乌云(WooYun.org)历史漏洞查询---http://wy.zone.ci/
乌云 Drops 文章在线浏览--------http://drop.zone.ci/
2014-09-19: 积极联系厂商并且等待厂商认领中,细节不对外公开 2014-12-18: 厂商已经主动忽略漏洞,细节向公众公开
RT 前台sql注入 无需管理员登陆
在文件admin_message_list_inbox.php中:
include_once("$config[webroot]/includes/page_utf_class.php");include_once("$config[webroot]/module/message/includes/plugin_msg_class.php");//=============================================$msg=new msg();if(isset($_POST["deid"])&&!empty($_POST['del'])){ $msg->del_mail();}if(isset($_POST["deid"])&&!empty($_POST['save'])){ $msg->save_mail();}
调用了del_mail() 再看这个方法:
function del_mail($id=NULL) { if(empty($id)) { for($i=0;$i<count($_POST["deid"]);$i++) { $id=$_POST["deid"][$i]; $sql="update ".FEEDBACK." set iflook=2 where id=$id"; $this->db->query($sql); unset($sql); } } else { $sql="update ".FEEDBACK." set iflook=2 where id=$id"; $this->db->query($sql); } }
id没有过滤 直接带入到了sql语句执行 同一文件中还有几处类似漏洞:
//恢复邮件 function recover_mail($id=NULL) { global $admin; if(!empty($id)) { $sql="update ".FEEDBACK." set iflook=1 where id=$id"; $this->db->query($sql); $admin->msg("main.php?m=message&s=admin_message_list_inbox"); } else { for($i=0;$i<count($_POST["deid"]);$i++) { $id=$_POST["deid"][$i]; $sql="update ".FEEDBACK." set iflook=1 where id=$id"; $this->db->query($sql); unset($sql); } } }
function friend_msg_batch_send() { global $buid,$admin; if(!empty($_POST['senduser'])&&!empty($_POST['msgcon'])) { $date=date("Y-m-d H:i:s"); $sear=explode(';',$_POST['senduser']); if(count($sear)>1) { $sear1=array_unique($sear); $suser="'0'"; foreach($sear1 as $v) { $suser.=",'$v'"; } $sql="select user,email,userid from ".ALLUSER." where user in ($suser)"; } else
该厂商拥有大量客户:
未能联系到厂商或者厂商积极拒绝