Members_List、Your_Account 模塊中存在 SQL 注入缺陷：下列代碼將未經檢查的請求變量（$letter、$sortby、$min、$max）直接拼接進 SQL 語句。注意 magic_quotes_gpc 只會轉義引號字元，而 listing 中 `order by $sortby` 與 `LIMIT $min, $max` 的變量是不帶引號直接拼接的，因此即使 magic_quotes_gpc 為 ON，這些注入點依然有效；當 magic_quotes_gpc 選項為“OFF”時，需要引號才能逃逸的位置同樣可被利用。存在缺陷的代碼及位置如下:
PHP代碼/位置:
/modules/Members_List/index.php :
------------------------------------------------------------------------
[...]
// Members_List query construction as quoted by the advisory. Every
// request-derived variable used below ($letter, $sortby, $min, $max) is
// spliced into the SQL string by plain concatenation, with no validation
// or escaping visible in this fragment.
$count = "SELECT COUNT(uid) AS total FROM ".$user_prefix."_users ";
$select = "select uid, name, uname, femail, url from
".$user_prefix."_users ";
// NOTE(review): the quotes around Anonymous (and around $letter below) may
// have been lost when this listing was extracted; verify against the real
// source before relying on the exact SQL syntax shown here.
$where = "where uname != Anonymous ";
if ( ( $letter != "Other" ) AND ( $letter != "All" ) ) {
// Injection point 1: $letter goes straight into the LIKE pattern.
$where .= "AND uname like ".$letter."% ";
// The second conjunct is redundant: "Other" can never equal "All".
} else if ( ( $letter == "Other" ) AND ( $letter != "All" ) ) {
$where .= "AND uname REGEXP \"^\[1-9]\" ";
} else {
$where .= "";
}
// Injection point 2: $sortby is interpolated unquoted into ORDER BY. Only a
// whitelist of permitted column names can control this; quote escaping
// (including magic_quotes_gpc) does not apply to an unquoted identifier.
$sort = "order by $sortby";
// Injection point 3: $min/$max are interpolated unquoted into LIMIT and are
// never cast to int, so magic_quotes_gpc offers no protection here either.
$limit = " ASC LIMIT ".$min.", ".$max;
// Both the COUNT query and the paged SELECT execute the tainted fragments.
$count_result = sql_query($count.$where, $dbi);
$num_rows_per_order = MySQL_result($count_result,0,0);
$result = sql_query($select.$where.$sort.$limit, $dbi) or dIE();
// NOTE(review): the HTML markup this echo originally emitted appears to have
// been stripped from the listing; only the trailing newline survives.
echo "
";
if ( $letter != "front" ) {
echo "cellspacing=\"1\">\n";
echo "
color=\"$textcolor2\">"._NICKNAME."\n";
echo "
color=\"$textcolor2\">"._REALNAME."\n";
echo "
color=\"$textcolor2\">"._EMAIL."\n";
echo "
color=\"$textcolor2\">"._URL."\n";
$cols = 4;
[...]
------------------------------------------------------------------------
/modules/Your_Account/index.php :（此處僅列出 $op 的分發邏輯；被調用函數的實現未在本頁給出，具體注入位置需對照完整源碼確認）
switch($op) {
[...]
case "mailpasswd":
mail_passWord($uname, $code);
break;
case "userinfo":
userinfo($uname, $bypass, $hid, $url);
break;
case "login":
login($uname, $pass);
break;
[...]
case "saveuser":
saveuser($uid, $realname, $uname, $email, $femail, $url, $pass, $vpass,
$bio, $user_avatar, $user_icq, $user_occ, $user_from, $user_intrest,
$user_sig,