MYHACK58:62200821018 (myhack58, 佚名)
Nov 09, 2008 - 12:00 a.m.

DedeCMS patches a marginal vulnerability - vulnerability warning - Black Bar Safety Net

www.myhack58.com

Author: Ice Origin [L.S.T]&[0.S.T]

I just saw on a young guy's blog a post describing a DedeCMS 0day (http://www.xssor.cn/sa/?action=show&id=5A8). I don't remember clearly whether this bug is the same as the one from a few months ago that wrote directly into a file, so please don't blame me for that. I happened to have a DedeCMS site at hand, but testing against it never succeeded. So I downloaded the latest version of Dede and had a look: the official team had already patched it. But while testing I found that the official fix is not very thorough. Below we recall how the vulnerability arises. In member/story_add_content_action.php there is the following code:
WriteBookText($arcID,stripslashes($body));
Then take a look at where this function is written, in include\inc_bookfunctions.php:
function WriteBookText($cid,$body)
{
    global $cfg_cmspath,$cfg_basedir;
    // Story text is stored under data/textdata/<bucket>/bk<id>.php
    $ipath = $cfg_cmspath."/data/textdata";
    $tpath = ceil($cid/5000);
    if(!is_dir($cfg_basedir.$ipath)) MkdirAll($cfg_basedir.$ipath,$GLOBALS['cfg_dir_purview']);
    if(!is_dir($cfg_basedir.$ipath.'/'.$tpath)) MkdirAll($cfg_basedir.$ipath.'/'.$tpath,$GLOBALS['cfg_dir_purview']);
    $bookfile = $cfg_basedir.$ipath."/{$tpath}/bk{$cid}.php";
    // The patch: prepend exit() so nothing after it is ever executed,
    // but the user-supplied $body is still written into a .php file
    $body = "<"."?php exit();\r\n".$body."\r\n?".">";
    @$fp = fopen($bookfile,'w');
    // Remainder of the function (writing $body and closing the handle)
    // was cut off in the original post; assumed tail:
    @fwrite($fp,$body);
    @fclose($fp);
}
The most important line is this one: $body = "<"."?php exit();\r\n".$body."\r\n?".">"; I did not look at the code before the patch, but an exit(); is now prepended, so even if we write a one-liner, the file content becomes <?php exit();?><?php @eval($_POST[cmd])?>?>, that is, before the eval function is ever reached, the exit function runs first. That is how the official team limited the one-liner trojan functionality. But here the official team ignored PHP's error disclosure: what if we casually write a few extra characters in there? If we write an extra > or some other critical character, stripslashes($body) unescapes it for us anyway, so we can easily get the website's physical path. Here is an example: http://www.xyxxw.com/book/data/textdata/1/bk23.php
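As an added example (not DedeCMS's own code; the function names and the temp-file path are my assumptions, and it assumes PHP 7 or later), the weak prefix pattern described above beside a hardened form that stores the text as a PHP string literal built with var_export(), so user text never reaches the parser as code and no input can trigger a path-disclosing parse error:

```php
<?php
// Added example, not DedeCMS code; function and file names are hypothetical.

// Weak pattern, as in the patched WriteBookText(): exit() stops anything in
// $body from running, but $body is still fed to the PHP parser as source.
// Text that leaves the file malformed produces a parse error, and with
// display_errors enabled that message names the file's physical path.
function writeBookTextWeak(string $file, string $body): void
{
    $content = "<" . "?php exit();\r\n" . $body . "\r\n?" . ">";
    file_put_contents($file, $content, LOCK_EX);
}

// Hardened: embed the text as a single-quoted PHP string literal instead of
// raw source. var_export() escapes backslashes and quotes, and a "?>" inside
// a quoted string does not end PHP mode, so every input yields a file that
// parses, executes nothing of the user's, and returns the text on include.
// Requesting the file directly through the web server outputs nothing.
// (Keeping display_errors off in production is a separate, second layer.)
function writeBookTextHardened(string $file, string $body): void
{
    $content = "<" . "?php\nreturn " . var_export($body, true) . ";\n";
    file_put_contents($file, $content, LOCK_EX);
}

function readBookText(string $file): string
{
    return include $file;   // the file's return statement yields the literal
}

// Constructed input carrying the characters the weak form cannot tolerate:
// a closing tag, an unbalanced quote, a backslash and a multi-word run.
$body = "chapter text with ?> a stray 'quote and a \\ backslash";
$file = sys_get_temp_dir() . '/bk_example.php';

writeBookTextHardened($file, $body);
if (readBookText($file) !== $body) {
    throw new RuntimeException('round trip failed');
}
echo "stored and read back unchanged, no parse error possible\n";
```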

Well, the vulnerability analysis ends here! This is also the reason why our one-liner gets written into the file but cannot even be connected to! If I have said anything wrong, please correct me!