PHPYun v3.2 (20141222) frontend second-order SQL injection (demo test: dumps the admin password directly)
Non-blind injection: the admin data is output directly.
Verified on the demo site as well.
In ask/model/index.class.php:
function attention_action() {
    $this->is_login(); // the member must be logged in
    $is_set = $this->obj->DB_select_once("attention", "`uid`='".$this->uid."' and `type`='".(int)$_POST['type']."'");
    // type 1 is a question
    if ($_POST['type'] == '1') {
        $info = $this->obj->DB_select_once("question", "`id`='".(int)$_POST['id']."'", "`id`,`title`,`uid`");
        $gourl = $this->aurl(array("url" => "c:content,id:".$info['id']));
        $content   = "followed <a href=\"".$gourl."\" target=\"_blank\">".$info['title']."</a>.";
        $n_contemt = "cancelled following <a href=\"".$gourl."\" target=\"_blank\">《".$info['title']."》</a>.";
        $log   = "followed 《".$info['title']."》";
        $n_log = "cancelled following 《".$info['title']."》";
    } else {
        // note: no (int) cast on $_POST['id'] in this branch
        $info = $this->obj->DB_select_once("q_class", "`id`='".$_POST['id']."'", "`id`,`name`");
        $gourl = $this->aurl(array("url" => "c:getclass,id:".$info['id']));
        $content   = "followed <a href=\"".$gourl."\" target=\"_blank\">".$info['name']."</a>.";
        $n_contemt = "cancelled following <a href=\"".$gourl."\" target=\"_blank\">".$info['name']."</a>.";
        $log   = "followed ".$info['name'];
        $n_log = "cancelled following ".$info['name']."</a>.";
    }
    if ($info['uid'] == $this->uid) {
        echo '4';
    } else if (is_array($is_set)) {
        // $is_set is empty on the first request, so this branch is skipped; on the second
        // request it is an array and this branch runs, which is why one account is enough for this hole.
        $ids = @explode(',', $is_set['ids']);
        if (in_array($_POST['id'], $ids)) {
            if ($_POST['type'] == '1') {
                echo '2';
            } else {
                foreach ($ids as $k => $v) {
                    if ($v != $_POST['id']) {
                        $i_ids[] = $v;
                    }
                }
                if ($i_ids) {
                    $n_id = $this->obj->update_once("attention", array("ids" => @implode(',', $i_ids)), array("id" => $is_set['id']));
                } else {
                    $n_id = $this->obj->DB_delete_all("attention", "`id`='".$is_set['id']."'");
                }
                if ($n_id) {
                    $data['uid']     = $this->uid;
                    $data['content'] = $n_contemt;
                    $data['ctime']   = time();
                    $this->obj->insert_into("friend_state", $data);
                    $this->obj->member_log($n_log);
                    echo '3';
                }
            }
        } else {
            // id not yet in the list; the first time through $is_set['ids'] is null
            $i_ids = $is_set['ids'].','.$_POST['id']; // $_POST['id'] is concatenated in raw here, so the stored list is partially controllable
            $n_id = $this->obj->update_once("attention", array("ids" => $i_ids), array("id" => $is_set['id']));
            // if ($n_id) ...
        }
    }
    // ... (rest of the function not shown in the original)
}
function attenquestion_action() {
    if ($this->uid == '') {
        $this->obj->ACT_msg($_SERVER['HTTP_REFERER'], "Please log in first!");
    }
    $this->public_action();
    $ids = $this->obj->DB_select_once("attention", "`uid`='".$this->uid."' and `type`='1'", "`ids`"); // the stored list is read back from the database here
    $ids = rtrim($ids['ids'], ','); // assigned to $ids
    $pageurl = $this->aurl(array("url" => "c:".$_GET['c'].",page:{page}"));
    $question = $this->get_page("question", "`id` in (".$ids.") order by `add_time` desc", $pageurl, "10"); // the stored list goes straight into the IN (...) clause
    if (!empty($question)) {
        foreach ($question as $k => $v) {
            $uid[] = $v['uid'];
        }
        $uids = implode(',', $uid);
        $friend_info = $this->obj->DB_select_all("friend_info", "`uid` in (".$uids.")", "`uid`,`pic`");
        foreach ($question as $key => $val) {
            foreach ($friend_info as $k => $v) {
                if ($val['uid'] == $v['uid']) {
                    if ($v['pic']) {
                        $question[$key]['pic'] = $v['pic'];
                    } else {
                        $question[$key]['pic'] = $this->config['sy_weburl'].'/'.$this->config['sy_friend_icon'];
                    }
                }
            }
        }
    }
    $this->yunset("question", $question); // the query result is rendered directly here
}
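A defensive counterpart, added here and not PHPYun's own code: the stored `ids` list is validated on the write side and again on the read side, so a non-numeric value can never reach the `id` IN (...) clause even if it was written by an unfiltered path. The helper names are hypothetical; it assumes the comma-separated `ids` column shown above.

```php
<?php
// Added example, not PHPYun code. Hypothetical helpers for the `ids` list used by
// attention_action() (write side) and attenquestion_action() (read side).

// Write side: whichever branch handles the request, only a positive integer id is stored.
function append_attention_id(?string $stored_ids, $posted_id): string {
    if (!ctype_digit((string)$posted_id)) {
        throw new InvalidArgumentException('id must be a positive integer');
    }
    $ids = array_values(array_filter(explode(',', (string)$stored_ids), 'strlen'));
    $id  = (string)(int)$posted_id;
    if (!in_array($id, $ids, true)) {
        $ids[] = $id;
    }
    return implode(',', $ids);
}

// Read side: data already in the database is not trusted either. Every element is
// re-validated before the list is interpolated into `id` IN (...).
function build_in_list(string $stored_ids): string {
    $clean = array();
    foreach (explode(',', $stored_ids) as $v) {
        $v = trim($v);
        if ($v === '') {
            continue; // tolerate leading/trailing commas such as ",3751"
        }
        if (!ctype_digit($v)) {
            throw new UnexpectedValueException("non-numeric id in stored list: $v");
        }
        $clean[] = (int)$v;
    }
    // IN () is a syntax error; IN (0) simply matches no rows.
    return $clean ? implode(',', $clean) : '0';
}

// Constructed inputs: a clean list, an empty list, and one carrying a quote
// the way a raw $_POST['id'] would.
echo build_in_list(",3751, 12"), "\n";        // 3751,12
echo append_attention_id(null, "3751"), "\n"; // 3751
try {
    build_in_list("3751,12'");
} catch (UnexpectedValueException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
```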
// global POST filter: skipped entirely when the request carries a valid safekey
if ($config['sy_istemplate'] != '1' || md5(md5($config['sy_safekey']).$_GET['m']) != $_POST['safekey']) {
    foreach ($_POST as $id => $v) {
        $str = html_entity_decode($v, ENT_QUOTES, "GB2312");
        $v   = common_htmlspecialchars($id, $v, $str, $config);
        safesql($id, $v, "POST", $config);
        $id  = sfkeyword($id, $config);
        $v   = sfkeyword($v, $config);
        $_POST[$id] = $v;
    }
}
Now to get past the global filter.
http://www.hr135.com/company/index.php?m=index&c=index&id=3751&style=../../template/admin&tp=/admin_web_config
Once the key is obtained, compute the safekey and the filter is bypassed.
Send the request twice.
Then visit web/phpyun32/ask/index.php?m=index&c=attenquestion
The data is output directly. I tested this on the demo site.
Something amusing here: the demo site runs SafeDog. I had bypassed the global injection filter, but I still had not got past SafeDog.
I couldn't be bothered to study SafeDog, so I just output a "hello phpyun".
Then continue.
The data is output successfully.
Solution:
Endless filtering.