乌云(WooYun.org)历史漏洞查询---http://wy.zone.ci/
乌云 Drops 文章在线浏览--------http://drop.zone.ci/
2014-05-27: 积极联系厂商并且等待厂商认领中,细节不对外公开 2014-08-25: 厂商已经主动忽略漏洞,细节向公众公开
162100网址导航本地包含 #
162100网址导航本地包含 #漏洞页面:mingz.php
漏洞页面:mingz.php
<?php/* 名站模块 *//* 162100源码 - 162100.com */@ require ('set/set.php');@ require ('set/set_sql.php');@ require ('set/set_area.php');if (!function_exists('get_m')) { function get_m($v) { global $web, $n; $text = ''; if ($web['link_type'] == 1) { //$link = '"export.php?url=".urlencode($h[0]).""'; $link = '"".($h[3] == "js" ? $h[0] : "export.php?url=".urlencode($h[0])).""'; } else { $link = '"".($h[3] == "js" ? "export.php?url=".urlencode($h[0]) : $h[0]).""'; } if ($v = trim($v)) { $total_arr = @explode("\n", $v); $n = count($total_arr); if ($n > 0) { $text .= '<div id="mingz_">'; foreach ($total_arr as $each) { $h = @explode("|", trim($each)); $text .= '<span><a onclick="addM(this)" href="'.eval('return '.$link.';').'"'.($h[2] != '' ? ' class="'.$h[2].'"' : '').'>'.$h[1].'</a></span>'; } $text .= '</div>'; } } return $text; }}$_GET['run'] = (string)$_GET['run'];if ($_GET['run'] == 'collection') { $title = '自定义网址'; $require = 'collection';} elseif ($_GET['run'] == 'notepad') { $title = '记事本'; $require = 'notepad';} elseif ($_GET['run'] == 'search_site') { $title = '站内搜索'; $require = 'search_site';} else { if (array_key_exists($_GET['run'], $web['area']['mingz'])) { $title = $web['area']['mingz'][$_GET['run']][0]; $text = ''; $n = 0; if (!isset($sql['db_err'])) { db_conn(); } if ($sql['db_err'] == '') { echo 'SELECT class_title,http_name_style,class_priority FROM `'.$sql['pref'].'162100` WHERE column_id="mingz" AND class_id="'.$_GET['run'].'" AND detail_title="" LIMIT 1', $db; $result = @mysql_query('SELECT class_title,http_name_style,class_priority FROM `'.$sql['pref'].'162100` WHERE column_id="mingz" AND class_id="'.$_GET['run'].'" AND detail_title="" LIMIT 1', $db); if ($row = @mysql_fetch_assoc($result)) { $text .= (preg_replace('/<style.+<\/style>/isU', '', trim($row['class_priority'])) != '' ? '<style type="text/css"><!--.class_priority {}--></style><div class="class_priority">'.$row['class_priority'].'</div>' : $row['class_priority']).''.get_m($row['http_name_style']).''; } else { $err = '数据为空或读取失败!'; } @mysql_free_result($result); } else { $err = $sql['db_err']; } @mysql_close(); } else { $title = '参数出错!'; }}?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><meta http-equiv="Page-Enter" content="blendTrans(Duration=1)" /><meta http-equiv="Page-Exit" content="blendTrans(Duration=1)" /><title><?php echo $title.' - '.$web['sitename2'], $web['code_author']; ?></title><base target="_blank" /><link href="inc/css/css_base.css" rel="stylesheet" type="text/css"><link href="inc/css/style/color_<?php echo preg_replace('/_\d+$/', '', $web['cssfile']); ?>/css.css" rel="stylesheet" type="text/css" id="my_style_color"><link href="inc/css/style/bj_<?php echo $web['cssfile']; ?>/css.css" rel="stylesheet" type="text/css" id="my_style_bj"><style type="text/css"><!--body { width:720px; background-color:transparent; background-image:none; }--></style><script type="text/javascript" language="javaScript" src="inc/js/main.js"></script><script language="javascript" type="text/javascript"><!--//调出用户信息弹窗window.onload=function(){ document.body.style.backgroundColor='#FFFFFF'; try { parent.document.getElementById('t1Frame').height=document.body.offsetHeight; }catch(e){ }}//--></script></head><body><?php//<!-- require -->if (isset($require)) { @ require ('inc/run/get_mingz_'.$require.'.php');//此处是个本地包含漏洞。} else { echo $text, $err;}//<!-- /require -->?></body></html>
环境需要开启gloabs全局利用如图:
过滤
未能联系到厂商或者厂商积极拒绝