Starlight posted it 1.3: taking a SHELL through the admin backend, and the fix

2011-11-30T00:00:00
ID MYHACK58:62201132483
Type myhack58
Reporter Anonymous
Modified 2011-11-30T00:00:00

Description

by: air of the legend

Today's analysis of the two programs produced this.

Okay, I admit it is a bit tasteless.

First, take a look at this file:

/common.function.php

    function write_file($l1, $l2 = '') { // write file
        $dir = dirname($l1);
        if (!is_dir($dir)) {
            mkdirss($dir);
        }
        // ... );  (the write call itself did not survive in this listing)
    }

    function read_file($l1) {
        // ... );  (the read call itself did not survive in this listing)
    }

    // array is saved to file
    function arr2file($filename, $arr = '') {
        if (is_array($arr)) {
            $con = var_export($arr, true);
        } else {
            $con = $arr;
        }
        $con = "<?php\nreturn $con;\n?>"; //\n!defined('IN_MP') && die();\nreturn $con;\n
        write_file($filename, $con);
    }

The above are function definitions; the one that matters here is write_file. Now look at a file in the admin backend:

admin\module\extendMod.class.php

    $array = $_POST; // the submitted POST array is assigned to $array
    if (!empty($array['ads_name_sub'])) {
        if ($this->model->table('ads')->where(' adsname="' . trim($_POST['ads_name_sub']) . '"')->find()) {
            $this->error('the advertising identifier already exists,please re-fill of an advertising identity!');
        }
        $data['adsname'] = trim($array['ads_name_sub']); // file name
        $data['adscontent'] = stripslashes(trim($array['ads_content_sub'])); // content
        $this->model->table('ads')->data($data)->insert($data);
        // write the SHELL: both the file name and the content come straight from $_POST
        write_file(ROOT_PATH . '/data/ads/' . $data['adsname'] . '.js', t2js($data['adscontent']));
    }

Log in to the admin backend, then browse to http://www.badguest.cn/admin/index.php/extend/ads.html

For the ad identifier, fill in: 1.php

For the ad content, fill in: <? phpinfo();?>

Then visit http://www.badguest.cn/data/ads/1.php.js and you can see our lovely horse. Of course, whether 1.php.js gets parsed depends on the environment.

So it is tasteless, as I said, but it is still one way to take the SHELL.

Fix: filter the two inputs.
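One way to filter the two inputs before they reach write_file, as an added example that is not the application's own code. The helper names (ads_safe_name, ads_safe_content, ads_target_path), the allowed character set, the length limit and the /var/www/site root are assumptions.

```php
<?php
// Added example; helper names, limits and sample values are assumptions.

// Accept only a plain identifier. With dots, slashes and NUL bytes refused,
// the stored file is always "<name>.js", never "1.php.js" or "../x.js".
function ads_safe_name(string $name): ?string
{
    $name = trim($name);
    return preg_match('/\A[A-Za-z0-9_-]{1,32}\z/', $name) === 1 ? $name : null;
}

// Refuse ad content that carries a server-side open tag ("<?", "<%")
// or a <script language="php"> block.
function ads_safe_content(string $content): ?string
{
    $content = trim($content);
    $pattern = '/<\?|<%|<script[^>]*language\s*=\s*["\']?php/i';
    return preg_match($pattern, $content) === 1 ? null : $content;
}

// Build the path write_file() would receive, or null if the name is refused.
function ads_target_path(string $root, string $name): ?string
{
    $safe = ads_safe_name($name);
    return $safe === null ? null : rtrim($root, '/\\') . '/data/ads/' . $safe . '.js';
}

// Constructed sample submissions: [ads_name_sub, ads_content_sub].
$cases = [
    ['banner_top',  '<a href="/promo">promo</a>'],
    ['1.php',       '<? phpinfo();?>'],   // the values used on this page
    ['../../index', '<b>hello</b>'],
];

foreach ($cases as [$name, $content]) {
    $path = ads_target_path('/var/www/site', $name);
    $body = ads_safe_content($content);
    printf(
        "%-12s path=%s content=%s\n",
        $name,
        $path ?? 'REFUSED',
        $body === null ? 'REFUSED' : 'ok'
    );
}
```

In the handler, both checks would run before the database insert and the write_file call, with the request rejected through $this->error when either returns null.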