In index/news.php, lines 1-31:
<?php
include_once("top.php");
$newsid = intval($_GET['id']);           // cast to int, so not injectable on its own
$to_type = addslashes($_GET['type']);    // only compared below, never placed in the query
if ($to_type=='index')
{
$to_type_s =" and to_type=1";
}
if ($to_type=='webuser')
{
$to_type_s =" and to_type!=3";
}
if ($to_type=='webadver')
{
$to_type_s =" and to_type!=2";
}
// $to_type_s is never initialised: for any other (or missing) type it keeps
// whatever value it already had in global scope
$newssql = 'select * from zyads_news WHERE `id` =\'' . $newsid . '\'
'.$to_type_s.'';
$newsre=$db->query($newssql);
$newsrow = $db->fetch_array($newsre);
if (empty($newsrow)){
zyads_message('zyads_news');
}
?>
As you can see, if $to_type is missing or is anything other than index, webuser or webadver, $to_type_s is never defined, so we can simply submit a $to_type_s variable of our own and inject SQL. A simple injection, heh.

Two points worth checking before trying this. First, a request parameter only becomes the global $to_type_s when register_globals is enabled (off by default since PHP 4.2 and removed in PHP 5.4), so the bug is exploitable on the PHP 4 / early PHP 5 deployments this code targets, not on a modern install. Second, neither of the two parameters the page means to read is injectable by itself: id goes through intval() and type is only compared, never concatenated into the query; the whole injection rides on the uninitialised variable being appended after the quoted id.
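A hardened version of the same lookup, as an added example that is not ZYADS code. It assumes PHP 7+, a mysqli connection in $db with mysqlnd available for get_result(), and the zyads_message() helper from the page; the table and column names are the ones in the vulnerable snippet. The fix is twofold: the clause is always assigned by this code (so nothing from the request can ever stand in for $to_type_s, even with register_globals on), and the id is bound as a parameter rather than concatenated.

```php
<?php
// Added example, not ZYADS code: hardened replacement for the news.php lookup.
// Assumes PHP 7+ and a mysqli connection in $db (with mysqlnd for get_result()).

// Map the type parameter to its SQL clause through a whitelist. Any other
// value, including a missing one, yields '' so the variable is always set by
// this code and never inherited from the request.
function news_type_clause(string $type): string
{
    static $map = [
        'index'    => ' AND to_type = 1',
        'webuser'  => ' AND to_type != 3',
        'webadver' => ' AND to_type != 2',
    ];
    return $map[$type] ?? '';
}

// Build and run the query with the id bound as a parameter. The only text
// concatenated into the statement is a clause chosen from the whitelist.
function fetch_news(mysqli $db, int $newsid, string $type): ?array
{
    $sql  = 'SELECT * FROM zyads_news WHERE `id` = ?' . news_type_clause($type);
    $stmt = $db->prepare($sql);
    if ($stmt === false) {
        return null;
    }
    $stmt->bind_param('i', $newsid);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Request handling: read exactly the two parameters the page is meant to
// take. A request-supplied to_type_s never reaches the query, even with
// register_globals=On, because no code path reads a global by that name.
$newsid  = (int)($_GET['id'] ?? 0);
$to_type = (string)($_GET['type'] ?? '');

$newsrow = fetch_news($db, $newsid, $to_type);
if ($newsrow === null) {
    zyads_message('zyads_news');
}
```

Calling it as `?id=5&type=index&to_type_s=...` produces `SELECT * FROM zyads_news WHERE `id` = ? AND to_type = 1` with 5 bound; an unknown type produces the query with no extra clause, and the extra parameter is simply ignored.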
In /code/adview_cpa_html.php, lines 1-46:
<?php
/*********************/
/* */
/* Version : 5.1.0 */
/* Author : RM */
/* Comment : 071223 */
/* */
/*********************/
// The _obfuscate_* names are what the decompiler produced for the
// Zend-encoded originals; they are left as found
_obfuscate_JQYdYn1jfBI( );
define( "IN_ZYADS", TRUE );
$name = $_GET['name'];                  // used raw in an include path below
$adid = $_GET['adid'];                  // used raw in an include path below
$offsetwidth = $_GET['offsetwidth'];
$site = $_GET['site'];
$click_url = "http://www.erzhi.cn";
$count_url = "http://www.erzhi.cn";
if ( empty( $name ) || empty( $adid ) || empty( $site ) )
{
exit( "广告出错" );                     // "ad error"
}
// LFI 1: $name is concatenated into the include path unchecked
@require( "../user/c/".$name."/user_info.php" );
require( "../include/soft_class.php" );
require( "../include/settings.php" );
$code = new _obfuscate_Y2xpZW50( );
$getip = $code->_obfuscate_Z2V0aXA( );
$getbrowse = $code->_obfuscate_Z2V0YnJvd3Nl( );
$getos = $code->_obfuscate_Z2V0b3M( );
$maketime = time( ) + $setting['zyads_date'] * 3600;
$maketime = $maketime;                  // no-op left behind by the decompiler
$strbas = $code->_obfuscate_cGFzc3BvcnRfZW5jcnlwdA(
$getip."|".$maketime."|".$getbrowse."|".$getos, $setting['url_pwd'] );
$strbas = _obfuscate_IGI7aGd_LDRuMD0VZg( $strbas );
if ( $zyads_users['flag'] != 2 )
{
echo "document.write('帐号被锁定');";   // "account locked"
exit( );
}
// LFI 2: $adid is concatenated into the include path unchecked; the
// preceding call only tests the assembled cache path before requiring it
if ( _obfuscate_Cx96BhhwZxABPA8( "../cache/cpa/".$adid.".php" ) )
{
require( "../cache/cpa/".$adid.".php" );
}
else
{
exit( "文件丢失-".$adid.".php" );       // "file missing"
}
Both $name and $adid lead to local file inclusion, though $adid is the more convenient one to exploit.

Two caveats a tester will want. Each include appends a fixed suffix (/user_info.php after $name, .php after $adid), so a traversal value only reaches an arbitrary file if that suffix is neutralised, which a %00 byte does on PHP releases before 5.3.4 (later versions reject include paths containing NUL). And the $adid include sits behind the earlier code: the $name require must have succeeded (require is fatal on a missing file even with @), and $zyads_users['flag'], presumably set by the included user_info.php, must equal 2, so a valid, unlocked user name has to be supplied alongside the $adid payload.
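The fix for both include sites is the same, shown here as an added example that is not ZYADS code. It assumes PHP 7+ and the relative layout visible in the snippet (../user/c/<name>/user_info.php and ../cache/cpa/<adid>.php); the safe_include_path() helper and the __DIR__-based base directories are this example's own. The value is first restricted to a plain identifier, which removes '/', '..' and NUL before any filesystem call, and the resolved file is then required to canonicalise to a path under the intended directory.

```php
<?php
// Added example, not ZYADS code: path validation for the two include sites
// in adview_cpa_html.php. Assumes PHP 7+ and the same relative layout.

// Return the canonical path to include, or null if $value is not a plain
// identifier or the resolved file lies outside $baseDir.
function safe_include_path(string $baseDir, string $value, string $suffix): ?string
{
    // 1. Syntactic check: a user name or ad id needs nothing beyond these
    //    characters, which rules out '/', '..' and NUL before touching the disk.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,32}\z/', $value)) {
        return null;
    }
    // 2. Canonicalise both ends and require the file to sit under the base
    //    directory. realpath() returns false for a file that does not exist,
    //    which replaces the separate existence check in the original.
    $base = realpath($baseDir);
    $path = realpath($baseDir . '/' . $value . $suffix);
    if ($base === false || $path === false) {
        return null;
    }
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

$name = (string)($_GET['name'] ?? '');
$adid = (string)($_GET['adid'] ?? '');
$site = (string)($_GET['site'] ?? '');
if ($name === '' || $adid === '' || $site === '') {
    exit('广告出错');
}

$userInfo = safe_include_path(__DIR__ . '/../user/c', $name, '/user_info.php');
if ($userInfo === null) {
    exit('广告出错');
}
require $userInfo;

// ... the account-state check from the original goes here ...

$cpaFile = safe_include_path(__DIR__ . '/../cache/cpa', $adid, '.php');
if ($cpaFile === null) {
    exit('文件丢失');
}
require $cpaFile;
```

With this in place a value such as `../../etc/passwd%00` fails the pattern check outright, and a value that happens to pass the pattern but resolves (for example through a symlink inside the cache directory) to a file elsewhere fails the prefix comparison.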
Affected product: ZYADS (中易广告联盟系统, Zhongyi Ad Alliance System)