2011-10-09 11:51 eTopEIMS v1.0 vulnerabilities:
Author:mer4en7y
Team:90sec
blog:HdhCmsTesthi.baidu测试数据/alonecode
1) SQL injection. There are several injection points; only one is shown here, in news.php:
require_once('include/header.php');
// $_GET['id'] is used verbatim; the only check is that it is not empty
empty($_GET['id']) ? exit() : $nid = $_GET['id'];
// $nid is interpolated straight into the WHERE clause, with no cast or escaping
$result = $mysql->select($tablepre.'news','',"WHERE `nid` = $nid");
$record = $mysql->fetch($result,'1');
$views = $record['views'] + 1;
// the same unfiltered $nid reaches the UPDATE as well
$mysql->update($tablepre.'news',"`views` = $views","WHERE `nid` = $nid");
id is not filtered: whatever the client puts in the id parameter becomes part of both the SELECT and the UPDATE.
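The following is an added example, not code from eTopEIMS or its author: it reproduces the way news.php builds its WHERE clause so the effect of an unfiltered id is visible, and puts a hardened version of the same two statements beside it. It runs offline against an in-memory SQLite database; the real site uses MySQL through its own $mysql wrapper, which is not used here, and the table prefix etop_ is an assumption.

```php
<?php
// Added example (not eTopEIMS code). Assumed: PDO with the sqlite driver is
// available; the table prefix 'etop_' stands in for $tablepre.

// 1. The vulnerable pattern from news.php: $nid is pasted into the SQL as-is.
function vulnerable_where(string $nid): string {
    return "WHERE `nid` = $nid";
}

// 2. Hardened input handling: nid must be a positive integer and nothing
//    else. Returns null for anything else so the caller can refuse the request.
function parse_nid($raw): ?int {
    if (!is_string($raw) || !preg_match('/^[1-9][0-9]{0,9}$/', $raw)) {
        return null;
    }
    return (int) $raw;
}

// 3. Parameterised queries. Identifiers cannot be bound, so the table name
//    comes only from the configured prefix, never from the request.
function fetch_news(PDO $db, string $tablepre, int $nid): ?array {
    $stmt = $db->prepare("SELECT * FROM `{$tablepre}news` WHERE `nid` = :nid");
    $stmt->bindValue(':nid', $nid, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Incrementing inside SQL also removes the read-then-write race of the
// original ($record['views'] + 1 followed by a separate UPDATE).
function bump_views(PDO $db, string $tablepre, int $nid): int {
    $stmt = $db->prepare(
        "UPDATE `{$tablepre}news` SET `views` = `views` + 1 WHERE `nid` = :nid"
    );
    $stmt->bindValue(':nid', $nid, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

// --- demo on constructed data ------------------------------------------
$tablepre = 'etop_';                                   // assumed prefix
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE `{$tablepre}news` (nid INTEGER PRIMARY KEY, title TEXT, views INTEGER)");
$db->exec("INSERT INTO `{$tablepre}news` VALUES (1,'first',0),(2,'second',0)");

// What the original code sends for a crafted id. With "1 OR 1=1" the WHERE
// clause holds for every row, so the UPDATE in news.php touches the whole table.
echo vulnerable_where('1 OR 1=1'), "\n";

// The hardened path refuses the same input before it reaches SQL, and accepts
// a plain integer.
var_dump(parse_nid('1 OR 1=1'));
$nid = parse_nid('2');
bump_views($db, $tablepre, $nid);
print_r(fetch_news($db, $tablepre, $nid));
```

The regex in parse_nid is deliberately stricter than a cast: (int)"1 OR 1=1" silently yields 1, which hides probing rather than rejecting it. If the $mysql wrapper cannot do prepared statements, the minimum is to cast $nid to int before it is interpolated, in both the SELECT and the UPDATE.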
2) Arbitrary file upload (can be used to get a webshell): Admin backend --> System Settings --> Flash Settings --> edit/upload.
Vulnerable file: common.func.php
function upfile(){
    if (is_uploaded_file($_FILES['upfile']['tmp_name'])){
        $upfile = $_FILES['upfile'];
        $name = $upfile['name'];          // original filename, chosen by the client
        $type = $upfile['type'];          // Content-Type of the multipart part, also sent by the client
        $size = $upfile['size'];
        $tmp_name = $upfile['tmp_name'];
        $error = $upfile['error'];
        switch ($type){                   // the only type check, and it trusts the request header
            case 'image/jpeg':
            case 'image/jpg':
            case 'image/gif':
            case 'image/png':
                $isupload = 1;
                break;
            default:
                $isupload = 0;
        }
        if ($isupload && $error == 0){
            // stored name keeps whatever extension the client's filename had
            $new_name = date("dHis") . '_' . rand(10000, 99999) . strrchr($name,'.');
            $file_path = createFolder() . $new_name;
            move_uploaded_file($tmp_name,$file_path);
        }
    }
    return substr($file_path,3);
}
Only the MIME type is checked, and $_FILES['upfile']['type'] is nothing more than the Content-Type header the browser put on that multipart part; it is not derived from the file contents. Intercept the request, set Content-Type: image/jpeg on a part whose filename ends in .php, and the switch accepts it. Because the stored name is built with strrchr($name,'.'), the client's .php extension is kept, so the file lands on disk as a PHP script.
Fix: strengthen filtering and validation. For the injection, cast id to an integer or use parameterised queries in every place the value reaches SQL. For the upload, decide the type from the file contents rather than the client-supplied MIME type, check the extension against an allow-list, and generate the stored filename (including its extension) on the server.
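The following is an added example, not code from eTopEIMS: a replacement for the check in upfile() above, together with a constructed input that shows the bypass against the original switch. The file is typed from its bytes with finfo and parsed with getimagesize, the extension is allow-listed, and the stored name is generated server-side. Function names, the size cap and the upload directory are assumptions.

```php
<?php
// Added example (not eTopEIMS code). Assumed: the fileinfo extension is
// loaded; UPLOAD_DIR and the 2 MiB cap are illustrative values.

const UPLOAD_DIR = '/var/www/uploads';            // assumed; keep PHP execution disabled here
const ALLOWED = [                                 // detected MIME type => stored extension
    'image/jpeg' => 'jpg',
    'image/gif'  => 'gif',
    'image/png'  => 'png',
];

// Returns the extension the file may be stored under, or null to reject.
// $file is one entry of $_FILES. $uploaded is the result of is_uploaded_file(),
// passed in so the demo below can feed a temp file that never came over HTTP.
function check_image_upload(array $file, bool $uploaded): ?string {
    if (!$uploaded || ($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null;
    }
    if ($file['size'] <= 0 || $file['size'] > 2 * 1024 * 1024) {
        return null;
    }
    // Type from the bytes on disk, never from $file['type'].
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset(ALLOWED[$mime])) {
        return null;
    }
    // The client's extension must be an image extension too, so a part named
    // shell.php with a JPEG body is refused even though the body is an image.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!in_array($ext, ['jpg', 'jpeg', 'gif', 'png'], true)) {
        return null;
    }
    // libmagic matches on a short header; require a parseable image as well.
    if (@getimagesize($file['tmp_name']) === false) {
        return null;
    }
    return ALLOWED[$mime];
}

// Stores an accepted upload under a random, server-chosen name.
function store_upload(array $file): ?string {
    $ext = check_image_upload($file, is_uploaded_file($file['tmp_name']));
    if ($ext === null) {
        return null;
    }
    $dest = UPLOAD_DIR . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    return move_uploaded_file($file['tmp_name'], $dest) ? $dest : null;
}

// --- demo on constructed inputs ----------------------------------------
function fake_upload(string $name, string $type, string $body): array {
    $tmp = tempnam(sys_get_temp_dir(), 'up');
    file_put_contents($tmp, $body);
    return ['name' => $name, 'type' => $type, 'size' => strlen($body),
            'tmp_name' => $tmp, 'error' => UPLOAD_ERR_OK];
}

// The bypass: a PHP file whose multipart part claims Content-Type image/jpeg.
// The original switch looks only at 'type', so it accepts this.
$evil = fake_upload('shell.php', 'image/jpeg', "<?php echo 'not an image';");
var_dump(check_image_upload($evil, true));

// A minimal 1x1 RGB PNG (signature + IHDR chunk with its CRC), constructed inline.
$png = "\x89PNG\r\n\x1a\n" . "\x00\x00\x00\x0dIHDR"
     . "\x00\x00\x00\x01\x00\x00\x00\x01\x08\x02\x00\x00\x00" . "\x90\x77\x53\xde";
$good = fake_upload('logo.png', 'application/octet-stream', $png);
var_dump(check_image_upload($good, true));

unlink($evil['tmp_name']);
unlink($good['tmp_name']);
```

The type check is on the content, so the second input is accepted even though its Content-Type header is wrong, and the first is refused even though its header is right. The stored name never contains anything the client chose, which also closes the double-extension and null-byte tricks that a strrchr-based name is open to. The directory the files land in should additionally be served with PHP execution turned off, so that a misclassified file is still only a download.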