
Open redirect и обход авторизации (SA-CORE-2015-001). Обход: до патча токен в user_pass_rehash() считался как md5($timestamp . $password . $login) — без секретного ключа сайта и без uid; после патча это HMAC (drupal_hmac_base64) с ключом drupal_get_private_key() . $password и с uid в подписываемом сообщении. В плане эксплуатации имеются серьезные ограничения.
https://www.drupal.org/SA-CORE-2015-001
Байпас (modules/user/user.module)
До
PHP код:
/**
 * Pre-SA-CORE-2015-001 version of the hash returned to user_pass_rehash()
 * callers (presumably the one-time login / password-reset token; verify
 * against the callers).
 *
 * The value is a bare md5() over the three arguments: no site-specific
 * secret and no account id take part in the computation. The patched
 * version adds both, which is what the advisory fix relies on.
 *
 * @param $password  Password value for the account (the patched version
 *   compares it against users.pass, so this looks like the stored hash
 *   rather than clear text — confirm).
 * @param $timestamp Time the token was issued.
 * @param $login     Account login time.
 *
 * @return string 32-character hex md5 of timestamp . password . login.
 */
function user_pass_rehash($password, $timestamp, $login) {
  // Concatenation order is timestamp, password, login — no separators.
  $material = implode('', array($timestamp, $password, $login));
  return md5($material);
}
После
PHP код:
/**
 * Patched (SA-CORE-2015-001) hash returned to user_pass_rehash() callers.
 *
 * The result is an HMAC over timestamp . login . uid, keyed with the site
 * private key followed by $password, so it can no longer be recomputed from
 * the three pre-patch inputs alone.
 *
 * @param $password  Value compared against users.pass when $uid is missing
 *   (so presumably the stored password hash, not clear text — confirm).
 * @param $timestamp Time the token was issued; part of the signed message.
 * @param $login     Account login time; part of the signed message.
 * @param $uid       Account id. It is a required parameter: a legacy caller
 *   that omits it gets a PHP warning, and the function then tries to recover
 *   the id from $password and $login. Anything but exactly one matching
 *   account yields a random string instead of a hash.
 *
 * @return string The base64 HMAC, or a random key that will never validate.
 */
function user_pass_rehash($password, $timestamp, $login, $uid) {
  if (!isset($uid)) {
    // Legacy caller: look the account up by password and login time.
    // Only two rows are fetched, because "more than one" is all that needs
    // to be distinguished from "exactly one".
    $candidate_uids = array();
    $result = db_query_range("SELECT uid FROM {users} WHERE pass = '%s' AND login = '%s' AND uid > 0", $password, $login, 0, 2);
    while ($record = db_fetch_array($result)) {
      $candidate_uids[] = $record['uid'];
    }
    // Zero or several candidates: there is no safe hash to return. A fresh
    // random key is handed back so the caller never sees a usable token.
    if (count($candidate_uids) != 1) {
      return drupal_random_key();
    }
    $uid = reset($candidate_uids);
  }
  // Message: timestamp . login . uid. Key: site private key . $password.
  return drupal_hmac_base64($timestamp . $login . $uid, drupal_get_private_key() . $password);
}
Open redirect (ORed) — includes/bootstrap.inc: значения destination, указывающие на внешний URL, удаляются из $_GET и $_REQUEST до того, как на них успеет опереться drupal_goto() или другой код.
PHP код:
// Open-redirect hardening for the 'destination' parameter (SA-CORE-2015-001).
// Every copy of the parameter that redirect code is known to read —
// $_GET['destination'], $_REQUEST['destination'] and
// $_REQUEST['edit']['destination'] — is dropped when it points off-site.
// $_POST is deliberately left untouched so unrelated form submissions keep
// working. This runs here rather than earlier because menu_path_is_external()
// needs the variable system to be up.
// NOTE(review): the whole defence rests on menu_path_is_external() classifying
// every external form (absolute URL, scheme-relative "//host", etc.) — its
// implementation is not shown here; confirm.
if (isset($_GET['destination']) || isset($_REQUEST['destination']) || isset($_REQUEST['edit']['destination'])) {
  require_once './includes/menu.inc';
  drupal_load('module', 'filter');

  // An external $_GET['destination'] is removed together with its
  // $_REQUEST mirror.
  if (isset($_GET['destination']) && menu_path_is_external($_GET['destination'])) {
    unset($_GET['destination'], $_REQUEST['destination']);
  }

  // Whatever is left in $_REQUEST['destination'] that did not come from
  // $_GET (no GET value, or a different one) gets its own check.
  if (isset($_REQUEST['destination'])) {
    $mirrors_get = isset($_GET['destination']) && $_REQUEST['destination'] == $_GET['destination'];
    if (!$mirrors_get && menu_path_is_external($_REQUEST['destination'])) {
      unset($_REQUEST['destination']);
    }
  }

  // The nested form variant is checked independently of the two above.
  if (isset($_REQUEST['edit']['destination']) && menu_path_is_external($_REQUEST['edit']['destination'])) {
    unset($_REQUEST['edit']['destination']);
  }
}