-
2006-12-06
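Still frustrated!!
Chatting with foreigners is so frustrating... that's what I get for not learning English properly!! Got looked down on by the village chief :)
-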
2006-12-02
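Frustrated!!!
An electrical fire broke out
The modem died
Bought a new one
Then found out
the laptop keyboard was broken
Bought a USB one
Then found out
I really can't get used to the damn thing. It took 3 days and cost 250 yuan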
-
2006-11-27
Zend API: Deep into the PHP Core
-
2006-11-26
Dynamic link library / dynamic-link library / DLL downloads
-
2006-11-23
MSDN Magazine
-
2006-11-16
Servlet & JSP Technology Overview
-
2006-11-08
Google---We're sorry
We're sorry...
... but your query looks similar to automated requests from a computer virus or spyware application. To protect our users, we can't process your request right now.
We'll restore your access as quickly as possible, so try again soon. In the meantime, if you suspect that your computer or network has been infected, you might want to run a virus checker or spyware remover to make sure that your systems are free of viruses and other spurious software.
We apologize for the inconvenience, and hope we'll see you again on Google.
-
2006-10-31
PunBB <= 1.2.13 Multiple Vulnerabilities
http://marc.theaimsgroup.com/?l=bugtraq&m=116224319807026&w=2
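The first one is the unset vulnerability.
The second one is the same as the one I found: http://superhei.blogbus.com/files/1157120596.ppt
However, the advisory says he can truncate with a null character; as I remember it, that did not seem to work when I tested it :( Could this be the legendary rpwt (a luck problem) again?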
-
2006-10-29
ScanWebShell?
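As scripting techniques have developed, all kinds of webshells have appeared, including n types of "one-liners". I think these can all be called webshells "with Chinese characteristics". Where there is attack there is defense, so several versions of "ScanWebShell" were born. This seems to work well for ASP, so some people want to write one for PHP, but it does not look very useful:
1: PHP has many functions that can serve as a backdoor, and many of them are very commonly used functions, such as the include family, eval, preg_ ....
2: A phpshell encoded with Zend: I don't know how you would detect one of those.
3: If your scanwebshell is not "low-level" enough, will it check directories created like this (md s...\)? May God bless the people who have eaten their fill~~~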
-
2006-10-19
B105--SP2
Saturday Talks
Time   Title                                                   Speaker
10:00  Vulnerability and Program Analyse                       Keji
11:00  Tao of Security Researching                             Anonymous Speaker 1
13:00  Malware Behaviral Classification                        Tony Lee
14:00  PHP scripts automatic-audit techs                       CoolQ
15:00  Analyzing Vista Memory Management Security Protection   FlashSky
16:00  Party Time(drink & talk)
Infos: https://0x557.org/project/sp0x02/index.html
A pity I won't get the chance to go and see the experts in person, hoho. Looking forward to daydreaming about it remotely.
-
2006-10-05
wmiexec.asp [original]
-
2006-10-03
Another look at the experts
-
2006-09-28
Sablog-X Ver 1.1 getip() Vulnerability
getip() does not filter its input strictly, which leads to SQL injection, XSS and similar attacks.
sablog\include\common.php
--------code-------------
function getip() {
    // The forwarding headers are client-supplied and are returned without validation.
    if (isset($_SERVER)) {
        if (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) {
            $realip = $_SERVER['HTTP_X_FORWARDED_FOR'];
        } elseif (isset($_SERVER['HTTP_CLIENT_IP'])) {
            $realip = $_SERVER['HTTP_CLIENT_IP'];
        } else {
            $realip = $_SERVER['REMOTE_ADDR'];
        }
    } else {
        if (getenv("HTTP_X_FORWARDED_FOR")) {
            $realip = getenv("HTTP_X_FORWARDED_FOR");
        } elseif (getenv("HTTP_CLIENT_IP")) {
            $realip = getenv("HTTP_CLIENT_IP");
        } else {
            $realip = getenv("REMOTE_ADDR");
        }
    }
    return $realip;
}
--------code-------------
D:\>Findstr /S /I /N /d:D:\phproot\sablog "getip" *.php
D:\phproot\sablog:
post.php:93: $DB->query("INSERT INTO ".$db_prefix."users VALUES ('', '".$username."', '".md5($password)."', '".$email."', '".$url."', '".time()."', '".getip()."', '0', '')");
post.php:181: if (preg_match("/^$ban_ip/", getip())) {
post.php:320: $DB->query("INSERT INTO ".$db_prefix."comments (articleid, authorid, author, url, email, dateline, content, ipaddress, visible) VALUES ('".$articleid."', '".$userid."', '".$username."', '".$url."', '".$email."', '".time()."', '".$content."', '".getip()."', '".$visible."')");
post.php:379: $query = $DB->query("SELECT searchid, dateline, ('".$options['search_post_space']."'<>'0' AND ".time()."-dateline<".$options['search_post_space'].") AS flood, searchfrom='".$searchfrom."' AND keywords='".$keywords."' AS indexvalid FROM ".$db_prefix."searchindex WHERE ('".$options['search_post_space']."'<>'0' AND ipaddress='".getip()."' AND ".time()."-dateline<".$options['search_post_space'].") ORDER BY flood");
post.php:475: $DB->query("INSERT INTO ".$db_prefix."searchindex (keywords, dateline, sortby, orderby, tatols, ids, searchfrom, ipaddress) VALUES ('".$keywords."', '".time()."', '".$sortby."', '".$orderby."', '".$tatols."', '".$ids."', '".$searchfrom."', '".getip()."')");
trackback.php:80: $query = $DB->query("SELECT trackbackid FROM ".$db_prefix."trackbacks WHERE ipaddress='".getip()."' AND dateline+".$interval.">='".time()."'");
trackback.php:98: $query = $DB->query("SELECT title,ipaddress,articleid FROM ".$db_prefix."trackbacks WHERE ipaddress='".getip()."' OR articleid='".$articleid."'");
trackback.php:101: if ($trackback['title'] == $title && $trackback['ipaddress'] == getip()) {
trackback.php:105: if ($trackback['ipaddress'] == getip() && $trackback['articleid'] == $articleid) {
trackback.php:185: $DB->query("INSERT INTO ".$db_prefix."trackbacks (articleid, title, dateline, excerpt, url, blog_name, ipaddress, visible, point) VALUES('".$articleid."', '".$title."', '".time()."', '".$excerpt."', '".$url."', '".$blog_name."', '".getip()."', '".$visible."', '".$point."')");
include\common.php:168:function getip() {
include\common.php:219:if ($_COOKIE["UserIP"] !== getip()) {
include\common.php:220: setcookie ("UserIP", getip(), time()+(24*3600));
admin\adminfunctions.php:128: $DB->query("INSERT INTO ".$db_prefix."loginlog (username,dateline,ipaddress,result) VALUES ('".addslashes($username)."','".time()."','".getip()."','".$result."')");
admin\adminfunctions.php:137: $DB->query("INSERT INTO ".$db_prefix."adminlog (action,script,dateline,ipaddress,username) VALUES ('".htmlspecialchars(trim($action))."','".htmlspecialchars(trim($script))."','".time()."','".getip()."','".$_SESSION['admin_username']."')");
admin\global.php:70: $DB->unbuffered_query("UPDATE ".$db_prefix."admin SET logincount=logincount+1, logintime='".time()."', loginip='".getip()."' WHERE username='".$username."'");
wap\global.php:228: $DB->query("INSERT INTO ".$db_prefix."loginlog (username,dateline,ipaddress,result) VALUES ('".addslashes($username)."','".time()."','".getip()."','".$result."')");
wap\index.php:329: $query = $DB->query("SELECT searchid, dateline, ('".$options['search_post_space']."'<>'0' AND ".time()."-dateline<".$options['search_post_space'].") AS flood, searchfrom='article' AND keywords='".$keywords."' AS indexvalid FROM ".$db_prefix."searchindex WHERE ('".$options['search_post_space']."'<>'0' AND ipaddress='".getip()."' AND ".time()."-dateline<".$options['search_post_space'].") ORDER BY flood");
wap\index.php:376: $DB->query("INSERT INTO ".$db_prefix."searchindex (keywords, dateline, sortby, orderby, tatols, ids, searchfrom, ipaddress) VALUES ('".$keywords."', '".time()."', 'dateline', 'desc', '".$tatols."', '".$ids."', 'article', '".getip()."')");
wap\index.php:622: $DB->unbuffered_query("UPDATE ".$db_prefix."admin SET logincount=logincount+1, logintime='".time()."', loginip='".getip()."' WHERE username='".$username."'");
wap\index.php:686: if (preg_match("/^$ban_ip/", getip())) {
wap\index.php:762: if (preg_match("/^$ban_ip/", getip())) {
wap\index.php:812: $DB->query("INSERT INTO ".$db_prefix."comments (articleid, authorid, author, url, email, dateline, content, ipaddress, visible) VALUES ('".$articleid."', '".$userid."', '".$username."', '".$url."', '".$email."', '".time()."', '".$content."', '".getip()."', '".$visible."')"); -
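One way to close the getip() hole described in this entry, as an added example that is not Sablog-X's own code: return only a syntactically valid address, and read X-Forwarded-For only when the connection comes from a reverse proxy you operate. The name getip_safe, the $trustedProxies list and the sample requests are assumptions constructed for illustration; Client-IP is ignored because no proxy in this assumed setup sets it.

```php
<?php
// Added example (not Sablog-X code): a getip() replacement that never
// returns attacker-controlled text. Function name and proxy list are assumptions.

function getip_safe(array $server, array $trustedProxies = array())
{
    // REMOTE_ADDR is set by the web server from the TCP peer, not by a header.
    $peer = isset($server['REMOTE_ADDR']) ? $server['REMOTE_ADDR'] : '';
    if (filter_var($peer, FILTER_VALIDATE_IP) === false) {
        return '0.0.0.0';
    }

    // Forwarding headers are client-supplied unless the peer is our own proxy.
    if (!in_array($peer, $trustedProxies, true)
        || !isset($server['HTTP_X_FORWARDED_FOR'])) {
        return $peer;
    }

    // Each proxy appends the address it saw, so read right to left and take
    // the first hop that is not one of our proxies.
    $hops = array_reverse(array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR'])));
    foreach ($hops as $hop) {
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            break;              // malformed entry: distrust the rest of the header
        }
        if (!in_array($hop, $trustedProxies, true)) {
            return $hop;
        }
    }
    return $peer;
}

// Constructed sample requests (documentation address ranges).
$proxies = array('192.0.2.10');
$cases = array(
    // direct client sending a non-IP header value with quote and markup characters
    array('REMOTE_ADDR' => '198.51.100.5', 'HTTP_X_FORWARDED_FOR' => "203.0.113.7'<b>"),
    // request relayed by our proxy with a well-formed chain
    array('REMOTE_ADDR' => '192.0.2.10', 'HTTP_X_FORWARDED_FOR' => '203.0.113.7, 192.0.2.10'),
    // request relayed by our proxy, but the client pre-seeded a bogus entry
    array('REMOTE_ADDR' => '192.0.2.10', 'HTTP_X_FORWARDED_FOR' => "x'y, 203.0.113.9"),
);
foreach ($cases as $case) {
    echo getip_safe($case, $proxies), "\n";
}
```

Validation keeps non-address text out of the returned value; the SQL call sites in the Findstr listing should still bind it as a query parameter rather than concatenate it.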
2006-09-28
Security Tips[msdn]
Defend Your Code with Top Ten Security Tips Every Developer Must Know
http://msdn.microsoft.com/msdnmag/issues/02/09/SecurityTips/
-
2006-09-25
Idol
[20:52] <icbm> I need a girl as my last disciple
.....
[20:55] <Swan> Would a self-castrated one do?






