
phpcms2008 vulnerabilities

WBOY, 2016-06-13 10:40:13


Below are several vulnerabilities that the vendor has still not patched.

http://www.tmdsb.com/flash_upload.php?modelid=1

Injection vulnerability

    <?php
    require dirname(__FILE__).'/include/common.inc.php';
    if($PHPSESSID) {
        session_id($PHPSESSID);
        session_start();
    }
    if($auth) set_cookie('auth', $auth);
    if(!get_cookie('cookietime') && $cookietime) set_cookie('cookietime', $cookietime);
    require_once 'admin/model_field.class.php';
    // Highlighted in red in the original: $modelid (modelid in the URL above) is passed to the constructor as-is
    $field = new model_field($modelid);
    $info = $field->get($fieldid);


The problem is in the part highlighted in red. Let's follow it into the constructor:

    function __construct($modelid)
    {
        global $db;
        $this->db = &$db;
        $this->table = DB_PRE.'model_field';
        echo($modelid);
        // Highlighted in red in the original: $modelid is concatenated into the query unfiltered
        $model = $this->db->get_one("SELECT * FROM ".DB_PRE."model WHERE modelid=$modelid");
        $this->modelid = $model['modelid'];
        $this->modelname = $model['name'];
        $this->fields =  cache_read($modelid.'_fields.inc.php', CACHE_MODEL_PATH);
        $this->tablename = DB_PRE.'c_'.$model['tablename'];
    }


The constructor runs a SELECT with $modelid in it, and filtering the value was forgotten.
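
One way to close this hole, as an added example that is not phpcms code and not part of the original article: validate modelid as a plain positive integer and bind it as a parameter instead of concatenating it into the SELECT. The demo_model table, its rows, the helper names and the use of PDO with an in-memory SQLite database are assumptions made so the example runs on its own.

```php
<?php
// Added example: not phpcms code. The table, rows and helper names are constructed.

// Accept only 1-9 ASCII digits; arrays (modelid[]=1), signs, spaces and
// trailing tokens are rejected before any SQL is built.
function normalize_modelid($raw): ?int
{
    if (is_int($raw)) {
        $raw = (string) $raw;
    }
    if (!is_string($raw) || !ctype_digit($raw) || strlen($raw) > 9) {
        return null;
    }
    $id = (int) $raw;
    return $id > 0 ? $id : null;
}

// Look the model up with a bound parameter, so the value is never SQL text.
function find_model(PDO $db, $rawModelid): ?array
{
    $id = normalize_modelid($rawModelid);
    if ($id === null) {
        return null;
    }
    $stmt = $db->prepare('SELECT * FROM demo_model WHERE modelid = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed in-memory database standing in for the model table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE demo_model (modelid INTEGER PRIMARY KEY, name TEXT, tablename TEXT)');
$db->exec("INSERT INTO demo_model VALUES (1, 'article', 'news'), (2, 'download', 'down')");

// Constructed request values, as they would arrive in the query string.
foreach (['1', '2', '3', '1 plus trailing text', '-1', '', ['1']] as $raw) {
    $model = find_model($db, $raw);
    printf("%-24s => %s\n", json_encode($raw), $model ? $model['name'] : 'rejected or not found');
}
```

Validation and parameter binding are deliberately both present: the first rejects malformed input early, the second keeps the query structure fixed even if a later change weakens the validation.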
