An SQL injection in PHPMyWind

2015-06-01T00:00:00
ID SSV:94770
Type seebug
Reporter Root
Modified 2015-06-01T00:00:00

Description

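Brief description:

As the title says.

Detailed description:

Finger, could this be merged with the previous hole? It is similar. Vulnerable file: /member.php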

    else if($a == 'binding')
    {
        // Initialize parameters
        $username = empty($username) ? '' : $username;
        $password = empty($password) ? '' : md5(md5($password));

        // Validate input data
        if($username == '' or $password == '')
        {
            header('location:?c=binding');
            exit();
        }

        $row = $dosql->GetOne("SELECT `id`,`password`,`logintime`,`loginip`,`expval` FROM `#@__member` WHERE `username`='$username'");

        // Wrong password
        if(!is_array($row) or $password!=$row['password'])
        {
            ShowMsg('您输入的用户名或密码错误!','-1');
            exit();
        }
        else
        {
            if(check_app_login('qq'))
            {
                $r = $dosql->GetOne("SELECT `id` FROM `#@__member` WHERE `qqid`='".$_SESSION['app']['qq']['uid']."'");
                if(isset($r['id']))
                {
                    ShowMsg('该QQ已与其他账号绑定!','-1');
                }
                else
                {
                    $qqid = $_SESSION['app']['qq']['uid'];
                    $sql = "UPDATE `#@__member` SET `qqid`='$qqid' WHERE `username`='$username'";
                }
            }
            else if(check_app_login('weibo'))
            {
                $r = $dosql->GetOne("SELECT `id` FROM `#@__member` WHERE `qqid`='".$_SESSION['app']['weibo']['idstr']."'");
                if(isset($r['id']))
                {
                    ShowMsg('该微博已与其他账号绑定!','-1');
                }
                else
                {
                    $weiboid = $_SESSION['app']['weibo']['idstr'];
                    $sql = "UPDATE `#@__member` SET `weiboid`='$weiboid' WHERE `username`='$username'";
                }
            }
            $dosql->ExecNoneQuery($sql);

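$sql is not initialized: it is assigned only in the two inner else branches, but ExecNoneQuery($sql) runs whether or not either of them was taken.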
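As an added example (not PHPMyWind's code and not part of the original report), one way to restructure the binding step so that the statement is always a local return value and nothing runs when no branch produced one. The function name binding_update, the session-presence check standing in for check_app_login, and an executor that accepts `?` bound parameters are assumptions; the session keys, table and column names are the ones shown in the excerpt.

```php
<?php
// Added example: hardened shape of the 'binding' branch (hypothetical helper).

/**
 * Decide which UPDATE, if any, the binding step should run.
 * Returns [sql, params], or null when no third-party login is active.
 * The statement text comes only from constants in this function; values
 * travel as bound parameters; no request-populated global is ever read.
 */
function binding_update(array $session, string $username): ?array
{
    // Fixed map: provider => [session key holding the id, column to set].
    $providers = [
        'qq'    => ['uid',   'qqid'],
        'weibo' => ['idstr', 'weiboid'],
    ];
    foreach ($providers as $name => [$idKey, $column]) {
        // Assumption: a non-empty id in the session means "logged in via $name".
        $id = $session['app'][$name][$idKey] ?? null;
        if (is_string($id) && $id !== '') {
            return [
                "UPDATE `#@__member` SET `$column`=? WHERE `username`=?",
                [$id, $username],
            ];
        }
    }
    return null; // no branch matched: the caller must execute nothing
}

// Constructed inputs: one session with a QQ login, one with no provider.
$withQq  = ['app' => ['qq' => ['uid' => 'constructed-qq-uid']]];
$without = [];

foreach ([$withQq, $without] as $session) {
    $stmt = binding_update($session, 'alice');
    if ($stmt === null) {
        // This is the path on which the original ran an unset $sql.
        echo "no provider login: nothing executed\n";
        continue;
    }
    [$sql, $params] = $stmt;
    // A real caller would pass $sql and $params to a prepared-statement API.
    echo $sql, ' <= ', json_encode($params), "\n";
}
```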

Proof of vulnerability:

Proof: the username and password must be real ones.

<img src="https://images.seebug.org/upload/201505/291829491275b557854e8ed62af4544396ba7b76.png" alt="QQ图片20150529182909.png" width="600" onerror="javascript:errimg(this);">

<img src="https://images.seebug.org/upload/201505/291829564247c9966ea14618c59e272a381d5cc6.png" alt="12312382930.png" width="600" onerror="javascript:errimg(this);">