The wind phase with the guestbook v3.2 build 091201 vulnerability

2009-12-26T00:00:00
ID MYHACK58:62200925721
Type myhack58
Reporter Anonymous
Modified 2009-12-26T00:00:00

Description

Wind phase with the guestbook v3.2 build 091201 multiple vulnerabilities

Download Script : http://down.chinaz.com/soft/22331.htm

Author : bl4ck

Contact : bl4ck[4t]live[dot]cn

Blog : http://user.qzone.qq.com/271174530

Dork : No DoRk f0R ScRipT KiDDieS

Description :

This system is newly written and has many vulnerabilities; I will not go into the common injection vulnerabilities.

Today I will only talk about the password-change vulnerability, which tormented me for a day. As for why, everyone can test it for themselves; I will not give the specific test details.

admin.php code

    if ($do == 'passmod') {
        $password = isset($_POST['password']) ? $_POST['password'] : '';
        $oldpassword = isset($_POST['oldpassword']) ? $_POST['oldpassword'] : '';
        $oldpass = isset($_POST['oldpass']) ? $_POST['oldpass'] : '';
        if (empty($oldpassword)) {
            forward('old password cannot be empty!', $methd='', $url = '');
        }
        if (empty($password)) {
            forward('new password cannot be empty!', $methd='', $url = '');
        }
        if (md5($oldpassword) != $oldpass) {
            forward('old password incorrect!', $methd='', $url = '');
        }

        // Check whether the password was changed: if so, MD5-hash it; otherwise keep the original value
        if ($password == $oldpassword) {
            $newpassword = $oldpass;
        } else {
            $newpassword = md5($password);
        }
        $DB->query("update {$db_prefix}admin set password='$newpassword' where id=1");
        session_destroy();
        //forward('password changed successfully, please re-login!', $methd='href', $url = 'admin.php?do=manage');
        die("<script>window.alert('password changed successfully, please re-login!');window.document.location.href='admin.php?do=manage';</script>");
    }
    ?>

Here all of the password values, including the $oldpass hash that the old password is compared against, arrive via POST, so whatever we submit is what gets updated.
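
For comparison, a hardened version of the same handler, as an added example that is not the guestbook's code: the reference hash is read from the database instead of the request, and the update is bound as a parameter. The function name, the admin_id session key, the gb_ prefix and the SQLite demo data are assumptions made for illustration.

```php
<?php
// Added example, not the guestbook's own code. Assumptions: a PDO handle,
// a session entry 'admin_id' set at login, and a trusted table prefix.
function change_admin_password(PDO $db, array $session, array $post, string $prefix): string
{
    // 1. Only an authenticated admin session may change the password.
    if (empty($session['admin_id'])) {
        return 'not logged in';
    }
    $old = (string)($post['oldpassword'] ?? '');
    $new = (string)($post['password'] ?? '');
    if ($old === '' || $new === '') {
        return 'old and new password are required';
    }
    // 2. The reference hash comes from the database, never from the request.
    //    $prefix is configuration, not user input, so it may be interpolated.
    $stmt = $db->prepare("SELECT password FROM {$prefix}admin WHERE id = ?");
    $stmt->execute([$session['admin_id']]);
    $stored = $stmt->fetchColumn();
    if ($stored === false || !password_verify($old, $stored)) {
        return 'old password incorrect';
    }
    // 3. Store a salted hash and bind every value as a query parameter.
    $upd = $db->prepare("UPDATE {$prefix}admin SET password = ? WHERE id = ?");
    $upd->execute([password_hash($new, PASSWORD_DEFAULT), $session['admin_id']]);
    return 'ok';
}

// Constructed demo data: in-memory SQLite standing in for the real database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE gb_admin (id INTEGER PRIMARY KEY, password TEXT)');
$db->prepare('INSERT INTO gb_admin VALUES (1, ?)')
   ->execute([password_hash('current-pass', PASSWORD_DEFAULT)]);

$admin = ['admin_id' => 1];
// Case 1: wrong old password plus a client-supplied 'oldpass' field, which is ignored.
$extra = ['oldpassword' => 'wrong', 'oldpass' => 'client-supplied-value', 'password' => 'n3w'];
var_dump(change_admin_password($db, $admin, $extra, 'gb_'));
// Case 2: same request without an authenticated session.
var_dump(change_admin_password($db, [], $extra, 'gb_'));
// Case 3: authenticated admin who knows the current password.
$valid = ['oldpassword' => 'current-pass', 'password' => 'n3w-long-passphrase'];
var_dump(change_admin_password($db, $admin, $valid, 'gb_'));
```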