乌云(WooYun.org)历史漏洞查询---http://wy.zone.ci/
乌云 Drops 文章在线浏览--------http://drop.zone.ci/
2015-12-03: 积极联系厂商并且等待厂商认领中,细节不对外公开 2016-01-17: 厂商已经主动忽略漏洞,细节向公众公开
rt
在官网下了个最新版,然后在webrock\webim\record目录下,recordAction.php代码:
public function dataAjax() { $atype = $this->request('atype'); $sid = $this->request('sid'); $aid = $this->request('aid'); $page = (int)$this->request('page', '1'); $fen = 20; $whes = $this->rock->dbinstr('receuid', $aid); $where = ""; if($atype == 'user'){ $where = "and ((`sendid`=$aid and `receid`=$sid) or (`sendid`=$sid and `receid`=$aid))"; } if($atype == 'group' || $atype == 'system' || $atype == 'dept'){ $where = "and `receid`=$sid and $whes "; } $count = m('im_mess')->rows("`type`='$atype' $where"); $maxpage= ceil($count / $fen); $sql = "select * from [Q]im_mess where `type`='$atype' $where order by `id` desc limit ".(($page-1)*$fen).",$fen"; //没有过滤就执行了 $rows = $this->db->getall($sql); if($atype != 'system'){ $snid = '0'; foreach($rows as $k=>$rs){ $snid .=','.$rs['sendid']; } if($snid != '0'){ $uarr = m('admin')->getall("`id` in($snid)", '`id`,`name`,`face`'); $_ursa= array(); foreach($uarr as $k=>$rs){ $rs['face'] = $this->rock->repempt($rs['face'], 'images/im/user100.png'); $_ursa[$rs['id']] = $rs; } foreach($rows as $k=>$rs){ $rows[$k]['sendname'] = $_ursa[$rs['sendid']]['name']; $rows[$k]['sendface'] = $_ursa[$rs['sendid']]['face']; } } }else{ foreach($rows as $k=>$rs){ $rows[$k]['sendname'] = ''; $rows[$k]['sendface'] = 'images/im/shezhi_blue.png'; } } echo json_encode(array( 'data' => $rows, 'count' => $count, 'page' => $page, 'maxpage' => $maxpage )); }
sql语句没有过滤就执行了,可以直接用sqlmap跑出来
拿官网demo做演示:其绝对路径可以由报错知道:
然后sqlmap:
其实已经传上去了
**.**.**.**/help1.php 密码 b374k
过滤
未能联系到厂商或者厂商积极拒绝