Fengcms SQL injection & arbitrary file read vulnerability


Vulnerability author: catchermana

Fengcms SQL injection & arbitrary file read & XSS.

In Searchcontrol (the search controller):

[php]
if(!empty($_POST)){
    if(URL_TYPE==1){
        // $_POST['project'] and $_POST['tags'] are written straight into the
        // content="..." attribute of the meta refresh tag, with no encoding
        echo '<meta http-equiv="refresh" content="0;url='.(($_POST['project'])?'?controller=search&project='.$_POST['project'].'&tags='.$_POST['tags']:'/tags/'.$_POST['tags'].'.html').'">';
    }else{
        // same pattern for the non-rewrite URL mode
        echo '<meta http-equiv="refresh" content="0;url=?controller=search'.(($_POST['project'])?'&project='.$_POST['project'].'&tags='.$_POST['tags']).'.html">';
    }
}else{
    // ... (the rest of the controller is not shown on the page)
[/php]

$_POST['tags'] (and $_POST['project']) is echoed directly, so this is a reflected XSS: the value lands inside a double-quoted `content` attribute, and a `"` in it closes the attribute and lets the rest of the input become HTML. Because the input arrives via POST, a victim has to be made to submit a form to the search controller (for example from an attacker-controlled page).
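The following is an added example of how the redirect above can be rewritten so that user input never reaches an HTML attribute; it is not Fengcms code. It assumes `URL_TYPE` is defined as in the original, and `sanitize_segment()` and `build_search_url()` are hypothetical helpers introduced here. The allowed character class is an assumption about what a tag or project name should look like.

```php
<?php
// Added example, not Fengcms code: a hardened version of the search redirect.
// Assumptions: URL_TYPE is defined by the application as in the original;
// sanitize_segment() and build_search_url() are helpers introduced here.

declare(strict_types=1);

// Accept only letters (including CJK), digits, underscore and dash, so the
// value can neither break out of the URL nor of any surrounding markup.
// The character class and length limit are assumptions for this example.
function sanitize_segment(string $value, int $maxLen = 64): string
{
    $value = trim($value);
    if ($value === '' || strlen($value) > $maxLen) {
        return '';
    }
    if (!preg_match('/^[\p{L}\p{N}_-]+$/u', $value)) {
        return '';
    }
    return $value;
}

// Build the same two URL shapes the original emits, but with every
// user-supplied segment validated and URL-encoded.
function build_search_url(bool $rewriteUrls, string $project, string $tags): string
{
    $project = sanitize_segment($project);
    $tags    = sanitize_segment($tags);
    if ($tags === '') {
        return '/';                      // nothing to search for: go home
    }
    if ($rewriteUrls) {                  // URL_TYPE == 1 branch of the original
        return $project !== ''
            ? '?controller=search&project=' . rawurlencode($project) . '&tags=' . rawurlencode($tags)
            : '/tags/' . rawurlencode($tags) . '.html';
    }
    return '?controller=search'
        . ($project !== '' ? '&project=' . rawurlencode($project) : '')
        . '&tags=' . rawurlencode($tags) . '.html';
}

if (!empty($_POST)) {
    $url = build_search_url(
        URL_TYPE == 1,
        (string)($_POST['project'] ?? ''),
        (string)($_POST['tags'] ?? '')
    );
    // An HTTP redirect avoids embedding user input in an HTML page at all.
    header('Location: ' . $url, true, 303);
    exit;
}
```

If the meta refresh tag has to be kept for some reason, the URL must still be passed through `htmlspecialchars($url, ENT_QUOTES)` before being placed in the attribute; the allowlist alone is the first line of defence, the encoding is the second.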
In downcontrol (the download controller):

[php]
// the file name is base64-decoded, so "../" sequences in the decoded value
// are invisible to any filter that only looks at the raw parameter
$_GET['file']=base64_decode($_GET['file']);

// the decoded value is concatenated onto ROOT_PATH with no normalisation or
// containment check, so a traversal path reaches any file the web-server
// user can read
if(file_exists(ROOT_PATH.$_GET['file'])){
    header("Content-Type: application/force-download");
    header("Content-Disposition: attachment; filename=".basename($_GET['file']));
    readfile(ROOT_PATH.$_GET['file']);
}else{
    echo '<script type="text/javascript">alert("您要下载的文件不存在!");history.back();</script>'; // "The file you want to download does not exist!"
}
} // closes an enclosing block not shown on the page
} // closes an enclosing block not shown on the page
[/php]
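The following is an added example, not Fengcms code, showing the containment check the download controller is missing: the decoded name is resolved against a fixed download directory with `realpath()`, and the file is served only if the resolved path is still inside that directory. It assumes `ROOT_PATH` is defined as in the original (ending in a directory separator, as the original's concatenation implies), that downloadable files live in a hypothetical `downloads` subdirectory, and `resolve_download_path()` is a helper introduced here.

```php
<?php
// Added example, not Fengcms code: path containment for the download controller.
// Assumptions: ROOT_PATH is defined by the application and ends with a
// separator; "downloads" is a hypothetical directory holding all servable
// files; resolve_download_path() is a helper introduced here.

declare(strict_types=1);

/**
 * Decode a client-supplied base64 file name, resolve it against $baseDir and
 * return the absolute path only if it is a regular file inside $baseDir.
 * Returns null on any failure, so the caller has a single branch to handle.
 */
function resolve_download_path(string $baseDir, string $encoded): ?string
{
    // strict mode rejects input that is not valid base64 instead of guessing
    $relative = base64_decode($encoded, true);
    if ($relative === false || $relative === '' || strpos($relative, "\0") !== false) {
        return null;
    }

    $base = realpath($baseDir);
    if ($base === false) {
        return null;                     // download directory missing: fail closed
    }

    // realpath() collapses "." / ".." segments and follows symlinks, and
    // returns false if the target does not exist
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $relative);
    if ($candidate === false || !is_file($candidate)) {
        return null;
    }

    // Compare with the trailing separator included, otherwise a sibling
    // directory such as "/srv/app/downloads2" would pass for "/srv/app/downloads".
    if (strpos($candidate, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $candidate;
}

$path = resolve_download_path(ROOT_PATH . 'downloads', (string)($_GET['file'] ?? ''));
if ($path === null) {
    http_response_code(404);
    echo 'The requested file does not exist.';
    exit;
}

header('Content-Type: application/octet-stream');
// RFC 5987 encoding keeps quotes and non-ASCII in the file name from
// corrupting the header
header("Content-Disposition: attachment; filename*=UTF-8''" . rawurlencode(basename($path)));
header('Content-Length: ' . (string)filesize($path));
readfile($path);
```

Two details matter in practice: the check must be done on the result of `realpath()`, not on the decoded string (a string check for `../` misses symlinks and encoded variants), and the base directory must be one that contains only files meant for download, never `ROOT_PATH` itself, because configuration files under the web root are exactly what an attacker goes for.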

Proof of vulnerability:

[Three proof-of-concept screenshots were attached here; only their alt text, "Fengcms SQL injection & 读取任意文件漏洞", survives on the page.]
