齐博CMS (Qibo CMS) second-order injection 3

Category: 漏洞时代 (Vulnerability Era)


Vulnerability author: Power

In /news/js.php:

```php
if($type=='hot'||$type=='com'||$type=='new'||$type=='lastview'||$type=='like') {
  if($f_id)
  {
    if(is_numeric($f_id)){
      $SQL=" fid=$f_id ";
    }else{
      $detail=explode(",",$f_id);
      $SQL=" fid IN ( ".implode(",",$detail)." ) ";
    }
  }
  else
  {
    $SQL=" 1 ";
  }

  if($type=='com')
  {
    $SQL.=" AND levels=1 ";
    $ORDER=' list ';
    $_INDEX=" USE INDEX ( list ) ";
  }
  elseif($type=='hot')
  {
    $ORDER=' hits ';
    $_INDEX=" USE INDEX ( hits ) ";
  }
  elseif($type=='new')
  {
    $ORDER=' list ';
    $_INDEX=" USE INDEX ( list ) ";
  }
  elseif($type=='lastview')
  {
    $ORDER=' lastview ';
    $_INDEX=" USE INDEX ( lastview ) ";
  }
  elseif($type=='like')
  {
    $SQL.=" AND id!='$id' ";
    if(!$keyword)
    {
      // second-order source: the stored keywords of the article are read back
      // from the database and reused below without any escaping
      extract($db->get_one("SELECT keywords AS keyword FROM {$_pre}content WHERE id='$id'"));
    }

    if($keyword){
      $SQL.=" AND ( ";
      $keyword=urldecode($keyword);   // URLDECODE decoding
      $detail=explode(" ",$keyword);  // splits on spaces, which is why the payload must avoid them
      unset($detail2);
      foreach( $detail AS $key=>$value){
        // each token is interpolated directly into the LIKE pattern
        $detail2[]=" BINARY title LIKE '%$value%' ";
      }
      $str=implode(" OR ",$detail2);
      $SQL.=" $str ) ";
    }else{
      $SQL.=" AND 0 ";
    }

    $_INDEX=" USE INDEX ( list ) ";
    $ORDER=' list ';
  }

  $SQL=" $_INDEX WHERE $SQL AND yz=1 ORDER BY $ORDER DESC LIMIT $rows";

  $which='*';
  $_target=$target?'_blank':'_self';
  if($path){
    $_path=preg_replace("/(.*)//([^//]+)/is","//1/",$WEBURL);
  }
  if($icon==1){
    $_icon="·";
  }else{
    $_icon="&nbsp;";
  }

  $listdb=listcontent($SQL,$which,$leng);
  foreach($listdb AS $key=>$rs)
  {
    $show.="$_icon<A target='$_target' HREF='{$_path}bencandy.php?fid=$rs[fid]&id=$rs[id]' title='$rs[full_title]'>$rs[title]</A><br>";
  }
  if(!$show){
    $show="暂无...";
  }
```

At first it kept failing; only later did I notice that in the code below $keyword is passed to explode(), which splits it on spaces, so /**/ is used in place of spaces.

```php
if($keyword){
  $SQL.=" AND ( ";
  $keyword=urldecode($keyword);
  $detail=explode(" ",$keyword);
  unset($detail2);
  foreach( $detail AS $key=>$value){
    $detail2[]=" BINARY title LIKE '%$value%' ";
  }
  $str=implode(" OR ",$detail2);
  $SQL.=" $str ) ";
}else{
  $SQL.=" AND 0 ";
}
```
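The following is an added example, not code from Qibo CMS or from the author of this report. It rebuilds the keyword-to-SQL path shown above as two functions: the first reproduces the page's string construction so the sink is visible, the second is a hardened form in which every keyword token (whether it came from the request or was read back from the database) is bound as a query parameter and its LIKE metacharacters are escaped. The PDO connection, the constructed table name `qb_content`, and the function names are assumptions; the column names `title`, `keywords`, `fid`, `yz` and `list` are those used in the listing above.

```php
<?php
// Added example (not Qibo CMS code). Assumes a PDO connection to MySQL and a
// table qb_content with columns id, fid, title, keywords, yz, list.
declare(strict_types=1);

// Mirrors the page's construction: the keyword is urldecoded, split on spaces
// and interpolated into LIKE patterns with no escaping. Kept only to show the
// sink; the hardened form below replaces it.
function buildVulnerableWhere(string $keyword): string
{
    $keyword = urldecode($keyword);     // undoes escaping applied at input time
    $detail  = explode(" ", $keyword);  // the split the author had to work around
    $parts   = [];
    foreach ($detail as $value) {
        $parts[] = " BINARY title LIKE '%$value%' ";
    }
    return " AND ( " . implode(" OR ", $parts) . " ) ";
}

// Escape LIKE wildcards so a token cannot widen the pattern; the backslash is
// declared as the escape character in the query below.
function escapeLikeWildcards(string $s): string
{
    return strtr($s, ['\\' => '\\\\', '%' => '\\%', '_' => '\\_']);
}

// Split the keyword exactly as the original does (on spaces) but drop empty
// tokens, so a leading or doubled space does not produce LIKE '%%'.
function tokenizeKeyword(string $keyword): array
{
    return array_values(array_filter(explode(" ", $keyword), 'strlen'));
}

// Hardened form: no urldecode, no interpolation. Each token is a bound
// parameter, so a value stored in the keywords column (second-order source)
// is treated as data even though insert-time escaping does not survive
// retrieval. $excludeId and $limit are bound as integers.
function buildSafeQuery(PDO $pdo, string $keyword, int $excludeId, int $limit): PDOStatement
{
    $tokens = tokenizeKeyword($keyword);
    if ($tokens === []) {
        // Page behaviour for an empty keyword is "AND 0": match nothing.
        $stmt = $pdo->prepare("SELECT id, fid, title FROM qb_content WHERE 0");
        $stmt->execute();
        return $stmt;
    }

    $clauses = [];
    $params  = [':id' => $excludeId, ':limit' => $limit];
    foreach ($tokens as $i => $token) {
        $clauses[]       = "BINARY title LIKE :kw$i ESCAPE '\\\\'";
        $params[":kw$i"] = '%' . escapeLikeWildcards($token) . '%';
    }

    $sql = "SELECT id, fid, title FROM qb_content"
         . " WHERE id != :id AND (" . implode(" OR ", $clauses) . ") AND yz = 1"
         . " ORDER BY list DESC LIMIT :limit";

    $stmt = $pdo->prepare($sql);
    foreach ($params as $name => $value) {
        $stmt->bindValue($name, $value, is_int($value) ? PDO::PARAM_INT : PDO::PARAM_STR);
    }
    $stmt->execute();
    return $stmt;
}

// Usage (assumed DSN and credentials):
// $pdo  = new PDO('mysql:host=127.0.0.1;dbname=qibo;charset=utf8mb4', 'user', 'pass');
// $stmt = buildSafeQuery($pdo, $storedKeywords, $currentId, 10);
// foreach ($stmt as $row) { /* render $row['title'] */ }
```

Two details carry the fix: the `urldecode()` call is dropped, because decoding after input escaping is what lets an encoded quote reach the query, and the value read back from `keywords` goes through the same binding as a request value, which is the property a second-order injection relies on being absent. The `$id` and `$f_id` values that the listing above also interpolates directly should be bound in the same way (`$f_id` as a list of integers after `is_numeric` checks).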

Proof of vulnerability:

Again using one of the sites listed among Qibo's success cases:

http://tongyuxian.com/

