MetInfo_v5. 1. 3 arbitrary file upload vulnerability-vulnerability warning-the black bar safety net

2013-06-05T00:00:00
ID MYHACK58:62201339115
Type myhack58
Reporter my5t3ry
Modified 2013-06-05T00:00:00

Description

MetInfo 2 No. 3 released a new version 5. 1. 5, the prosthesis of this article mentioned the vulnerability, of course, strictly speaking, should be the arbitrary variable overwrite vulnerability....

ps: welcome various forms to reprint 首发 t00ls.net

Note: Please do not use the contents of this document are engaged in all illegal activities, otherwise the consequences conceited

author:my5t3ry

Nonsense not much said, see code:

include\common.inc.php 2 0

3 9 $db_settings = parse_ini_file(ROOTPATH.'config/config_db.php'); @extract($db_settings); require_once ROOTPATH.'include/mysql_class.php'; $db = new dbmysql(); $db->dbconn($con_db_host,$con_db_id,$con_db_pass,$con_db_name); define('MAGIC_QUOTES_GPC', get_magic_quotes_gpc()); isset($REQUEST['GLOBALS']) && exit('Access Error'); require_once ROOTPATH.'include/global.func.php'; foreach(array('_COOKIE', '_POST', '_GET') as $_request) { foreach($$_request as $ _ key => $_value) {$_Key{0} != '' & & $$ _ Key = daddslashes($value); } } $query="select * from {$tablepre}config where name='met_tablename' and lang='metinfo'"; $mettable=$db->get_one($query); $mettables=explode('|',$mettable[value]); foreach($mettables as $key=>$val){ $tablename='met'.$ val; $$tablename=$tablepre.$ val; }

[1] [2] next