 datalistcp.class.php 包含-datalistcp.class.php, DEDECMS, DEDECMS 5.5, mysql_error_trace.inc, 包含, -st0p's blog

分析DEDECMS 5.5 datalistcp.class.php包含

This entry was posted on Apr 03 2010

作者:st0p
轉載請註明出處http://www.st0p.org

老早就看到有人發的洞，一直想過寫分析來著，最近一直呆在UBUNTU下安裝東西。。老忘。。。
有時有些朋友加我，教他找洞。。。這個好似是個累活，而且運氣佔很大一部分。。。所以我還是盡量幫分析過程發出來吧，也方便我自己學習。
具體的EXP，請看： http://www.st0p.org/blog/archives/dedecms-5-5-datalistcp-class-php-contains-exp.html

以前呢，DEDECMS會把出錯的SQL信息，寫進mysql_error_trace.php，後來被大牛們爆出來了。就改名為mysql_error_trace.inc了。。。
沒想到這次又被包含了。。。看來記錄SQL信息也不是啥好事。。。

這個EXP的原理呢，是通過構造特殊的請求給plus/digg_ajax.php來達到寫入我們的語句到mysql_error_trace.inc，當然可以滿足我們這一步寫入到mysql_error_trace.inc的文件還有不少。。不過想要執行他就不可能了。。然後這次報出的洞呢就是運氣很好才能碰到的。。
關鍵代碼存在於

/include/datalistcp.class.php

  ...
 ( isset ( $needCode ) ? $needCode : $cfg_soft_lang ) ; $codefile = ( isset ( $needCode ) ? $needCode : $cfg_soft_lang ) ;

 //通過isset函數檢查$needCode是否已配置，如已配置則結果為$needCode，否則結果為$cfg_soft_lang
 //當我們偽造結果為aa/../../../data/mysql_error_trace時

 file_exists ( DEDEINC . '/code/datalist.' . $codefile . '.inc' ) ) if ( file_exists ( DEDEINC . '/code/datalist.' . $codefile . '.inc' ) )

 {

	 DEDEINC . '/code/datalist.' . $codefile . '.inc' ) ; require_once ( DEDEINC . '/code/datalist.' . $codefile . '.inc' ) ;
  //後綴是.inc
 }
 //檢查文件是否存在，存在則包含。  我們通過../成功跳轉到到data目錄，包含我們剛才構造過的mysql_error_trace.inc
 //成功運行我們mysql_error_trace.inc在構造的語句。  。  。
 ...

鬱悶，前幾次想寫分析的時候官方還沒補呢。。剛去官方看了下通過正則進行了修補

  ( isset ( $needCode ) ? $needCode : $cfg_soft_lang ) ; $codefile = ( isset ( $needCode ) ? $needCode : $cfg_soft_lang ) ;

 preg_replace ( "/[\w-]/" , '' , $codefile ) ; $codefile = preg_replace ( "/[\w-]/" , '' , $codefile ) ;
  //通過正則過濾了。  。  。
 file_exists ( DEDEINC . '/code/datalist.' . $codefile . '.inc' ) ) if ( file_exists ( DEDEINC . '/code/datalist.' . $codefile . '.inc' ) )

 {

	 DEDEINC . '/code/datalist.' . $codefile . '.inc' ) ; require_once ( DEDEINC . '/code/datalist.' . $codefile . '.inc' ) ;

 }

datalistcp.class.php , DEDECMS , DEDECMS 5.5 , mysql_error_trace.inc , 包含

學·武功秘籍

Chinese (Simplified) flag

Chinese (Traditional) flag

Portuguese flag

Indonesian flag

Lithuanian flag

Vietnamese flag

106 Trackback(s)
Oct 1, 2011: great fish food
Nov 5, 2011: foundation crack repair in Potsdam OH
Dec 19, 2011: facebook/sex
Dec 27, 2011: bouncy castle north london
Jan 10, 2012: ways to increase facebook fans
Jan 18, 2012: clairvoyants
Jan 24, 2012: antykwariaty
Jan 29, 2012: Alpha Warranty
Feb 2, 2012: make a website
Feb 3, 2012: Domain Brokerage
Feb 5, 2012: spinal injury
Feb 5, 2012: accident in asda
Feb 5, 2012: southern dunes villa
Feb 6, 2012: http://www.fineheartenterprises.net/?page_id=28
Feb 7, 2012: auckland drainlayer
Feb 7, 2012: nba betting picks
Feb 9, 2012: Best Sentey Case
Feb 10, 2012: mlb picks
Feb 10, 2012: inspirational quotes
Feb 15, 2012: wypadanie włosów choroby
Feb 16, 2012: security doors nz
Feb 17, 2012: kullan myynti
Feb 17, 2012: erect penis
Feb 19, 2012: tienda online papel regalo
Feb 21, 2012: rudraksha beads
Feb 22, 2012: race car driving experience
Feb 23, 2012: double glazing retrofit
Feb 23, 2012: food photography tips
Feb 24, 2012: photographers
Feb 24, 2012: freefav
Feb 25, 2012: tarot meaning
Feb 28, 2012: psychic light
Mar 1, 2012: free web hosting uk no ads
Mar 1, 2012: temperature logger
Mar 1, 2012: senuke x review
Mar 2, 2012: campers world
Mar 2, 2012: tatuaggi giapponesi
Mar 3, 2012: Abdelmalik
Mar 5, 2012: Sztabka złota is really awesomething
Mar 6, 2012: Annabel
Mar 7, 2012: Buy Proxies
Mar 8, 2012: online fish store
Mar 8, 2012: forklifts sale
Mar 10, 2012: horse colors
Mar 11, 2012: Sex Artikel
Mar 11, 2012: free psychic chat
Mar 12, 2012: Anaelle
Mar 13, 2012: boats nz
Mar 16, 2012: hiking stores
Mar 17, 2012: psychics
Mar 18, 2012: Aime
Mar 20, 2012: psychic readings
Mar 22, 2012: NBA Picks
Mar 23, 2012: mannequin agence
Mar 23, 2012: dress coupon
Mar 24, 2012: best doors
Mar 27, 2012: kmdali
Mar 28, 2012: gold investment
Mar 30, 2012: davey pumps
Apr 6, 2012: prawo jazdy gdynia opinie
Apr 6, 2012: szkola jazdy gdynia opinie
Apr 8, 2012: franchises for sale nz
Apr 10, 2012: tanie ksiazki
Apr 10, 2012: antykwariat poleca
Apr 11, 2012: Carrier Parts
Apr 12, 2012: cute dog collars
Apr 12, 2012: thermal imaging camera cost
Apr 12, 2012: the silver melt value
Apr 12, 2012: The best mattresses
Apr 13, 2012: Mens leather jackets info
Apr 13, 2012: Paladin Pvp Guide
Apr 13, 2012: hunterpvp
Apr 14, 2012: online psychic readings
Apr 15, 2012: Dosimter Shop
Apr 15, 2012: Best Value Mauritius Holidays
Apr 15, 2012: Big Sea Mall
Apr 16, 2012: Warlock Pvp Guide
Apr 16, 2012: Living Social
Apr 16, 2012: Grouply Deals
Apr 16, 2012: All Hair Extensions
Apr 17, 2012: toprczone
Apr 17, 2012: Gold Secrets Guide
Apr 18, 2012: Daily Deals
Apr 18, 2012: Gatsby
Apr 19, 2012: Noice
Apr 19, 2012: Wooden Blinds
Apr 19, 2012: mysecretglow
Apr 19, 2012: Monster Beats By Dr Dre
Apr 20, 2012: Gratio
Apr 20, 2012: The Jump Manual
Apr 21, 2012: Anti Aging Simply
Apr 22, 2012: Loch Lomond Lodge
Apr 22, 2012: Dynamic Insulation
Apr 22, 2012: Rib Ride
Apr 22, 2012: Monitor Wind
Apr 22, 2012: CIM Course
Apr 23, 2012: Dynamic Insulation
Apr 24, 2012: Retro Jordans
Apr 24, 2012: Nike Air Jordan 4
Apr 28, 2012: one x
Apr 30, 2012: chase bank
Apr 30, 2012: chaseonlinebanking
Apr 30, 2012: car insurance quotes
May 13, 2012: calfless balkanize complex
May 17, 2012: Phantom of the Opera Tickets
May 18, 2012: raspberry ketone

You must be logged in to post a comment.