乌云(WooYun.org)历史漏洞查询---http://wy.zone.ci/
乌云 Drops 文章在线浏览--------http://drop.zone.ci/
2015-04-09: 积极联系厂商并且等待厂商认领中,细节不对外公开 2015-05-24: 厂商已经主动忽略漏洞,细节向公众公开
phpems 多处sql注射
百度搜索:title:PHPEMS无纸化模拟考试系统
ev.cls.php:
public function getClientIp() { if(!isset($this->e['ip'])) { if (getenv("HTTP_CLIENT_IP") && strcasecmp(getenv("HTTP_CLIENT_IP"), "unknown")) $ip = getenv("HTTP_CLIENT_IP"); else if (getenv("HTTP_X_FORWARDED_FOR") && strcasecmp(getenv("HTTP_X_FORWARDED_FOR"), "unknown")) $ip = getenv("HTTP_X_FORWARDED_FOR"); else if (getenv("REMOTE_ADDR") && strcasecmp(getenv("REMOTE_ADDR"), "unknown")) $ip = getenv("REMOTE_ADDR"); else if (isset($_SERVER['REMOTE_ADDR']) && $_SERVER['REMOTE_ADDR'] && strcasecmp($_SERVER['REMOTE_ADDR'], "unknown")) $ip = $_SERVER['REMOTE_ADDR']; else $ip = "unknown"; $this->e['ip'] = $ip; } return $this->e['ip']; }
搜索:getClientIp
举一个例子:app.php:
public function register() { if($this->ev->get('userregister')) { $fob = array('admin','管理员','站长'); $args = $this->ev->get('args'); $defaultgroup = $this->user->getDefaultGroup(); if(!$defaultgroup['groupid'] || !trim($args['username'])) { $message = array( 'statusCode' => 300, "message" => "用户不能注册" ); exit(json_encode($message)); } $username = $args['username']; foreach($fob as $f) { if(strpos($username,$f) !== false) { $message = array( 'statusCode' => 300, 'errorinput' => 'args[username]', "message" => "用户已经存在" ); exit(json_encode($message)); } } $user = $this->user->getUserByUserName($username); if($user) { $message = array( 'statusCode' => 300, 'errorinput' => 'args[username]', "message" => "用户已经存在" ); exit(json_encode($message)); } $email = $args['useremail']; $user = $this->user->getUserByEmail($email); if($user) { $message = array( 'statusCode' => 300, 'errorinput' => 'args[username]', "message" => "邮箱已经被注册" ); exit(json_encode($message)); } $id = $this->user->insertUser(array('username' => $username,'usergroupid' => $defaultgroup['groupid'],'userpassword' => md5($args['userpassword']),'useremail' => $email)); $this->session->setSessionUser(array('sessionuserid'=>$id,'sessionpassword'=>md5($args['userpassword']),'sessionip'=>$this->ev->getClientIp(),'sessiongroupid'=>$defaultgroup['groupid'],'sessionlogintime'=>TIME,'sessionusername'=>$username)); $message = array( 'statusCode' => 200, "message" => "操作成功",
未能联系到厂商或者厂商积极拒绝