dedecms v5.1 WriteBookText() code injection vulnerability

Posted by admin, 2017-05-05 05:00:12
Source: Ph4nt0m Google Group
by [email protected]
QQ:378367942


/include/inc_bookfunctions.php
—————————————————
……
function WriteBookText($cid,$body)
{
    global $cfg_cmspath,$cfg_basedir;
    $ipath = $cfg_cmspath."/data/textdata";
    $tpath = ceil($cid/5000);
    if(!is_dir($cfg_basedir.$ipath)) MkdirAll($cfg_basedir.$ipath,$GLOBALS['cfg_dir_purview']);
    if(!is_dir($cfg_basedir.$ipath.'/'.$tpath)) MkdirAll($cfg_basedir.$ipath.'/'.$tpath,$GLOBALS['cfg_dir_purview']);
    // target lands under the web root with a .php extension at a predictable path: data/textdata/<cid/5000>/bk<cid>.php
    $bookfile = $cfg_basedir.$ipath."/{$tpath}/bk{$cid}.php";
    // caller-controlled $body is spliced verbatim between PHP open/close tags
    $body = "<"."?php\r\n".$body."\r\n?".">";
    @$fp = fopen($bookfile,'w');
    @flock($fp);
    @fwrite($fp,$body);
    @fclose($fp);
}

……

—————————————————

/member/story_add_content_action.php
—————————————————

……
// $body is the story text submitted by the logged-in member; addslashes() only
// escapes quotes and backslashes, it does not neutralise PHP code
WriteBookText($arcID,addslashes($body));
……

—————————————————
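The two listings above show the whole chain: member-supplied story text passes through addslashes() in /member/story_add_content_action.php and is then written between PHP tags to a predictable path under the web root. The PHP below is an added example, not dedecms code: it reproduces the vulnerable pattern, shows that addslashes() leaves a quote-free payload untouched and that the written file executes it, and contrasts this with a hardened writer that stores the text as a var_export() string literal, so the file can only ever return data. The function names (writeBookTextVulnerable, writeBookTextSafe, readBookText, executeBookFile, check), the temp directory and both payloads are assumptions constructed for the demo.

```php
<?php
// Added example, not dedecms code. Shows why addslashes() does not stop the
// WriteBookText() injection and one safe way to persist the text instead.
// Function names and the temp directory below are assumptions for the demo.

// Mirrors the vulnerable pattern: caller-supplied $body is spliced verbatim
// between PHP tags, so whatever parses as PHP runs when the file is served.
function writeBookTextVulnerable(string $bookfile, string $body): void
{
    $php = "<"."?php\r\n".addslashes($body)."\r\n?".">";
    file_put_contents($bookfile, $php, LOCK_EX);
}

// Hardened variant: var_export() emits the body as a single-quoted PHP string
// literal with ' and \ escaped, so the file can only return data, never run it.
function writeBookTextSafe(string $bookfile, string $body): void
{
    $php = "<"."?php\r\nreturn ".var_export($body, true).";\r\n";
    file_put_contents($bookfile, $php, LOCK_EX);
}

// Reader paired with writeBookTextSafe(): include evaluates the file and
// hands back the stored string unchanged.
function readBookText(string $bookfile): string
{
    return include $bookfile;
}

// Executes a written file the way a web hit on /data/textdata/.../bkN.php
// would, and returns whatever it printed.
function executeBookFile(string $bookfile): string
{
    ob_start();
    include $bookfile;
    return ob_get_clean();
}

function check(bool $ok, string $what): void
{
    if (!$ok) {
        throw new RuntimeException("check failed: $what");
    }
    echo "ok: $what", PHP_EOL;
}

$dir = sys_get_temp_dir().'/bk_demo_'.getmypid();
mkdir($dir, 0700, true);

// Constructed attacker input. It contains no quotes or backslashes, so
// addslashes() returns it byte-for-byte; a real payload would call system().
$payload = 'echo PHP_OS, PHP_EOL; // stand-in for system($_GET[cmd]);';

writeBookTextVulnerable("$dir/bk1.php", $payload);
check(addslashes($payload) === $payload, 'addslashes() leaves a quote-free payload unchanged');
check(trim(executeBookFile("$dir/bk1.php")) === PHP_OS, 'vulnerable file executed the payload');

writeBookTextSafe("$dir/bk2.php", $payload);
check(executeBookFile("$dir/bk2.php") === '', 'safe file printed nothing');
check(readBookText("$dir/bk2.php") === $payload, 'safe file returns the text intact');

// A quote-bearing payload is equally inert: var_export() escapes the quote.
$payload2 = "'; system('id'); //";
writeBookTextSafe("$dir/bk3.php", $payload2);
check(executeBookFile("$dir/bk3.php") === '', 'quote-bearing payload did not execute');
check(readBookText("$dir/bk3.php") === $payload2, 'quote-bearing payload stored intact');

foreach (glob("$dir/*.php") as $f) {
    unlink($f);
}
rmdir($dir);
```

Run it with `php demo.php`; every check line prints ok, and the first two make the point: the payload survives addslashes() unchanged and the vulnerable file runs it. A web server that refuses to execute PHP under data/ (which is what the author hit on the tested site) is a second layer that the application cannot rely on; the fix is to never write user content into an executable file, and ideally to keep such data outside the web root as well.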

Found a nice-looking site and tested it:
http://www.admin5.com/data/textdata/1/bk1.php

The file did get written, but unfortunately that directory doesn't execute PHP. Fuck.

Reposted by CN-SEC 中文网 (with thanks to the original author); please keep this link when reposting: https://cn-sec.com/archives/47746.html