原文地址http://0day5.com/archives/3467-----------------------------------------------------------
#插件信息:
http://addon.discuz.com/?@dc_mall.plugin
官方安装量3000+ (已经不少了吧) #测试环境:
PHP 版本为: 5.2.9-2
magic_quotes_gpc = off dc_mall.inc.php(漏洞文件) - <?php
-
- if(!defined('IN_DISCUZ')) {
-
- exit('Access Denied');
-
- }
-
- $_lang = lang('plugin/dc_mall');
-
- $action = $_GET['action'] ? $_GET['action'] : 'index';
-
- $version ='Ver 1.1.1';
-
- $cvar = $_G['cache']['plugin']['dc_mall'];
-
- $file = DISCUZ_ROOT.'./source/plugin/dc_mall/module/index/'.$action.'.inc.php';//action参数未过滤直接传入$file 后面的用%00截断即可包含任意文件
-
-
-
- if (!file_exists($file)||!$cvar['open']) showmessage('undefined_action');
-
- $usercredit = getuserprofile('extcredits'.$cvar['credit']);
-
- $mallnav = C::t('#dc_mall#dc_mall_sort')->getdata();
-
- $sortid = dintval($_GET['sortid']);
-
- if(empty($mallnav[$sortid]))$sortid=0;
-
- @include $file;
-
- $croppath = DISCUZ_ROOT.'./source/plugin/dc_mall/data/cron.php';
-
- $cronupdate = @include $croppath;
-
- if(TIMESTAMP-$cronupdate['timestamp']>$cvar['autotime']*60){
-
- require_once DISCUZ_ROOT.'./source/plugin/dc_mall/cache/cache_mallinfo.php';
-
- build_cache_plugin_mallinfo();
-
- $configdata = 'return '.var_export(array('timestamp'=>TIMESTAMP), true).";\n\n";
-
- if($fp = @fopen($croppath, 'wb')) {
-
- fwrite($fp, "<?php\n//plugin mall temp upgrade check file, DO NOT modify me!\n//Identify: ".md5($configdata)."\n\n$configdata?>");
-
- fclose($fp);
-
- }
-
- }
-
- include template('dc_mall:index/'.$action);
-
- ?>
#包含测试 
前台上传带马图片,在直接用包含就成功。 局限性太大了。。
| 
|小黑屋|手机版|中国白客联盟-BUC
( 赣ICP备15007148号-6 ) 
发表于 2015-10-5 21:33:41
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
显身卡