当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2014-062116

漏洞标题:162100网址导航本地包含漏洞(有环境限制)

相关厂商:162100网址导航

漏洞作者: Xser

提交时间:2014-05-27 10:33

修复时间:2014-08-25 10:34

公开时间:2014-08-25 10:34

漏洞类型:文件包含

危害等级:低

自评Rank:15

漏洞状态:未联系到厂商或者厂商积极忽略

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2014-05-27: 积极联系厂商并且等待厂商认领中,细节不对外公开
2014-08-25: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

162100网址导航本地包含 #

详细说明:

162100网址导航本地包含 #
漏洞页面:
mingz.php

漏洞证明:

漏洞页面:
mingz.php

<?php
/* 名站模块 */
/* 162100源码 - 162100.com */
@ require ('set/set.php');
@ require ('set/set_sql.php');
@ require ('set/set_area.php');
if (!function_exists('get_m')) {
function get_m($v) {
global $web, $n;
$text = '';
if ($web['link_type'] == 1) {
//$link = '"export.php?url=".urlencode($h[0]).""';
$link = '"".($h[3] == "js" ? $h[0] : "export.php?url=".urlencode($h[0])).""';
} else {
$link = '"".($h[3] == "js" ? "export.php?url=".urlencode($h[0]) : $h[0]).""';
}
if ($v = trim($v)) {
$total_arr = @explode("\n", $v);
$n = count($total_arr);
if ($n > 0) {
$text .= '<div id="mingz_">';
foreach ($total_arr as $each) {
$h = @explode("|", trim($each));
$text .= '<span><a onclick="addM(this)" href="'.eval('return '.$link.';').'"'.($h[2] != '' ? ' class="'.$h[2].'"' : '').'>'.$h[1].'</a></span>';
}
$text .= '</div>';
}
}
return $text;
}
}
$_GET['run'] = (string)$_GET['run'];
if ($_GET['run'] == 'collection') {
$title = '自定义网址';
$require = 'collection';
} elseif ($_GET['run'] == 'notepad') {
$title = '记事本';
$require = 'notepad';
} elseif ($_GET['run'] == 'search_site') {
$title = '站内搜索';
$require = 'search_site';
} else {
if (array_key_exists($_GET['run'], $web['area']['mingz'])) {
$title = $web['area']['mingz'][$_GET['run']][0];
$text = '';
$n = 0;
if (!isset($sql['db_err'])) {
db_conn();
}
if ($sql['db_err'] == '') {
echo 'SELECT class_title,http_name_style,class_priority FROM `'.$sql['pref'].'162100` WHERE column_id="mingz" AND class_id="'.$_GET['run'].'" AND detail_title="" LIMIT 1', $db;
$result = @mysql_query('SELECT class_title,http_name_style,class_priority FROM `'.$sql['pref'].'162100` WHERE column_id="mingz" AND class_id="'.$_GET['run'].'" AND detail_title="" LIMIT 1', $db);
if ($row = @mysql_fetch_assoc($result)) {

$text .= (preg_replace('/<style.+<\/style>/isU', '', trim($row['class_priority'])) != '' ? '<style type="text/css">
<!--
.class_priority {}
-->
</style><div class="class_priority">'.$row['class_priority'].'</div>' : $row['class_priority']).''.get_m($row['http_name_style']).'';
} else {
$err = '数据为空或读取失败!';
}
@mysql_free_result($result);
} else {
$err = $sql['db_err'];
}
@mysql_close();
} else {
$title = '参数出错!';
}
}
?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta http-equiv="Page-Enter" content="blendTrans(Duration=1)" />
<meta http-equiv="Page-Exit" content="blendTrans(Duration=1)" />
<title><?php echo $title.' - '.$web['sitename2'], $web['code_author']; ?></title>
<base target="_blank" />
<link href="inc/css/css_base.css" rel="stylesheet" type="text/css">
<link href="inc/css/style/color_<?php echo preg_replace('/_\d+$/', '', $web['cssfile']); ?>/css.css" rel="stylesheet" type="text/css" id="my_style_color">
<link href="inc/css/style/bj_<?php echo $web['cssfile']; ?>/css.css" rel="stylesheet" type="text/css" id="my_style_bj">
<style type="text/css">
<!--
body { width:720px; background-color:transparent; background-image:none; }
-->
</style>
<script type="text/javascript" language="javaScript" src="inc/js/main.js"></script>
<script language="javascript" type="text/javascript">
<!--
//调出用户信息弹窗
window.onload=function(){
document.body.style.backgroundColor='#FFFFFF';
try {
parent.document.getElementById('t1Frame').height=document.body.offsetHeight;
}catch(e){
}
}
//-->
</script>
</head>
<body>
<?php
//<!-- require -->
if (isset($require)) {
@ require ('inc/run/get_mingz_'.$require.'.php');//此处是个本地包含漏洞。
} else {
echo $text, $err;
}
//<!-- /require -->
?>
</body>
</html>


环境需要开启gloabs全局
利用如图:

111457y5uuziw35m7huzku.png

修复方案:

过滤

版权声明:转载请注明来源 Xser@乌云


漏洞回应

厂商回应:

未能联系到厂商或者厂商积极拒绝


漏洞评价:

评论