2015-04-19: 细节已通知厂商并且等待厂商处理中 2015-04-24: 厂商已经主动忽略漏洞,细节向公众公开
http://www.10jqka.com.cn/ia/index.php~
http://www.10jqka.com.cn/ia/mod.php~
http://www.10jqka.com.cn/modules.php~
http://www.10jqka.com.cn/modules/toplist/get_js.php~
http://www.10jqka.com.cn/modules/trade/get_user_trade_info.php~
http://www.10jqka.com.cn/kid_mammon/config.inc
<?php// Invest Assis Main Filerequire_once("include/global.php");require_once("include/sess.php");require_once("config.php");sess_start();sess_get($is_customer, "is_customer");//print_r($aaa);// Invoker check$invoker = chk_invoker();$mod_name = $_REQUEST[name];$entry = $_REQUEST[entry];// 弥补工程部错误的将其他模块发布if(!in_array($mod_name,$allowed_module) && !preg_match('/^172\.16\.\d{1,3}\.\d{1,3}$/', $_SERVER[REMOTE_ADDR])){ header("Location: http://www.10jqka.com.cn/ia/building.html"); exit;}// 弥补结束if(empty($mod_name)){ //$mod_name = "invest_center"; header("Location: http://www.10jqka.com.cn/web_club/"); exit;}if(empty($entry)){ $entry = "index";}$title = get_page_title($mod_name);// Create global smarty$smar = new IA_Smarty;//$caching = SMARTY_CATCHING;//$cache_lifetime = 0;// If not a customer, go Index.php $auth_result = chk_user_new("", "", $_REQUEST['passport']); /*if($_SERVER[REMOTE_ADDR] == "220.184.64.43"){ echo $_REQUEST['bo']; echo sess_is_registered("user"); exit; }*/if (sess_is_registered("user")){ sess_get($user, "user"); sess_get($is_customer, "is_customer"); $smar->assign("login_info", "欢迎<B>".$user[1]."</B>使用同花顺理财系统!当前时间为".date("Y年m月d日 H:i:s"));}else if(!in_array($mod_name, $allowed_module)){ if((strlen($_COOKIE[user]) == 0) || (0 != $auth_result)){ header("location: index.php?name=".$mod_name."&passport=".$_REQUEST['passport']); exit; }}sess_get($aaa, "access_auth");if (!is_array($aaa)) $aaa = $access_auth;// If the module rightif (in_array($mod_name, $free_module)) {}elseif(!is_array($aaa) || !array_key_exists($mod_name."__".$_REQUEST['blockname'], $aaa) || ("1" != $aaa[$mod_name."__".$_REQUEST['blockname']])) { $body_tpl = "body_invoke_err.tpl"; $smar->assign("title", $title); $smar->assign("user", $user); $smar->assign("name", $mod_name); $smar->assign("invoker", $invoker); $smar->assign("msg", "您没有足够的权限访问本功能模块!!"); $smar->display("html_header.tpl"); $smar->display("header.tpl"); if(!empty($_REQUEST[blockname])) $smar->assign("blockname", $_REQUEST[blockname]); if($for_account)$smar->display("body_header.tpl"); $smar->display($body_tpl); $smar->display("body_footer.tpl"); $smar->display("footer.tpl"); $smar->display("html_footer.tpl"); // 记录出错信息 include_once("include/passport.php"); $data = base64_decode($_POST[passport]); $ppt = new PassPort($data); sess_get($user, "user"); $msg .= "userinfo = ".print_r($user, 1); $msg .= "passport = ".$data; $msg .= "\nppt = ".print_r($ppt, 1); $msg .= "\ncookie = ".print_r(explode(":",base64_decode($_COOKIE[user])), 1); $msg .= "\naaa = ".print_r($aaa, 1); $msg .= "\nin_array(".$mod_name.", free_module): ".in_array($mod_name, $free_module)."\n"; $msg .= "is_array(aaa): ".is_array($aaa)."\n"; $msg .= "array_key_exists(".$mod_name."__".$_REQUEST['blockname'].",aaa): ".array_key_exists($mod_name."__".$_REQUEST['blockname'], $aaa)."\n"; $msg .= "aaa[".$mod_name."__".$_REQUEST['blockname']."]: ".$aaa[$mod_name."__".$_REQUEST['blockname']]; make_err_log("req_error_4", $msg); exit;}// User have loginedrequire_once("include/xsql.php");require_once("include/auth.php");require_once("include/quota.php");if(isset($_REQUEST[acc_id])){ $cur_acc = $_REQUEST[acc_id]; sess_set($cur_acc, "cur_acc");}else{ sess_get($cur_acc, "cur_acc");}sess_get($acc_list, "acc_list");if("999" != $acc_list && empty($acc_list)){ // Get all account of user sess_get($user, "user"); $xsql_info = xsql_func("invest_get_account_list", $user[10]); if(($xsql_info["code"] != "0") || empty($xsql_info["info"])){ $acc_list = "999"; }else{ $acc_list = $xsql_info["info"]; } // Set account list to session(format: acc_list[acc_id=>acc_name]) sess_set($acc_list, "acc_list");}if("999" != $acc_list && !empty($acc_list)){ $smar->assign("mod_name", $mod_name); $smar->assign("entry", $entry); // Get user account list $i = 0; foreach($acc_list as $val){ $acc_list_options[$val["ACCOUNTID"]] = $val["ACCOUNTNAME"]; if(empty($cur_acc) && $i == 0){ $cur_acc = $val["ACCOUNTID"]; sess_set($cur_acc, "cur_acc"); } $i ++; } $smar->assign("acc_list_options", $acc_list_options); $smar->assign("cur_acc", (!empty($_REQUEST[aid])?$_REQUEST[aid]:$cur_acc)); // If isset aid, aid option checked $smar->assign("acc_select_js", "<SCRIPT LANGUAGE=\"JavaScript\">\n<!--\nfunction on_select_acc(acc_id){\nwindow.location=\"mod.php?name=".$mod_name."&func=".$_REQUEST[func]."&entry=".$entry."&blockname=".$_REQUEST[blockname]."&acc_id=\"+acc_id;\n}\n//-->\n</SCRIPT>"); $smar->assign("acc_temp", "temp");}$body_tpl = "body_default.tpl";$body_func = "body_default";$self_html = false;$for_account = true;$with_html_header = true;$with_header = true;$with_nav = true;$with_footer = true;run();if($self_html){ $with_html_header = false; $with_header = false; $with_nav = false; $with_footer = false;}// Output page//$smar->caching = $caching;//$smar->cache_lifetime = $cache_lifetime;$smar->assign("title", $title);$smar->assign("user", $user);$smar->assign("name", $mod_name);$smar->assign("invoker", $invoker);$module_info = &get_module_info($mod_name);$smar->assign("module_catalog", $module_info['cata']);$smar->assign("module_name", $module_info['name']);$smar->register_function("body_func", $body_func);if($with_html_header){ $smar->display("html_header.tpl");}if($with_header && $invoker != _CLIENT) $smar->display("header.tpl");if(!empty($_REQUEST[blockname])) $smar->assign("blockname", $_REQUEST[blockname]);if($with_nav) $smar->display("nav.tpl");//if(!strcasecmp($mod_name, "operate_eval")) $smar->display("czfx_nav.tpl");//if(!strcasecmp($mod_name, "account_eval")) $smar->display("ccfx_nav.tpl");if($for_account)$smar->display("body_header.tpl");$smar->display($body_tpl);$smar->display("body_footer.tpl");if($with_footer && $invoker != _CLIENT) $smar->display("footer.tpl");$smar->display("html_footer.tpl");function run(){ global $user; $arr_ip = explode(".", $_SERVER["REMOTE_ADDR"]); if(($arr_ip[0] == "172") && ($arr_ip[1] == "16")){ // 核新点击不记录 }else{ /* if(strlen($user[1])){ mysql_connect("10.0.0.5", "root", "kernel"); mysql_select_db("cells"); $date = date("Y-m-d"); $result = mysql_query("SELECT count(*) as c FROM stat_ia WHERE date='".$date."' AND uname='".$user[1]."'"); list($count) = mysql_fetch_row($result); if($count <= 0){ mysql_query("INSERT INTO stat_ia (date, uname) VALUES ('".$date."', '".$user[1]."')"); } mysql_close(); }*/ } global $mod_name, $entry; global $smar, $body_tpl, $body_func; $include_file = $mod_name."/".$entry.".php"; if(file_exists($include_file)){ require_once($include_file); $func = $mod_name."__index"; if(function_exists($func)){ $func(); }else{ // waiting a default err page $body_tpl = "body_invoke_err.tpl"; $smar->assign("msg", _NO_FUNC); return true; } }else{ // waiting a default err page $body_tpl = "body_invoke_err.tpl"; $smar->assign("msg", _NO_MODULE); return true; }}function body_default(){ global $mod_name, $entry; global $smar, $body_tpl, $body_func; if (sess_get($user, "user")){ echo "<table height=\"100%\" valign=\"center\"><tr><td height=\"100%\">"; echo "<b>Waiting building Investment Center</b>"; echo "</td<tr></table>"; return; }}?>
<?phprequire_once("mainfile.php");if(!ip_check($_SERVER["REMOTE_ADDR"])){ die(header("HTTP/1.0 Not Fount"));}$vip_mods = array('article', 'star', 'analysist', 'vote_result', 'what', 'article_comment', 'school', 'Forums', 'Your_Account', 'Downloads', 'my_page', 'trade', 'finance', 'hk_index', 'vt_home', 'yjfh', 'sms_order', 'news_caijing', 'news_content', 'news_caijing', 'news_guping');include_once("certificate.php");$module = 1;if(isset($_REQUEST[name])) $module_name = $_REQUEST[name];//$snd_nav = make_snd_nav($name);if (isset($name)) { if(in_array($name, $vip_mods)) $vip = true; else $vip = false; if(!$vip){ $result = sql_query("select active, view from ".$prefix."_modules where title='$name'", $dbi); list($mod_active, $view) = sql_fetch_row($result, $dbi); } if ($vip || (($mod_active == 1) OR ($mod_active == 0 AND is_admin($admin)))) { if (!isset($mop)) { $mop="modload"; } if (!isset($file)) { $file="index"; } if (ereg("\.\.",$name) || ereg("\.\.",$file)) { echo "You are so cool..."; } else { //$ThemeSel = get_theme(); $ThemeSel = 'NukeTest'; if (file_exists("themes/$ThemeSel/modules/$name/$file.php")) { $modpath = "themes/$ThemeSel/"; } if ($view == 0) { $modpath .= "modules/$name/$file.php"; if (file_exists($modpath)) { include($modpath); } else { die ("Sorry, such file doesn't exist."); } } if ($view == 1 AND is_user($user) || is_admin($admin)) { $modpath .= "modules/$name/$file.php"; if (file_exists($modpath)) { include($modpath); } else { die ("Sorry, such file doesn't exist.."); } } elseif ($view == 1 AND !is_user($user) || !is_admin($admin)) { $pagetitle = "- "._ACCESSDENIED.""; include("header.php"); if(isset($_REQUEST[agent]) and ereg("^[0-9]+$", $_REQUEST[agent])){ title("<br>鉴权错误:"._ACCESSDENIED."<br><br>"); OpenTable(); echo "<br><center><b>对不起,这个区域仅供会员使用!</b><br><br>"; echo "<form name=\"disp_login\" action=\"modules.php?name=Your_Account\" method=\"post\">" ."<hr width=70%><b>用户登录入口</b><br><br>" ."<table border=\"0\"><tr><td>" ."用户名:</td><td><input type=\"text\" id=\"uname\" name=\"uname\" size=\"15\" maxlength=\"25\"></td>" ."<td> "._PASSWORD.":</td><td><input type=\"password\" id=\"pass\" name=\"pass\" size=\"15\" maxlength=\"20\"></td>" ."<td> 保留登录时间:</td><td><select name=\"cookiedate\"><option value=\"0\">一次有效</option><option value=\"1\" selected>一天有效</option><option value=\"2\">一月有效</option><option value=\"3\">一年有效</option></select>" ."<input type=\"hidden\" name=\"op\" value=\"login\">" ."<input type=\"hidden\" name=\"agent\" value=\"".$_REQUEST[agent]."\">" ."<td><input type=\"submit\" value=\""._LOGIN."\"></td></tr></table></form>"; CloseTable(); }else{ title("$sitename: "._ACCESSDENIED.""); OpenTable(); echo "<center><b>"._RESTRICTEDAREA."</b><br><br>" .""._MODULEUSERS."" .""._GOBACK.""; CloseTable(); } include("footer.php"); die(); } if ($view == 2 AND is_admin($admin)) { $modpath .= "modules/$name/$file.php"; if (file_exists($modpath)) { include($modpath); } else { die ("Sorry, such file doesn't exist..."); } } elseif ($view == 2 AND !is_admin($admin)) { $pagetitle = "- "._ACCESSDENIED.""; include("header.php"); title("$sitename: "._ACCESSDENIED.""); OpenTable(); echo "<center><b>"._RESTRICTEDAREA."</b><br><br>" .""._MODULESADMINS."" .""._GOBACK.""; CloseTable(); include("footer.php"); die(); } } } else { include("header.php"); OpenTable(); echo "<center><B>"._MODULENOTACTIVE."</B><br><br>" .""._GOBACK."</center>"; CloseTable(); include("footer.php"); }} else { die ("Sorry, you can't access this file directly...");}// 第二级导航function make_snd_nav($name){ switch($name){ case "Your_Account": return _SND_NAV_2ND; break; case "my_page": return _SND_NAV_3RD; break; case "trade": return _SND_NAV_4TH; break; case "hk_index": return _SND_NAV_5TH; break; case "Downloads": return _SND_NAV_6TH; break; case "finance": return _SND_NAV_7TH; break; case "Forums": break; //改在/usr/local/www/mobile/themes/NukeTest/theme.php default: return _SND_NAV_1ST; break; }}?>
。。。
危害等级:无影响厂商忽略
忽略时间:2015-04-24 09:32
漏洞Rank:8 (WooYun评价)
暂无
