2014-11-18: Details reported to the vendor, awaiting vendor handling
2014-11-23: Vendor actively ignored the vulnerability; details opened to third-party security partners
2015-01-17: Details disclosed to core white hats and experts in the relevant field
2015-01-27: Details disclosed to regular white hats
2015-02-06: Details disclosed to intern white hats
2014-12-30: Details disclosed to the public
Qibo Local Portal V5.0: second-order injection
In /news/js.php:
if($type=='hot'||$type=='com'||$type=='new'||$type=='lastview'||$type=='like'){
    if($f_id) {
        if(is_numeric($f_id)){
            $SQL=" fid=$f_id ";
        }else{
            $detail=explode(",",$f_id);
            $SQL=" fid IN ( ".implode(",",$detail)." ) ";
        }
    } else {
        $SQL=" 1 ";
    }
    if($type=='com') {
        $SQL.=" AND levels=1 ";
        $ORDER=' list ';
        $_INDEX=" USE INDEX ( list ) ";
    } elseif($type=='hot') {
        $ORDER=' hits ';
        $_INDEX=" USE INDEX ( hits ) ";
    } elseif($type=='new') {
        $ORDER=' list ';
        $_INDEX=" USE INDEX ( list ) ";
    } elseif($type=='lastview') {
        $ORDER=' lastview ';
        $_INDEX=" USE INDEX ( lastview ) ";
    } elseif($type=='like') {
        $SQL.=" AND id!='$id' ";
        if(!$keyword) {
            extract($db->get_one("SELECT keywords AS keyword FROM {$_pre}content WHERE id='$id'"));
        }
        if($keyword){
            $SQL.=" AND ( ";
            $keyword=urldecode($keyword); // URL-decode the keyword
            $detail=explode(" ",$keyword);
            unset($detail2);
            foreach( $detail AS $key=>$value){
                $detail2[]=" BINARY title LIKE '%$value%' ";
            }
            $str=implode(" OR ",$detail2);
            $SQL.=" $str ) ";
        }else{
            $SQL.=" AND 0 ";
        }
        $_INDEX=" USE INDEX ( list ) ";
        $ORDER=' list ';
    }
    $SQL=" $_INDEX WHERE $SQL AND yz=1 ORDER BY $ORDER DESC LIMIT $rows";
    $which='*';
    $_target=$target?'_blank':'_self';
    if($path){
        $_path=preg_replace("/(.*)\/([^\/]+)/is","\\1/",$WEBURL);
    }
    if($icon==1){
        $_icon="·";
    }else{
        $_icon=" ";
    }
    $listdb=listcontent($SQL,$which,$leng);
    foreach($listdb AS $key=>$rs) {
        $show.="$_icon<A target='$_target' HREF='{$_path}bencandy.php?fid=$rs[fid]&id=$rs[id]' title='$rs[full_title]'>$rs[title]</A><br>";
    }
    if(!$show){
        $show="暂无...";
    }
At first it kept failing; only later did I notice that in the code below $keyword is passed into explode(), which splits it on spaces, so I replaced the spaces with /**/.
if($keyword){
    $SQL.=" AND ( ";
    $keyword=urldecode($keyword);
    $detail=explode(" ",$keyword);
    unset($detail2);
    foreach( $detail AS $key=>$value){
        $detail2[]=" BINARY title LIKE '%$value%' ";
    }
    $str=implode(" OR ",$detail2);
    $SQL.=" $str ) ";
}else{
    $SQL.=" AND 0 ";
}
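The root cause above is that $keyword (after an extra urldecode()) and $f_id are concatenated straight into the WHERE clause. As an added example that is not Qibo's code, here is the same "like" branch rebuilt with prepared statements; $pdo (a PDO connection), the parameter names and the function name are assumptions, and the ORDER BY and table prefix come from trusted configuration rather than the request.

```php
<?php
// Added example, not part of the original report or of Qibo's code base.
// Rebuilds the "like" branch of /news/js.php so that no request value
// ever reaches the SQL text: fid values and LIKE patterns are all bound.
function buildLikeQuery(PDO $pdo, string $pre, string $id, string $keyword,
                        string $fid, int $rows): array
{
    $params = [];
    $where  = [];

    // fid may be a single id or a comma-separated list; keep only digit-only
    // tokens and bind each one as a placeholder instead of splicing the list in.
    $ids = array_values(array_filter(array_map('trim', explode(',', $fid)), 'ctype_digit'));
    if ($ids) {
        $where[] = 'fid IN (' . implode(',', array_fill(0, count($ids), '?')) . ')';
        foreach ($ids as $v) {
            $params[] = (int) $v;
        }
    }

    $where[]  = 'id != ?';
    $params[] = (int) $id;

    // No second urldecode(): the web server already decoded the query string once,
    // so decoding again only lets encoded characters slip past upstream filtering.
    $terms = preg_split('/\s+/', trim($keyword), -1, PREG_SPLIT_NO_EMPTY);
    if (!$terms) {
        $where[] = '0';                      // same behaviour as the original "AND 0"
    } else {
        $like = [];
        foreach ($terms as $term) {
            $like[] = 'BINARY title LIKE ?';
            // Escape LIKE metacharacters (MySQL's default escape char is backslash)
            // so a term cannot widen the pattern; the value itself is bound, not spliced.
            $params[] = '%' . addcslashes($term, '%_\\') . '%';
        }
        $where[] = '(' . implode(' OR ', $like) . ')';
    }
    $where[] = 'yz = 1';

    // $pre is the configured table prefix; LIMIT is forced to a positive integer.
    $sql = sprintf('SELECT * FROM %scontent WHERE %s ORDER BY list DESC LIMIT %d',
                   $pre, implode(' AND ', $where), max(1, $rows));
    $stmt = $pdo->prepare($sql);
    $stmt->execute($params);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}
```

Because the keyword terms are bound parameters, splitting on whitespace or using /**/ in place of spaces changes only the search text, never the query structure.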
It still works; a qibo site where it succeeded: http://tongyuxian.com/
...
Severity: no impact, ignored by vendor
Ignored at: 2014-12-30 14:44
Vendor response: none