BUG-1: Permission bypass
File location: goodsshow.php
Problem code:
// Guests are not allowed to place orders; redirect to login
if(empty($_COOKIE['username'])) // only a simple check of whether the cookie is empty
{
    header('location:member.php?c=login');
    exit();
}
Brief description: username is read from the cookie, so as long as it is not empty you can skip the login and place an order directly as a guest.
Exploitation: use a Firefox cookie plug-in to add a username cookie yourself and assign it a value.
BUG-2: Unauthorized access
File location: /data/alipay/index.php
Description: appending the above path to the domain name gives direct access to the PayPal instant-account transaction interface (fast track).
The code below is part of the admin back-end upload code:
// Forcibly define some file types that are prohibited from upload
if(in_array($tempfile_ext, explode('|', 'php|pl|cgi|asp|aspx|jsp|php3|shtm|shtml')))
{
    return 'Your uploaded file type is: ['.$tempfile_ext.']; this type of file is not allowed to be uploaded through the back end!';
}
The above forcibly restricts the file types that may be uploaded. This is obviously a problem: if you can get into the admin back end, getting a shell is straightforward, because the above is a blacklist, not a whitelist. There are many suffixes that can still be uploaded. I will not look at the rest. It is very late, time to sleep!
2013-05-28 1:47:39
PS: I have not done code auditing for a long time, so this is not written very well; experts, please do not blame me!
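The blacklist check from BUG-2 set beside a whitelist check, as an added example that is not code from the original post or from the CMS. The function names, the allowed-extension set and the sample file names are assumptions constructed for illustration.

```php
<?php
// Added example (not CMS code): the page's blacklist beside a whitelist.

// Blacklist as shown on the page: anything not named here is accepted.
function blacklist_allows(string $ext): bool
{
    $blocked = explode('|', 'php|pl|cgi|asp|aspx|jsp|php3|shtm|shtml');
    return !in_array($ext, $blocked);
}

// Whitelist: only the types the site actually needs (assumed set).
const ALLOWED_EXT = ['jpg', 'jpeg', 'png', 'gif', 'pdf'];

function whitelist_allows(string $ext): bool
{
    // Normalise case and compare strictly, so "PDF" and "pdf" are the same type.
    return in_array(strtolower($ext), ALLOWED_EXT, true);
}

// Hypothetical helper: returns the name to store the file under, or null to
// reject. The name is generated server-side, so the client controls neither
// the base name nor any extension beyond the whitelisted one.
function stored_name(string $clientName): ?string
{
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!whitelist_allows($ext)) {
        return null;
    }
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed sample names, including an unknown type and a name with no extension.
$samples = ['photo.jpg', 'invoice.PDF', 'notes.xyz', 'index.php', 'noextension'];
foreach ($samples as $name) {
    $ext = pathinfo($name, PATHINFO_EXTENSION);
    printf(
        "%-12s blacklist: %-7s whitelist: %s\n",
        $name,
        blacklist_allows($ext) ? 'accept' : 'reject',
        stored_name($name) ?? 'reject'
    );
}
```

The blacklist accepts every type it has never heard of, including the empty extension, while the whitelist rejects by default and accepts only the listed types.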
Source: myhack58, "PHPMyWind CMS v4.6.3 Beta 0day", published 2013-05-31, http://www.myhack58.com/Article/html/3/62/2013/39047.htm