• 日期: 2024-10-28
  • 标签: 常规
<!DOCTYPE html>
<html lang="en">
    <?php
    session_start();
    include('admin/db_connect.php');
    ob_start();
        $query = $conn->query("SELECT * FROM system_settings limit 1")->fetch_array();
         foreach ($query as $key => $value) {
          if(!is_numeric($key))
            $_SESSION['system'][$key] = $value;
        }
    ob_end_flush();
    include('header.php');
<pre><code>?&gt;

&lt;style&gt;
	header.masthead {
	  background: url(admin/assets/uploads/&lt;?php echo $_SESSION['system']['cover_img'] ?&gt;);
	  background-repeat: no-repeat;
	  background-size: cover;
	}
</code></pre>
<p>#viewer_modal .btn-close {
position: absolute;
z-index: 999999;
/<em>right: -4.5em;</em>/
background: unset;
color: white;
border: unset;
font-size: 27px;
top: 0;
}
#viewer_modal .modal-dialog {
width: 80%;
max-width: unset;
height: calc(90%);
max-height: unset;
}
#viewer_modal .modal-content {
background: black;
border: unset;
height: calc(100%);
display: flex;
align-items: center;
justify-content: center;
}
#viewer_modal img,#viewer_modal video{
max-height: calc(100%);
max-width: calc(100%);
}
body,main {
background: #121212 !important;
padding-bottom: 15px;
}
footer{
background: #020202 !important;
}</p>
<p>a.jqte_tool_label.unselectable {
height: auto !important;
min-width: 4rem !important;
padding:5px
}</p>
<p>#carousel-field{
position: fixed;
z-index: -1;
width: calc(100%)
}
#carousel-field, #carsCarousel, #carsCarousel .carousel-inner,#carsCarousel .carousel-item,#carsCarousel img{
/<em>max-height: 60vh</em>/
}
.col-lg-8.align-self-end.mb-4.page-title {
background: #00000070;
}</p>
<p>/*
a.jqte_tool_label.unselectable {
height: 22px !important;
}*/
</style>
<?php 
$page = isset($_GET['page']) ?$_GET['page'] : "home";
if($page == 'home'):
?>
<style>
.masthead{
background: unset!important
}
.masthead:before{
content: unset!important;
}
</style></p>
  <header class="masthead">
        <?php 
        $cars_img = scandir('admin/assets/uploads/cars_img/');
            foreach($cars_img as $k=> $fname){
                if(in_array($fname,array('.','..'))){
                    unset($cars_img[$k]);
                }
            }
            if(count($cars_img) > 0):
        ?>
        <div id="carousel-field">
        <div id="carsCarousel" class="carousel slide" data-ride="carousel">
          <div class="carousel-inner">
            <?php
            $i = 0 ;
             foreach($cars_img as $fname):
                $active = ($i == 0) ? 'active' : '';
                $i++;
            ?>
            <div class="carousel-item <?php echo $active ?>">
              <img class="d-block w-100" src="admin/assets/uploads/cars_img/<?php echo $fname ?>" alt="">
            </div>
            <?php endforeach; ?>
          </div>
        </div>
        </div>
    <?php endif; ?>
<pre><code>   &lt;div class=&quot;container h-100&quot;&gt;
        &lt;div class=&quot;row h-100 align-items-center justify-content-center text-center&quot;&gt;
            &lt;div class=&quot;col-lg-8 align-self-end mb-4 page-title&quot;&gt;
              &lt;h3 class=&quot;text-white&quot;&gt;Welcome to &lt;?php echo $_SESSION['system']['name']; ?&gt;&lt;/h3&gt;
                &lt;hr class=&quot;divider my-4&quot; /&gt;

            &lt;div class=&quot;col-md-12 mb-2 justify-content-center&quot;&gt;
              &lt;form action=&quot;&quot; id=&quot;find-car&quot;&gt;
                &lt;div class=&quot;row form-group&quot;&gt;
                  &lt;div class=&quot;col-md-4&quot;&gt;
                    &lt;label for=&quot;&quot; class=&quot;control-label text-white&quot;&gt;Pickup Date/Time&lt;/label&gt;
                    &lt;input type=&quot;text&quot; class=&quot;form-control datetimepicker&quot; required=&quot;&quot; name=&quot;pickup&quot; autocomplete=&quot;off&quot;&gt;
                  &lt;/div&gt;
                  &lt;div class=&quot;col-md-4&quot;&gt;
                    &lt;label for=&quot;&quot; class=&quot;control-label text-white&quot;&gt;Drop off Date/Time&lt;/label&gt;
                    &lt;input type=&quot;text&quot; class=&quot;form-control datetimepicker&quot; required=&quot;&quot; name=&quot;dropoff&quot; autocomplete=&quot;off&quot;&gt;
                  &lt;/div&gt;
                  &lt;div class=&quot;col-md-4&quot;&gt;
                    &lt;label for=&quot;&quot; class=&quot;control-label text-white&quot;&gt;Category&lt;/label&gt;
                    &lt;select class=&quot;custom-select select2&quot; name=&quot;category_id&quot;&gt;
                      &lt;option value=&quot;0&quot;&gt;Any&lt;/option&gt;
                      &lt;?php
                      $qry = $conn-&gt;query(&quot;SELECT * FROM categories order by name asc&quot;);
                      while($row=$qry-&gt;fetch_assoc()):
                      ?&gt;
                      &lt;option value=&quot;&lt;?php echo $row['id'] ?&gt;&quot;&gt;&lt;?php echo $row['name'] ?&gt;&lt;/option&gt;
                      &lt;?php endwhile; ?&gt;
                    &lt;/select&gt;
                  &lt;/div&gt;
                &lt;/div&gt;
                &lt;div class=&quot;form-group &quot;&gt;
                  &lt;center&gt;
                    &lt;button class=&quot;btn btn-primary&quot;&gt;Find Availability&lt;/button&gt;
                  &lt;/center&gt;
                &lt;/div&gt;
              &lt;/form&gt;
            &lt;/div&gt;                        
            &lt;/div&gt;
            
        &lt;/div&gt;
    &lt;/div&gt;  
&lt;/header&gt;
&lt;?php endif; ?&gt;
&lt;body id=&quot;page-top&quot;&gt;
    &lt;!-- Navigation--&gt;
    &lt;div class=&quot;toast&quot; id=&quot;alert_toast&quot; role=&quot;alert&quot; aria-live=&quot;assertive&quot; aria-atomic=&quot;true&quot;&gt;
    &lt;div class=&quot;toast-body text-white&quot;&gt;
    &lt;/div&gt;
  &lt;/div&gt;
    &lt;nav class=&quot;navbar navbar-expand-lg navbar-light fixed-top py-3&quot; id=&quot;mainNav&quot;&gt;
        &lt;div class=&quot;container&quot;&gt;
            &lt;a class=&quot;navbar-brand js-scroll-trigger&quot; href=&quot;.&quot;&gt;&lt;?php echo $_SESSION['system']['name'] ?&gt;&lt;/a&gt;
            &lt;button class=&quot;navbar-toggler navbar-toggler-right&quot; type=&quot;button&quot; data-toggle=&quot;collapse&quot; data-target=&quot;#navbarResponsive&quot; aria-controls=&quot;navbarResponsive&quot; aria-expanded=&quot;false&quot; aria-label=&quot;Toggle navigation&quot;&gt;&lt;span class=&quot;navbar-toggler-icon&quot;&gt;&lt;/span&gt;&lt;/button&gt;
            &lt;div class=&quot;collapse navbar-collapse&quot; id=&quot;navbarResponsive&quot;&gt;
                &lt;ul class=&quot;navbar-nav ml-auto my-2 my-lg-0&quot;&gt;
                    &lt;li class=&quot;nav-item&quot;&gt;&lt;a class=&quot;nav-link js-scroll-trigger&quot; href=&quot;index.php?page=home&quot;&gt;Home&lt;/a&gt;&lt;/li&gt;
                    &lt;li class=&quot;nav-item&quot;&gt;&lt;a class=&quot;nav-link js-scroll-trigger&quot; href=&quot;index.php?page=about&quot;&gt;About&lt;/a&gt;&lt;/li&gt;
                   
                    
                 
                &lt;/ul&gt;
            &lt;/div&gt;
        &lt;/div&gt;
    &lt;/nav&gt;
</code></pre>
  <main>
        <?php 
        include $page.'.php';
        ?>
</main>
<div class="modal fade" id="confirm_modal" role='dialog'>
    <div class="modal-dialog modal-md" role="document">
      <div class="modal-content">
        <div class="modal-header">
        <h5 class="modal-title">Confirmation</h5>
      </div>
      <div class="modal-body">
        <div id="delete_content"></div>
      </div>
      <div class="modal-footer">
        <button type="button" class="btn btn-primary" id='confirm' onclick="">Continue</button>
        <button type="button" class="btn btn-secondary" data-dismiss="modal">Close</button>
      </div>
      </div>
    </div>
  </div>
  <div class="modal fade" id="uni_modal" role='dialog'>
    <div class="modal-dialog modal-md" role="document">
      <div class="modal-content">
        <div class="modal-header">
        <h5 class="modal-title"></h5>
      </div>
      <div class="modal-body">
      </div>
      <div class="modal-footer">
        <button type="button" class="btn btn-primary" id='submit' onclick="$('#uni_modal form').submit()">Save</button>
        <button type="button" class="btn btn-secondary" data-dismiss="modal">Cancel</button>
      </div>
      </div>
    </div>
  </div>
  <div class="modal fade" id="uni_modal_right" role='dialog'>
    <div class="modal-dialog modal-full-height  modal-md" role="document">
      <div class="modal-content">
        <div class="modal-header">
        <h5 class="modal-title"></h5>
        <button type="button" class="close" data-dismiss="modal" aria-label="Close">
          <span class="fa fa-arrow-righ t"></span>
        </button>
      </div>
      <div class="modal-body">
      </div>
      </div>
    </div>
  </div>
  <div class="modal fade" id="viewer_modal" role='dialog'>
    <div class="modal-dialog modal-md" role="document">
      <div class="modal-content">
              <button type="button" class="btn-close" data-dismiss="modal"><span class="fa fa-times"></span></button>
              <img src="" alt="">
      </div>
    </div>
  </div>
  <div id="preloader"></div>
        <footer class=" py-5">
            <div class="container">
                <div class="row justify-content-center">
                    <div class="col-lg-8 text-center">
                        <h2 class="mt-0 text-white">Contact us</h2>
                        <hr class="divider my-4" />
                    </div>
                </div>
                <div class="row">
                    <div class="col-lg-4 ml-auto text-center mb-5 mb-lg-0">
                        <i class="fas fa-phone fa-3x mb-3 text-muted"></i>
                        <div class="text-white"><?php echo $_SESSION['system']['contact'] ?></div>
                    </div>
                    <div class="col-lg-4 mr-auto text-center">
                        <i class="fas fa-envelope fa-3x mb-3 text-muted"></i>
                        <!-- Make sure to change the email address in BOTH the anchor text and the link target below!-->
                        <a class="d-block" href="mailto:<?php echo $_SESSION['system']['email'] ?>"><?php echo $_SESSION['system']['email'] ?></a>
                    </div>
                </div>
            </div>
            <br>
            <div class="container"><div class="small text-center text-muted">Copyright © 2020 - <?php echo $_SESSION['system']['name'] ?> | <a href="https://www.sourcecodester.com/" target="_blank">Sourcecodester</a></div></div>
        </footer>
<pre><code>   &lt;?php include('footer.php') ?&gt;
&lt;/body&gt;
&lt;script type=&quot;text/javascript&quot;&gt;
  $('#login').click(function(){
    uni_modal(&quot;Login&quot;,&quot;login.php&quot;)
  })
  $('.datetimepicker').datetimepicker({
      format:'Y-m-d H:i',
  })
  $('#find-car').submit(function(e){
    e.preventDefault()
    location.href = 'index.php?page=search&amp;'+$(this).serialize()
  })
&lt;/script&gt;
&lt;?php $conn-&gt;close() ?&gt;
</code></pre>
</html>
<p>可能存在的漏洞:</p>
<ol>
<li>
<p>SQL注入:在query语句中未对变量进行过滤或转义,可能导致SQL注入漏洞。</p>
</li>
<li>
<p>目录遍历:在代码中存在以下代码:</p>
<pre><code>$cars_img = scandir('admin/assets/uploads/cars_img/');
</code></pre>
<p>如果攻击者能够控制<code>$cars_img</code>的值,则可以通过构造恶意数据来进行目录遍历攻击。</p>
</li>
<li>
<p>跨站脚本攻击(XSS):在代码中存在以下代码:</p>
<pre><code>&lt;div class=&quot;text-white&quot;&gt;&lt;?php echo $_SESSION['system']['contact'] ?&gt;&lt;/div&gt;
</code></pre>
<p>如果<code>$_SESSION['system']['contact']</code>的值未经过滤或转义,则可能导致XSS漏洞。</p>
</li>
</ol>
<p>POC:</p>
<ol>
<li>
<p>SQL注入测试:</p>
<p>构造payload:<code>1' or 1=1#</code>,在URL中传递,例如:<code>index.php?page=home&amp;pickup=1%27%20or%201=1%23&amp;dropoff=test&amp;category_id=0</code>。如果页面仍然正常显示,则说明存在SQL注入漏洞。</p>
</li>
<li>
<p>目录遍历测试:</p>
<p>构造payload:在URL中传递恶意数据,例如:<code>index.php?page=home&amp;pickup=1&amp;dropoff=test&amp;category_id=0&amp;fname=../../../../../etc/passwd</code>。如果页面显示了/etc/passwd文件的内容,则说明存在目录遍历漏洞。</p>
</li>
<li>
<p>XSS测试:</p>
<p>构造payload:在后台系统设置中设置联系电话为<code>&lt;script&gt;alert('XSS')&lt;/script&gt;</code>,然后访问首页。如果弹出XSS提示框,则说明存在XSS漏洞。</p>
</li>
</ol>
代码审计:PHP网站代码安全漏洞分析与POC示例

原文地址: https://www.cveoy.top/t/topic/oXcd 著作权归作者所有。请勿转载和采集!

免费AI点我,无需注册和登录