0x00 介绍 Mailpress是一个比较流行的邮件插件。 Plugin Directory:https://wordpress.org/plugins/mailpress/ 官网:http://blog.mailpress.org 此漏洞已于2016年06月21日通报给wordpress。 0x01 漏洞简述 Mailpress存在越权调用,在不登陆的情况下,可以...
文件\payment\unionpay\notify.php lt;?php/***[WeEngineSystem]Copyright(c)2014WE7.CC*WeEngineisNOTafreesoftware,itunderthelicenseterms,visitedhttp://www.we7.cc/formoredetails.*/error_reporting(0);define(IN_MOBILE,true);require../../framework...
/web/source/mc/store.ctrl.php if($do==delete){$count=pdo_fetchcolumn(SELECTCOUNT(*)FROM.tablename(activity_clerks).WHEREuniacid=:uniacidANDstoreid=:id,array(:id=gt;$_GPC[id],:uniacid=gt;$_W[uniacid]));$count=intval($count);if($countgt;0){m...
漏洞文件:web/source/platform/qr.ctrl.php 代码行:204左右 if($do == delsata) { $id = $_GPC[id]; $b = pdo_delete(qrcode_stat,array(id =$id, uniacid = $_W[uniacid])); if ($b){ message(删除成功,url(platform/qr/display),success); }else{ messag...
版本是74cms_v3.6_20150902,最新的已经修复。 第一个逻辑漏洞是短信发送处的问题,在ajax_user.php文件中,原代码片段如下: $mobile=trim($_POST[mobile]); $sms_type=$_POST[sms_type]?$_POST[sms_type]:reg; if (empty($mobile) || !preg_match(/^(13|15...
漏洞触发点在/Application/People/Controller/IndexController.class.php中第48行: public function area() { $map = $this-setMap(); $arearank = I(get.arearank, 0); $arealv = I(get.arealv); $areaname = I(get.areaname); if ($arearank == null || $...
Author:Sinner 漏洞文件: \controllers\ApiController.php Line 54 public function downAction() { $data = fn_authcode(base64_decode($this-get(file)), DECODE); $file = isset($data[finecms]) $data[finecms] ? $data[finecms] : ; if (empty($file))...
坦白的说,看到限制条件就觉得不爱了,搞得上班还迟到.就是没有注意看条件.要是直接docker运行多好。 Before this commit in class.phpmailer.php in a certain scenarion there is no filter in the senders email address special chars. This flaw can le...
PHPMyWind_5.3/message.php (25-41) $r = $dosql-GetOne(SELECT Max(orderid) AS orderid FROM `dede_message`); $orderid = (empty($r[orderid]) ? 1 : ($r[orderid] + 1)); $nickname = htmlspecialchars($nickname);//游客(xxx) $contact = htmlspecialc...
漏洞文件member/mypay.php(14-40行) if(empty($_SESSION[duomi_user_id])){ showMsg(请先登录,login.php); exit();}elseif($dm==mypay){ $key=$_POST[cardkey]; if($key==){showMsg(请输入充值卡号,-1);exit;} $pwd=$_POST[cardpwd]; if($pwd==){showMsg(请...