|
dedecms v5.1 WriteBookText() code injection vul |
 |
|
作者:洋葱圈
|
|
周五, 02 5月 2008 04:21 |
来源:Ph4nt0m Google Group
by
该E-mail地址已受到防止垃圾邮件机器人的保护,您必须启用浏览器的Java Script才能看到。
QQ:378367942
-
1. \include\inc_bookfunctions.php
2. ---------------------------------------------------
3. ……
4. function WriteBookText($cid,$body)
5. {<span id="more-1944"></span>
6. global $cfg_cmspath,$cfg_basedir;
7. $ipath = $cfg_cmspath."/data/textdata";
8. $tpath = ceil($cid/5000);
9. if(!is_dir($cfg_basedir.$ipath)) MkdirAll($cfg_basedir.$ipath,$GLOBALS['cfg_dir_purview']);
10. if(!is_dir($cfg_basedir.$ipath.'/'.$tpath)) MkdirAll($cfg_basedir.$ipath.'/'.$tpath,$GLOBALS['cfg_dir_purview']);
11. $bookfile = $cfg_basedir.$ipath."/{$tpath}/bk{$cid}.php";
12. $body = "<"."?php\r\n".$body."\r\n?".">";
13. @$fp = fopen($bookfile,'w');
14. @flock($fp);
15. @fwrite($fp,$body);
16. @fclose($fp);
17. <div id="qhide_185676" class="qt" style="display: block;">}
18.
19. </div>
20. ……
-
—————————————————
\member\story_add_content_action.php
—————————————————
- ……
- WriteBookText($arcID,addslashes($body));
- ……
—————————————————
找了个好看的站测试了一下
http://www.admin5.com/data/textdata/1/bk1.php
文件是写上去了,可惜这个目录不支持php,fuck
Trackback(0)
|
|
最后更新 ( 周五, 02 5月 2008 07:16 )
|
美国 : 
Unknown Browser
TrackBack URI for this entry
Subscribe to this comment's feed
Show/Hide comments
Show/Hide comment form