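2015-04-15: Details reported to the vendor; awaiting vendor handling
2015-04-17: Vendor confirmed; details disclosed to the vendor only
2015-04-20: Details opened to third-party security partners
2015-06-11: Details disclosed to core white hats and experts in related fields
2015-06-21: Details disclosed to regular white hats
2015-07-01: Details disclosed to intern white hats
2015-07-16: Details disclosed to the public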
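My earlier submission was answered with the statement that this had already been filtered, so I downloaded the package again and found that it is still not filtered. I don't know where the filtering the reviewer mentioned is supposed to happen.
As can be seen, this is the latest download (see the update date).
The admin configuration file is located at /admin/include/common.inc.php
The code has not changed at all: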
```php
<?php
# MetInfo Enterprise Content Management System
# Copyright (C) MetInfo Co.,Ltd (http://www.metinfo.cn). All rights reserved.
header("Content-type: text/html;charset=utf-8");
error_reporting(E_ERROR | E_PARSE);
@set_time_limit(0);
define('ROOTPATH_ADMIN', substr(dirname(__FILE__), 0, -7));
DIRECTORY_SEPARATOR == '\\'?@ini_set('include_path', '.;' . ROOTPATH_ADMIN):@ini_set('include_path', '.:' . ROOTPATH_ADMIN);
$DS=DIRECTORY_SEPARATOR;
$url_array=explode($DS,ROOTPATH_ADMIN);
$count = count($url_array);
$last_count=$count-2;
$last_count=strlen($url_array[$last_count])+1;
define('ROOTPATH', substr(ROOTPATH_ADMIN, 0, -$last_count));
PHP_VERSION >= '5.1' && date_default_timezone_set('Asia/Shanghai');
session_cache_limiter('private, must-revalidate');
@ini_set('session.auto_start',0);
if(PHP_VERSION < '4.1.0') {
    $_GET = &$HTTP_GET_VARS;
    $_POST = &$HTTP_POST_VARS;
    $_COOKIE = &$HTTP_COOKIE_VARS;
    $_SERVER = &$HTTP_SERVER_VARS;
    $_ENV = &$HTTP_ENV_VARS;
    $_FILES = &$HTTP_POST_FILES;
}
$settings=array();
$db_settings=array();
$db_settings = parse_ini_file(ROOTPATH.'config/config_db.php');
@extract($db_settings);
require_once ROOTPATH_ADMIN.'include/mysql_class.php';
$db = new dbmysql();
$db->dbconn($con_db_host,$con_db_id,$con_db_pass,$con_db_name);
$query="select * from {$tablepre}config where name='met_tablename' and lang='metinfo'";
$mettable=$db->get_one($query);
$mettables=explode('|',$mettable[value]);
foreach($mettables as $key=>$val){
    $tablename='met_'.$val;
    $$tablename=$tablepre.$val;
    $_M[table][$tablename]=$tablepre.$val;
}
require_once dirname(__file__).'/global.func.php';
require_once dirname(__file__).'/global/snap.func.php';
define('MAGIC_QUOTES_GPC', get_magic_quotes_gpc());
$lang=$_GET['lang']<>""?$_GET['lang']:$_POST['lang'];
$lang=daddslashes($lang,0,1);
$metinfoadminok=1;
$settings_arr=array();
require_once ROOTPATH.'config/config.inc.php';
met_cooike_start();
// $_GET[langset] is interpolated into the query here, before any escaping
$query="select * from {$tablepre}lang where mark='{$_GET[langset]}' and lang='metinfo'";
$isadminlang=$db->get_one($query);
if(!$isadminlang&&$_GET[langset]!='')die('not have this language');
if($_GET[langset]!=''){
    // daddslashes() is only applied after the query above has already run
    $_GET[langset]=daddslashes($_GET[langset],0,1);
    change_met_cookie('languser',$_GET[langset]);
    save_met_cookie();
}
```
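langset is still not filtered in any way and is passed directly into the query.
and 1=1
and 1=2
SQLmap test
Because the admin files call login_check.php to check whether the user is logged in, all admin files are injectable. The most recently downloaded package is attached: http://pan.baidu.com/s/1mgHvzMo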
Don't know.
Severity: High
Vulnerability Rank: 12
Confirmed: 2015-04-17 10:51
Thank you for your feedback; we have already fixed this issue.
None yet.
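A hardened form of the langset lookup from common.inc.php, as an added example that is not MetInfo's code or the vendor's fix: the value is validated before the query is built and is then bound as a parameter instead of being interpolated. It assumes PDO with an in-memory SQLite table standing in for the project's dbmysql class; find_admin_lang, the table layout and the accepted mark format are hypothetical.

```php
<?php
// Added example, not MetInfo code. Assumptions: PDO + in-memory SQLite replace
// the project's dbmysql class; table layout and mark format are constructed.

function find_admin_lang(PDO $db, string $tablepre, $langset): ?array
{
    // Validate BEFORE the value reaches SQL (the original escaped it only
    // after the query had run). Assumed format for a language mark.
    if (!is_string($langset) || !preg_match('/\A[A-Za-z0-9_-]{1,16}\z/', $langset)) {
        return null;
    }
    // The prefix comes from server-side config, but identifiers cannot be
    // bound as parameters, so it is checked as well.
    if (!preg_match('/\A[A-Za-z0-9_]+\z/', $tablepre)) {
        throw new InvalidArgumentException('bad table prefix');
    }
    // The request value travels as a bound parameter, never as SQL text.
    $stmt = $db->prepare(
        "SELECT * FROM {$tablepre}lang WHERE mark = :mark AND lang = 'metinfo'"
    );
    $stmt->execute([':mark' => $langset]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed sample data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE met_lang (mark TEXT, lang TEXT)");
$db->exec("INSERT INTO met_lang VALUES ('cn', 'metinfo'), ('en', 'metinfo')");

// Constructed inputs: a known mark, an unknown mark, a mark followed by each
// of the two test strings from the report, and a non-string (langset[]=cn).
$inputs = ['cn', 'fr', 'cn and 1=1', 'cn and 1=2', ['cn']];
foreach ($inputs as $in) {
    $row = find_admin_lang($db, 'met_', $in);
    printf("%-14s => %s\n", json_encode($in), $row ? 'known language' : 'rejected');
}
```

Only 'cn' resolves to a language; the two inputs carrying the report's test strings get the same result as each other, so the query no longer answers true/false conditions supplied in langset.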