来源:自学PHP网 时间:2015-04-15 15:00 作者: 阅读:次
[导读] 去官网下载了最新版本并打上了最新补丁后审计出来几处漏洞。先提交2个gpc=off的注射,该程序还有getshell看看厂商的态度再考虑发不发。1 cp_profile php 隐私$inserts = array();foreach ($_POST[ 3...
|
去官网下载了最新版本并打上了最新补丁后审计出来几处漏洞。先提交2个gpc=off的注射,该程序还有getshell看看厂商的态度再考虑发不发。
//隐私
$inserts = array();
foreach ($_POST['friend'] as $key => $value) {
$value = intval($value);
$inserts[] = "('base','$key','$space[uid]','$value')";
}
if($inserts) {
$_SGLOBAL['db']->query("DELETE FROM ".tname('spaceinfo')." WHERE uid='$space[uid]' AND type='base'");
$_SGLOBAL['db']->query("INSERT INTO ".tname('spaceinfo')." (type,subtype,uid,friend)
VALUES ".implode(',', $inserts));
}
第二处注入:cp_privacy.php
foreach ($filter_note as $key => $value) {
list($type, $uid) = explode('|', $key);
$types[$key] = $type;
$uids[$key] = $uid;
if(is_numeric($type)) {
$appids[$key] = $type;
}
}
if($uids) {
$query = $_SGLOBAL['db']->query("SELECT uid, username FROM ".tname('space')." WHERE uid IN (".simplode($uids).")");
while ($value = $_SGLOBAL['db']->fetch_array($query)) {
$users[$value['uid']] = $value['username'];
}
}
修复方案:key也过滤下 |
自学PHP网专注网站建设学习,PHP程序学习,平面设计学习,以及操作系统学习
京ICP备14009008号-1@版权所有www.zixuephp.com
网站声明:本站所有视频,教程都由网友上传,站长收集和分享给大家学习使用,如由牵扯版权问题请联系站长邮箱904561283@qq.com
