Notepad Dog microblogging V3.6.1 Build 20A120718 backend get-shell vulnerability alert - the Black Bar Safety Net

2012-08-08T00:00:00
ID MYHACK58:62201234577
Type myhack58
Reporter Anonymous
Modified 2012-08-08T00:00:00

Description

The Notepad Dog microblogging system has a design defect in its backend that lets a user with backend access obtain a shell.

Version: V3.6.1 Build 20a120718

1. System Tools -> Data Backup -> Custom Backup -> select a table with a small amount of data -> More Options -> select "compress backup file" -> "compress multiple volumes into one file".


Submit directly.

2. Download the backup file, then add a file named zzz.php.sql to the backup archive, with the content <?php phpinfo();?>


3. Then take a normal picture and run cat yy520.zip >> yy520.png, and submit yy520.png from the front end.

4. Get the image's address, images/topic/6/17/14_o.jpg, then go back to the backend: System Tools -> Data Recovery.

Click Unzip and intercept the request with Burp Suite.


Change it to datafile_server=./images/topic/6/17/14_o.jpg. Finally, access the result.
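As an added defender-side example (not code from this write-up or from the Notepad Dog project), the following PHP check flags an uploaded "image" that carries a ZIP archive appended after the image data, which is exactly the file the cat step above produces. The function name find_polyglot_indicators and the sample bytes are constructed for this example; a real upload handler would run the check on the uploaded file before saving it under the images directory.

```php
<?php
// Added example, not the project's code. Returns a list of reasons the file looks like an
// image/ZIP polyglot; an empty list means no indicator was found.
function find_polyglot_indicators(string $bytes): array {
    $reasons = [];
    $len = strlen($bytes);

    if (substr($bytes, 0, 8) === "\x89PNG\r\n\x1a\n") {
        // A well-formed PNG ends with the IEND chunk ("IEND" + 4-byte CRC);
        // anything after that is foreign data.
        $iend = strrpos($bytes, "IEND");
        if ($iend === false) {
            $reasons[] = 'PNG without IEND chunk';
        } elseif ($iend + 8 < $len) {
            $reasons[] = sprintf('%d bytes of trailing data after PNG IEND', $len - ($iend + 8));
        }
    } elseif (substr($bytes, 0, 2) === "\xff\xd8") {
        // A JPEG ends with the EOI marker FF D9; an appended archive pushes it away from the end.
        if (substr($bytes, -2) !== "\xff\xd9") {
            $reasons[] = 'JPEG does not end with EOI marker';
        }
    } else {
        $reasons[] = 'not a PNG or JPEG header';
    }

    // ZIP structures anywhere in the file: local file header and end-of-central-directory record.
    if (strpos($bytes, "PK\x03\x04") !== false || strpos($bytes, "PK\x05\x06") !== false) {
        $reasons[] = 'ZIP signature present in image data';
    }
    return $reasons;
}

// Constructed sample input: a minimal PNG (signature + IEND chunk only) and the same bytes
// with a fake ZIP local file header and an entry name appended, mimicking cat zip >> png.
$png = "\x89PNG\r\n\x1a\n" . "\x00\x00\x00\x00IEND\xaeB`\x82";
$polyglot = $png . "PK\x03\x04" . str_repeat("\x00", 26) . "zzz.php.sql";

print_r(find_polyglot_indicators($png));
print_r(find_polyglot_indicators($polyglot));
```

The IEND and EOI checks catch data appended behind a real image regardless of what that data is; the PK signature check is the specific indicator for the archive case and also catches an archive that was stuffed into an image with no valid header at all.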

Last of all, let me explain why the above needs so many clumsy steps.

1.

$datafile_server = get_param('datafile_server');
// ...
$unzip->ReadFile($datafile_server);

if ($unzip->Count() == 0 || $unzip->GetError(0) != 0 || !preg_match("/\.sql$/i", $importfile = $unzip->GetName(0))) {
    $this->Messager('data file does not exist: possible server does not allow upload of files or size exceeds the limit.', null);
}

Because of the preg_match restriction above, the file name inside the zip must end with .sql. This can be bypassed by relying on how Apache parses multiple extensions, so our file name must be ***.php.sql.
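As an added example (not the project's code), here is the weak check just quoted next to a stricter form of the two inputs the write-up abuses: the entry name inside the archive and the datafile_server path. The names weak_sql_name_check, is_safe_sql_name, is_safe_backup_path and $backupDir are hypothetical; the strict name rule allows exactly one dot, so a name like zzz.php.sql is rejected before anything is extracted.

```php
<?php
// Added example, not the project's code.

// Weak: only the trailing ".sql" is checked, so "zzz.php.sql" passes, and once extracted
// into a web-served directory Apache's multiple-extension handling can run it as PHP.
function weak_sql_name_check(string $name): bool {
    return (bool) preg_match('/\.sql$/i', $name);
}

// Strict: a bare base name, exactly one dot, the .sql suffix, and no "/" or "\",
// so the entry can neither carry a second extension nor escape the extraction directory.
function is_safe_sql_name(string $name): bool {
    return (bool) preg_match('/^[A-Za-z0-9_-]{1,64}\.sql$/i', $name);
}

// The archive to restore must be a real .zip inside the backup directory, not an arbitrary
// server path taken from the request (datafile_server in the write-up). basename() drops any
// directory part and realpath() resolves the result, so "../" and symlink tricks are excluded.
function is_safe_backup_path(string $requested, string $backupDir): bool {
    $base = realpath($backupDir);
    $real = realpath($backupDir . '/' . basename($requested));
    return $base !== false && $real !== false
        && strpos($real, $base . DIRECTORY_SEPARATOR) === 0
        && preg_match('/\.zip$/i', $real) === 1;
}

// Constructed sample names covering the normal case, the write-up's bypass name,
// a traversal attempt and a second-extension variant.
foreach (['backup.sql', 'zzz.php.sql', '../x.sql', 'a.sql.php'] as $n) {
    printf("%-12s weak=%s strict=%s\n", $n,
        weak_sql_name_check($n) ? 'accept' : 'reject',
        is_safe_sql_name($n) ? 'accept' : 'reject');
}

// Constructed backup directory with one archive in it, to exercise the path check.
$dir = sys_get_temp_dir() . '/backup_demo_' . getmypid();
mkdir($dir);
file_put_contents($dir . '/site.zip', 'PK');
printf("site.zip -> %s\n", is_safe_backup_path('site.zip', $dir) ? 'accept' : 'reject');
printf("image path -> %s\n", is_safe_backup_path('./images/topic/6/17/14_o.jpg', $dir) ? 'accept' : 'reject');
```

Restricting the entry name is the cheaper fix; restricting the archive path closes the route the write-up actually uses, since an uploaded image under images/ is then never accepted as a backup to restore.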

$identify = explode(',', base64_decode(preg_replace("/^# Identify:\s(\w+)./s", "\\1", substr($unzip->GetData(0), 0, 256))));
