当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2012-08213

漏洞标题:爱丽27.cn源码下载

相关厂商:爱丽

漏洞作者: loopx9

提交时间:2012-06-12 14:30

修复时间:2012-07-27 14:30

公开时间:2012-07-27 14:30

漏洞类型:系统/服务运维配置不当

危害等级:低

自评Rank:3

漏洞状态:未联系到厂商或者厂商积极忽略

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2012-06-12: 积极联系厂商并且等待厂商认领中,细节不对外公开
2012-07-27: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

nginx应该是取消了php解析导致下载漏洞产生

详细说明:

php没有解析直接出源码.

漏洞证明:

http://www.27.cn/global.php


http://www.27.cn/include/data.class.php


<?php
/**
 * [aili.com] (C)2001-2009 aili.com Inc.
 * This is NOT a freeware, use is subject to license terms
 * $RCFfile: data.class.php $
 * $Revision: 1.1 $
 * $Date: 2009/08/25 17:45:00 $
 */
/**
 * This is a class to database and create the thumbs for them.
 * require global.php data.class.php
 */
if(!defined('IN_CMS')) {
	exit('Access Denied');
}
class DBbase_Sql {
	var $Host     = 'localhost';
	var $Database = 'newcms';
	var $User     = 'new27cn';
	var $Password = 'FD%^%df5636FPEe6546PRVCME';
	var $Link_ID  = 0;
	var $Query_ID = 0;
	var $Record   = array();
	var $Row;
	var $Errno    = 0;
	var $Error    = "";
	var $Auto_free   = 0;
	var $Auto_commit = 0;
	function connect(){
/*		if ( 0 == $this->Link_ID ){
			$this->Link_ID=mysql_connect($this->Host, $this->User, $this->Password);
			if (!$this->Link_ID) {
				$this->halt("Link-ID == false, connect failed");
			}
			if (!mysql_query(sprintf("use %s",$this->Database),$this->Link_ID)) {
				$this->halt("cannot use database ".$this->Database);
			}
		}*/
		if ( 0 == $this->Link_ID ){
			$this->Link_ID=mysql_connect($this->Host, $this->User, $this->Password);
			if (!$this->Link_ID) {
				$this->halt("Link-ID == false, connect failed");
			}
			if (!mysql_select_db($this->Database,$this->Link_ID)) {
				$this->halt("cannot use database ".$this->Database);
			}
		}
		if(!mysql_ping($this->Link_ID)) {
		 mysql_close($this->Link_ID);
		$this->Link_ID = 0;
		$this->Link_ID = $this->connect();
		}
	}
	function query($Query_String){
		$this->connect();
		mysql_query("SET NAMES gbk",$this->Link_ID);
		$this->Query_ID = mysql_query($Query_String,$this->Link_ID);
		$this->outputsql($Query_String);
		$this->Row = 0;
		$this->Error = $this->Database;
		if (!$this->Query_ID) {
		  $this->halt("Invalid SQL: ".$Query_String);
		}
		return $this->Query_ID;
	}
	function outputsql($Query_String){
		if($_GET['sql_debug_open']=='debug'){
			@file_put_contents('sql.log',$Query_String."\r\n",FILE_APPEND);
		}
		$this->Query_String=$Query_String;
	}
	function fetch_array(){
		return mysql_fetch_array($this->Query_ID);
	}
	function next_record(){
		$this->Record = mysql_fetch_array($this->Query_ID);
		$this->Row += 1;
		$stat = is_array($this->Record);
		if (!$stat && $this->Auto_free) {
			mysql_free_result($this->Query_ID);
			$this->Query_ID = 0;
		}
		return $stat;
	}
	function seek($pos){
		$status = mysql_data_seek($this->Query_ID, $pos);
		if ($status) {
			$this->Row = $pos;
		}
		return;
	}
	function metadata($table){
		$count = 0;
		$id    = 0;
		$res   = array();
		$this->connect();
		$id = @mysql_list_fields($this->Database, $table);
		if ($id < 0) {
			$this->halt("Metadata query failed.");
		}
		$count = mysql_num_fields($id);
		for ($i=0; $i<$count; $i++) {
			$res[$i]["table"] = mysql_field_table ($id, $i);
			$res[$i]["name"]  = mysql_field_name  ($id, $i);
			$res[$i]["type"]  = mysql_field_type  ($id, $i);
			$res[$i]["len"]   = mysql_field_len   ($id, $i);
			$res[$i]["flags"] = mysql_field_flags ($id, $i);
			$res["meta"][$res[$i]["name"]] = $i;
			$res["num_fields"]= $count;
		}
		mysql_free_result($id);
		return $res;
	}
	function affected_rows(){
		return mysql_affected_rows($this->Link_ID);
	}
	function num_rows(){
		return mysql_num_rows($this->Query_ID);
	}
	function num_fields(){
		return mysql_num_fields($this->Query_ID);
	}
	function nf(){
		return $this->num_rows();
	}
	function f($Name){
		return $this->Record[$Name];
	}
	function pos(){
		return $this->Row;
	}
	function instid(){
		return mysql_insert_id($this->Link_ID);
	}
	function substr_cut($str_cut,$length = 30){  
		if (strlen($str_cut) > $length){ 
			for($i=0; $i < $length; $i++){ 
				if (ord($str_cut[$i]) > 128){
					$i++;
				}	
				$str_cut = substr($str_cut,0,$i); 
			}
			return $str_cut;
		}
	}
	function halt($message){
		printf("System Maintenance......<br>Please wait Try.".$message);
	}
 
	function escape_string($message){
		return mysql_escape_string($message);
	}
 
	function strformat($message){
		return stripslashes($message);
	}
  
	function in_($message){
		$message = str_replace('&amp;','&',$message);
		$message = str_replace('&nbsp;',' ',$message);
		$message = str_replace('"','&quot;',$message);
		$message = str_replace("'",'&#39;',$message);
		$message = str_replace("<","&lt;",$message);
		$message = str_replace(">","&gt;",$message);
		$message = str_replace("\t","&nbsp;&nbsp;",$message);
		$message = str_replace("\r","",$message);
		$message = str_replace(" ","&nbsp;",$message);
		$message=str_replace("(","?",$message);
		$message=str_replace(")","?",$message);
		$message=addslashes($message);
		return $message;
	}
 
	function out_($message){
		$message=str_replace("'","?",$message);
		$message=str_replace(";","?",$message);
		$message=str_replace("("," (",$message);
		$message=str_replace(")","?",$message);
		$message=ereg_replace(" {2}","&nbsp;&nbsp;",nl2br(htmlspecialchars(stripslashes($message)))); 
		return $message;
	}
 
	function trimall(&$items){
		 array_walk($items,"trim_value");
	}
  
	function trim_value(&$value){ 
		$value = trim($value); 
	}
	function free_result(){
		mysql_free_result($this->Query_ID);
	}
	function close_mysql(){
		mysql_close($this->Link_ID);
	}
}
?>

修复方案:

版权声明:转载请注明来源 loopx9@乌云

漏洞回应

厂商回应:

未能联系到厂商或者厂商积极拒绝

漏洞Rank:7 (WooYun评价)