Software version: V2.0.5/20120412 (commercial, paid software)
Official website: www.phpweb.net

SQL injection

Vulnerable file: search/module/search.php (reached as /search/index.php?key=1&myord=1)

<?php
// ... omitting n lines ...
// Line 3:
$key = htmlspecialchars($_GET["key"]);     // only HTML-entity-encodes the value; MySQL injection is not affected by it
$page = htmlspecialchars($_GET["page"]);
$myord = htmlspecialchars($_GET["myord"]);
// ... omitting n lines ...
// both $key and $myord are carried into queries
// Line 47: $key
$fsql->query("select count(id) from {P}_news_con where iffb='1' and catid!='0' and (title regexp '$key' or body regexp '$key')");
// although the value goes into the query, with regexp I don't know how to bypass it..
// Line 197: $myord
$fsql->query($scl . "order by $myord desc limit $pagelimit");   // produces an injection
?>

Upload vulnerability

Vulnerable file: /kedit/upload_cgi/upload.php

<?php
define("ROOTPATH", "../../");
include(ROOTPATH . "includes/admin.inc.php");
// alert() is not shown on this page; it is assumed to come from admin.inc.php and to print the message and exit
NeedAuth(0);
$dt = date("Ymd", time());
if (!is_dir(ROOTPATH . $_POST['attachpath'] . $dt)) {
    @mkdir(ROOTPATH . $_POST['attachpath'] . $dt, 0777);
}
// directory the file is saved in
$save_path = ROOTPATH . $_POST['attachpath'] . $dt . '/';
echo $save_path;
// URL of the file storage directory
$save_url = '../../' . $_POST['attachpath'] . $dt . '/';
// file extensions that may be uploaded
$ext_arr = array('gif', 'jpg', 'png', 'bmp');   // restricts the suffix
// maximum file size
$max_size = 1000000;
// change the directory permission
@mkdir($save_path, 0777);
// full path of the file: the client-supplied file name is used as the saved name
$file_path = $save_path . $_POST['filename'];
// file URL
$file_url = $save_url . $_POST['filename'];
// when a file is uploaded
if (empty($_FILES) === false) {
    // original file name
    $file_name = $_FILES['filedata']['name'];
    // temporary file name on the server
    $tmp_name = $_FILES['filedata']['tmp_name'];
    // file size
    $file_size = $_FILES['filedata']['size'];
    // check the directory
    if (@is_dir($save_path) === false) {
        alert("The upload directory does not exist.");
    }
    // check the directory write permission
    if (@is_writable($save_path) === false) {
        alert("The upload directory has no write permission.");
    }
    // check whether this really is an uploaded file
    if (@is_uploaded_file($tmp_name) === false) {
        alert("The temporary file may not be an uploaded file.");
    }
    // check the file size
    if ($file_size > $max_size) {
        alert("The size of the uploaded file exceeds the limit.");
    }
    // get the file extension (from the POSTed name, not from the uploaded file's own name)
    $temp_arr = explode(".", $_POST['filename']);
    $file_ext = array_pop($temp_arr);
    $file_ext = trim($file_ext);
    $file_ext = strtolower($file_ext);
    // check the extension
    if (in_array($file_ext, $ext_arr) === false) {
        alert("The file upload extension is not allowed.");
    }
    // move the file
    // not renamed: although the suffix is filtered, the IIS 6 parsing vulnerability still applies ^_^
    if (move_uploaded_file($tmp_name, $file_path) === false) {
        alert("File upload failed.");
    }
    @chmod($file_path, 0666);
}
?>

On IIS 6.0 you can get a shell by capturing the upload request and changing the filename in the packet to xx.php112111.jpg. On the Apache build with magic_quotes_gpc = off, you can consider null-byte (0) truncation instead, or bypass it through the back-end configuration-file writing, where the page creation is inserted into... If you have not found a way to get a shell, you can study it further.
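As an added example that is not PHPWeb's code or part of this advisory: hardened counterparts to the two weak spots above, the `order by $myord` interpolation and the extension check done on `$_POST['filename']` with the file saved under that name. Function names, the column whitelist, the MIME list and the upload directory are my assumptions.

```php
<?php
// Added example, not PHPWeb code. Column names and helper names are assumed.

// 1. An ORDER BY column cannot be bound as a prepared-statement parameter,
//    so the request value is only used to pick an entry from a fixed whitelist.
function safeOrderBy(string $requested): string
{
    $allowed = ['id', 'title', 'hits'];                     // assumed column names
    $column  = in_array($requested, $allowed, true) ? $requested : 'id';
    return "order by `$column` desc";                       // the input itself is never interpolated
}

// 2. The upload target is derived from the uploaded file alone: the last
//    extension of its own name is whitelisted, the content is sniffed, and the
//    stored name is random, so neither $_POST['filename'] nor $_POST['attachpath']
//    can influence the saved path or suffix.
function safeUploadTarget(array $file, string $baseDir): ?string
{
    $allowedExt  = ['gif', 'jpg', 'png', 'bmp'];
    $allowedMime = ['image/gif', 'image/jpeg', 'image/png', 'image/bmp', 'image/x-ms-bmp'];
    $maxSize     = 1000000;

    if (!isset($file['tmp_name'], $file['name'], $file['size'])
        || $file['size'] > $maxSize
        || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    // A double-extension name like the advisory's xx.php112111.jpg still yields
    // "jpg" here, which is exactly why the client name is never reused below.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!in_array($ext, $allowedExt, true)) {
        return null;
    }
    // Check the bytes, not just the name: finfo reads the file's magic signature.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!in_array($mime, $allowedMime, true)) {
        return null;
    }
    $dir = rtrim($baseDir, '/') . '/' . date('Ymd');          // server-chosen directory
    if (!is_dir($dir) && !mkdir($dir, 0755, true)) {
        return null;
    }
    return $dir . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
}

// Usage (field name 'filedata' as in the advisory's script; directory assumed):
// $target = safeUploadTarget($_FILES['filedata'] ?? [], __DIR__ . '/uploads');
// if ($target === null || !move_uploaded_file($_FILES['filedata']['tmp_name'], $target)) {
//     http_response_code(400); exit;
// }
```

The upload directory should also be served without script execution, since a whitelist on name and content is a second line of defence, not a substitute for that server configuration.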