dedeCMS /plus/ad_js.php、/plus/mytag_js.php Vul Via Injecting PHP Code By /plus/download.php Into DB && /include/dedesql.class.php

1. 漏洞描述
2. 漏洞触发条件
3. 漏洞影响范围
4. 漏洞代码分析
5. 防御方法
6. 攻防思考

1. "/plus/download.php"文件会引入"/include/common.inc.php"文件
2. "/include/common.inc.php"中会对用户输入的变量进行"变量本地注册"，如果注册的变量未被显式地初始化，则会导致本地变量覆盖
3. "/include/common.inc.php"会引入"/include/dedesql.class.php"文件
4. 存在漏洞的"/include/dedesql.class.php"，"没有"对$arrs1、$arrs2这两个数组进行初始化，导致黑客可以通过外部的输入覆盖这2个变量
5. 黑客通过向"/plus/download.php"文件中POST入特殊构造的数据包，通过覆盖$arrs1、$arrs2这两个数组，最终污染"数据表前缀变量$cfg_"，这个"数据表前缀变量$cfg_"会被带入数据库的SQL查询语句中，导致SQL注入
6. "/plus/ad_js.php"、"/plus/mytag_js.php"会从数据库中查询出刚才被注入的PHP Code，将写过写入缓存文件中，并include执行，最终导致代码执行

http://bbs.safedog.cn/thread-52264-1-1.html
http://www.2cto.com/Article/201205/129974.html
http://www.91ri.org/6462.html
http://phpinfo.me/2013/12/24/111.html

1. "/include/dedesql.class.php"，"没有"对$arrs1、$arrs2这两个数组进行初始化
2. "/plus/ad_js.php"、"/plus/mytag_js.php"未对从数据库查询出的数据进行有效过滤、检测

1. DedeCMS v5.7
2. <= DedeCMS v5.7

/* */ 
$arrs1 = array();
$arrs2 = array();

//特殊操作
if(isset($GLOBALS[‘arrs1‘]))
{
    $v1 = $v2 = ‘‘;
    for($i=0;isset($arrs1[$i]);$i++)
    {
        $v1 .= chr($arrs1[$i]);
    }
    for($i=0;isset($arrs2[$i]);$i++)
    {
        $v2 .= chr($arrs2[$i]);
    }
    $GLOBALS[$v1] .= $v2;
}
/* */

...
function find_ad_payload($adbody, $aid)
{
    global $db;
    $express = "/<\?(php){0,1}(.*)/i";
    if (preg_match($express, $adbody)) 
    {  
        $sql = " DELETE from `#@__myad` WHERE aid=‘$aid‘ ";
        $rs = $db->ExecuteNoneQuery($sql); 
        if( file_exists(DEDEDATA . ‘/cache/myad-‘.$aid.‘.htm‘) )
        {
            @unlink(DEDEDATA.‘/cache/myad-‘.$aid.‘.htm‘);
        }
        die("Request Error!");  
    }  
}

if(isset($arcID)) $aid = $arcID;
$arcID = $aid = (isset($aid) && is_numeric($aid)) ? $aid : 0;
if($aid==0) die(‘ Request Error! ‘);

$cacheFile = DEDEDATA.‘/cache/myad-‘.$aid.‘.htm‘;
if( isset($nocache) || !file_exists($cacheFile) || time() - filemtime($cacheFile) > $cfg_puccache_time )
{
    $row = $dsql->GetOne("SELECT * FROM `#@__myad` WHERE aid=‘$aid‘ ");
    $adbody = ‘‘;
    if($row[‘timeset‘]==0)
    {
        $adbody = $row[‘normbody‘];
    }
    else
    {
        $ntime = time();
        if($ntime > $row[‘endtime‘] || $ntime < $row[‘starttime‘]) {
            $adbody = $row[‘expbody‘];
        } else {
            $adbody = $row[‘normbody‘];
        }
    }

    find_ad_payload($adbody, $aid);
    ...

...
function find_tag_payload($tagbody, $aid)
{
    global $db;
    $express = "/<\?(php){0,1}(.*)/i";
    if (preg_match($express, $tagbody)) 
    {  
        $sql = " DELETE from `#@__mytag` WHERE aid=‘$aid‘ ";
        $rs = $db->ExecuteNoneQuery($sql); 
        if( file_exists(DEDEDATA . ‘/cache/mytag-‘.$aid.‘.htm‘) )
        {
            @unlink(DEDEDATA.‘/cache/mytag-‘.$aid.‘.htm‘);
        }
        die("Request Error!");  
    }  
}

if(isset($arcID)) $aid = $arcID;
$arcID = $aid = (isset($aid) && is_numeric($aid)) ? $aid : 0;
if($aid==0) die(" document.write(‘Request Error!‘); ");

$cacheFile = DEDEDATA.‘/cache/mytag-‘.$aid.‘.htm‘;
//die(var_dump($cacheFile));
if( isset($nocache) || !file_exists($cacheFile) || time() - filemtime($cacheFile) > $cfg_puccache_time )
{ 
    $pv = new PartView();
    $row = $pv->dsql->GetOne(" SELECT * FROM `#@__mytag` WHERE aid=‘$aid‘ ");
    if(!is_array($row))
    {
        $myvalues = "<!--\r\ndocument.write(‘Not found input!‘);\r\n-->";
    }
    else
    {
        $tagbody = ‘‘;
        if($row[‘timeset‘]==0)
        {
            $tagbody = $row[‘normbody‘];
        }
        else
        {
            $ntime = time();
            if($ntime>$row[‘endtime‘] || $ntime < $row[‘starttime‘]) {
                $tagbody = $row[‘expbody‘];
            }
            else {
                $tagbody = $row[‘normbody‘];
            }
        }

        find_tag_payload($tagbody, $aid);

        $pv->SetTemplet($tagbody, ‘string‘);
    ...