本文作者:浅蓝
前段时间有人发过搜云的源码,都好长时间了。
这次我放出个最新的。
是在他换模板之前的源码。(现在的搜云后端基本没什么变化 换了个模板而已)
同时审计出来了一些漏洞。。
我里面的数据库配置信息等重要敏感信息换成了"马赛克"
以下附上审计出的漏洞
1.user.php#sql注入
265行 $card = $_POST[‘card‘];
// VULN (SQL injection): $card is interpolated into the query below with no escaping and no
// parameter binding. Bind it (mysqli/PDO prepared statement) or, on the legacy mysql_* API
// this file uses, pass it through mysql_real_escape_string() before building the string.
if ($_POST[‘card‘]) {
$sql = "select * from alipay where card=‘{$card}‘";
$row = mysql_query($sql);
$rows = mysql_fetch_array($row);
// Column 6 of `alipay` is read positionally ('6' becomes integer key 6); what it holds is not
// visible in this excerpt — presumably a payment status, verify against the schema.
$status = $rows[‘6‘];
$card 没有转义，直接带入数据库查询
2.user.php#sql注入(2)
241行 $touser = $_POST[‘touser‘];
// VULN (SQL injection): $touser and $jb are interpolated into the three queries below without
// escaping or parameter binding. $jb also feeds arithmetic, so it should be validated as a
// positive integer (ctype_digit + intval, or a bound integer parameter) before any query is built.
$jb = $_POST[‘jb‘];
// $username is not defined in this excerpt — presumably the logged-in account; verify in user.php.
$select = "select jb from user where username=‘{$username}‘";
// `$mysql_query` is a variable-function call here; probably a transcription error for
// mysql_query — verify against the original file.
$row = $mysql_query($select);
$rows = mysql_fetch_array($row);
$pd = $rows[‘jb‘];
// Balance checks on the raw request string: first "amount exceeds balance", then "balance not
// positive". Nothing verifies that $touser exists or differs from $username.
if ($jb > $pd) {
echo ‘<script>alert(\‘You don\‘t have so much gold!\‘)</script>‘;
echo $pd;
die;
} else {
if ($pd <= 0) {
echo ‘<script>alert(\‘You not have gold!\‘)</script>‘;
die;
} else {
// Only reached when both checks passed; the other branches die, so $sql is always set below.
$sql = "update user set jb=jb-‘{$jb}‘ where username=‘{$username}‘";
}
}
$sql1 = "update user set jb=jb+‘{$jb}‘ where username=‘{$touser}‘";
// Two independent UPDATEs with no transaction: a failure between them, or two concurrent
// transfers that both pass the balance check above, leave the balances inconsistent.
mysql_query($sql);
mysql_query($sql1);
echo ‘<script>alert(\‘Transfer success!\‘)</script>‘;
jb 和 touser 没有转义，直接带入数据库
3.download.php#sql注入
11行 $file_name=$_GET[‘id‘];
// Only the empty string is rejected here; every other value passes straight into the query.
if ($file_name==""){
echo "请输入文件ID";
exit();
}
// VULN (SQL injection): the raw GET value is concatenated unquoted into the WHERE clause.
// `id` is compared as a number, so at minimum cast it ((int)$_GET['id']); better, bind it:
// sqlsrv_query($conn, "... where id = ?", array($file_name)).
$sql="select * from new1.dbo.own_user_info where id={$file_name}";
// $id holds the sqlsrv statement resource, not a record id — the name is misleading.
$id=sqlsrv_query($conn,$sql);
$info=sqlsrv_fetch_array($id);
$file_name 的值没有被转义，参数可控，直接带入数据库查询
4.function.php#http头部注入(被应用在多处)
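// function.php, 121行 — the original GetIP() returned whatever HTTP_CLIENT_IP / HTTP_X_FORWARDED_FOR
// carried, unvalidated (the header-injection finding above): its range loop indexed $ip (a string)
// instead of $oip, and `if (ereg(...));` had a stray semicolon, so the format check never applied.
// Hardened version below; same sources, same order, but the value is validated before it is returned.
/**
 * Best-effort client IP address.
 *
 * Sources are consulted in the original order: HTTP_CLIENT_IP, HTTP_X_FORWARDED_FOR,
 * REMOTE_ADDR via getenv(), then $_SERVER['REMOTE_ADDR']. NOTE: the two HTTP_* headers are
 * supplied by the client and can be forged; honour them only when the application sits
 * behind a trusted proxy that overwrites them.
 *
 * @return string|int  The validated address; "unknown" when no source is set; 0 when the
 *                     selected source is not a literal IPv4/IPv6 address.
 */
function GetIP()
{
    $candidates = array(
        getenv("HTTP_CLIENT_IP"),
        getenv("HTTP_X_FORWARDED_FOR"),
        getenv("REMOTE_ADDR"),
        isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : "",
    );

    // Same selection rule as the original: first non-empty value that is not "unknown".
    $ip = "unknown";
    foreach ($candidates as $candidate) {
        if ($candidate && strcasecmp($candidate, "unknown")) {
            $ip = $candidate;
            break;
        }
    }
    if ($ip === "unknown") {
        return $ip;
    }

    // X-Forwarded-For is conventionally "client, proxy1, proxy2"; keep only the first hop.
    $hops = explode(",", $ip);
    $ip = trim($hops[0]);

    // Replaces the broken octet loop and ereg(): anything that is not a literal IPv4/IPv6
    // address is rejected, so header content can never reach SQL or log rows unchecked.
    if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
        return 0;
    }
    return $ip;
}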
该函数被用在 登录&注册&查询信息 等地方
请前往X安全组社区下载SoYun.rar
解压密码为X组域名
贴出部分数据:
/*
Navicat MySQL Data Transfer
Source Server : localhost_13306
Source Server Version : 50528
Source Host : localhost:3306
Source Database : ff
Target Server Type : MYSQL
Target Server Version : 50528
File Encoding : 65001
Date: 2014-11-18 20:00:30
*/
-- Dump preamble: FK checks are switched off so the DROP/CREATE sequence below cannot be blocked
-- by references. None of the tables in this excerpt declare a FOREIGN KEY, and an importer
-- should SET FOREIGN_KEY_CHECKS=1 again once the load is finished.
SET FOREIGN_KEY_CHECKS=0;
-- ----------------------------
-- Table structure for `log`
-- ----------------------------
-- Application event log: one row per event with the acting account, its address and a message.
DROP TABLE IF EXISTS `log`;
CREATE TABLE `log` (
`id` int(11) NOT NULL AUTO_INCREMENT,
`user` varchar(20) DEFAULT NULL,
-- Presumably filled from GetIP() in function.php (see the header-injection finding above); that
-- function returned raw header values, so this column can hold unvalidated client-supplied text.
-- 30 chars is also shorter than a full IPv6 literal (39 chars) — verify against the writers.
`ip` varchar(30) DEFAULT NULL,
-- Free-text message; the sample row repeats the address inside the text.
`msg` text,
`time` datetime DEFAULT NULL,
-- No index on `user` or `time`: per-user or per-period queries scan the whole table.
PRIMARY KEY (`id`)
) ENGINE=InnoDB AUTO_INCREMENT=130474 DEFAULT CHARSET=utf8;
-- ----------------------------
-- Records of log
-- ----------------------------
-- Positional VALUES with quoted integers: acceptable in a generated dump, fragile anywhere else.
-- The mojibake in msg is consistent with a charset mismatch between the writing connection and
-- the utf8 table — presumably; the dump file itself is UTF-8 (File Encoding 65001 above).
INSERT INTO `log` VALUES (‘1‘, ‘admin‘, ‘::1‘, ‘登陆账å?·,IP:::1‘, ‘2014-05-11 17:27:02‘);
-- ----------------------------
-- Table structure for `main`
-- ----------------------------
-- Single-column list of usernames; its role is not visible in this excerpt (the only sample
-- row is `admin` — presumably a privileged-account list, verify in the PHP code).
DROP TABLE IF EXISTS `main`;
CREATE TABLE `main` (
`id` int(11) NOT NULL AUTO_INCREMENT,
-- No UNIQUE constraint, so the same username can be listed more than once.
`username` varchar(255) DEFAULT NULL,
PRIMARY KEY (`id`)
) ENGINE=InnoDB AUTO_INCREMENT=39 DEFAULT CHARSET=utf8;
-- ----------------------------
-- Records of main
-- ----------------------------
INSERT INTO `main` VALUES (‘1‘, ‘admin‘);
-- ----------------------------
-- Table structure for `user`
-- ----------------------------
-- Account table. NOTE(review): the user.php excerpt above reads and updates a `jb` column,
-- which this schema does not have (it has `gold`); the dump and the quoted code are presumably
-- from different revisions — verify before relying on either.
DROP TABLE IF EXISTS `user`;
CREATE TABLE `user` (
`id` int(11) NOT NULL AUTO_INCREMENT,
-- Looked up by name in the transfer code, yet no UNIQUE constraint: duplicate usernames are
-- not prevented at the database level.
`username` varchar(50) CHARACTER SET utf8 DEFAULT NULL,
-- Fixed 32-char column; the sample row holds a 32-hex digest, consistent with an unsalted MD5
-- (presumably — verify in the registration code). Moving to password_hash()/bcrypt requires
-- widening this to at least VARCHAR(255).
`password` varchar(32) CHARACTER SET utf8 DEFAULT NULL,
-- Timestamp stored as text; a DATETIME would validate the value and allow range queries.
`time` varchar(20) CHARACTER SET utf8 DEFAULT NULL,
-- Presumably the invitation code used at sign-up (cf. the `yaoqingma` table) — verify.
`yqm` text CHARACTER SET utf8,
`email` varchar(255) CHARACTER SET utf8 DEFAULT NULL,
`gold` int(11) DEFAULT NULL,
-- Client address; if it is filled from GetIP() (function.php) it holds unvalidated header text — verify.
`ip` varchar(50) CHARACTER SET utf8 DEFAULT NULL,
PRIMARY KEY (`id`)
-- Table default is gbk while every text column overrides to utf8; settle on one charset.
) ENGINE=InnoDB AUTO_INCREMENT=821 DEFAULT CHARSET=gbk;
-- ----------------------------
-- Records of user
-- ----------------------------
-- The sample row still carries an e-mail, an address and a password digest; rows like this
-- should be redacted before a dump is published.
INSERT INTO `user` VALUES (‘1‘, ‘admin‘, ‘8d416388567183add25dd486695de2af‘, ‘2014-06-20 20:31:37‘, ‘‘, ‘617925118@qq.com‘, ‘0‘, ‘101.18.170.224‘);
-- ----------------------------
-- Table structure for `yaoqingma`
-- ----------------------------
-- Invitation codes (邀请码): the code, a status flag, issue time and the e-mail it was sent
-- to (presumably — verify against the registration flow).
DROP TABLE IF EXISTS `yaoqingma`;
CREATE TABLE `yaoqingma` (
`id` int(11) NOT NULL AUTO_INCREMENT,
-- Declared TEXT although the sample is a 32-hex string; TEXT cannot be fully indexed, so a
-- lookup by code is a table scan. A VARCHAR with a UNIQUE index fits the sample values better.
`yaoqingma` text CHARACTER SET utf8 COLLATE utf8_unicode_ci NOT NULL,
-- 0 in the sample row; the full set of values is not visible here — presumably 0 = unused.
`status` tinyint(1) NOT NULL DEFAULT ‘0‘,
`time` datetime NOT NULL,
`email` varchar(255) CHARACTER SET utf8 COLLATE utf8_unicode_ci DEFAULT NULL,
PRIMARY KEY (`id`),
-- Redundant: the PRIMARY KEY already makes `id` unique; this second index only costs writes.
UNIQUE KEY `id` (`id`) USING BTREE
-- MyISAM has no transactions, so marking a code used and creating the account cannot be atomic;
-- gbk table default versus utf8 columns, as in `user`.
) ENGINE=MyISAM AUTO_INCREMENT=319 DEFAULT CHARSET=gbk;
-- ----------------------------
-- Records of yaoqingma
-- ----------------------------
INSERT INTO `yaoqingma` VALUES (‘2‘, ‘7041193b4314bed819d1a29c5724830b‘, ‘0‘, ‘2014-01-05 16:59:07‘, null);
能感谢就感谢一下.
原文地址:http://www.cnblogs.com/dongchi/p/4998573.html