Destoon latest V5.0-UTF8 release: command execution vulnerability (admin backend)

2014-07-06T00:00:00
ID SSV:94490
Type seebug
Reporter Root
Modified 2014-07-06T00:00:00

Description

Brief description:

See title.

Details:

A command execution vulnerability in the admin backend; it can be used to add system accounts. The vulnerability is in admin/tag.inc.php:

case 'preview':
    $db->halt = 0;
    $destoon_task = '';
    if($tag_css) $tag_css = stripslashes($tag_css);
    if($tag_html_s) $tag_html_s = stripslashes($tag_html_s);
    if($tag_html_e) $tag_html_e = stripslashes($tag_html_e);
    if($tag_code) $tag_code = stripslashes($tag_code);
    if($tag_js) $tag_js = stripslashes($tag_js);
    $code_eval = $code_call = $code_html = '';
    if($tag_css) $code_eval .= '<style type="text/css">'."\n".''.$tag_css.''."\n".'</style>'."\n";
    if($tag_html_s) $code_eval .= $tag_html_s."\n";
    $code_call = $code_eval;
    $code_call .= $tag_code."\n";
    $tag_code = str_replace('<!--{', '', $tag_code);
    $tag_code = str_replace('}-->', '', $tag_code);
    if(strpos($tag_code, '",') !== false) {
        $tag_code = str_replace(', '.$tag_expires.')', ', -1)', $tag_code);
    } else {
        $tag_code = str_replace('")', '", -1)', $tag_code);
    }
    $tag_code .= ';';
    ob_start();
    eval($tag_code); // eval executes the request-supplied code directly (1)
    $contents = ob_get_contents();
    ob_clean();
    $code_eval .= $contents."\n";
    if($tag_html_e) {
        $code_eval .= $tag_html_e;
        $code_call .= $tag_html_e;
    }
    $t = str_replace('",', '&debug=1",', $tag_code);
    ob_start();
    eval($t); // eval executes it directly again (2)
    $td = ob_get_contents();
    ob_clean();

The eval() function executes the parameters tag_code and t directly; tag_code comes straight from the request, and t is derived from it.
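One way to close this, as an added example that is not Destoon's own code or patch: parse tag_code against an allowlist and call tag() directly, so the preview branch never reaches eval(). It assumes Destoon's tag() takes the parameter string as its first argument and the cache expiry as its second (the call shape the original snippet rewrites), and the key/value character set below is a deliberately narrow assumption that may need widening for real tag strings.

```php
<?php
// Added example, not Destoon's code. Replaces eval() in the 'preview' branch
// with an allowlist parser plus a direct call to tag().
// Assumption: legitimate preview input has the shape
//   tag("key=value, key2=value2", 3600)   (optionally wrapped in <!--{ }-->)

/**
 * Return the key=>value parameters of a single well-formed tag("...") call,
 * or null for anything else. Extra statements, other function names,
 * quotes and operators are rejected instead of being executed.
 */
function parse_tag_call(string $tag_code): ?array
{
    $code = trim(str_replace(['<!--{', '}-->'], '', $tag_code));

    // Exactly one tag("...") call, optional numeric expiry, optional ';'.
    if (!preg_match('/^tag\("([^"\\\\]*)"(?:\s*,\s*-?\d+)?\)\s*;?$/', $code, $m)) {
        return null;
    }

    $params = [];
    foreach (explode(',', $m[1]) as $pair) {
        $pair = trim($pair);
        if ($pair === '') {
            continue;
        }
        // Conservative key=value character set (assumption; widen deliberately).
        if (!preg_match('/^([A-Za-z_][A-Za-z0-9_]*)=([A-Za-z0-9_\- ]*)$/', $pair, $kv)) {
            return null;
        }
        $params[$kv[1]] = $kv[2];
    }
    return $params;
}

/** Preview without eval(): rebuild the validated string and call tag() directly. */
function preview_tag(string $tag_code): string
{
    $params = parse_tag_call($tag_code);
    if ($params === null) {
        return 'Invalid tag call';   // reject; nothing is executed
    }
    $pairs = [];
    foreach ($params as $k => $v) {
        $pairs[] = $k . '=' . $v;
    }
    ob_start();
    tag(implode(', ', $pairs), -1);  // -1: no cache, as the original preview forces
    return (string) ob_get_clean();
}
```

When run outside Destoon, define a stub tag() first; inside the application the real tag() from its include path is used and the stub must be omitted.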

Proof of vulnerability:

1. net user command:

[Screenshot d1.jpg: https://images.seebug.org/upload/201407/052134188dac70cc4020c386f17862ccac011db4.jpg]

2. netstat -ano command:

[Screenshot d2.jpg: https://images.seebug.org/upload/201407/0521351363cc2dbfc7f22f281b109e4435e5c18c.jpg]

It can be used as a shell.