dedecms v5.1 WriteBookText() code injection vul


flyh4t

May 1, 2008, 01:47:31
to ph4...@googlegroups.com
dedecms v5.1 WriteBookText() code injection vul
 
QQ:378367942
 
\include\inc_bookfunctions.php
---------------------------------------------------
……
function WriteBookText($cid,$body)
{
        global $cfg_cmspath,$cfg_basedir;
        $ipath = $cfg_cmspath."/data/textdata";
        $tpath = ceil($cid/5000);
        if(!is_dir($cfg_basedir.$ipath)) MkdirAll($cfg_basedir.$ipath,$GLOBALS['cfg_dir_purview']);
        if(!is_dir($cfg_basedir.$ipath.'/'.$tpath)) MkdirAll($cfg_basedir.$ipath.'/'.$tpath,$GLOBALS['cfg_dir_purview']);
        $bookfile = $cfg_basedir.$ipath."/{$tpath}/bk{$cid}.php";
        $body = "<"."?php\r\n".$body."\r\n?".">";
        @$fp = fopen($bookfile,'w');
        @flock($fp);
        @fwrite($fp,$body);
        @fclose($fp);
}
……
---------------------------------------------------


\member\story_add_content_action.php
---------------------------------------------------
……
WriteBookText($arcID,addslashes($body));
……
---------------------------------------------------

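I found a nice-looking site and tested it:
http://www.admin5.com/data/textdata/1/bk1.php

The file did get written, but unfortunately this directory doesn't support PHP, fuck

PS: brother qiur3n, don't go out, keep reading the code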
 
 




vulworm

May 1, 2008, 06:42:12
to Ph4nt0m
nod

On May 1, 1:47 PM, flyh4t <fly...@126.com> wrote:
> dedecms v5.1 WriteBookText() code injection vul
>
> by Fly...@126.com
> QQ:378367942
>
> \include\inc_bookfunctions.php
> ---------------------------------------------------
> ......
> function WriteBookText($cid,$body)
> {
> global $cfg_cmspath,$cfg_basedir;
> $ipath = $cfg_cmspath."/data/textdata";
> $tpath = ceil($cid/5000);
> if(!is_dir($cfg_basedir.$ipath)) MkdirAll($cfg_basedir.$ipath,$GLOBALS['cfg_dir_purview']);
> if(!is_dir($cfg_basedir.$ipath.'/'.$tpath)) MkdirAll($cfg_basedir.$ipath.'/'.$tpath,$GLOBALS['cfg_dir_purview']);
> $bookfile = $cfg_basedir.$ipath."/{$tpath}/bk{$cid}.php";
> $body = "<"."?php\r\n".$body."\r\n?".">";
> @$fp = fopen($bookfile,'w');
> @flock($fp);
> @fwrite($fp,$body);
> @fclose($fp);}
>
> ......
> ---------------------------------------------------
>
> \member\story_add_content_action.php
> ---------------------------------------------------
> ......
> WriteBookText($arcID,addslashes($body));
> ......
> ---------------------------------------------------
>
> I found a nice-looking site and tested it: http://www.admin5.com/data/textdata/1/bk1.php

x-sec

May 1, 2008, 13:30:54
to Ph4nt0m
Can't it be uploaded to another directory?

shanfu...@163.com

May 1, 2008, 20:11:10
to ph4...@googlegroups.com
 
 
 
 
As the title says, thanks. The ones I found online don't work.




fly...@126.com

May 3, 2008, 05:25:35
to ph4...@googlegroups.com
 
 $body = "<"."?php exit();\r\n".$body."\r\n?".">";
 
Looks like it has been patched.
 

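A hardened counterpart to the WriteBookText() discussed in this thread, as an added example (not DedeCMS code and not written by any poster): the body is stored as inert base64 in a .txt file and $cid is accepted only as a positive integer. addslashes() escapes only quotes, backslashes and NUL, which does nothing for text placed directly between PHP tags. The function names, the $baseDir parameter and the sample text are assumptions made for the illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: builds the storage path for one book text.
function bookPath(string $baseDir, int $cid): string
{
    if ($cid < 1) {
        throw new InvalidArgumentException('cid must be a positive integer');
    }
    // Same 5000-per-directory sharding as the original function.
    $dir = $baseDir . '/' . (int) ceil($cid / 5000);
    if (!is_dir($dir) && !mkdir($dir, 0750, true) && !is_dir($dir)) {
        throw new RuntimeException("cannot create $dir");
    }
    // .txt instead of .php: the web server has no reason to execute it.
    return "$dir/bk$cid.txt";
}

// Hypothetical hardened writer: the body is data, never PHP source.
function writeBookTextSafe(string $baseDir, int $cid, string $body): void
{
    // base64 output contains only [A-Za-z0-9+/=], so no PHP open tag can
    // survive even if a misconfigured server parses the file as PHP.
    $data = base64_encode($body);
    if (file_put_contents(bookPath($baseDir, $cid), $data, LOCK_EX) === false) {
        throw new RuntimeException('write failed');
    }
}

// Hypothetical reader: returns the exact bytes that were stored.
function readBookTextSafe(string $baseDir, int $cid): string
{
    $raw = file_get_contents(bookPath($baseDir, $cid));
    $body = $raw === false ? false : base64_decode($raw, true);
    if ($body === false) {
        throw new RuntimeException('missing or corrupt book text');
    }
    return $body;
}

// Constructed sample input containing PHP tags and quotes.
$base = sys_get_temp_dir() . '/textdata_demo';
$sample = "Chapter 1: <?php /* constructed marker text */ ?> and 'quotes'";
writeBookTextSafe($base, 7, $sample);
var_dump(readBookTextSafe($base, 7) === $sample);
var_dump(strpos(file_get_contents("$base/1/bk7.txt"), '<?') === false);
```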

ZR

May 3, 2008, 05:50:57
to Ph4nt0m
织梦 (DedeCMS)!

On May 3, 5:25 PM, fly...@126.com wrote:
> $body = "<"."?php exit();\r\n".$body."\r\n?".">";
>
> Looks like it has been patched.

shell...@126.com

May 4, 2008, 05:42:49
to ph4...@googlegroups.com
Does anyone know?
 



w00w0rm

May 4, 2008, 05:45:19
to ph4nt0m
Hello ph4nt0m,

The official site has already been compromised.
 
2008-05-04

shell...@126.com

May 4, 2008, 05:47:52
to ph4...@googlegroups.com
Yeah, I saw it.
I haven't got the 0day yet.

shell...@126.com

May 4, 2008, 05:53:02
to ph4...@googlegroups.com
 It's in issue 5 of x; I haven't gone to buy it yet.
 Discuz6.0.1 UC latest vulnerability walkthrough              Author: 黑侠 (Black Mask)

w00w0rm

May 4, 2008, 05:55:29
to ph4nt0m
Hello ph4nt0m,
 
 
2008-05-04
----- Original Message -----
To: ph4nt0m
Sent: 2008-05-04, 17:42:49
Subject: [Ph4nt0m]_Discuz6.0.1_UC latest vulnerability

可酷可乐

May 6, 2008, 03:35:58
to Ph4nt0m
It's escaped by addslashes, so how can it still be exploited? You can't write a shell in.