2014-05-10: 细节已通知厂商并且等待厂商处理中 2014-05-10: 厂商已经确认,细节仅向厂商公开 2014-05-13: 细节向第三方安全合作伙伴开放 2014-07-04: 细节向核心白帽子及相关领域专家公开 2014-07-14: 细节向普通白帽子公开 2014-07-24: 细节向实习白帽子公开 2014-08-08: 细节向公众公开
三处注入点位于同一文件中。其中两处无需登录即可触发，一处需要先注册一个会员账号。
在app/controllers/home.php中第一处
public function friendadd() { header("Expires: Mon, 26 Jul 1997 05:00:00 GMT"); header("Cache-Control: no-cache, must-revalidate"); header("Pragma: no-cache"); if(@!eregi($_SERVER['SERVER_NAME'],$_SERVER['HTTP_REFERER'])){exit('QQ:848769359');} @header("Content-type: text/html;charset=gbk"); $user= $this->input->get_post('user', TRUE); //user $type= $this->input->get_post('type', TRUE); //type if(empty($user)){ exit("10000");//参数错误 } $users=$this->session->userdata('cs_name'); if(!$this->CsdjUser->User_Login(1)){ exit("10001");//没有登入 } if($users==$user){ exit("10004");//不能关注自己 } if($type=='qx'){ //删除 $this->db->query("delete from ".CS_SqlPrefix."friend where CS_Userb='".$user."' and cs_usera='".$users."'"); //删除粉丝 $this->db->query("delete from ".CS_SqlPrefix."fans where CS_Usera='".$user."' and cs_userb='".$users."'"); exit("ok"); } $sql="SELECT * FROM ".CS_SqlPrefix."user where cs_name='".$user."'";
$user 仅经过 get_post() 第二个参数 TRUE 所对应的 XSS 过滤，未做任何 SQL 转义或参数化处理，就被直接拼接进了查询语句中。第二处
public function login() { $username = $this->input->get_post('username', TRUE); //username $userpass = $this->input->get_post('userpass', TRUE); //userpass if(empty($username)) exit('10001'); //用户名为空 if(empty($userpass)) exit('10002'); //密码为空 //可以用ID、会员名、邮箱来进行登入 $sqlu="SELECT CS_Pass,CS_SID,CS_YID,CS_ID,CS_Name,CS_LogNum,CS_Cion,CS_Vip,CS_LogTime,CS_EndTime FROM ".CS_SqlPrefix."user where cs_id='".$username."' or cs_name='".$username."' or cs_email='".$username."'"; $row=$this->CsdjDB->get_all($sqlu);
$username 同样未经 SQL 转义或参数化处理，直接拼接进了查询语句中。第三处
public function webplayer() { header("Expires: Mon, 26 Jul 1997 05:00:00 GMT"); header("Cache-Control: no-cache, must-revalidate"); header("Pragma: no-cache"); if(@!eregi($_SERVER['SERVER_NAME'],$_SERVER['HTTP_REFERER'])){exit('QQ:848769359');} @header("Content-type: text/html;charset=gbk"); $user= $this->input->post('uid', TRUE); //user $showstr=''; $sqlstr="select CS_FID,CS_Name,CS_PlayUrl from ".CS_SqlPrefix."dance where CS_YID=0 and CS_HID=0 and CS_User='".$user."' order by CS_ID desc limit 0, 10"; $result=$this->CsdjDB->db->query($sqlstr);
$user 来自 POST 参数 uid，可控且未经 SQL 转义，直接拼接进了查询语句中。下面测试一下 demo。
demo 测试成功，其他两处情况相同。
危害等级:高
漏洞Rank:20
确认时间:2014-05-10 16:35
不是上午已经发过一次了吗?我刚刚已经修复了~!
暂无