
eTopEIMS v1.0 Vulnerabilities and Fixes - Website Security - 自学php

Source: 自学PHP网    Time: 2015-04-17 14:47


2011-10-09 11:51 eTopEIMS v1.0 Vulnerabilities

Author: mer4en7y

Team: 90sec

Blog: www.hi.baidu.com/alonecode

1) SQL injection. There are several injection points; only one piece of code is shown here, from news.php:

    require_once('include/header.php');

    empty($_GET['id']) ? exit() : $nid = $_GET['id'];
    // $nid goes straight into the WHERE clause with no filtering or escaping
    $result = $mysql->select($tablepre.'news','',"WHERE `nid` = $nid");
    $record = $mysql->fetch($result,'1');
    $views = $record['views'] + 1;
    $mysql->update($tablepre.'news',"`views` = $views","WHERE `nid` = $nid");

The id parameter is not filtered.

2) File upload vulnerability (can be used to get a shell): Admin backend --> System Settings --> Flash Settings --> Edit Upload

Vulnerable file: common.func.php

    function upfile(){
        if (is_uploaded_file($_FILES['upfile']['tmp_name'])){
            $upfile = $_FILES['upfile'];
            $name = $upfile['name'];
            $type = $upfile['type'];   // MIME type as declared by the client
            $size = $upfile['size'];
            $tmp_name = $upfile['tmp_name'];
            $error = $upfile['error'];
            // The only content check: the client-supplied MIME type
            switch ($type){
                case 'image/jpeg':
                case 'image/jpg':
                case 'image/gif':
                case 'image/png':
                    $isupload = 1;
                    break;
                default:
                    $isupload = 0;
            }
            if ($isupload && $error == 0){
                // The extension is copied unchanged from the original filename
                $new_name = date("dHis") . '_' . rand(10000, 99999) . strrchr($name,'.');
                $file_path = createFolder() . $new_name;
                move_uploaded_file($tmp_name,$file_path);
            }
        }
        return substr($file_path,3);
    }

Only the MIME type is checked, so the check can be bypassed by modifying the request.

Fix: strengthen filtering and validation.
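The fix line above only says to strengthen filtering and validation; the following is an added example (not code from eTopEIMS or the advisory author) of what that means for both issues: the id parameter is validated as an integer and bound as a query parameter, and the upload is checked by its content and stored under a server-chosen name. The `$pdo` connection, the `$tablepre` prefix and the `$uploadDir` path are assumed inputs.

```php
<?php
// Added example (not code from eTopEIMS or the advisory): hardened counterparts
// of the two weaknesses above. $pdo, $tablepre and $uploadDir are assumed inputs.
declare(strict_types=1);

// 1) news.php: id must be a positive integer and is bound as a parameter,
//    so it cannot change the SQL text the way the interpolated $nid did.
function fetchNews(PDO $pdo, string $tablepre, array $get): ?array
{
    $nid = filter_var($get['id'] ?? '', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($nid === false) {
        return null;
    }
    $stmt = $pdo->prepare("SELECT * FROM `{$tablepre}news` WHERE `nid` = :nid");
    $stmt->execute([':nid' => $nid]);
    $record = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($record === false) {
        return null;
    }
    // Count the view in SQL rather than reading, adding in PHP and interpolating.
    $upd = $pdo->prepare("UPDATE `{$tablepre}news` SET `views` = `views` + 1 WHERE `nid` = :nid");
    $upd->execute([':nid' => $nid]);
    return $record;
}

// 2) common.func.php: the client-supplied $_FILES[...]['type'] is ignored.
//    The type is sniffed from the bytes and the extension is assigned from a
//    fixed allow-list, never taken from the uploaded filename.
function upfileSafe(array $file, string $uploadDir): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    $allowed = ['image/jpeg' => 'jpg', 'image/gif' => 'gif', 'image/png' => 'png'];
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    $info = @getimagesize($file['tmp_name']);
    // Both detectors must agree on an allowed image type.
    if (!isset($allowed[$mime]) || $info === false
        || image_type_to_mime_type($info[2]) !== $mime) {
        return null;
    }
    // Random server-chosen name: no user-controlled characters or extension.
    $newName = bin2hex(random_bytes(16)) . '.' . $allowed[$mime];
    if (!move_uploaded_file($file['tmp_name'], rtrim($uploadDir, '/') . '/' . $newName)) {
        return null;
    }
    return $newName;
}
```

Content sniffing cannot rule out a valid image that also carries script, so the upload directory should additionally be served with script execution disabled.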
