<p>In punbb-1.2.12, search.php line 54:</p>
<div style="BORDER-RIGHT: #cccccc 1px solid; PADDING-RIGHT: 5px; BORDER-TOP: #cccccc 1px solid; PADDING-LEFT: 4px; FONT-SIZE: 13px; PADDING-BOTTOM: 4px; BORDER-LEFT: #cccccc 1px solid; WIDTH: 98%; WORD-BREAK: break-all; PADDING-TOP: 4px; BORDER-BOTTOM: #cccccc 1px solid; BACKGROUND-COLOR: #eeeeee">
<pre><code>if (isset($search_id)) unset($search_id);

// If a search_id was supplied
if (isset($_GET['search_id']))
{
	$search_id = intval($_GET['search_id']);
	if ($search_id &lt; 1)
		message($lang_common['Bad request']);
}

// ......
// (intervening code that does not affect this)
// ......
// ......
// and in line 100:

if (isset($search_id))
{
	$ident = ($pun_user['is_guest']) ? get_remote_address() : $pun_user['username'];

	$result = $db-&gt;query('SELECT search_data FROM '.$db-&gt;prefix.'search_cache WHERE id='.$search_id.' AND ident=\''.$db-&gt;escape($ident).'\'') or error('Unable to fetch search results', __FILE__, __LINE__, $db-&gt;error());
}
</code></pre>
</div>
<p>Can you guys see it?<br />Yes, you are right.<br />The isset($search_id) check at line 100 trusts whatever is left in $search_id, so with register_globals on we could supply $_POST[search_id] and use the Zend_Hash_Del_Key_Or_Index vulnerability to get past the unset() at line 54 and exploit it!<br />But in fact, in common.php line 39:</p>
<div style="BORDER-RIGHT: #cccccc 1px solid; PADDING-RIGHT: 5px; BORDER-TOP: #cccccc 1px solid; PADDING-LEFT: 4px; FONT-SIZE: 13px; PADDING-BOTTOM: 4px; BORDER-LEFT: #cccccc 1px solid; WIDTH: 98%; WORD-BREAK: break-all; PADDING-TOP: 4px; BORDER-BOTTOM: #cccccc 1px solid; BACKGROUND-COLOR: #eeeeee">
<pre><code>// Reverse the effect of register_globals
if (@ini_get('register_globals'))
	unregister_globals();
</code></pre>
</div>
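<p>To show why that one line in common.php closes the door, here is an added example (not PunBB's own code, and not the real unregister_globals() body) of what a register_globals cleanup in that spirit has to do, together with the safe way for search.php to read search_id so that a leftover global can never stand in for it. The function names strip_request_globals() and read_search_id() are this example's own.</p>

```php
<?php
// Added example, not PunBB's code. Removes every request-derived key that
// register_globals may have imported into the global scope, before any
// script logic runs, so that an unset() in one script is never the only guard.
function strip_request_globals()
{
    // Nothing to do when register_globals is off (PHP 5.4+ removed it entirely,
    // and ini_get() then returns false).
    $rg = @ini_get('register_globals');
    if ($rg === false || $rg === '' || $rg === '0' || strtolower($rg) === 'off')
        return;

    // A request that tries to smuggle in GLOBALS itself cannot be cleaned safely.
    if (isset($_REQUEST['GLOBALS']) || isset($_FILES['GLOBALS']))
        exit('Bad request');

    // Superglobals must survive; everything else that came from the request goes.
    $keep = array('GLOBALS', '_GET', '_POST', '_COOKIE', '_REQUEST',
                  '_SERVER', '_ENV', '_FILES', '_SESSION');

    $input = array_merge($_GET, $_POST, $_COOKIE, $_SERVER, $_ENV, $_FILES);
    foreach (array_keys($input) as $k)
    {
        if (!in_array($k, $keep, true) && array_key_exists($k, $GLOBALS))
        {
            // A second unset() is a cheap belt-and-braces step on PHP builds
            // affected by the Zend_Hash_Del_Key_Or_Index bug; the real fix is
            // an updated PHP, this only narrows the window.
            unset($GLOBALS[$k]);
            unset($GLOBALS[$k]);
        }
    }
}

// Read search_id from $_GET only. Returns the validated integer, or null when
// the parameter is absent or not a positive integer; callers never fall back
// to a global named $search_id.
function read_search_id(array $get)
{
    if (!isset($get['search_id']))
        return null;
    $id = intval($get['search_id']);
    return ($id < 1) ? null : $id;
}

strip_request_globals();
$search_id = read_search_id($_GET);   // null means "no valid search_id supplied"
```

With this pattern the later "if (isset($search_id))" branch only ever sees a value that passed intval() and the "< 1" check, regardless of how PHP was configured.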
<p>I hate punbb.... <img height="19" src="/images/emcrook.gif" width="19" border="0" /></p>