闲的蛋疼 看会代码
这个漏洞有点意思
./vote.php
if($_REQUEST['act']=='dovote')
{
$ok = false;
foreach($_REQUEST['name'] as $vote_ask_id=>$names) //便利name
{ //echo $vote_ask_id."||".$names;
foreach($names as $kk=>$name) // 再次便利 所以$_REQUEST['name']要是一个二维数组
{//echo "||$name";
if($name!='')
{
$ok = true;
}
}
}
if(!$ok)
{
showErr($GLOBALS['lang']['YOU_DONT_CHOICE']); //name必须不等于空哦 否则程序退出
}
$vote_id = intval($_REQUEST['vote_id']);
if(check_ipop_limit(get_client_ip(),"vote",3600,$vote_id)) //限制了ip当时不要紧 =下看下获取ip的代码 (防止刷票 一IP投票一次)
{
foreach($_REQUEST['name'] as $vote_ask_id=>$names) //和之前一样 重点是$vote_ask_id 继续向下看
{
foreach($names as $kk=>$name)
{
$name = htmlspecialchars(addslashes(trim($name)));
echo "<h5>".get_client_ip()."||id:$vote_ask_idsql:select * from ".DB_PREFIX."vote_result where name = '.$name.' and vote_id = .$vote_id. and vote_ask_id = .$vote_ask_id</h5>";
$result = $GLOBALS['db']->getRow("select * from ".DB_PREFIX."vote_result where name = '".$name."' and vote_id = ".$vote_id." and vote_ask_id = ".$vote_ask_id); //咦没 引号?$vote_ask_id 哦他妈ye
$is_add = true;
if($result)
{
$GLOBALS['db']->query("update ".DB_PREFIX."vote_result set count = count + 1 where name = '".$name."' and vote_id = ".$vote_id." and vote_ask_id = ".$vote_ask_id);
if(intval($GLOBALS['db']->affected_rows())!=0)
{
$is_add = false;
}
}
看下获取ip的代码
// 获取客户端IP地址
function get_client_ip(){ //可控哟 绕过就简单了
if (getenv("HTTP_CLIENT_IP") && strcasecmp(getenv("HTTP_CLIENT_IP"), "unknown"))
$ip = getenv("HTTP_CLIENT_IP");
else if (getenv("HTTP_X_FORWARDED_FOR") && strcasecmp(getenv("HTTP_X_FORWARDED_FOR"), "unknown"))
$ip = getenv("HTTP_X_FORWARDED_FOR");
else if (getenv("REMOTE_ADDR") && strcasecmp(getenv("REMOTE_ADDR"), "unknown"))
$ip = getenv("REMOTE_ADDR");
else if (isset($_SERVER['REMOTE_ADDR']) && $_SERVER['REMOTE_ADDR'] && strcasecmp($_SERVER['REMOTE_ADDR'], "unknown"))
$ip = $_SERVER['REMOTE_ADDR'];
else
$ip = "unknown";
return($ip);
}
构造地址:
http://127.0.0.1/www/es2/vote.php?act=dovote&name['][ss]=ss
exp就算了 懒的写了 大家自己发挥吧。。