DedeCMS v5.1 WriteBookText() code injection vulnerability warning

2008-05-02T00:00:00
ID MYHACK58:62200818934
Type myhack58
Reporter Anonymous
Modified 2008-05-02T00:00:00

Description

Source: Ph4nt0m Google Group, by Flyh4t@126.com (QQ: 378367942)

\include\inc_bookfunctions.php
---------------------------------------------------
......
function WriteBookText($cid,$body)
{
    global $cfg_cmspath,$cfg_basedir;
    $ipath = $cfg_cmspath."/data/textdata";
    $tpath = ceil($cid/5000);
    if(!is_dir($cfg_basedir.$ipath)) MkdirAll($cfg_basedir.$ipath,$GLOBALS['cfg_dir_purview']);
    if(!is_dir($cfg_basedir.$ipath.'/'.$tpath)) MkdirAll($cfg_basedir.$ipath.'/'.$tpath,$GLOBALS['cfg_dir_purview']);
    // The story text is stored as a .php file under the web root ...
    $bookfile = $cfg_basedir.$ipath."/{$tpath}/bk{$cid}.php";
    // ... and $body is placed verbatim between the PHP open and close tags,
    // so whatever the caller passes in becomes PHP source code.
    $body = "<"."?php\r\n".$body."\r\n?".">";
    @$fp = fopen($bookfile,'w');
    @flock($fp);
    @fwrite($fp,$body);
    @fclose($fp);
}
......

\member\story_add_content_action.php

......
// Member-submitted story content reaches the sink above with only addslashes() applied,
// which escapes quotes but does nothing to stop the text being parsed as PHP.
WriteBookText($arcID,addslashes($body));
......
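To make the defect concrete from the defender's side, the following is an added example (not DedeCMS code and not from the advisory's author) that puts the advisory's writer shape next to a hardened one. The storage directory, the bk{$cid}.php naming and all function names are assumptions modelled on the listing above; the hardened version turns $body into a PHP string literal with var_export(), so quotes, backslashes and a stray `?>` inside the text are data rather than code, and the file is read back with include.

```php
<?php
// Added example, not DedeCMS code. Contrasts the advisory's writer, which
// drops $body verbatim between <?php and ?>, with a hardened writer that
// serialises $body as a single-quoted PHP string literal via var_export().
// TEXTDATA_DIR and the bk{$cid}.php naming are assumptions for this demo.

const TEXTDATA_DIR = __DIR__ . '/textdata_example'; // assumed storage dir

function bookFile(int $cid): string
{
    // $cid is an int, so it cannot carry path separators into the filename.
    return TEXTDATA_DIR . "/bk{$cid}.php";
}

// Vulnerable shape from the advisory: whatever is in $body is PHP code
// the next include() will execute. Kept only to show the produced file.
function writeBookTextVulnerable(int $cid, string $body): string
{
    $file = bookFile($cid);
    @mkdir(TEXTDATA_DIR, 0755, true);
    file_put_contents($file, "<?php\r\n" . $body . "\r\n?>", LOCK_EX);
    return $file;
}

// Hardened shape: var_export() emits a properly escaped PHP string literal,
// so the stored file always has the form  <?php return '...';  and the text
// can never break out of the literal. No addslashes() is needed (it would
// corrupt the stored text); the file deliberately has no closing tag.
function writeBookTextSafe(int $cid, string $body): string
{
    if (!is_dir(TEXTDATA_DIR) && !mkdir(TEXTDATA_DIR, 0755, true)) {
        throw new RuntimeException('cannot create ' . TEXTDATA_DIR);
    }
    $file = bookFile($cid);
    $php  = "<?php\r\nreturn " . var_export($body, true) . ";\r\n";
    if (file_put_contents($file, $php, LOCK_EX) === false) {
        throw new RuntimeException("cannot write $file");
    }
    return $file;
}

// Reader for the hardened format: include returns the string literal.
function readBookTextSafe(int $cid): string
{
    $file = bookFile($cid);
    if (!is_file($file)) {
        throw new RuntimeException("missing $file");
    }
    return (string) include $file;
}

// Constructed chapter text containing exactly the characters the vulnerable
// writer cannot handle: a single quote, a backslash and a PHP close tag.
$body = "It's chapter one.\r\nClose tag in text: ?> and a backslash \\ too.";

writeBookTextSafe(1, $body);
$roundTrip = readBookTextSafe(1);
echo $roundTrip === $body ? "safe writer: round-trip OK\n"
                          : "safe writer: MISMATCH\n";
echo "stored file:\n", file_get_contents(bookFile(1)), "\n";

// For comparison only: show (never include) what the advisory's writer
// would have produced for the same text. Every byte of $body is PHP source.
$vuln = writeBookTextVulnerable(2, $body);
echo "vulnerable layout:\n", file_get_contents($vuln), "\n";
```

Running this prints the hardened file as `<?php return 'It\'s chapter one.' ...;` and confirms the round trip, while the second file shows the chapter text sitting unquoted inside the PHP tags. Two further checks belong in a fix regardless of how the text is serialised: the data directory should live outside the document root or have script execution denied in the web server, and the caller should stop relying on addslashes() as if it were an escaping routine for PHP source. The author's note below that the tested directory did not execute PHP illustrates the first point: the write succeeded, and only a server setting the application does not control kept the file from running.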

Found a suitable site to test on: http://www.admin5.com/data/textdata/1/bk1.php

The file was written, but unfortunately this directory does not execute PHP. Fuck.