利用SQL注入缺陷进行攻击的方法及代码
来源:黑客基地
作者:
时间:2007-03-02
PHP代码/位置:
| ?/modules/Members_List/index.php :
------------------------------------------------------------------------
[...]
// Reviewer notes (member-list query):
// - The COUNT query and the SELECT query are both assembled by string
//   concatenation. $letter, $sortby, $min and $max go into the SQL text with no
//   escaping, type check or allowlist anywhere in this excerpt.
// - How those variables are populated is not shown here; the article presents
//   this code as the injection point, so presumably they are request-supplied.
//   TODO confirm against the full file.
// - NOTE(review): the quoting inside the SQL strings looks lost in publication
//   (e.g. `uname != Anonymous`, `like ".$letter."%`). Presumably the upstream
//   file wraps these values in single quotes; verify before relying on the
//   exact text.
// - Mitigation: bind $letter as a prepared-statement parameter (append the %
//   wildcard to the bound value), pick the ORDER BY column from a fixed
//   allowlist, and cast $min/$max to integers before building the LIMIT clause.
$count = "SELECT COUNT(uid) AS total FROM ".$user_prefix."_users ";
$select = "select uid, name, uname, femail, url from ".$user_prefix."_users ";
$where = "where uname != Anonymous ";
if ( ( $letter != "Other" ) AND ( $letter != "All" ) ) {
    // $letter is appended to the WHERE clause as-is.
    $where .= "AND uname like ".$letter."% ";
} else if ( ( $letter == "Other" ) AND ( $letter != "All" ) ) {
    $where .= "AND uname REGEXP \"^\[1-9]\" ";
} else {
    $where .= "";
}
// An ORDER BY target cannot be bound as a parameter, so $sortby needs an
// explicit allowlist of column names.
$sort = "order by $sortby";
$limit = " ASC LIMIT ".$min.", ".$max;
$count_result = sql_query($count.$where, $dbi);
// mysql_result() belongs to the mysql_* extension, which was removed in PHP 7.
$num_rows_per_order = mysql_result($count_result,0,0);
$result = sql_query($select.$where.$sort.$limit, $dbi) or die();
echo "<br>";
if ( $letter != "front" ) {
    echo "<table width=\"100%\" border=\"0\" cellspacing=\"1\"><tr>\n";
    echo "<td BGCOLOR=\"$bgcolor4\" align=\"center\"><font color=\"$textcolor2\"><b>"._NICKNAME."</b></font></td>\n";
    echo "<td BGCOLOR=\"$bgcolor4\" align=\"center\"><font color=\"$textcolor2\"><b>"._REALNAME."</b></font></td>\n";
    echo "<td BGCOLOR=\"$bgcolor4\" align=\"center\"><font color=\"$textcolor2\"><b>"._EMAIL."</b></font></td>\n";
    echo "<td BGCOLOR=\"$bgcolor4\" align=\"center\"><font color=\"$textcolor2\"><b>"._URL."</b></font></td>\n";
    $cols = 4;
[...]
------------------------------------------------------------------------
/modules/Your_Account/index.php :
// Reviewer notes (dispatcher):
// - $op selects the handler, and each case forwards loose variables straight
//   into it. Nothing is validated or cast at this level, so any validation has
//   to happen inside the handlers. Only saveuser() is shown on this page.
switch($op) {
[...]
    case "mailpasswd":
        mail_password($uname, $code);
        break;
    case "userinfo":
        userinfo($uname, $bypass, $hid, $url);
        break;
    case "login":
        login($uname, $pass);
        break;
[...]
    case "saveuser":
        saveuser($uid, $realname, $uname, $email, $femail, $url, $pass, $vpass, $bio, $user_avatar, $user_icq, $user_occ, $user_from, $user_intrest, $user_sig, $user_aim, $user_yim, $user_msnm, $attach, $newsletter);
        break;
[...]
    case "savehome":
        savehome($uid, $uname, $storynum, $ublockon, $ublock, $broadcast, $popmeson);
        break;
    case "savetheme":
        savetheme($uid, $theme);
        break;
[...]
    case "savecomm":
        savecomm($uid, $uname, $umode, $uorder, $thold, $noscore, $commentmax);
        break;
[...]
}
------------------------------------------------------------------------
/modules/Your_Account/index.php :
[...]
// saveuser(): checks the caller against the values held in $Cookie, then
// writes the submitted profile fields to the users table and re-issues the
// login cookie. The listing is cut off before the function ends.
//
// Reviewer notes:
// - Every SQL statement in this function interpolates variables directly into
//   the statement text. Only $bio passes through filter_text()/FixQuotes();
//   the other profile fields, $uid and the cookie-derived $check reach
//   sql_query() unchanged in this excerpt.
// - Mitigation: use prepared statements with bound parameters for every value,
//   cast $uid to an integer, and treat cookie contents as untrusted input.
function saveuser($uid, $realname, $uname, $email, $femail, $url, $pass, $vpass, $bio, $user_avatar, $user_icq, $user_occ, $user_from, $user_intrest, $user_sig, $user_aim, $user_yim, $user_msnm, $attach, $newsletter) {
    global $user, $Cookie, $userinfo, $EditedMessage, $user_prefix, $dbi, $module_name;
    // Presumably Cookiedecode() fills $Cookie from the client-held $user cookie,
    // which would make $check and $check2 client-controlled. Verify in
    // Cookiedecode().
    Cookiedecode($user);
    $check = $Cookie[1];
    $check2 = $Cookie[2];
    // $check is placed into the WHERE clause without escaping.
    $result = sql_query("select uid, pass from ".$user_prefix."_users where uname=$check", $dbi);
    list($vuid, $ccpass) = sql_fetch_row($result, $dbi);
    // The ownership check depends on the row returned by the query above and
    // uses loose (==) comparison on both values.
    if (($uid == $vuid) AND ($check2 == $ccpass)) {
        // NOTE(review): the ';' after "http://" looks like a publication
        // artifact. eregi() itself was removed in PHP 7.
        if (!eregi("http://";, $url)) {
            $url = "http://$url";
        }
        if ((isset($pass)) && ("$pass" != "$vpass")) {
            echo "<center>"._PASSDIFFERENT."</center>";
        // $minpass is neither a parameter nor in the global list above, so as
        // shown it is undefined here and the minimum-length test cannot trigger.
        } elseif (($pass != "") && (strlen($pass) < $minpass)) {
            echo "<center>"._YOUPASSMUSTBE." 
<b>$minpass</b> "._CHARLONG."</center>";
        } else {
            if ($bio) {
                // filter_text() returns its result through the global
                // $EditedMessage. What FixQuotes() escapes is not shown here.
                filter_text($bio);
                $bio = $EditedMessage;
                $bio = FixQuotes($bio);
            }
            if ($pass != "") {
                Cookiedecode($user);
                sql_query("LOCK TABLES ".$user_prefix."_users WRITE", $dbi);
                // Unsalted MD5 is not a suitable password hash; the current
                // replacement is password_hash()/password_verify().
                $pass = md5($pass);
                // All profile fields and $uid are interpolated into the UPDATE.
                sql_query("update ".$user_prefix."_users set name=$realname, email=$email, femail=$femail, url=$url, pass=$pass, bio=$bio , user_avatar=$user_avatar, user_icq=$user_icq, user_occ=$user_occ, user_from=$user_from, user_intrest=$user_intrest, user_sig=$user_sig, user_aim=$user_aim, user_yim=$user_yim, user_msnm=$user_msnm, newsletter=$newsletter where uid=$uid", $dbi);
                // The row used for the new cookie is looked up by the submitted
                // $uname, again through string interpolation.
                $result = sql_query("select uid, uname, pass, storynum, umode, uorder, thold, noscore, ublockon, theme from ".$user_prefix."_users where uname=$uname and pass=$pass", $dbi);
                if(sql_num_rows($result, $dbi)==1) {
                    $userinfo = sql_fetch_array($result, $dbi);
                    // commentmax is not in the SELECT list above, so
                    // $userinfo[commentmax] is not populated by this query.
                    doCookie($userinfo[uid],$userinfo[uname],$userinfo[pass],$userinfo[storynum], $userinfo[umode],$userinfo[uorder],$userinfo[thold],$userinfo[noscore],$userinfo[ublockon], $userinfo[theme],$userinfo[commentmax]);
                } else {
                    echo "<center>"._SOMETHINGWRONG."</center><br>";
                }
// [the listing ends here on the source page; the function's remaining lines are not shown]
0

