此程序多用于网络媒体各大地方卫视,程序目录dealfunc下comment_stat.php和comment_js.php, 对cmid未做过滤。直接导致注射。 后台默认地址为http://cp.xxxx.com/ws comment_stat.php文件 源码 <?php /** * comment_stat.php :: 评论回复统计文件:: dealfunc * * $Id: comment_stat.php 67 2007-06-01 03:48:20Z $ */ define ('INCLUDE_PATH', './'); require_once "./liv_global.php"; $staticfile = $_REQUEST['staticfile']; $commresult = $DB->query_first("SELECT count(*) as cmtnum FROM liv_comment where contentid=".$_REQUEST['cmid'] . " and auditing=1 "); ?> document.write('<?php echo intval($commresult['cmtnum']);?>'); <?php ?> www.2cto.com comment_js.php文件源码 <?php /** * comment_js.php :: 评论JS调用:: dealfunc * * $Id: comment_js.php 67 2007-06-01 03:48:20Z $ */ define('INCLUDE_PATH','./'); require "./liv_global.php"; $cmid = $_REQUEST['cmid']; if ($cmid) { $cond = ' AND contentid=' . $cmid; } $limit = intval($_REQUEST['limit']) ? intval($_REQUEST['limit']) : 6; $brieflength = intval($_REQUEST['brieflength']) ? intval($_REQUEST['brieflength']) : 100; ?> document.write('<ul style="border-bottom:1px solid #ccc;margin-bottom:10px;"><li style="font-size:14px;font-weight:bold;">文章评论:</li>'); <?php $result = $DB->query("SELECT * FROM " . DB_PREFIX . "comment WHERE auditing = 1 and siteid = " . intval($siteinfo['siteid']) . $cond . " ORDER BY pubdate DESC LIMIT $limit"); //echo "SELECT * FROM " . DB_PREFIX . "comment WHERE auditing = 1 and siteid = " . intval($siteinfo['siteid']) . $cond . " and contentid=".$cmid." ORDER BY pubdate DESC LIMIT $limit"; $rst = $DB->num_rows($result); //$commentlink = $siteinfo['sitepath'].'comment/comment.php?cmid='.$cmid.'&modeid='.$modeid; $commentlink = $siteinfo['sitepath'].'comment/comment.php?cmid='.$cmid; while($row = $DB->fetch_array($result)) { $content = cutchars($row['content'],$brieflength); // $content = nl2br($content); $content = str_replace(array(chr(10),chr(13)),"",$content); $pubdate = date('Y-m-d',$row['pubdate']); $author = $row['author']; $ips = explode(".",$row['ip']); $newip = $ips[0].'.'.$ips[1].'.*.*'; $link = $siteinfo['weburl'] . 'comment/comment.php?cmid=' . $row['contentid']; ?> document.write('<li style="background:#f1f1f1;border-bottom:1px solid #d8d8d8;padding:5px;">网友:<b><?php echo $author ?></b> 时间:<?php echo $pubdate ?> IP:<?php echo $newip ?></li><li style="line-height:22px;padding:5px;"><a href="<?php echo $link ?>" target="_blank"><?php echo $content;?></a></li>'); <?php } if($rst != 0) { ?> document.write('<li style="text-align:right;line-height:22px;font-weight:bold;padding-right:10px;"><a href="<?php echo $commentlink ?>" target="_blank">更多留言</a></li>'); <?php } ?> document.write('</ul>'); <?php ?> 没任何过滤,直接带入查询 修复方案: 加强过滤或直接删除此目录下的文件,
查看更多关于livcms内容管理系统存在注射漏洞及修复 - 网站安的详细内容...