PHP168 V6.01/6.02 privilege escalation and path disclosure vulnerability - vulnerability warning - myhack58 (黑吧安全网)

ID MYHACK58:62201028587
Type myhack58
Reporter Anonymous (佚名)
Modified 2010-12-16T00:00:00


PHP168 is a whole-site system that is currently the most powerful site-building system in the PHP field. Its code is fully open source, so secondary development is extremely convenient; every module can be freely installed or removed, and it is completely free for individual users.

PHPCMS V6.01 has a serious security issue.

Register an account and enter the member center. Visit the page in question (its URL is not given here) and you will see the following words:

Your current level is Ordinary Member. The level you will purchase is Super Administrator. Points required: 0

Click Buy, and the page returns something like "Your current level is Super Administrator". Go back to the member center to check. Then find the backend login, and a shell can be obtained.
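The symptom above (an ordinary member is offered the Super Administrator level for 0 points and receives it on purchase) is what a level-purchase handler produces when it trusts the client-chosen target group and checks only the point balance. The following is an added illustration written for this page, not PHP168's own code: a handler with that weakness beside a hardened one that keeps the list of purchasable groups on the server and refuses administrative groups regardless of price. The group ids, names, prices and the user record are constructed sample data, and every function name is an assumption.

```php
<?php
// Added illustration, not PHP168's code. Constructed group table and user
// record stand in for the database; function names are assumptions.
declare(strict_types=1);

const GROUP_ORDINARY    = 1;   // constructed ids
const GROUP_VIP         = 2;
const GROUP_SUPER_ADMIN = 3;

// Constructed stand-in for the user-group table.
$GROUPS = [
    GROUP_ORDINARY    => ['name' => 'Ordinary Member',     'points' => 0,   'admin' => false],
    GROUP_VIP         => ['name' => 'VIP Member',          'points' => 100, 'admin' => true ? false : false],
    GROUP_SUPER_ADMIN => ['name' => 'Super Administrator', 'points' => 0,   'admin' => true],
];

// Weak pattern: only the price is checked, so an admin group priced at
// 0 points is treated as purchasable by anyone.
function buyLevelWeak(array $user, int $target, array $groups): array
{
    $cost = $groups[$target]['points'] ?? PHP_INT_MAX;
    if ($user['points'] >= $cost) {
        $user['points'] -= $cost;
        $user['group']   = $target;
    }
    return $user;
}

// Hardened pattern: the server decides what may be bought. Admin groups are
// never in the allowlist, whatever their price.
function purchasableGroups(array $groups): array
{
    return array_filter($groups, fn(array $g): bool => !$g['admin']);
}

function buyLevelHardened(array $user, int $target, array $groups): array
{
    $allowed = purchasableGroups($groups);
    if (!isset($allowed[$target])) {
        throw new DomainException('level is not purchasable');
    }
    if ($target === $user['group']) {
        throw new DomainException('already at this level');
    }
    $cost = $allowed[$target]['points'];
    if ($user['points'] < $cost) {
        throw new DomainException('insufficient points');
    }
    // Deduct and assign together; in a real application wrap both writes in
    // one database transaction so they cannot be split.
    $user['points'] -= $cost;
    $user['group']   = $target;
    return $user;
}

// Building the purchase page from the same allowlist means an admin level is
// never shown as an option in the first place.
function renderPurchaseOptions(array $user, array $groups): array
{
    $out = [];
    foreach (purchasableGroups($groups) as $id => $g) {
        if ($id !== $user['group']) {
            $out[] = sprintf('%s (%d points)', $g['name'], $g['points']);
        }
    }
    return $out;
}

// Demo with the constructed data: an ordinary member with no points asks for
// the admin group. The weak handler moves the member into it; the hardened
// handler refuses.
$member = ['id' => 42, 'group' => GROUP_ORDINARY, 'points' => 0];
$weak = buyLevelWeak($member, GROUP_SUPER_ADMIN, $GROUPS);
echo 'weak handler assigned group ', $weak['group'], PHP_EOL;
try {
    buyLevelHardened($member, GROUP_SUPER_ADMIN, $GROUPS);
} catch (DomainException $e) {
    echo 'hardened handler refused: ', $e->getMessage(), PHP_EOL;
}
echo implode(', ', renderPurchaseOptions($member, $GROUPS)), PHP_EOL;
```

The decisive check is the allowlist in purchasableGroups(): whether a group can be bought is a property the server owns, and the price is consulted only after that decision. Rendering the options from the same allowlist closes the gap between what the page offers and what the handler accepts.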

Ways to make PHP disclose a page's absolute path:

1. Add a single quote ('). This is the most commonly used method.
2. Change the type of a variable parameter, e.g. id=1 to id=a. Sometimes very effective.
3. Append extra data, e.g. id=1 to id=1111111111111111111111...... Sometimes very effective.
4. text.php?aa[]=xx
5. Use PHP's max_execution_time; the absolute path can be displayed. The chance of this is very small; it works when testing while the server is under heavy load.
6. benchmark(999999999999999999,md5('test')). BENCHMARK(count,expr): the BENCHMARK() function executes the expression expr count times; it can be used to time how fast MySQL processes the expression. The result value is always 0. Example: id=1 union select 1,benchmark(500000,md5('test')),1 from user where userid=1 and ord(substring(username,1,1))=97 /* Using this function you can carry out a denial-of-service attack! ,1,benchmark(99999999,md5(0x41)), but the premise remains that injection must be possible.

PHP168 path disclosure vulnerability, tested successfully on V6.02 and above:

do/cutimg.php?action=cutimg&uploadfile=php168/mysql_config.php
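The tricks in the numbered list above and the cutimg.php request share one root cause: a parameter of an unexpected type or a non-image file makes PHP or MySQL emit an error, and when that error reaches the browser it carries the script's absolute path. The following is an added illustration written for this page, not PHP168's code and not its fix: a handler with that weakness beside a hardened one that rejects wrongly typed parameters, confines the file name to the upload directory, and keeps error detail in the log rather than the response. The function names, the upload directory, the log path and the request shape are assumptions; the sample inputs in the demo are constructed.

```php
<?php
// Added illustration, not PHP168's code. Function names, upload directory,
// log path and request shape are assumptions; demo inputs are constructed.
declare(strict_types=1);

// Production setting (normally in php.ini): never render errors into the
// page; log them instead. With display_errors on, every warning below would
// print "... in /absolute/path/to/script.php on line N".
ini_set('display_errors', '0');
ini_set('log_errors', '1');
ini_set('error_log', '/var/log/php/app.log');   // assumed log location

// Weak handler: the client-controlled file name goes straight to
// getimagesize(). A non-image such as a config file makes it fail with a
// warning that, on a host with display_errors=1, discloses this script's path.
function cutImageWeak(string $uploadfile): ?array
{
    $info = getimagesize($uploadfile);
    return $info === false ? null : $info;
}

// Strict integer parameter: rejects id=a, id=1', id[]=x, "1 1 1 1 ..." and
// oversized values before they reach a query or a file function.
function requireInt($value, int $max = PHP_INT_MAX): int
{
    if (!is_string($value) || !preg_match('/\A[0-9]{1,18}\z/', $value)) {
        throw new InvalidArgumentException('expected an integer parameter');
    }
    $n = (int) $value;
    if ($n > $max) {
        throw new InvalidArgumentException('parameter out of range');
    }
    return $n;
}

// Hardened handler: confine the file to the upload directory, allow only
// image extensions, and probe it without emitting a warning.
function cutImageHardened(string $uploadfile, string $uploadRoot): ?array
{
    if ($uploadfile === '' || strpos($uploadfile, "\0") !== false) {
        return null;
    }
    $root = realpath($uploadRoot);
    $real = realpath($uploadRoot . DIRECTORY_SEPARATOR . $uploadfile);
    if ($root === false || $real === false
        || strncmp($real, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        return null;                                   // outside the upload tree
    }
    $ext = strtolower(pathinfo($real, PATHINFO_EXTENSION));
    if (!in_array($ext, ['jpg', 'jpeg', 'png', 'gif'], true)) {
        return null;                                   // e.g. a .php config file
    }
    // Local suppression as well, so a corrupt image cannot leak the path even
    // on a misconfigured host; the false return is handled explicitly.
    $info = @getimagesize($real);
    return $info === false ? null : $info;
}

// One generic error response for every failure: detail goes to the log, the
// client sees neither a path nor SQL text.
function failSafely(string $logMessage): void
{
    error_log($logMessage);
    http_response_code(400);
    echo 'Invalid request.';
}

// Demo with constructed parameter values (no HTTP request needed).
foreach (['1', 'a', "1'", ['xx'], '1111111111111111111111'] as $sample) {
    try {
        requireInt($sample);
        echo 'accepted ', var_export($sample, true), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo 'rejected ', var_export($sample, true), ': ', $e->getMessage(), PHP_EOL;
    }
}

// Assumed request handling, mirroring the cutimg.php parameter name:
// $file = $_GET['uploadfile'] ?? '';
// $info = is_string($file) ? cutImageHardened($file, __DIR__ . '/uploads') : null;
// if ($info === null) { failSafely('cutimg rejected: ' . var_export($file, true)); exit; }
```

The realpath() comparison is what stops a name such as php168/mysql_config.php or ../config.php from resolving anywhere but under the upload directory, and the extension allowlist rejects a non-image even if it is inside that directory. Disabling display_errors is still the control that matters most, because it removes the path from every error the application did not anticipate.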